How Hackers Are Trying to Break into My Website Thousands of Times Each Day
Why this modern day crime wave is running virtually unchecked.
An inside look into this brazen activity.
Observations and conclusions may surprise you.
How could a little-known website experience a barrage of attacks?
A little-known startup, OiThis (oithis.com), developed a novel web-based application (oithis.com/app) which enables individuals, companies, and organizations to create simple websites or webpages without domains, web hosting, or coding.
There is more useful functionality there, but the important point is that we are talking about a little-known website. Why would hackers have any interest in it?
The answer may surprise you. Computer automation enables hackers to run numerous malicious requests continuously and across many websites — literally across the entire Internet. Hackers do this indiscriminately.
Would you believe that every website, every household, and most mobile devices are bombarded with such requests on a daily basis?
Unless you are a website administrator who reads the web server log files, such activity goes unnoticed. This in turn creates the wrong perception that such activity does not exist, or is not widespread.
Hacking attempts — what do they look like?
Imagine that you live in a house, or in a first-floor apartment. Imagine that hundreds if not thousands of strangers walk by every day and every night. They check your doors, check your windows, look inside, try to pick your door lock, try to open your windows, and so on. In real life, you would not tolerate such activity, and would certainly call the police.
Below is a tiny fragment of the website log file illustrating hacking attempts from a single source which occurred on April 11, 2024 at around 9:58 p.m. Eastern time.
While the fragment shows a couple of dozen hacking attempts, the total for this particular attack was a staggering 4462 requests, which arrived in two short bursts, one lasting 7 minutes, and another one a few hours later lasting 4 minutes.
The first highlighted region indicates the originating IP address 173.249.10.225 which sent the malicious requests. A quick lookup using the iplocation.com service reveals that this IP address belongs to Contabo GmbH, a hosting provider located in Nuremberg, Bavaria, Germany. Note that a hosting provider's address identifies a rented server, not necessarily the person who rented it.
The second highlighted region shows which specific files the hacker was trying to access in order to probe whether the website contained such files: test1.php, test123.php, test2.php, etc. These are common names for forgotten test scripts that scanners try on every site they encounter.
The third highlighted region shows the website's responses to such malicious requests as HTTP status codes. Thanks to security measures on the website, all such requests were identified as malicious, and the website responded with HTTP status code 403 (Forbidden), meaning the requests were rejected.
There are different types of and approaches to hacking a website. The attempts illustrated above are probing attempts. Hackers hope that one of the thousands of files being tried exists on the website and returns some valid output. Based on that, they investigate further and try to find a vulnerability to exploit.
An important conclusion is this. It takes very little effort for hackers to automate the probing of websites, home routers, computers, laptops, and mobile devices — across the entire Internet. Once they discover that a certain request produces non-empty output, they will manually (in a non-automated fashion) try to figure out how to exploit it further.
It is not difficult to imagine that all it takes is just one flaw to lead to a successful break-in. This is very concerning, and indicates a sad state of affairs in Internet security.
Note that we observe multiple similar attacks on a daily basis. They originate from all over the world — the US, Asia, Europe, Africa, the Americas — a truly global phenomenon.
Denial of Service (DoS) attack
Imagine a small business like a bakery or a hardware store where an occasional customer enters every few minutes. This is pretty normal.
Now imagine that a flash mob of dozens, hundreds, or even thousands of people tries to enter such a business, and every participant asks the same question. Do you think that such a business would be able to help real customers? Most likely not, or only with significant delays.
Something similar happens when a bad actor tries to overload a website by sending valid requests very frequently — every second, or even dozens or hundreds of times every second.
Below is a fragment of the website log file showing such an attack.
Every line of the log file shows the identical valid request for oithis.com/vha1/134.
The first highlighted region indicates that all requests came from the same IP address, 110.154.101.152. Checking this IP address with the iplocation.com service indicates that it belongs to China Telecom.
The second highlighted region indicates the exact time of each request in the Eastern time zone. Notice that identical requests were sent every second or slightly more often. Since we do not observe 10 or 100 requests per second, we may conclude that what we are witnessing is merely a precursor to a Denial of Service attack: the bad actor wants to see how the website reacts to unusually frequent identical requests, without imposing an excessive load on the website.
The third highlighted region indicates that all requests ask for the same webpage, /vha1/134 (in full notation oithis.com/vha1/134).
The fourth region indicates that the website responded with HTTP status code 429, 'Too Many Requests'. This means that the website security software detected the repeated requests and rejected them.
This particular attack consisted of 106 requests and lasted about 1.5 minutes.
We observe a few such attacks every day, all originating from China Telecom. However, DoS attacks can come from anywhere in the world — the US, Asia, Europe — once again, a truly global problem.
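The two patterns just described, file-existence probing answered with 403 and repeated identical requests answered with 429, can be picked out of an ordinary access log with a few lines of code. The following Python is an added example written for this article, not OiThis's own security software. The log lines are constructed for the example and use RFC 5737 documentation addresses rather than the addresses quoted above, and the thresholds (five distinct probe-looking paths, twenty identical requests within sixty seconds) are assumptions chosen for illustration.

```python
"""Classify access-log traffic into probing (403), rate abuse (429) or allow.

Added example for this article; not OiThis's code. Sample log lines are
constructed and use RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the fields of one log line, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }

# Paths a site without PHP or exposed backups should never serve. A client asking
# for several distinct ones is enumerating files, not browsing (list is an assumption).
PROBE_MARKERS = (".php", ".env", ".bak", ".sql", "/.git", "wp-login", "phpmyadmin")

def is_probe_path(path):
    p = path.lower()
    return any(marker in p for marker in PROBE_MARKERS)

def classify(lines, window=timedelta(seconds=60), probe_threshold=5, rate_threshold=20):
    """Per source IP: verdict, the HTTP status to answer with, and the evidence counts.

    The probe test keys on *distinct* suspicious paths, because a scanner changes the
    file name on every request. The rate test keys on the *same* path repeated inside
    a sliding window, which is what the DoS precursor looks like.
    """
    probe_paths = defaultdict(set)
    recent = defaultdict(deque)      # (ip, path) -> timestamps inside the window
    peak = defaultdict(int)          # ip -> most identical requests seen in one window
    total = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        total[ip] += 1
        if is_probe_path(path):
            probe_paths[ip].add(path)
        q = recent[(ip, path)]
        q.append(ts)
        while ts - q[0] > window:    # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    report = {}
    for ip in total:
        if len(probe_paths[ip]) >= probe_threshold:
            verdict, status = "probe", 403
        elif peak[ip] >= rate_threshold:
            verdict, status = "rate", 429
        else:
            verdict, status = "allow", 200
        report[ip] = {"verdict": verdict, "status": status, "requests": total[ip],
                      "probe_paths": len(probe_paths[ip]), "peak": peak[ip]}
    return report

def make_line(ip, ts, path, status):
    """Build one combined-format line (constructed sample data, not a real log)."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" {status} 153'

# Constructed sample: 21:58 Eastern daylight time on the evening the article describes.
T0 = datetime(2024, 4, 11, 21, 58, 0, tzinfo=timezone(timedelta(hours=-4)))
SAMPLE_LOG = (
    # file-existence scan: six distinct .php names within six seconds
    [make_line("192.0.2.10", T0 + timedelta(seconds=i), f"/test{n}.php", 404)
     for i, n in enumerate(["1", "123", "2", "3", "_", "upload"])]
    # the same page fetched once a second for 25 seconds, the DoS precursor
    + [make_line("198.51.100.7", T0 + timedelta(seconds=i), "/vha1/134", 200) for i in range(25)]
    # an ordinary visitor browsing three pages over a minute
    + [make_line("203.0.113.5", T0 + timedelta(seconds=30 * i), p, 200)
       for i, p in enumerate(["/", "/app", "/134"])]
)

if __name__ == "__main__":
    for ip, r in classify(SAMPLE_LOG).items():
        print(ip, r)
```

Running the block prints one verdict per source address. Both attacks in the article come from a single address, yet they need two different detectors: the scanner never repeats a path, so a per-path rate limit would never fire on it, while the repeated-page client never asks for a suspicious file name.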
Cyber attacks by proxy computers — distributed attacks
In a more devious scenario, bad actors hijack the computers of unsuspecting owners. Once successful, they remotely install malicious software, and then orchestrate coordinated attacks from those computers.
One example of such an attack is a Distributed Denial of Service (DDoS) attack. This is similar to the DoS attack illustrated above, except that the malicious requests originate from many computers at the same time.
Owners of such hijacked computers are completely unaware of the activity. However, security professionals may be able to figure out the IP address of whoever controls such hijacked computers, since a hijacked machine has to receive its commands from somewhere.
Interesting discovery — only a small number of hackers are terrorizing the world
Our security software blocks IP addresses which attack the OiThis website. Once blocked, any request from such an IP address is promptly rejected, so that the website does not waste valuable computing resources and the risk of a successful attack is eliminated.
A particular IP address may be blocked for a short period or for a longer period, depending on the severity and the number of security violations originating from that IP address.
One might think that the number of blocked IP addresses at any given point in time would keep growing, reaching tens of thousands or even hundreds of thousands.
It turns out that the total number of blocked IP addresses initially grew. However, after many months, this number stabilized and never exceeded 2400. It currently floats at around 2100.
Since blocked IP addresses are unblocked after some time, the actual number of violating IP addresses is somewhat higher — perhaps no more than 3000–4000.
There are other types of attacks we have not mentioned, so the actual number of bad actors may be slightly higher. However, we are still talking about thousands, and no more than that.
Very interesting! This means that no more than a few thousand bad actors are terrorizing the Internet. Strictly speaking, this counts source addresses rather than people: a rented server, a NAT gateway, or a hijacked computer can stand in front of one attacker or many. Still, the order of magnitude is thousands, not millions.
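The block-with-expiry scheme described above (short or long bans depending on severity and repeat offenses, with addresses dropping off the list when the ban expires) can be sketched as a small ledger. The Python below is an added example for this article, not OiThis's software. The ban ladder (10 minutes, 1 hour, 1 day, 7 days) and the doubling of strikes for severe violations are assumptions; the addresses in the usage call are RFC 5737 documentation addresses. It keeps the lifetime strike table separately from the active list, which is the distinction the article draws between the roughly 2100 currently blocked addresses and the larger number of addresses that have ever been blocked.

```python
"""Escalating IP ban list with expiry. Added example for this article, not OiThis's code."""
from datetime import datetime, timedelta, timezone

# Escalation ladder (assumption): the n-th strike against an address gets the n-th
# duration; beyond the ladder the last duration is reused.
LADDER = [timedelta(minutes=10), timedelta(hours=1), timedelta(days=1), timedelta(days=7)]

class BanList:
    def __init__(self, ladder=LADDER, severe_weight=2):
        self.ladder = ladder
        self.severe_weight = severe_weight   # a severe violation counts as this many strikes
        self.expires = {}                    # ip -> expiry time, active bans only
        self.strikes = {}                    # ip -> lifetime strike count, kept after expiry

    def _prune(self, now):
        """Drop bans whose expiry has passed."""
        for ip in [ip for ip, exp in self.expires.items() if exp <= now]:
            del self.expires[ip]

    def block(self, ip, now, severe=False):
        """Record a violation and return the (possibly extended) expiry of the ban."""
        self.strikes[ip] = self.strikes.get(ip, 0) + (self.severe_weight if severe else 1)
        rung = min(self.strikes[ip], len(self.ladder)) - 1
        expiry = now + self.ladder[rung]
        # never shorten a ban that is already in force
        self.expires[ip] = max(expiry, self.expires.get(ip, expiry))
        return self.expires[ip]

    def is_blocked(self, ip, now):
        exp = self.expires.get(ip)
        return exp is not None and exp > now

    def active_count(self, now):
        """Number of addresses blocked right now (the article's ~2100 figure)."""
        self._prune(now)
        return len(self.expires)

    def distinct_offenders(self):
        """Number of addresses ever blocked, expired or not (the article's 3000-4000 estimate)."""
        return len(self.strikes)

if __name__ == "__main__":
    t = datetime(2024, 4, 11, 21, 58, tzinfo=timezone.utc)
    bans = BanList()
    bans.block("192.0.2.10", t)                        # first strike: 10 minutes
    bans.block("192.0.2.10", t + timedelta(minutes=11))  # second strike: 1 hour
    bans.block("198.51.100.7", t, severe=True)          # severe: jumps straight to 1 hour
    print("active now:", bans.active_count(t + timedelta(minutes=30)))
    print("active in two days:", bans.active_count(t + timedelta(days=2)))
    print("ever blocked:", bans.distinct_offenders())
```

The point of keeping two tables is exactly the observation in the article: the active list stops growing once expiries balance new blocks, while the strike table keeps every address that has ever misbehaved, so the second number is the better estimate of how many distinct sources are involved.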
Why are we allowing this to continue?
Thirty-thousand-foot view of Internet security — I only care about my castle
When we talk about Internet security for an individual, a company, or an organization, it is implied that some sort of defensive security software is being used to thwart hacking attacks. Such an approach focuses on protecting just that single entity — the individual, the company, or the organization, respectively.
There appears to be little desire to deploy a more proactive approach — catching hackers in the act, and punishing them accordingly — on a global scale, and with global cooperation.
The acronym WWW stands for World Wide Web. However, when it comes to global Internet security, this widely used acronym might as well stand for Wild Wild West.
When crimes are committed in the physical world, it takes a significant amount of time and effort to conduct an investigation and collect the necessary evidence.
This is not the case in the world of the Internet.
Every website records all requests in its log files. Most malicious requests, along with the originating IP addresses, can easily be identified programmatically, in an automated manner.
Every IP address belongs either to an ISP (Internet Service Provider), a cloud service provider, a mobile service provider, or a company or organization. The public registry record (WHOIS or RDAP) shows only the organization an address block is allocated to; which customer was using a given address at a given time, and where, is known to that organization, and most of the time it knows these details exactly.
With proper cooperation, the exact location and/or identity of an offender could be known to law enforcement almost instantly.
Let’s fantasize — future cyber security task force
A cyber security judge is slowly sipping her coffee while reviewing some documents.
A familiar-sounding alert makes her look at the computer screen: yet another suspicious activity has just been reported. She starts reviewing the evidence — a few dozen entries from the attached website log file.
After about 10 seconds, she has no doubt that the presented evidence indicates malicious activity.
She clicks the ‘Enforce Action’ button, which starts the cyber security enforcement process, then goes back to reviewing the same documents. The whole affair took about 30 seconds.
In the meantime… Somewhere in a different part of the country, a designated police officer receives an alert about a possible cyber crime in progress. The alert is accompanied by details which include the address of a local coffee shop, the IP address of the offending computer, and some other details.
Ten minutes later, the officer arrives at the coffee shop. There are about a dozen customers, but only two of them are using laptops. One is a girl, clearly having a video chat with someone. The other is a guy in the corner who keeps glancing at the officer warily.
As the officer spots the guy in the corner and starts walking toward him, he abruptly closes his laptop and tries to leave — to no avail — he is temporarily detained for further investigation. In short: busted!
During a brief investigation lasting about 15 minutes, the officer determines that the malicious activity originated from that laptop, and its owner is arrested.
Is this achievable?
Let’s pause for a moment.
Of course, the presented scenario is a bit simplified. But you get the point — 99.9% of such cyber crimes could be solved quickly and easily.
This would free up resources to focus on more sophisticated cyber crimes.
Of course, such a streamlined process could lead to abuse, and this has to be addressed when designing the process.
Such a process would require serious cooperation between multiple organizations, governments, and even different countries. Interestingly, countries which refused to cooperate in such a process would immediately be suspected of sponsoring cyber crime.
A country where suspected malicious activity originated would have no choice but to suppress such activity. It could not claim that it cannot find the offender, because we all know that the IP address, physical location, and/or associated party can be known almost instantly.
You may be wondering about OiThis
As mentioned earlier, OiThis (oithis.com) developed a novel web-based application (oithis.com/app) which allows individuals, companies, and organizations to create simple websites or webpages without domains, web hosting, or coding. There is more useful functionality there, but this is the gist of it.
The main objective was to make it so simple and easy that an everyday person could use it. If you know how to click around, then you’ve got it.
You can literally create a website or a webpage in seconds, then add content in minutes. Interact with others via public conversations as well as private one-on-one conversations. Share your website or webpage with others via a short link.
Here are a few real examples.
oithis.com/169 Funny animal videos (done in 12 min)
oithis.com/174 School Project (done in 35 min)
oithis.com/172 Lab Technician Resume (done in 10 min)
oithis.com/167 Doctor’s office (done in 18 min)
oithis.com/134 Chinese Restaurant (done in 22 min)
As with other fundamentally new inventions, people tend to have trouble categorizing it. Some may say it is a website builder. Others will argue it allows building a knowledge base. You will find many who say it is a unique social media platform. Yet, others will refer to it as a tool to create informational networks.
The power of the OiThis application comes from layers of simplicity. You start with the basic functionality, then discover there is more, and so on.
The founding concept is based on an important discovery about how we as humans perceive knowledge and information.
There are a number of other practical inventions and novel ideas, such as audience of interest and informational real estate, as well as enabling everyday people to have their own simple websites without the need for domain names, web hosting, or coding.
The OiThis application gives a voice to everyday people while providing a simple and clear interface.
Do you know how it all started? By asking the right questions.