Short downtimes
Jan 30 2007, 07:49 PMHello,
Some bad news.
Over the past 2 days or so, the server has been hit with 3 short Denial of Service attacks. You can read more about it there. They haven't lasted more than 20 minutes or so, but this is still a while and I felt I needed to post about it.
You might have noticed the site loading slow, or you get a "too many connections" errors, or other various errors on loadup -- that's the purpose of this news post, to address that issue.
This is not an attack on the bandwidth -- but rather the server CPU resources. A flood of the HTTP server with lots and lots of connections to use up everything, rendering pages unavailable.
I am monitoring things and I hope to pinpoint who is doing it, and what can be done to stop it. I will probably be installing a new firewall software which will hopefully mitigate it. I already had setup software and the router settings to prevent attacks, but they are not working in this case.
As a note, these attacks are not dangerous in a sense that they cause data loss. It does not harm the system or any of the files, all of that stays safe. The problem is that they prevent me from getting the site, and other services to you.
Thanks for your time and patience, and apologies for any inconveniences.
Jan 30 2007, 07:52 PM
thanks for posting this
*hamlin11fan kicks those idiots
Jan 30 2007, 08:00 PM
This smells like robie
Jan 30 2007, 08:02 PM
teengeek, I know who you REALLY are. Jcink won't believe me, but I know the truth which lies in plane site. and yes, "plane" not "plain".
Jan 30 2007, 08:02 PM
yea it just happend a few mins ago
Jan 30 2007, 08:03 PM
QUOTE (Teengeek @ January 30, 2007 09:00 pm) This smells like robie
then leave the forums and clean it.
Jcink, any ideas who this could be? (besides Teengeek's person?) Also if you can't stop this, what are some of the predicted larger risks and ways you can stop this?
Jan 30 2007, 08:12 PM
DM what are you talking about
and Can are you watching the shoutbox he is installing an APF that will stop em COLD
Jan 30 2007, 08:15 PM
QUOTE (Teengeek @ January 30, 2007 09:12 pm) DM what are you talking about
and Can are you watching the shoutbox he is installing an APF that will stop em COLD
I tend to stay clear of the shout box, it seems to turn into a crazy ride every time I try to follow it. As soon as I read something, I refresh, and theres about 80 new shouts made by 3 people.
Jan 30 2007, 08:25 PM
QUOTE Jcink, any ideas who this could be? (besides Teengeek's person?)
I honestly don't know. I don't want to make any possible accusations right now until I have more information.
QUOTE Also if you can't stop this, what are some of the predicted larger risks and ways you can stop this?
Well, if I can't stop it, that'll be pretty bad... though I have faith that I'll find ways to stop it. I have some things in mind, when I get there, I'll figure out what the next step may be. If it gets very bad, I may even contact my ISP.
For now, this is what I have done:
Installed and configured APF Firewall.
http://www.webhostgear.com/61.html
It seems to work great. I set up the AntiDoS protection w/ DoS log, and I know where all the stuff is, it looks like a great firewall. So that way I can possibly catch these people. Also I tested the IP blocker myself and it works nicely so everything is a-go in that department. Even if it doesnt work the firewall is fantastic for server security so I'm keeping it.
Right now I have 2 measures against DoS attacks. One that is weak, another that seems to be stronger but we'll see.
If THAT doesnt work... Plan B
http://deflate.medialayer.com/
DoSdeflate which works with APF.
And if THAT doesn't work... well... I don't know, I'll read around some more and see what I can do.
Jan 30 2007, 08:35 PM
Once again, Jcink owns noobs.
Jan 30 2007, 08:43 PM
QUOTE (oGarYo @ January 30, 2007 08:35 pm) Once again, Jcink owns noobs.
thats true
Jan 30 2007, 09:03 PM
i woulda said pwns noobs
Jan 30 2007, 09:57 PM
Hey Jcink,
Just wanted to make sure you didn't suspect me for the attacks or software or anything. I know I have an extremely capable program for DoS attacks, but I assure you I have not taken part in any of these attacks. I would be happy, however, to help you test DoS-defense mechanisms using the program (with permission, of course) should the need arise. Just message me when I'm around on IRC or something.
I can also suggest a few quick ways of reducing page stress--in fact, with a quick MySQL table hack you can force all pages to be sent in "printer-friendly" mode if the number of queries per second rises too high, which might be useful in this case. You might also set PHP's max execution time to 3-4 seconds or so instead of 30 or 60, which will make it go ahead and terminate slow PHP processes instead of continuing to create more, which will make it even slower.
I can also tell you that Robie, Kesha, and Pajitnov all claim as well that they don't know who's doing it, in their own channel on IRC. It's up to you whether you believe them or not.
--Irayo
Jan 30 2007, 10:05 PM
Hey,
Nope, you're not anyone who I suspected to be doing it at all. I know you don't mess around with that script, even though it has a lot of power. And that'd be very cool of you if you would help me test it... I'll hop on IRC if I get the chance.
And those suggestions are pretty good... if I have to, I will give of them a shot if I really find myself being bombarded with no hope.
Jan 30 2007, 10:07 PM
this smells robieish to me
QUOTE Kesha's stupid wiki
For the past week now, Teengeek2008 has been discussing this with me on Skype. You know, he kind of brought it up like "So why is Kesha banned, etc?" He says he saw what I did and doesn't blame me. He wanted to try to bring everyone together again. I told him he'd be opening a can of worms, and that it may be a bad idea, but he told me to just let him try. I said "alright" and he says that Kesha and you guys hang out on IRC all the time. He didn't do it very well, but at least he tried. He said he was sorry for it.
KESHA COMMENT: Teengeek is a great guy with good intentions. etc. etc.
ROBIE COMMENT: Lol Teengeek, If only you could know. Soon. Very Soon.
Jan 30 2007, 10:18 PM
i think i figured out why it went down yesterday morning because my school did somthing i got all the logs over 50 ips logged within 3 minutes i am very upset because they are trying to get me in trouble for somthing i dident do and now they did this im like WTF
im serius look in the loggs at january 29th 9:30am
http://jchill.s1.jcink.com/thelog.html
Jan 31 2007, 05:40 PM
Sorry to hear Jcink. Hope everything goes good.
Feb 1 2007, 01:43 AM
You'll now notice the server is a bit faster and doesn't crumble under high loads, even 20+. I tried to Optimize apache config file, and MySQL and it seems to have done some good for this issue. Also I am testing some things with Mod_Evasive so if you get "Forbidden" errors let me know (it should in fact email me though, but just in case).
Feb 1 2007, 06:08 AM
QUOTE (Jchill @ January 30, 2007 09:18 pm) i think i figured out why it went down yesterday morning because my school did somthing i got all the logs over 50 ips logged within 3 minutes i am very upset because they are trying to get me in trouble for somthing i dident do and now they did this im like WTF
im serius look in the loggs at january 29th 9:30am
http://jchill.s1.jcink.com/thelog.html
How do you know it's your school that did it?
Feb 2 2007, 09:10 PM
I never noticed any downtime as im always playin Diablo 2 LOD
Feb 2 2007, 09:24 PM
Past few days we've been doing well, 3 blacklisted IPs so far have been emailed me to be by the firewalls as DoS attempts. So we're doing alright.
Feb 2 2007, 11:03 PM
QUOTE (oGarYo @ January 30, 2007 08:35 pm) Once again, Jcink owns noobs.
Um, the person that attacked him is NOT a noob.
Feb 3 2007, 10:47 AM
how do you know
Feb 3 2007, 02:21 PM
Thanks for fixing it
Feb 3 2007, 11:50 PM
Is this the problem that causes:
Aborting or w.e it says
Sometimes when ppl try to acess my site it says Aborting something..
Feb 4 2007, 02:14 AM
No, that's an entirely different problem than this DoS stuff.
That means you have something your board wrappers that's causing IE to mess up.