Using Sueetie Site Access Control To Identify Suspicious Activity by IP

When I announced the Sueetie Site Activity Reports earlier I mentioned how I wanted to take them a step further, to the page level of reporting.  The Site Activity Reports display site access by agent and IP.  What we now need is the session activity of unknown IPs and agents to view the pages and resources they requested. The session data will tell us the tale of the visitor’s true intentions.

Let’s look at the Sueetie.com logs for access by IP, using the Site Access Control module coming in the Sueetie v3.1 Addon Pack.  The Activity Report below is shown on the Block Access by IP page to identify high trafficked agents that are not used by any known community member.  That is an important to remember. Activity Report IPs and agents are 100% anonymous.

Given that fact, the first indicator of suspicion is that a user representing an anonymous IP or Agent with 1342 page views who is not a member of your community is probably dirty.

We’re going to view the IP’s Geo-Location by clicking on the Remote IP address.  Chicago, Illinois.  That doesn’t tell us much.  No warning bells there.

Now we’re going to look at the session history for this IP and Agent by clicking on the Site Activity Report’s UserAgent hyperlink shown above.

Several warning bells should be going off now. When you see this many hits on your community login and registration pages, you know something evil is afoot.

Another clue (not shown here) is the time sequence of page views.  When 2 or more pages are requested during the same second, this isn’t someone interested in your product.  They’re looking for vulnerabilities to exploit using some sort of script.

I think we’ve seen enough.  Time to shut this bastard down.  We’re going to be conservative and enter a small IP range so as to not block out legitimate users from Chicago.  We love Chicago.

I mentioned in a recent post that a great thing about app development is the constant room for improvement. Reviewing the session data tells me we can take IP access monitoring even further by employing Sueetie background tasks. Our tasks would look for aberrant access indicators, like when an anonymous IP hits a login page 6 or more times, or when 3 pages are requested during the same second. An alerting mechanism would complete the process, or automatic blocking depending on the criteria.  One less thing.

Article written by

A long time developer, I was an early adopter of Linux in the mid-90's for a few years until I entered corporate environments and worked with Microsoft technologies like ASP, then .NET. In 2008 I released Sueetie, an Online Community Platform built in .NET. In late 2012 I returned to my Linux roots and locked in on Java development. Much of my work is available on GitHub.