## January 18, 2004

### Comment Throttle

So it turns out that the latest fad among the script kiddies is crap-flooding MovableType blogs with thousands of randomly-generated comments. Lamentable as it may be, I cannot afford to have this machine brought to its knees because some pimply-faced 15 year-old is bummed that Saturday Night Live is in reruns this week.

Hence some new policies:

• No more than 1 comment from any given IP address every 20 seconds.
• 8 comments from the same IP address in less than 200 seconds will get you banned.
• No more than 20 comments, in total, per hour.
• No more than 100 comments, in total, per day.

I hope this does not seriously inconvenience any of you, but that’s life on the Internet…

For what it’s worth, here’s my patch for lib/MT/App/Comments.pm.

Thanks to Phil for some pointers, and to Shelley and Sam for illuminating discussions.

Update (1/21/2004): Just in case anyone’s confused, the comment-throttling code in MT 2.66* and my modifications above are incompatible with the current version (1.6.2) of Jay Allen’s MT-Blacklist. Jay’s plugin usurps the post method of lib/MT/App/Comments.pm, so none of this throttling code gets used. Either wait for a new version of Jay’s plugin, or add the throttling code (both Ben’s and mine) to MTBlPost.pm.

Posted by distler at January 18, 2004 10:15 PM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/291

### Re: Comment Throttle

I was going to leave a comment, at least a “me, too” (though I think both of us could probably drop our numbers somewhat from Sam’s), but I’ve gotten so bored sitting around watching tail -f access.log all day with only a couple of non-flooding nibbles, and reloading terrato.org to see if it’s still down (or just not accepting connections from me ;)) that I’ve sunk to reading Jeff K., and I fear that I’ll shortly descend to Jeff K.-speak, and declare myself king of teh Intarweb!!1!

So I better not comment.

Posted by: Phil Ringnalda on January 18, 2004 10:40 PM | Permalink | Reply to this

### Re: Comment Throttle

Well, I just got back from dinner at The Salt Lick in Driftwood, TX.

Blissed-out on a surfeit of smoke-kissed protein, I probably shouldn’t comment either.

Posted by: Jacques Distler on January 18, 2004 10:53 PM | Permalink | Reply to this

### Re: Comment Throttle

I love Salt Lick. Color me jealous.

Posted by: Matt on January 19, 2004 9:57 AM | Permalink | Reply to this

### Re: Comment Throttle

So, do there exist public domain versions of those things the ticket sales sites use? They basically have a graphic that is recognizable as a series of symbols to a human, but not to a computer. You have to type in the code in order to do what needs to be done.

Would not such a thing solve all these problems? (excluding DOS attacks, of course)

Posted by: Aaron on January 18, 2004 11:31 PM | Permalink | Reply to this

### Re: Comment Throttle

There’s even a MovableType plugin, I believe (though that one is insecurely written and easily defeated, as the authors of the afore-linked crapflooding program discovered).

But Captchas are kinda frowned upon in “enlightened” circles, as they’re not Accessible and don’t work in alternative User-Agents (text-mode browsers, hand-held clients, etc).

Besides, I don’t think they’re needed here.

Posted by: Jacques Distler on January 18, 2004 11:49 PM | Permalink | Reply to this

### Re: Comment Throttle

Actually, it’s not so much that it wasn’t securely written as that the instructions weren’t written at the right level. They say “define your temp directory (preferably in your own home directory)” meaning in /home/user/captcha, but to the audience, that meant http://foo.com/tmp/. Sigh.

Accessible? If it wasn’t too hard (read: install a module from CPAN), it might be fun to have one, with an alternative audio file, the way LiveJournal apparently does them. But, as you say, not until we really need it.

Posted by: Phil Ringnalda on January 19, 2004 12:43 AM | Permalink | Reply to this

### haha

That certainly took forever for you people to implement.

Quite frankly I was considering offering my services to the MT coders for a symbolic amount of money, but I figured it’d look too much like blackmail.

YHL HAND.

Posted by: Dv on January 19, 2004 8:43 AM | Permalink | Reply to this

### The Mother of Invention

Never seemed necessary till you lowlifes came on the scene.

What exciting new “features” can we expect from floodmt-1.1.6.py? I’m waiting with bated breath.

Posted by: Jacques Distler on January 19, 2004 8:58 AM | Permalink | Reply to this

### Really?

Then why are the Unites States so keen on developing a nuclear missile defence system?

AFAIK we’re currently not in the middle of a nuclear war.

Posted by: Dv on January 19, 2004 9:09 AM | Permalink | Reply to this

### Star Wars

Then why are the Unites States so keen on developing a nuclear missile defence system?

Why? Because we have a bunch of morons in charge of the White House.

As to your larger point, it’s essentially impossible to defend a website against a well-crafted DDoS attack. This an unsurprising, well-known fact-of-life on the Internet.

That’s not to say that MT should be brought to its knees by a pathetic little lame-ass script like floodMT. Having settled that issue, could the participants get a life?

Posted by: Jacques Distler on January 19, 2004 9:23 AM | Permalink | Reply to this

Dear sir,

you are a utter dullard who hasn’t the vaguest clue what he’s talking about. This an unsurprising, well-known fact-of-life on the Internet.

A well configured server would serve content normally until 99.9% of its internet connection was saturated.

So why can one dial-up user bring down an entire server? Because you people don’t know shit about networking.

I suggest picking up the book called “Internet for dummies” [ISBN: 0764541730] and working your way up from there.

Posted by: Dv on January 19, 2004 9:57 AM | Permalink | Reply to this

Amazing, a script kiddie forming complete english sentences. Must be due to the evolutionary pressure of the blogosphere environment.

Posted by: Volker Braun on January 19, 2004 10:34 AM | Permalink | Reply to this

Wow, an ad hominem attack and a use of smart quotes!

Hmm, seems you are the troll.

By the way, are we still script kiddies if we write the scripts we use? Didn’t think so.

And Volker Braun, I notice that you didn’t actually give a proper response to Dv’s statement about networking. In addition to that, you used the word “blogosphere”, which marks you as both contemptuous and contemptible.

Have a nice day.

Posted by: Jon Anderson on January 19, 2004 7:09 PM | Permalink | Reply to this

### Re: Your behaviour is foolish.

By the way, are we still script kiddies if we write the scripts we use?

So you admit both to having written this and to having used it? How … umh … interesting.

You’re still a script kiddie, but thanks for that admission. It will prove useful.

And Volker Braun, I notice that you didn’t actually give a proper response to Dv’s statement about networking.

Why should he respond to a non sequitur?

Posted by: Jacques Distler on January 20, 2004 8:08 AM | Permalink | Reply to this

### Re: Your behaviour is foolish.

Something tells me that’s not the real Jon Anderson.

### Not as he seems

Posted by: Jacques Distler on January 20, 2004 2:11 PM | Permalink | Reply to this

### Hello again, sirs

It’s FloodMT with a capitalised ‘F’, in case that helps.

“You’re still a script kiddie”

Well, let’s see what Urbandictionary has to say:

“A wannabe ‘l33t h4x0r’ who downloads pre-made exploits and uses them flagrantly, but does not have a clue how they work.”

At no point have I claimed to be a hacker or ‘elite’; I do not download “pre-made exploits” and have no aspirations to hackerdom. As such, it appears that you are still making unfounded and outright false accusations as to the nature of my character!

(Where we come from we call this libel.)

(Another note: please turn off your smart quotes and the like in your comment posting form. It seems to be well within your evidently vast capabilities, and having these peculiarities of typography is most infuriating.)

(Oh, and one more thing: for some reason your posting form seems to insist on making non-XHTML compliant markup, and then complaining about it. This is idiocy!)

Posted by: Jon Anderson on January 24, 2004 11:58 PM | Permalink | Reply to this

### Re: Hello again, sirs

At no point have I claimed to be a hacker or ‘elite’; I do not download “pre-made exploits” and have no aspirations to hackerdom.

Well, that’s good, because you simply haven’t the chops for it. My advice to you, son, is to give up on wasting your time writing crapflooding scripts.

• They’re lousy.
• You’ll never be able to show them to a future employer (or University) as an example of you programming skills.
• Your mentors in this indeavour are even worse programmers than you are, so you won’t learn anything in the effort.

Instead, join a “real” open-source programming effort. You’ll learn from looking at the code written by programmers more experienced than you and you’ll be able to point with pride, later, to your own contributions.

Oh, and one more thing: for some reason your posting form seems to insist on making non-XHTML compliant markup, and then complaining about it. This is idiocy!

You are the first person to complain about my comment form being too difficult to use. I 'spose that ought to tell you something.

But, yes, XHTML 1.1 compliance is insisted upon hereabouts. A truly l33t h@ckr exploit would be figuring out how to sneak some invalid XHTML onto this blog.

Posted by: Jacques Distler on January 25, 2004 8:20 AM | Permalink | Reply to this

### Re: The Mother of Invention

Our favourite miscreants have been busy. They’re now making the lives of their fellow pre-pubescents miserable by spewing their crap all over LiveJournal too.

Yep, crapping on her LiveJournal is surely the way to attract the attention of that girl you’ve been itching to talk to…

Posted by: Jacques Distler on January 20, 2004 7:51 PM | Permalink | Reply to this

### Re: Comment Throttle

YHBT

YHL

Posted by: jew on January 19, 2004 9:32 AM | Permalink | Reply to this

### Re: Comment Throttle

Jacques–
The link to the patch is bad–take out “archives/” (and it’s more messed up in your feed)

Sorry to see you’ve become a focus for these vandals.

### Re: Comment Throttle

Only messed up 'cuz I can’t type. Thanks for the catch. Fixed now.

Posted by: Jacques Distler on January 19, 2004 10:05 AM | Permalink | Reply to this

### Re: Comment Throttle

To prevent automatic spam on my blog, I implemented a Turing Test. The turing Test consists of a word in an image that would only be readable by humans. The commenter has to type the word into a text box in order to proceed. PayPal, Yahoo, and other places use a Turing Test to verify that it’s not a script that’s trying to insert a comment into my blog. I don’t use Moveable Type, so it would take more effort to customize a script to insert comments into my proprietary blog framework, and I don’t think anyone will bother. It was fun to figure out how to create the Turing Test though. Check it out here: http://www.donnyspi.com/blog

– Don

Posted by: Don Spidell on January 19, 2004 2:01 PM | Permalink | Reply to this

### Re: Comment Throttle

I kinda-sorta like the idea of a Turing Test in the abstract, but not one that relies on pictures of words. It would be more accessible–and more fun–to have one that, say, has a long list of simple questions, such as “which is better, pie or cake?” One of these questions is inserted at random. Either answer is counted as correct, but any other text is not.

Weblog: Random Neural Misfirings
Excerpt: Tending my garden of words
Tracked: January 20, 2004 12:52 PM
Weblog: Eclectic Echoes
Excerpt: It’s almost funny, in a wierd twisted sort of way… Recently the comment spam problem for MovableType users escelated when some script kiddies released an automated comment spammer. The site hails it as: the first integrated solution for tes...
Tracked: January 22, 2004 9:29 PM

### Re: Comment Throttle

There’s even a MovableType [captcha] plugin, I believe (though that one is insecurely written and easily defeated, as the authors of the afore-linked crapflooding program discovered).

Here’s an evil idea… write more broken plugins and submit them to the usual, proper, places. Write a madlibs code generator to write hundreds of such broken plugins.

Someone looking to install and use a working plugin would, one would hope, use google to figure out what the community thinks is a good plugin, and then use that one. Recommendations work.

Meanwhile, script kiddies need to inspect each of those plugins and work out the security flaw to each of them, and then write code to work around those flaws, just in case they want to crapflood a blog which happens to have it installed.

There’s a flaw in this thinking, I know it.

Posted by: Eric Scheid on January 23, 2004 2:06 AM | Permalink | Reply to this

### Re: Comment Throttle

I suspect that the community’s comments about which blocks are good would be just as accessible to spammers?

Posted by: gordsellar on November 30, 2004 5:58 AM | Permalink | Reply to this

### Re: Comment Throttle

FWIW, MT-Blacklist v1.63 beta (release candidate 1) is out and fixes the incompatibility with MT 2.661.

It also adds some nifty features which help clean up crapfloods…

Posted by: Jay Allen on January 23, 2004 8:42 AM | Permalink | Reply to this

### Throttle!

Jay, a quick look at MTBlPost.pm reveals that you are using the same useless throttling code as MT 2.661.

Hello ???

Is no one paying attention? Throttling by IP number does nothing to stem a Crapflood. Please don’t release another “solution” that doesn’t work. My patch above introduces some basic, but effective throttling.

In lieu of something better from Ben Trott, at least use that.

Posted by: Jacques Distler on January 23, 2004 9:45 AM | Permalink | Reply to this
Weblog: Eclectic Echoes
Excerpt: Well I knew when I posted the entry the day before yesterday I was opening myself up as a target… I knew when I saw http://terrato.org/ in my referer logs that it was just a matter of hours… they hit tonight, for about an hour. Funny thing ...
Tracked: January 25, 2004 2:09 AM
Weblog: Not for Sheep
Excerpt: As some of you may know, earlier this week this site was flooded with comments. I installed MT 2.661 (which has some comments throttling features), reinforced my htaccess "screen," and after some more research, satisfied myself this site was safe...
Tracked: January 25, 2004 12:57 PM
Weblog: Cuba Conference
Excerpt: Earlier this second, this site (among my other domains) was flooded with comments. Clean up only took a couple hours and then I upgraded my MT installation to 2.661. Unfortunately, that was not to last. Today, I was hit by...
Tracked: January 25, 2004 1:04 PM
Read the post Redirects Are Not An Option
Weblog: Full Speed
Excerpt: I have just installed David Raynes' Optional-Redirect Plugin for Movable Type. Comment author links no longer behave in the 2.661 way. They work as they should---that is, they link directly. While I understand the nature of this change that Six...
Tracked: January 27, 2004 10:38 AM
Read the post Throttling Comment Spammers
Weblog: Mind of Mog
Excerpt: Distler has a plugin for comment throttling which may be useful if you use MT. Got link from Matt. Thought to share this after Frank J. got hit by porn
Tracked: January 27, 2004 1:46 PM
Read the post Stepping Stones to a Safer Blog
Weblog: Burningbird
Excerpt: In the last few weeks, I've been hit not only by comment spammers, but a new player who doesn't seem to like our party: the crapflooders, people who use automated applications (you may have heard of MTFlood or some variation) to literally flood comment...
Tracked: January 28, 2004 6:19 PM

### Re: Comment Throttle

Hey Jacques, for maintainability and compatibility my intention has always been to use the exact code that MT uses, EXCEPT for the changes necessary for my plugin.

If people wish to customize it, than that’s cool, but I am not going to presume that I know best and rewrite all the MT code. Some people, for one reason of another, may not want to use your fine methods. By sticking very close to the MT code, I give everyone the opportunity to do what they want. People who would patch with you code will still do it.

I agree that IP banning and IP throttling are lame and useless against a round-robin of sufficiently numbered proxies, but that’s not MT-Blacklist’s job.

Posted by: Jay Allen on February 18, 2004 2:52 AM | Permalink | Reply to this

### MT-Blacklist

It’s unfortunate that MTBlPost.pm and MTBlPing.pm usurp the very methods in MovableType that need to be patched to implement effective throttling.

I appreciate your not wanting to “take responsibility” for my patches by adding them to the above files. This was not, as you point out, “MT-Blacklist’s job,” as you conceived it.

Unfortunately, in the mind of most users, there’s no distinction between crapflood protection and anti-spam defences.

They view MT-Blacklist as a general-purpose solution to (both) problems (which they don’t see as distinct).

Maybe you could just point to Shelley’s page, and work with her to make sure she has the latest versions of your files, patched with the latest version of my patches (I modified them to work on a per-blog basis, to avoid problems with multiple blogs set to different time-zones hosted using the same MT installation), available for those users who don’t want to leave themselves vulnerable to being DoS’ed by a crapflood attack.

Posted by: Jacques Distler on February 18, 2004 8:10 AM | Permalink | Reply to this
Read the post MT 2.661 and those god-awful redirects
Weblog: Redsugar Muse
Excerpt: I finally upgraded to MT 2.661. Wanna know why? Because of David Raynes's Optional-Redirect v0.11 That's right. You can mouse over your commenter's names again, without seeing your own url. I know there was a good reason for that feature...
Tracked: March 16, 2004 12:28 PM
Read the post Comment spam throttling
Weblog: Knowledge Jolt with Jack
Excerpt: I've found another way to limit comment spam on my site, with the ThrottleSeconds variable and some modifications sugested by Phil Ringnalda and Jacques Distler. And then I extended it some more.
Tracked: September 24, 2004 3:08 PM

### Re: Comment Throttle

Forgive me for being clueless, but how do I use this “patch”? Do I copy and paste it into Comments.pm and where, at the end? There are no instructions :) Also, do you know if this works with Blacklist 1.65? I’m using MT 2.661 and I’m desperate for a throttling solution.

Posted by: Gina on May 22, 2005 9:02 PM | Permalink | Reply to this

### Patch

Ah. Sorry.

If you have shell-access, then applying the patch is as simple as uploading it to your MovableType directory and typing

patch < comment_throttle.patch

The “patch” command takes care of the rest. If you don’t have shell access, or if you want to apply these changes to MTBlPost.pm in MTBlacklist, instead, then you need to understand a wee bit about the syntax of these patch files.

Each patch begins with a pair of lines like

--- lib/MT/App/Comments.pm.orig	Thu Jan 15 17:41:46 2004
+++ lib/MT/App/Comments.pm	Sun Jan 18 20:39:22 2004

which tells you which file we are going to patch. Then follows a series of sections, each of which starts with a line like

@@ -135,6 +137,38 @@

This says, starting at around line 135 of the original file, delete all of the lines starting with a “-” and add all of the lines starting with a “+” (eliminating the “+” itself, of course). This snippet of code was originally 6 lines long. When you’re done, it will be 38 lines long. I.e., you will have added a net 32 lines.

While tedious, you can alway follow these instruction using a text editor, and then upload the modified file.

Posted by: Jacques Distler on May 22, 2005 9:20 PM | Permalink | PGP Sig | Reply to this

### Re: Patch

Okay, I understand the idea, but implementing has been unsuccessful so far. I’d want to add/remove code on MTBlPost.pm, since I’m using Blacklist, but I decided to try on Comments.pm first so I could try to understand. But I can’t even find the lines I’m supposed to subtract.

For example, in the patch text:

 @@ -74,7 +76,7 @@
$ts[5]+1900,$ts[4]+1, @ts[3,2,1,0]);
require MT::Comment;

-    if (MT::Comment->count({ ip => $user_ip, + if (MT::Comment->count({ blog_id =>$entry->blog_id, ip => $user_ip, created_on => [$from] },
{range => {created_on => 1} }))
{

I’m supposed to remove this line from Comments.pm:

if (MT::Comment->count({ ip => $user_ip, But it doesn’t exist in my mt/lib/MT/Comment.pm file. Is that the right file? I’m lost, but I really want this to work. Could you help me? *beg* ;-) Posted by: Gina on May 30, 2005 10:47 PM | Permalink | Reply to this ### Re: Patch I think you’re looking at the wrong file. It’s lib/MT/App/Comments.pm. And you should be looking at around line 74 (according to the snippet of patch code). Posted by: Jacques Distler on May 31, 2005 8:10 AM | Permalink | PGP Sig | Reply to this ### Re: Patch Well, no wonder I was having trouble! Got the right file, and in 5 minutes all was running well. I tested it by changing the$maxcomments to “2” and the throttle warning came up after trying my third comment. Thank you SO much for this patch and the help you gave me. Now, I can finally open comments on my blog, after 6 months of having them closed.

Now, is a trackback flooding patch in the works? ;-)

Posted by: Gina on May 31, 2005 7:59 PM | Permalink | Reply to this

### Re: Patch

Now, is a trackback flooding patch in the works? ;-)

Gina, Gina,

Been there, done that.

Posted by: Jacques Distler on May 31, 2005 10:30 PM | Permalink | PGP Sig | Reply to this

### Re: Patch

You’re my hero.

Thanks, this has saved my blog and my sanity. :)

Posted by: Gina on June 1, 2005 7:32 PM | Permalink | Reply to this

Post a New Comment