EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #10161

Re: [EP-tech] DDoS on simple search

• To: <eprints-tech@ecs.soton.ac.uk>, Martin Brändle <martin.braendle@uzh.ch>
• Subject: Re: [EP-tech] DDoS on simple search
• From: David R Newman <drn@ecs.soton.ac.uk>
• Date: Fri, 27 Jun 2025 10:56:13 +0100

Hi Martin,

I have to admit, I was surprised that simple search had been somewhat untouched during the DDoS that has been occurring on some repositories' advanced search.  I assume like the DDoS on advanced search, the range of IPs is so wide that it is impossible to block without blocking large chunks of the Internet.

The interesting thing here is that unless you have bespoke configured your simple search, the search _expression_ (i.e. exp in the GET header) looks like what I would expect to see for an advanced search, below is a more like what I would expect to see for a simple search:

/cgi/search/simple?screen=Search&_action_search=1&exp=0%7C1%7C-date%2Fcreators_name%2Ftitle%7Carchive%7C-%7Cq%3A%3AALL%3AIN%3Afrog%7C-%7C&order=-date%2Fcreators_name%2Ftitle&search_offset=20

As the only search field in simple search is usually called 'q'.  Approve is a search for the word frog as this appears regularly in the test data.  It looks like they are using the same _expression_ that might use on advanced search and sending it simple search.  Therefore, it may be sufficient to modify the  LocationMatch from "^/cgi/search/archive/advanced" to just "^/cgi/search/" and then the if statements on the QUERY_STRING inside would apply to search expressions for any search.  Obviously, even though the search _expression_ used on simple search looks like that for advanced search, it may not exactly match those previous DDoS search requests that you originally blocked.

Regards

David Newman

CAUTION: This e-mail originated outside the University of Southampton.

CAUTION: This e-mail originated outside the University of Southampton.

Dear all,

 

after the attack on advanced search, we see now a similar attack on simple search. That was for a while under our radar, hidden by the attacks from alibaba-inc.com.

 

grep -c /cgi/search/simple /var/log/httpd/access_log_zora-20250*

/var/log/httpd/access_log_zora-20250403:272

/var/log/httpd/access_log_zora-20250410:225

/var/log/httpd/access_log_zora-20250417:848

/var/log/httpd/access_log_zora-20250424:474

/var/log/httpd/access_log_zora-20250501:531

/var/log/httpd/access_log_zora-20250508:1249

/var/log/httpd/access_log_zora-20250515:1660

/var/log/httpd/access_log_zora-20250522:2277

/var/log/httpd/access_log_zora-20250529:1565

/var/log/httpd/access_log_zora-20250605:6203

/var/log/httpd/access_log_zora-20250612:50389

/var/log/httpd/access_log_zora-20250619:44590

/var/log/httpd/access_log_zora-20250626:73182

 

(numbers of accesses to cgi/search/simple is usually very low in our case because we don’t offer the link to /cgi/search/simple in a user’s browser because of our use of Elasticsearch as main search engine).

 

The queries are of a similar format as with advanced search: filling in some terms in the search field and cycling through pages, e.g.

 

/cgi/search/simple?_action_search=1&cache=22035948&exp=0%7C1%7C-date%2Fcreators_name%2Feditors_name%2Ftitle%7Carchive%7C-%7Cq%3Aabstract%2Fbook_title%2Fcreators_name%2Fcreators_orcid%2Fdate%2Fdocuments%2Fdoi%2Feditors_name%2Feditors_orcid%2Fisbn%2Fkeywords%2Fpublication%2Fpubmedid%2Ftitle%3AALL%3AIN%3Aulrich+mehnert%7C-%7Ceprint_status%3Aeprint_status%3AANY%3AEQ%3Aarchive%7Cmetadata_visibility%3Ametadata_visibility%3AANY%3AEQ%3Ashow&order=-date%2Fcreators_name%2Feditors_name%2Ftitle&screen=Search&search_offset=60

 

Measures taken: Similar to https://www.eprints.org/eptech/msg10122.html

 

Kind regards

 

Martin

 

--

Dr. Martin Brändle
Zentrale Informatik
Universität Zürich
Pfingstweidstrasse 60B
CH-8005 Zürich

mail: martin.braendle@uzh.ch
phone: +41 44 63 56705
https://orcid.org/0000-0002-7752-6567
https://www.zi.uzh.ch

 

Interessiert an Neuigkeiten zu Open Science an der UZH?

Folgen Sie UZH Open Science auf LinkedIn

 

 

*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/

• Follow-Ups:
  • Re: [EP-tech] DDoS on simple and advanced search
    • From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>

• References:
  • [EP-tech] DDoS on simple search
    • From: Martin Brändle <martin.braendle@uzh.ch>

• Prev by Date: [EP-tech] DDoS on simple search
• Next by Date: Re: [EP-tech] Ask about upload error and https
• Previous by thread: [EP-tech] DDoS on simple search
• Next by thread: Re: [EP-tech] DDoS on simple and advanced search
• Index(es):
  • Date
  • Thread