DoS attacks


16 replies to this topic

#1 arbman

arbman

    Quant

  • Traders-Talk User
  • 19,504 posts

Posted 02 March 2007 - 12:47 AM

Enough already! Mark, if you can publish the IPs of the servers attacking this website, I would like to start a counter attack, I have access to a pipeline with a wide bandwidth and I believe I can at least try to take them down. At least we can slow them down to a point that they can not attack anymore as much. If I can't succeed, I believe we can do it all together even from our home computers. First, I want to try a few scripts to see how effectively I can cripple their servers. I am sure everyone here would like to do something about it, actually if you have a simple broadband service, we can, we just need to coordinate the timing... - kisa

#2 Jnavin

Jnavin

    Member

  • TT Member*
  • 2,126 posts

Posted 02 March 2007 - 12:56 AM

Please let me know how I can help.

#3 Russ

Russ

    Member

  • Traders-Talk User
  • 7,196 posts

Posted 02 March 2007 - 01:31 AM

Good plan Kisa. Must go on the offensive when under attack, must be an Art of War thing.
"Nulla tenaci invia est via" - Latin for "For the tenacious, no road is impossible".
"In order to master the markets, you must first master yourself" ... JP Morgan
"Most people lose money because they cannot admit they are wrong"... Martin Armstrong



http://marketvisions.blogspot.com/

#4 arbman

arbman

    Quant

  • Traders-Talk User
  • 19,504 posts

Posted 02 March 2007 - 02:30 AM

I wonder if these are a few university kids abusing the labs or more expert types. Any attack from the static IPs will also expose them, it is better done through a large pipeline or several ISPs that will not be affected by a counter attack. I administered several networks during my college years, I know how stupid these kids can be, they leave traces all over the place, but I have this suspicion that they are a bit more than that, especially if these are related to the recent global attacks. The best action is to find the originating servers and report to their authorities (by reverse IP mapping to the domain name), they would eventually ban the access to the malicious users, if it is that simple. Otherwise, starting a counter attack through several IPs and we have at least 100 people here visiting daily, should be a matter of minutes to hours to take them down. All you need is a multi-threaded program that sends a couple thousand packets per second, and if coordinated via a 100 people here for about an hour, the attacking gateway server would be crippled, hopefully crashes. This generally wouldn't interrupt you much from working though... Whoever is doing this has actually researched the traders-talk server and used especially the search queries, this is very deliberate since it exhausts the server the most. - kisa

#5 Sentient Being

Sentient Being

    Member

  • Traders-Talk User
  • 4,262 posts

Posted 02 March 2007 - 03:16 AM

This may fall under the heading of two wongs don't make a wright? :rolleyes: Speaking of getting it wong, I got stopped out of my effort at real estate with a loss, dang market dipped low below the trend, took me out then popped back above the trend line. Oh that pisses me off. Now I have to update my blog, when I get home and get some sleep, with a failure.
In the end we retain from our studies only that which we practically apply.

~ Johann Wolfgang Von Goethe ~

#6 pdx5

pdx5

    I want return OF my money more than return ON my money

  • Traders-Talk User
  • 9,527 posts

Posted 02 March 2007 - 03:24 AM

Kisa...I am retired and have plenty time on my hands....well at least until weather gets better for golf LOL Just show me what I can do to help.
"Money cannot consistently be made trading every day or every week during the year." ~ Jesse Livermore Trading Rule

#7 DRYALLS

DRYALLS

    Member

  • Admin
  • 193 posts

Posted 02 March 2007 - 04:32 AM

Enough already!

Ditto.

This is not one or 2 IPs who are attacking. There have been attacks from every continent on the planet (except possibly Australasia), from countries some of whom embrace democracy, some of whom do not. Over the last couple of weeks, we have banned HUNDREDS of IPs. I wish I could tell you that there's a consistent pattern so I can ban whole ranges of addresses, but there isn't.

The attackers are not exhausting the search queries. Switching off search here was to just help the CPU have some extra grunt when the attacks get blocked, and we get hit with a surge of legitimate people who want information. That's when we need the CPU. When we're being flooded by attacks, the CPU load is low because of the network bottleneck.

At the moment, the average number of visits to the site is double our run rate. On bad days, it is a factor of 3 or 4 more, on 2 especially bad days, it's been 6.

All we can do is hope that these people are going to get bored and try and break somebody else's site. All this time they have NEVER seen an error 500 returned (which would tell them they've crashed the server), in my opinion that's what they're trying for.

But that ain't gonna happen.

We ARE contacting the attackers' ISP about their abuse of the internet.

If you really want to help, make a BIG donation from your retirement fund, and we'll be able to put some much more serious barriers in their way. ;)
Oh, I said "I'm so happy, I could die."
She said "Drop dead," then left with another guy.
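The range-ban question raised in the post above (whether banned addresses cluster tightly enough to block whole prefixes), as an added example that is not part of the original post or the site's own tooling. The ban lists are constructed from reserved test addresses, and the `/24` prefix length and `min_hits` threshold are assumptions:

```python
import ipaddress
from collections import Counter

# Constructed sample data (RFC 1918 / RFC 5737 addresses, not real attackers).
SCATTERED = [f"10.{i}.{(i * 7) % 256}.{(i * 13) % 256}" for i in range(40)]
CLUSTERED = [f"192.0.2.{i}" for i in range(1, 31)] + SCATTERED[:10]


def range_ban_candidates(banned, prefix_len=24, min_hits=5):
    """Return {network: hits} for prefixes holding at least min_hits banned IPs."""
    counts = Counter(
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        for ip in set(banned)
    )
    return {net: n for net, n in counts.items() if n >= min_hits}


def coverage(banned, candidates):
    """Fraction of distinct banned IPs that the candidate range bans would cover."""
    unique = {ipaddress.ip_address(ip) for ip in banned}
    if not unique:
        return 0.0
    covered = sum(1 for ip in unique if any(ip in net for net in candidates))
    return covered / len(unique)


def collateral(candidates):
    """Addresses in each candidate range that never appeared in the ban list."""
    return {net: net.num_addresses - hits for net, hits in candidates.items()}


def summarize(banned, prefix_len=24, min_hits=5):
    """One-line verdict: how many ranges, how much they cover, what they cost."""
    cands = range_ban_candidates(banned, prefix_len, min_hits)
    return {
        "ranges": len(cands),
        "coverage": coverage(banned, cands),
        "collateral": sum(collateral(cands).values()),
    }


if __name__ == "__main__":
    for name, ips in (("scattered", SCATTERED), ("clustered", CLUSTERED)):
        print(name, summarize(ips))
```

A widely distributed ban list yields no candidate ranges and zero coverage, which is the situation the post describes; the collateral figure shows how many unrelated addresses a range ban would also block.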


#8 bobalou

bobalou

    Member

  • Traders-Talk User
  • 1,878 posts

Posted 02 March 2007 - 04:52 AM

I'm in .. a ?? how does bernie's ad come up when I thought I had it blocked...how does that work......I'm starting to see him in my sleep.....

#9 arbman

arbman

    Quant

  • Traders-Talk User
  • 19,504 posts

Posted 02 March 2007 - 05:04 AM

It almost sounds like a bad joke, perhaps somebody hid a redirection in one of the banner ads or something that circulates around the web and every time that somebody either clicks on or opens the page with the ad, perhaps there is a hidden request that also bounces over here from the server hosting the ad or banner. Is it a bitter advertiser that is kind of taking a revenge here? This could explain why you are getting very random IPs, did you do an nslookup on the IPs? Are they registered sites? Is it possible for you to post 15-20 of the recent IPs you blocked? Thanks for your hard work...

Edited by kisacik, 02 March 2007 - 05:07 AM.


#10 Sentient Being

Sentient Being

    Member

  • Traders-Talk User
  • 4,262 posts

Posted 02 March 2007 - 05:16 AM

Ditto.

This is not one or 2 IPs who are attacking. There have been attacks from every continent on the planet (except possibly Australasia), from countries some of whom embrace democracy, some of whom do not. Over the last couple of weeks, we have banned HUNDREDS of IPs. I wish I could tell you that there's a consistent pattern so I can ban whole ranges of addresses, but there isn't.

The attackers are not exhausting the search queries. Switching off search here was to just help the CPU have some extra grunt when the attacks get blocked, and we get hit with a surge of legitimate people who want information. That's when we need the CPU. When we're being flooded by attacks, the CPU load is low because of the network bottleneck.

At the moment, the average number of visits to the site is double our run rate. On bad days, it is a factor of 3 or 4 more, on 2 especially bad days, it's been 6.


Is it possible this is something else? I can't imagine this site would be the victim of such a relentless attack. Maybe it's automated and spreading. Like a virus that moves around and keeps other computers going back to you? So they kick off the attack and it spreads and grows with no effort on their part? Are they able to store any data on your system or have they cached any ad graphics on your system? I've heard of some sneaky ad programs that can create a D.O.S. like result. I think they park or use ads on your system to then feed their AD WARE that spreads from system to system. The Ad Ware has you as one possible site to snag the ad from and once it spreads wide enough you wind up with a denial of service like situation.

Hey, I don't know. I'm not trained in this stuff. But I've heard a few things. You guys have your hands on it so you probably have eliminated a lot of stuff.

Edited by Sentient Being, 02 March 2007 - 05:21 AM.

In the end we retain from our studies only that which we practically apply.

~ Johann Wolfgang Von Goethe ~