From: Mel Smith <meds...@gmail.com>
Sent: Saturday, April 24, 2021 6:35 PM
> You all wonder why I require an IP Address and Name in order to
> download from my site.
Mel, your assumptions are wrong.
> Below is my latest attacker's assaults on my web site this morning.
It's NOT an attack, it's a normal way of using a browser. Sorry to
disappoint you. Some user just wanted to download some files.
> This person probably attacks from a 'proxy' in Poland.
It's not a proxy. Read the logs more carefully and check the facts with your
search engine, please.
> I have decided to '403' this person so he gets "Access denied". But,
> I wonder *why* he spends all of his time attacking. Doesn't he have
> anything better to do with his time ?
Don't you have anything better to do with your time, Mel? Why don't you
spend time on searching and learning?
> Anyway, below is my latest log of his attacks.
And here it's all clear:
> ip-185-189-215-36.fibreo.pl
Fibreo.pl is a local broadband Internet provider in Poland. Fibreo stands
for FIBRE Optics, so it's probably some home WiFi router in a small town
connected to fiber from the ISP.
> [24/Apr/2021:09:31:57 -0600] "GET
> /0805/hb3432_con_mingw_1903191612.zip
Trying to download a zip file using the following web browser:
> "Mozilla/5.0 (Linux; U; Android 10;
> pl-pl; POCOPHONE F1 Build/QKQ1.190828.002) AppleWebKit/537.36 (KHTML,
> like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36
> XiaoMi/MiuiBrowser/12.3.5-g"
As you can see, it's the default browser on a Xiaomi Poco smartphone.
Attackers would somehow hide their identity. A lazy attacker would use Tor
Browser and open the URL to your site in many tabs (every tab connected via
another IP). A smarter attacker would change the User-Agent to a more popular
browser, possibly some non-branded Google Chrome version. An even smarter
attacker would use JavaScript code to repeatedly download _many_ _small_
files using more and more connections. That's how DDoS (Distributed Denial
of Service) works.
> [24/Apr/2021:09:31:57 -0600] "GET
> /0805/hb3464_bin_mingw_1712201340.zip
And here's another zip file requested…
> [24/Apr/2021:09:31:58 -0600] "GET
> /0805/hb3464_src_mingw_1712201340.zip
> [24/Apr/2021:09:33:36 -0600] "GET
> /0805/hb3432_con_mingw_1903191612.zip
And retries follow…
> [24/Apr/2021:09:33:36 -0600] "GET
> /0805/hb3432_con_mingw_1903191612.zip
> [24/Apr/2021:09:33:36 -0600] "GET
> /0805/hb3464_bin_mingw_1712201340.zip
And more and more retries, because there is NO info on your page that some
special requirements are needed in order to download files… Or maybe that
info is a popup which can be blocked by some adblock extension or the
browser itself.
And there is also no info about limited availability in your announcements
with the subject "New Harbour 3.x build is available" (or similar). You just
declare that "It is available for download at
whosaway.com".
I can report more problems with your website and suggest some solutions,
if you really want to do something more useful than writing questionable
complaints.
Just send an email message to me.
APW
--
Regards from Poland
Andrzej P. Woźniak
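
Added example, not part of the original message: a per-client summary of the quoted access-log excerpts, collecting the facts the reply reads off by hand (request count, time span, retried paths, number of User-Agents). The sample lines are constructed in Apache combined log format from the host, paths and timestamps quoted above; the status, size and referer fields and the name `summarize` are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in Apache combined log format. Host, paths and timestamps
# follow the excerpts quoted above; status, size and referer fields are assumed.
UA = ("Mozilla/5.0 (Linux; U; Android 10; pl-pl; POCOPHONE F1 Build/QKQ1.190828.002) "
      "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 "
      "Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.3.5-g")
HOST = "ip-185-189-215-36.fibreo.pl"
REQUESTS = [
    ("09:31:57", "/0805/hb3432_con_mingw_1903191612.zip"),
    ("09:31:57", "/0805/hb3464_bin_mingw_1712201340.zip"),
    ("09:31:58", "/0805/hb3464_src_mingw_1712201340.zip"),
    ("09:33:36", "/0805/hb3432_con_mingw_1903191612.zip"),
    ("09:33:36", "/0805/hb3432_con_mingw_1903191612.zip"),
    ("09:33:36", "/0805/hb3464_bin_mingw_1712201340.zip"),
]
SAMPLE_LOG = "\n".join(
    f'{HOST} - - [24/Apr/2021:{t} -0600] "GET {p} HTTP/1.1" 403 199 "-" "{UA}"'
    for t, p in REQUESTS)

LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def summarize(log_text):
    """Group requests per client host and return the facts a reviewer needs."""
    clients = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped, not guessed at
            clients[m["host"]].append(m)
    report = {}
    for host, hits in clients.items():
        times = [datetime.strptime(h["ts"], "%d/%b/%Y:%H:%M:%S %z") for h in hits]
        paths = Counter(h["path"] for h in hits)
        report[host] = {
            "requests": len(hits),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
            "distinct_paths": len(paths),
            "retried_paths": sorted(p for p, n in paths.items() if n > 1),
            "user_agents": len({h["ua"] for h in hits}),
            "statuses": sorted({int(h["status"]) for h in hits}),
            "methods": sorted({h["method"] for h in hits}),
        }
    return report

if __name__ == "__main__":
    for host, facts in summarize(SAMPLE_LOG).items():
        print(host, facts)
```

On the constructed sample this reports one host, one User-Agent, six GET requests for three files within 99 seconds, two of the files requested more than once.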