That's because it's not a hacker; it's a script. It's either running in a
loop or on a schedule. There's not much point in trying to block the IP
address, since they could just change the IP address. It's probably onion
routed or otherwise obfuscated through a proxy of some sort; they can just
change proxy. Remember that any blocked IP address could be dynamically
assigned, so you can end up blocking legit users that way.

I've seen scripted attacks go on for months with the IP addresses changed
frequently. If you want to block attempts, you would have to use a tool
that would detect the pattern and add IP addresses automatically, or you
could reject the IP block that it's coming from if the country is blockable
per your business requirements. Depending on your business model that may
or may not be appropriate but it ultimately may not work since there are
proxies and zombies in the US that could be used for this.

I've blocked IP blocks before but they can change IP blocks too. If you
need to buy time to close some holes, you can block the IP block that
contains the IP. It will take a little while for the block to get worked
around. I've seen one day turn around circumventing that. Blocking a single
IP is faster to get around, but they'll get around it.

The code needs to be fixed. Anything else is cat and mouse.

One thing that I noticed in my last attack was that there was a
simultaneous attack on production and on dev, with attempts to log into
both via Remote Desktop. You may want to also check your system logs to
make sure that they aren't trying to brute force onto the servers as well.
If they are, you'll need to implement something at the firewall. (Yes, I
know that should have been firewalled to begin with. Don't get me started.)


On Mon, Jul 22, 2013 at 11:28 AM, Dave Hatz <daveh...@hatzventures.org> wrote:

>
> Russ,
> The query never processed.  The hacker was relentless though.  For about 5
> straight hours he kept trying.
>
> Which brings up another security question.  How does other sites handle
> something like this automatically?  I mean, if I see an attack from an IP
> address, is it even worth blocking at the firewall?
>
> 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356280
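The reply above describes the tool it would take to do this automatically: something that spots the pattern of failed logins, adds the source IP to a block list for a while, and shows when the attacker is rotating inside one IP block so a wider rule can buy some time. Below is an added example of that logic, written for this page and not code from the thread or from any ColdFusion or firewall tool. The log line format (ISO timestamp, LOGIN_FAILED/LOGIN_OK, user, ip) and the sample lines are constructed for the example; the iptables output assumes a Linux host in front of the application, and the threshold, window and block duration are arbitrary starting points.

```python
"""Sliding-window failed-login detector with expiring blocks.

Added example for the discussion above. The log format below is an
assumption made for this example, not a ColdFusion or IIS log layout,
and the sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one IP hammering the login form with several
# usernames, one legitimate user who mistypes twice then succeeds, and a
# second attacker IP from the same /24 that shows up a few minutes later.
SAMPLE_LOG = """\
2013-07-22T11:00:01 LOGIN_FAILED user=admin ip=203.0.113.10
2013-07-22T11:00:02 LOGIN_FAILED user=admin ip=203.0.113.10
2013-07-22T11:00:03 LOGIN_FAILED user=administrator ip=203.0.113.10
2013-07-22T11:00:04 LOGIN_FAILED user=root ip=203.0.113.10
2013-07-22T11:00:05 LOGIN_FAILED user=test ip=203.0.113.10
2013-07-22T11:00:20 LOGIN_FAILED user=dave ip=198.51.100.7
2013-07-22T11:00:25 LOGIN_FAILED user=dave ip=198.51.100.7
2013-07-22T11:00:30 LOGIN_OK user=dave ip=198.51.100.7
2013-07-22T11:05:01 LOGIN_FAILED user=admin ip=203.0.113.99
2013-07-22T11:05:02 LOGIN_FAILED user=admin ip=203.0.113.99
2013-07-22T11:05:03 LOGIN_FAILED user=admin ip=203.0.113.99
2013-07-22T11:05:04 LOGIN_FAILED user=admin ip=203.0.113.99
2013-07-22T11:05:05 LOGIN_FAILED user=admin ip=203.0.113.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAILED|LOGIN_OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, event, user, ip); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["ip"]


def detect_brute_force(text, threshold=5, window=timedelta(minutes=1),
                       block_for=timedelta(minutes=30)):
    """Return {ip: (blocked_at, block_until)} for every IP that produced at
    least `threshold` failures inside any `window`.

    Blocks carry an expiry on purpose: a dynamically assigned address that
    the attacker has already abandoned should stop being punished, which
    limits the collateral damage to legitimate users the reply warns about.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures in the window
    blocks = {}
    for ts, event, _user, ip in parse_events(text):
        if event != "LOGIN_FAILED":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in blocks:
            blocks[ip] = (ts, ts + block_for)
    return blocks


def is_blocked(blocks, ip, now):
    """Enforcement-side check: an IP is blocked only until its entry expires."""
    entry = blocks.get(ip)
    return entry is not None and now < entry[1]


def suspicious_prefixes(blocks, prefixlen=24, min_ips=2):
    """Group blocked IPs by network so the operator can see when an attacker
    is rotating inside one IP block, where a wider rule buys more time."""
    nets = defaultdict(list)
    for ip in blocks:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        nets[str(net)].append(ip)
    return {net: sorted(ips) for net, ips in nets.items() if len(ips) >= min_ips}


def iptables_rules(blocks):
    """Render the block list as iptables commands, one DROP rule per IP."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocks)]


if __name__ == "__main__":
    found = detect_brute_force(SAMPLE_LOG)
    for ip, (start, until) in found.items():
        print(f"block {ip} from {start} until {until}")
    print("rotating inside:", suspicious_prefixes(found))
    print("\n".join(iptables_rules(found)))
```

Run against the sample, the two attacker addresses are blocked and the legitimate user who mistyped twice is not; both attackers fall into 203.0.113.0/24, which is the signal the reply describes for going up to the IP block rather than chasing single addresses. The same sliding-window logic applies to Windows Security log failed-logon events if the parser is pointed at the server logs the reply suggests checking for RDP attempts.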