Detect Hacking attempts with Google Analytics
If someone was attempting to break into YOUR site, use YOUR bandwidth, or even use YOUR site to launch attacks against OTHER sites, would you know? How would you know? When would you know?
Would you be able to detect the attack and stop it before it caused any damage? Or would you be stuck trying to cleanup after the attack was finished?
Recently at SEER Interactive, while examining some unusual traffic to a client’s website, we discovered that Google Analytics was recording an attack against the site as legitimate traffic. With a little digging we found several key indicators that can help you determine whether the traffic to your site is genuine visitors, or whether some of it is an attack against your site. Also included in this post is a recommendation on how to handle an attack once discovered, and at the end of the post is an alert you can set up in Google Analytics that should email you if someone starts launching attacks against your site.
The site we were examining recently had a dramatic increase in direct traffic without an outside event to explain the increase such as a newsletter, TV appearance or marketing campaign. Since direct traffic gives us very little information, the best place to start is the Visitor report. Once inside the Visitor report, we can take a look at the map overlay, drilling down to the city level to see which cities are responsible for sending the most traffic to your site.
Carefully examine the top cities in this report. Do they seem appropriate as your top cities? Is the amount of traffic from them much greater than from the rest of the cities sending you traffic? This is the first sign that you are suffering from an attack, as these top cities can be the launching point for the attack.
You will often see a sudden sharp increase in traffic, starting on the day the attack was launched.
(Image no longer available)
Hmmm… Does this graph look strange? It should!
Simply seeing an increase in traffic from a city is not in itself enough evidence to say that your site is being attacked. If you drill down into the city report itself there may be a couple more indications that your site is being attacked. These factors are also useful if the attack has been sustained for a long period of time and there is no sudden sharp increase of traffic to alert you to it.
(Image no longer available)
- Pages / Visit will be closer to 0 than site average.
- Time on Site will be closer to 0 seconds than site average.
- % Of New Visitors will be closer to 100% than site average.
- Bounce Rate for your site will be closer to 100% than site average.
Why do these numbers indicate that your site is suffering from some kind of an attack?
Most bots do not maintain sessions.
Since bots do not maintain sessions, each time the bot queries your site it appears as a new visitor, who immediately leaves, resulting in a bounced visit. This is also why the attack shows up as direct traffic in your reports. If you receive a significant number of these visits your numbers will be skewed to look like the results listed above.
It’s important to note that depending on the amount of traffic your site gets, and the nature of your site, you may not see all of these trends. However if you see a significant difference in these stats compared to other referring cities there is a good chance that your site is being attacked.
What Next?
You have determined that your site is suffering from an attack, or you suspect that it might be. What are your next steps?
Since Google Analytics is just a reporting system, and it cannot collect the IP addresses of visitors, Google Analytics cannot do anything besides alert you that your site is suffering from an attack.
Since you can’t use Google Analytics for this, the best idea is to contact your hosting company. If you give your hosting company the cities from which you believe the attack is originating, they should be able to determine what IP addresses the attacks are coming from and block them, thus ending the attack.
Google Analytics Alert
If you would like to set up an alert in Google Analytics Intelligence to email you if any of this behavior is detected, follow these steps:
- Login to the Google Analytics profile you wish to set up the alert on.
- Select “Intelligence” (beta) from the left navigation.
- Select “Create Custom Alert”.
- Enter an Alert name such as “Hacking Monitor”.
- Select Period -> Day
- Check Receive Email Alert
Now for the fun part, the alert itself! Do not include quotes when entering these values in Google Analytics.
- Select this applies to -> “City”
- Select Condition -> “Matches Regular Expression”
- Enter Value -> “.*”
- Select Alert me when -> “Visits”
- Condition -> “% Increases by More than”
Example Alert:
(Image no longer available)
The final two values of this alert will depend on your preferences and your website. If your website doesn’t receive much traffic you are probably safe putting a high value here (500%+ increase), as any attack will likely produce an increase of that size. However, if you run a larger website you’ll need to decrease this number, since the attack will be a smaller percentage of the traffic from that city. The last value selects whether to compare to the previous day or to the same day the previous week; this will depend on the traffic patterns of your website.
The end result of this alert: whenever any city sends you a dramatic increase in traffic, the primary indicator of an attack on your site, Google Analytics sends you an email alert.
The last thing to keep in mind is that this alert will only let you know of hacking attacks that run JavaScript. If the attacks do not run JavaScript then the Google Analytics code snippet will not trigger and the attack will not be recorded as a visit.
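As an added example (not part of the original post or of SEER’s tooling), the Python below applies the four indicators from the city report and the per-city percentage-increase rule of the alert to constructed session records; the city “Botville”, the dates and all figures are made up for illustration, and sessions are tuples rather than real Google Analytics exports.

```python
from collections import Counter, defaultdict

# Constructed sample sessions: (day, city, pages viewed, seconds on site, new visitor).
# "Botville" is a made-up city with the bot profile described in the post.
SESSIONS = [
    ("2010-07-25", "Philadelphia", 4, 180, False),
    ("2010-07-25", "Philadelphia", 2, 60, True),
    ("2010-07-25", "Botville", 3, 90, True),
    ("2010-07-26", "Philadelphia", 3, 120, False),
    ("2010-07-26", "Philadelphia", 5, 240, True),
    ("2010-07-26", "Philadelphia", 1, 0, True),
] + [("2010-07-26", "Botville", 1, 0, True)] * 20

def metrics(sessions):
    """Pages/visit, time on site, % new visitors and bounce rate for one group."""
    n = len(sessions)
    return {
        "pages_per_visit": sum(s[2] for s in sessions) / n,
        "time_on_site": sum(s[3] for s in sessions) / n,
        "pct_new": 100.0 * sum(1 for s in sessions if s[4]) / n,
        "bounce_rate": 100.0 * sum(1 for s in sessions if s[2] == 1) / n,
    }

def suspicious_cities(sessions, day):
    """Cities matching all four indicators relative to that day's site average."""
    todays = [s for s in sessions if s[0] == day]
    site = metrics(todays)
    groups = defaultdict(list)
    for s in todays:
        groups[s[1]].append(s)
    flagged = []
    for city, rows in groups.items():
        m = metrics(rows)
        if (m["pages_per_visit"] < site["pages_per_visit"]
                and m["time_on_site"] < site["time_on_site"]
                and m["pct_new"] > site["pct_new"]
                and m["bounce_rate"] > site["bounce_rate"]):
            flagged.append(city)
    return sorted(flagged)

def visit_increase_alerts(sessions, day, prev_day, threshold_pct=500.0):
    """Same rule as the GA alert: cities whose visits rose by more than threshold_pct."""
    today = Counter(s[1] for s in sessions if s[0] == day)
    before = Counter(s[1] for s in sessions if s[0] == prev_day)
    alerts = {}
    for city, n in today.items():
        prev = before.get(city, 0)
        # No traffic on the comparison day is treated as an unbounded increase.
        pct = float("inf") if prev == 0 else 100.0 * (n - prev) / prev
        if pct > threshold_pct:
            alerts[city] = pct
    return alerts
```

Comparing `prev_day` to the same weekday a week earlier instead of yesterday reproduces the alert’s other comparison option.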
Have you noticed this kind of activity on your site before? Do you make use of any other Google Analytics alerts to protect against foul play?
Comments and Questions welcome!
Posted: 07.26.10

Jose Uzcategui:
Thanks Andrew for the great tip.
To my knowledge, we haven’t experienced any serious security threats or attacks. Either way, I think it’s a good alert to have just in case :)
Brian Clifton:
Nice lateral use of GA here :)
One comment – if a bot doesn’t set cookies, Google Analytics will not be able to track/report on the visit – it needs *both* JavaScript and cookies in order to receive data.
Julien Coquet:
Nice post Andrew!
Of course, you could complement this method with server-side GA tracking (with mobile tracking for instance) ;-)
Cheers,
Julien
Rat Mort:
Thanks for sharing these tips, but I don’t think analytics is the best tool to do such monitoring. It is nice to understand how “Intelligence” works in Analytics, but in my opinion, hacking detection should be linked to a specific action to be efficient, like banning the IP, or redirecting the hacker to a temporary page for a while to limit bandwidth. Analytics is not designed for that at all.
When do you receive the email? In real time, or once the data are processed, a few hours to 24 h later?
Jason Smith:
Great advice and the useful email alert. Forewarned is to be forearmed. Thanks
Andrew Burke:
@Jose
Glad to be of help! Hopefully you won’t need it but as you said good to have just in case.
@Brian
Thanks for the catch, I’ve updated the post to reflect this.
@Julien
You certainly could, this would help you detect non-JavaScript attacks as well.
@Rat
You are right; analytics isn’t the best tool to use to monitor hacking. However, oftentimes web analysts are consultants who either do not have direct access to a client’s server, or do not know how to set up the anti-hacking techniques you mentioned. This is just a way for a web analyst to detect an attack; further measures must be taken to stop it. You should receive the email alert sometime the next day once Google Analytics has finished processing the previous day’s data.
@Jason
You’re quite welcome!
SEO Brighton:
Great article – I suspected one of my sites had been hacked and followed the Google Analytics alert suggestion and it worked – thank you so much :)
Andrew Burke:
@SEO Brighton
Glad to hear it was of help!
maurice:
Well, this is only going to detect traffic on port 80 – say a brute-force attack to guess passwords or a DDoS.
It’s not going to replace a proper ICE system.
Iyabo:
This is so good to know. I have experienced some unusual spikes on some of my sites which I really can’t explain. This makes it all easier, Andrew, thanks.
I will have to do this and see how it works out.
Thank you for this insightful post.
Hal1:
Hacking on site caused endless tech headaches but hijacked pages did not cache.
Beware the single client sign-on. Turns out Drupal Open Source really is open source unless you change the setting.