Verifying you are human…
When your church website is under attack, what do we do? (Activate safeguards for a bit, to fight back)
You may have noticed what we refer to as an interstitial page when coming to the livingtable.org website this week. It may have even asked you whether you are human. More likely, it briefly paused while displaying, “Verifying you are human…” (hence my unoriginal title to this write-up).
What Do You Need to Know?
You shouldn’t have to do anything differently at all. Just wait the few extra moments for that process to verify your humanity. In those moments, perhaps you may consider how amusing it is that a computer is questioning whether you are human. Even as someone who works with fairly sophisticated programs and coding almost daily, I do find these challenges amusing every single time.
But otherwise please just ignore it. When it’s no longer needed, I will turn it off. I expect that I should be able to turn these extra things off within one week. I don’t think that I’ve added any security that will interfere with any functionality of your website, newsletter, or directory, but please let me or Pastor Rachael know if something is blocked for you as a result of these short-term heightened security settings.
Appendix A: What is Going on?
Optional reading for the curious among you: this is what’s known as a Brute Force Attack. Imagine a thief trying to break in to a house through the door by testing every possible key, hoping that one will match the lock on your house. That’s essentially what happens in a brute force attack. Hackers use automated tools to repeatedly guess usernames and passwords, trying to get in. They try different combinations over and over until they find one that works, gaining access to the account or sensitive information.
Why would they be doing this? What they want is an admin-level account, so that they can take over the website and turn it into a hacked spam machine.
This did not happen. There was no successful hack, just lots of futile effort.
While doing this, they also did what’s called a Distributed Denial of Service attack (DDoS Attack). Now that one is like a traffic jam on the internet, caused by bad actors. Imagine a restaurant that normally serves 100 customers. Suddenly, 12,000 people show up at the exact same time, pretending they want tater tot hotdish, but they really don’t (imagine that). They’re just there to cause trouble. Well, what does this do? It overwhelms the restaurant, making it impossible for the real customers to get in. It also offends the chef, who wants the regular 100 to get the hotdish.
In a DDoS attack, hackers use a whole bunch of computers to flood a website with so many requests that it gets overwhelmed and can’t work. As a result, that website either slows down a lot or crashes entirely, making it unusable for the legitimate users. The brute force attack is like someone trying to guess their way in. The DDoS attack is overwhelming the website with fake traffic so nobody can use it, including me, so that I cannot stop them.
Here? Your livingtable.org website was receiving attempts at the rate of 12,000 events in the same second. Those events were part of a DDoS, while the hundreds of “newsletter subscriptions” and attempted user registrations were more suggestive of brute force, since thousands of hits on the registration and sign-in pages are more targeted than DDoS. In all, hundreds of bogus user accounts were created on the website, and they signed up for the newsletter. To say that they swamped this restaurant would be an understatement.
I’ve cleaned the mess to date, and I’ve turned on several protections that should limit subsequent damage.
The reason that bad actors creating hundreds of fake accounts is a problem is that your website is on what’s called shared hosting. Your shared hosting provider would very quickly boot you, within a day in my experience, if this activity was not stopped. It also bogs down your database with all the bogus entries. Lastly, the DDoS Attack makes your site mostly unreachable anyway.
As you may or may not be able to tell from the screenshot above, the events are now merely trickling in, since I’ve set numerous firewall rules and various mitigation processes in addition to the managed challenge, and I’m confident this should end soon.
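For the curious, here is how the two signals described above can be told apart in a web server log, and how a firewall rule decides which visitors to single out for a challenge. This is an added illustration written for this write-up, not code running on livingtable.org; the log lines, page paths and thresholds are all constructed.

```python
"""Rate-based triage of web access logs: separates a flood (many clients,
any page, one second) from targeted sign-in/registration abuse (one client,
sensitive pages, many attempts)."""
from collections import Counter

# Assumed thresholds, constructed for the example; real sites tune these.
FLOOD_PER_SECOND = 20      # requests per second across all clients
TARGETED_HITS = 10         # hits by one client on sensitive pages
# Assumed page paths, constructed for the example.
SENSITIVE_PATHS = {"/login", "/register", "/newsletter/subscribe"}

def parse_log(text):
    """Parse constructed 'ts ip method path status' lines into dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, ip, method, path, status = parts
        events.append({"ts": int(ts), "ip": ip, "method": method,
                       "path": path, "status": int(status)})
    return events

def peak_rate(events):
    """Highest number of requests seen in any single second (flood signal)."""
    per_second = Counter(e["ts"] for e in events)
    return max(per_second.values(), default=0)

def targeted_sources(events):
    """Clients whose hits on sign-in/registration pages reach the threshold."""
    hits = Counter(e["ip"] for e in events if e["path"] in SENSITIVE_PATHS)
    return sorted(ip for ip, n in hits.items() if n >= TARGETED_HITS)

def triage(text):
    """Summarise a log: is there a flood, and who should get a challenge?"""
    events = parse_log(text)
    return {"flood": peak_rate(events) >= FLOOD_PER_SECOND,
            "peak_per_second": peak_rate(events),
            "challenge_ips": targeted_sources(events)}

def build_sample():
    """Constructed log: a 30-client flood in one second, one client hammering
    the sign-in page for five seconds, and one ordinary visitor."""
    lines = [f"1700000000 198.51.100.{i} GET / 200" for i in range(30)]
    for s in range(5):
        lines += [f"{1700000000 + s} 203.0.113.9 POST /login 401"] * 4
    lines.append("1700000003 192.0.2.20 GET /newsletter 200")
    return "\n".join(lines)

if __name__ == "__main__":
    print(triage(build_sample()))
```

The flood shows up as a spike in requests per second regardless of source, while the brute force shows up as one address concentrated on the sign-in page; only the latter gives a firewall a specific client to challenge.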
Isn’t technology fun?
Verifying I’m human…
About Erika Sanborne
Erika Sanborne (she/they) is the website administrator for Living Table. She is also a researcher, stats nerd, social science educator, UCC clergy, and a teaching consultant dedicated to population health and leaving no one behind. Her latest web project is Autistic PhD.
You are not only brilliant at designing the website but also identifying and responding to this problem. And your explanations are so clear.
Thanks for all you do for LT!
Thanks for keeping our site safe & secure! It’s work that often goes unnoticed by us, yet you keep up with all of this nonsense happening.
*I like tater tot hotdish 😋
Oh I know all about the tater tot hotdish 🙂
It sounds delicious right about now actually…
Thank you for your humanness & all you do with it.