My site was recently attacked. What do I do?

Solution 1:

What type of software are you running on your site? Are these comment fields custom built, or some popular software package? Most popular packages have plugins to help defeat (known) spambots. If it's custom built, adding a CAPTCHA would definitely help cut down on spam.

Furthermore, if you know the "user's" IP, block it from your site (if you have that ability) and report it to your webhost (assuming you are hosted by a remote company.) Your host will (read: should) be glad to block 16,000 extra requests. Especially if you're on a shared host, as it may impact the performance of their other customers.

Solution 2:

First, try to find out what they did. Did they manage to inject code or SQL? Did they modify your DB? Did they get access to data to which they shouldn't have access?

Your descriptions sound like they did only some random "attacks" without doing real harm. In that case, try to set up a defense for those attacks against which you were not secured yet. So arm your forum with some captchas.

Prevent: captchas can help. There are also tools which check your website against some security problems. You may want to use such a tool.

Alert/Limit: depends on the environment and your hoster. You can always add an IP check to your pages and simply return an access denied for specific IPs, but a) I guess the IP will not be fixed and next time, someone innocent will get the IP and b) there are often several users behind one IP (company proxies). So blocking an IP doesn't seem to be a good idea.

Solution 3:

If you're using Linux, 'iptables' allows you great freedom in choosing a policy for throttling new connections from IP addresses or IP address ranges. Try:

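    # Accept new connections to port 80 at up to 120 per minute (one limit shared by all clients)
    iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 120/minute -j ACCEPT
    # Drop new connections above that rate; packets of established connections are not matched here
    iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j DROP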
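
The rate limit from Solution 3, modelled as a token bucket in Python; this is an added example, not code from any of the answers. It compares one bucket shared by all clients with one bucket per source address, using the rule's 120/minute rate and iptables' default burst of 5; the class, the function names and the sample traffic are constructed for illustration.

```python
# Added example, not from the answers; all names here are hypothetical.
CREDITS_PER_TOKEN = 60_000  # one request costs 60,000 credits


class SourceLimiter:
    """Token bucket with integer credits, one bucket per key."""

    def __init__(self, per_minute=120, burst=5, per_source=True):
        self.per_ms = per_minute              # credits earned per millisecond
        self.cap = burst * CREDITS_PER_TOKEN  # full bucket = `burst` requests
        self.per_source = per_source
        self.buckets = {}  # key -> [credits, last_ms]; expire idle keys in real use

    def allow(self, ip, now_ms):
        """Return True if a new request from ip at now_ms is accepted."""
        key = ip if self.per_source else "*"  # "*" is the single shared bucket
        bucket = self.buckets.setdefault(key, [self.cap, now_ms])
        # Refill for the time elapsed, never above the burst size.
        earned = (now_ms - bucket[1]) * self.per_ms
        bucket[0] = min(self.cap, bucket[0] + earned)
        bucket[1] = now_ms
        if bucket[0] >= CREDITS_PER_TOKEN:
            bucket[0] -= CREDITS_PER_TOKEN
            return True
        return False


def replay(events, per_source):
    """Count accepted requests per IP for (time_ms, ip) events in time order."""
    limiter = SourceLimiter(per_source=per_source)
    accepted = {}
    for now_ms, ip in events:
        accepted.setdefault(ip, 0)
        accepted[ip] += limiter.allow(ip, now_ms)
    return accepted


# Constructed traffic: a bot sending 50 requests a second for 10 seconds,
# and one visitor making three requests in the same period.
BOT, VISITOR = "203.0.113.7", "198.51.100.20"
EVENTS = sorted([(i * 20, BOT) for i in range(500)]
                + [(2010, VISITOR), (5010, VISITOR), (8010, VISITOR)])

if __name__ == "__main__":
    print("shared bucket:", replay(EVENTS, per_source=False))
    print("per source:   ", replay(EVENTS, per_source=True))
```

With this traffic the shared bucket accepts 24 bot requests and none from the visitor, while per-source buckets accept the same 24 plus all three visitor requests. In iptables, per-source limiting is what the hashlimit match provides; the limit match keeps a single bucket per rule.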