The dev subdomain was generating a 200% load on the MySQL server, which caused the hosting account to be suspended. Unfortunately I don't know what was causing it.
Wasn't aware that there had been a problem, as I was having my own kind of downtime. (https://dl.dropboxusercontent.com/u/253164678/Sleep2.gif)
I wonder if the thing was hacked? Possible strange code?
Longstanding question with me...who is paying for keeping this site up and running?
who is paying for keeping this site up and running?
Frans Enterprises. I believe it's a Dutch conglomerate of skilled and dedicated entities.
Good morning state mate!
Is this causing a loss of Rubles, Krugerrands, Marks or Dollars? Pounds? Kroner?
Longstanding question with me...who is paying for keeping this site up and running?
The (shared) hosting is paid for by my wife and I. My blog and one or two other domains are all part of the same account. The domain name is funded through generous private contributions. There's enough for another year, but I'm open to securing the future further in advance. However, I haven't investigated if there would be any legal complications.
Keep us posted. I'm willing to help if needed. I'm a big bucks kinda guy.
(http://www.spyghana.com/wp-content/uploads/2013/08/wpid-dollars2.jpg)
Good morning state mate!
Morning, Sir.
Did you move already?
Good to know it wasn't the fault of one of my devices. :yes:
Frans Enterprises. I believe it's a Dutch conglomerate of skilled and dedicated entities.
Sorry ensbb3 but I suspect they want to dominate the world. Dutch always do that, fortunately they always fail. :)
I feel better already.
I thought I must have been banned.
I feel better already.
I thought I must have been banned.
That thought crossed my mind too. Fortunately, I have ways of checking that. Unfortunately, the wording of the display page was such that anybody would wonder if this was personal.
Here, I tried the page on other browsers-- browsers I never sign in on, so no cookies. Nope, no good. So, I went to my blog, where Franz had replied to one of my posts and therefore I had an email address to try. I wrote and asked what happened, and he replied back that there was a problem with the servers. So-- it wasn't anything I said, it wasn't personal. I didn't think it could be, I've said nothing that should give rise to a suspension. But, accounts can be hacked and it's possible a nogoodnik said some stuff under my username-- can't tell about things like that these days.
But, accounts can be hacked and it's possible a nogoodnik said some stuff under my username
Like... just what you said?
:)
Joking. :lol:
Unfortunately I don't know what was causing it.
The NSA. Or was it Putin? :irked:
:rip: I thought it was ISIS! :ninja:
Well, the host reset the bandwidth for the month. You know that high MySQL load? It was caused by something visiting about 6 pages/second along with trying to register an account a second. Besides overloading the MySQL server, it also ate all of our bandwidth for the month. After complaining the host decided to reset the bandwidth.
I can't say I'm very pleased by the host's response to the situation. We were clearly being targeted, but they don't seem to be very interested in investigating if we can know anything about the perpetrator at all, complain to their ISP, that kind of thing. Instead we were punished twice for being abused.
Edit: btw, the whole domain was being targeted.
HTTP usage thedndsanctuary.eu 18.94 Gig
HTTP usage dev.thedndsanctuary.eu (deleted) 30.16 Gig
Clearly the goal was to take out this site either through overloading the CPU or by exceeding our bandwidth. Annoyingly, thanks to the host's response they (temporarily) succeeded in doing both.
Regular bandwidth use barely even scratches 2 GB on a busy month.
uhmmm that has to be the nsa, putin and isis all together...
Welcome back. This was the seriousest downtime yet. Make your host cooperate on finding the perpetrator, Frenzie.
And thanks for taking good care of our precious intellectual material even when it was targeted :)
So somebody's trying to do a DDOS attack and the host doesn't care? Can you complain to the attacker's ISP yourself?
This "crisis" made me think that we should have an alternative way of contact.
Basically what the "Internet" was made for....
Point two, who the fuck is trying to destroy DnD?
The host is not important, the attacker is.
Unfortunately I don't know what was causing it.
The NSA. Or was it Putin? :irked:
Maybe it was a Banned Member??? (https://www.smileyfaze.tk/slides/2mafiahit02.gif)
So somebody's trying to do a DDOS attack and the host doesn't care? Can you complain to the attacker's ISP yourself?
It seems to have originated from a number of data centers in Poland and in Ukraine. I'll send off an e-mail to their abuse departments after collecting their e-mail addresses.
Maybe it was a Banned Member???
Banned members don't know how to do it / or don't have the needed resources.
I think this is more serious and I believe that I know why.
I think this is more serious and I believe that I know why.
I beg your pardon?
I think this is more serious and I believe that I know why.
I beg your pardon?
;) Competition
Something odd about these things. A couple of "lifeboat" systems went down at about the same time, came back up about the same time. Of course, DnD which is the "lifeboat" forum (or one of them, at any rate) for the old D&D boards from MyOpera-- and 2liv3 went down-- their servers couldn't even be found for awhile-- they're a sort-of-lifeboat for photos and light blogging that you don't intend anybody else to actually see (2liv3 doesn't have the concept of public availability down too well, you have to jump through fifteen hoops just to let friends see your stuff there). It could be coincidence of course. But, it's still peculiar all the same.
Banned members don't know how to do it / or don't have the needed resources.
I wouldn't be so sure about that. The attack consisted of constantly loading the user registration and unread topic pages, a couple times a second. This burns a lot of database CPU time and bandwidth without requiring much effort or bandwidth from the attacker. Anyone with half a brain could throw a script together to do that in about 5 minutes. Let that thing run non stop for a few days -> boom, bandwidth exceeded. Won't work on the likes of google or amazon but it's more than enough for small hosts like this.
So, resources needed:
- cable or DSL internet
- basic python skills
- the will to do it
So, resources needed:
- cable or DSL internet
- basic python skills
- the will to do it
Quite true. For example, when I was copying all of My Opera I was pulling in what I guess amounted to about a GB a week. This was a deliberate holding back on my part, partially to be nice to their server and partially so as not to get banned for abuse.
But in this case I think it was more misuse of a pre-made spam script.[1] Plus, don't the several different locations from which the attack originated suggest at least a VPN or two as well?
[1] Misuse of a spam script? Yes, because the goal of a spammer is to get people to click their links. You can't do that if you take a site offline by generating 50 GB of traffic in two days.
So, resources needed:
- cable or DSL internet
- basic python skills
- the will to do it
Plus an infantile mind
Plus an infantile mind
A script kiddie threw a temper tantrum.
Hey! Is otter-browser.org down now? :irked:
Hey! Is otter-browser.org down now? :irked:
It certainly looks that way.
Hey! Is otter-browser.org down now? :irked:
Works for me now.
The attack consisted of constantly loading the user registration and unread topic pages, a couple times a second. This burns a lot of database CPU time and bandwidth without requiring much effort or bandwidth from the attacker. Anyone with half a brain could throw a script together to do that in about 5 minutes. Let that thing run non stop for a few days -> boom, bandwidth exceeded.
How much brain does it take to throw together a script to watch out for such attacks, track down the real (or close enough) IP where it originates from and block it in time? I mean, don't hosts have responsibilities like this?
The attack consisted of constantly loading the user registration and unread topic pages, a couple times a second. This burns a lot of database CPU time and bandwidth without requiring much effort or bandwidth from the attacker. Anyone with half a brain could throw a script together to do that in about 5 minutes. Let that thing run non stop for a few days -> boom, bandwidth exceeded.
How much brain does it take to throw together a script to watch out for such attacks, track down the real (or close enough) IP where it originates from and block it in time? I mean, don't hosts have responsibilities like this?
It's not as easy to track down the real attacker in a DDoS attack. The whole idea there is to assemble an army of zombie machines, set them to their task and then not worry too much about getting caught--- which one of several thousand machines is the "real" attacker?
About the only defense any of us have is to set our own machines up with anti-malware so we can discover and disable any bots that get on our machines, turning our machines into zombies. I think I'm "clean" because I've done a sweep, but these days anti-malware has a job and a half staying within one step of the fiends.
It's not as easy to track down the real attacker in a DDoS attack. The whole idea there is to assemble an army of zombie machines, set them to their task and then not worry too much about getting caught--- which one of several thousand machines is the "real" attacker?
It looks like there might've been as few as a dozen IPs from about 4 or 5 different IP ranges. I'm inclined to side with ersi. More than 1 GB within a few hours from one IP made up out of thousands of requests of less than 100 kB each? You'd think that'd just be auto-blocked for a bit, if only because it was overloading the SQL server.
I'm also quite annoyed that they decided to suspend the whole account instead of just DnD and that by moving us over to cPanel last month we seem to have lost the ability to set per-domain bandwidth limits. As a matter of fact I had set it up so that DnD couldn't use more than something like 10 or 15 GB without me knowing about it, albeit I wasn't thinking of abuse at the time. Similarly, in principle no single domain could take out the whole account. The switch to cPanel went so smoothly that I didn't even notice until several days later — my wife is the one who has the account and gets the e-mails. Besides some other cPanel annoyances, apparently this is the hidden price. The host probably savors the mistaken impression they did us a favor because you had to pay €5 extra for cPanel.
Would a modest log-in interval choice help? (I've bounced back and forth between one-hour and forever… I usually re-load the Central page to see what's new, rather than threads I'm particularly interested in — so as not to "bump" their viewed numbers.) It seems unlikely, but I thought I'd ask.
The attack consisted of constantly loading the user registration and unread topic pages, a couple times a second. This burns a lot of database CPU time and bandwidth without requiring much effort or bandwidth from the attacker. Anyone with half a brain could throw a script together to do that in about 5 minutes. Let that thing run non stop for a few days -> boom, bandwidth exceeded.
How much brain does it take to throw together a script to watch out for such attacks, track down the real (or close enough) IP where it originates from and block it in time? I mean, don't hosts have responsibilities like this?
One could limit the transactions per IP per time, but that would likely result in false positives from proxy servers ( I'm not sure how much of a problem that would actually be ). Watching out for IPs that request the same thing over and over again would help but then that's trivial to get around ( which doesn't mean they're smart enough to do that though ). Putting up a warning when database activity or host bandwidth usage spikes would probably be useful but likely too slow.
Which reminds me, I think I've seen something about SMF being able to cache requests for things like the recent posts overview so they can bypass the database entirely if requested in quick succession. That wouldn't solve the bandwidth abuse but at least take load off the database and it could possibly give an indication if another, similar attack is under way.
The DB on DnD itself wasn't really being overloaded I don't think, or at least the host only said something about the smfdev database. There I'd forgotten to disable registrations and a whole bunch managed to get through the default CAPTCHA. Which makes sense; writing should be more expensive than reading.
One could limit the transactions per IP per time, but that would likely result in false positives from proxy servers ( I'm not sure how much of a problem that would actually be ).
It happens sometimes when I use Opera Turbo. I suppose it's a bit site-dependent. On a site like GitHub you might expect a whole team to be using the site from one outgoing IP at work generating tons of requests and traffic. On a forum like ours? Any IP that behaves like more than a hundred users sounds suspicious.
I don't know, perhaps just an automated e-mail to alert you a bit earlier? For instance, Google actually sent me an e-mail that the site was offline 60% of the time it tried to access it (while suspended/bandwidth limit exceeded). Yet with regard to the host I didn't find out until I visited the site for myself.
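The per-IP request and bandwidth budget discussed in the posts above, sketched as an added example that is not part of the original thread or any participant's code. It assumes an Apache/nginx common-format access log; the thresholds, the log lines from `sample_log()`, the documentation-range IP addresses and the `action=register` / `action=unread` paths in them are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip - - [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} (\d+|-)')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip malformed lines instead of crashing
    ip, ts, path, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path, 0 if size == "-" else int(size)

def find_abusers(lines, window=timedelta(seconds=60), max_requests=120,
                 max_bytes=20_000_000):
    """Flag IPs that exceed a request or byte budget inside a sliding window.
    Expects lines in chronological order, as an access log is written."""
    recent = defaultdict(deque)    # ip -> (time, bytes) entries still in the window
    window_bytes = defaultdict(int)
    paths = defaultdict(Counter)   # ip -> hits per path, to expose repetition
    flagged = {}
    for ip, when, path, size in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append((when, size))
        window_bytes[ip] += size
        paths[ip][path] += 1
        while when - q[0][0] > window:   # expire entries older than the window
            window_bytes[ip] -= q.popleft()[1]
        if ip not in flagged and (len(q) > max_requests or window_bytes[ip] > max_bytes):
            flagged[ip] = when           # first moment the budget was exceeded
    return {ip: {"over_budget_at": t, "top_paths": paths[ip].most_common(2)}
            for ip, t in flagged.items()}

def sample_log():
    """Constructed traffic: one client at 6 requests/second, one ordinary reader."""
    start = datetime(2015, 1, 1, 12, 0, tzinfo=timezone.utc)
    events = []
    for i in range(360):                 # 60 seconds at 6 requests/second
        p = "/index.php?action=register" if i % 2 else "/index.php?action=unread"
        events.append((start + timedelta(seconds=i / 6), "203.0.113.7", p, 90_000))
    for i in range(6):                   # a reader loading one page every 10 seconds
        events.append((start + timedelta(seconds=10 * i), "198.51.100.20", "/index.php", 40_000))
    events.sort(key=lambda e: e[0])
    fmt = '{} - - [{}] "GET {} HTTP/1.1" 200 {}'
    return [fmt.format(ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), p, b)
            for t, ip, p, b in events]
```

The `over_budget_at` timestamp is the point at which an alert e-mail or a temporary block could fire; the budgets have to sit well above what a shared proxy's users generate together to avoid the false positives raised in the thread.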
Hey! Is otter-browser.org down now? :irked:
Entire shared hosting was down for ~5 hours, somebody was sending spam and leaseweb decided to suspend all servers instead of sending request to deal with the culprit (and their abuse team cannot be reached too)...
This "crisis" made me think that we should have an alternative way of contact.
Basically what the "Internet" was made for....
Some IRC channel perhaps?
I was on the Otter IRC channel for a while. :P
I was on the Otter IRC channel for a while. :P
It could be a good idea to idle there more frequently. ;-)
Or maybe it would make sense to have own channel for DnD Sanctuary?
I was on the Otter IRC channel for a while. :P
It could be a good idea to idle there more frequently. ;-)
Or maybe it would make sense to have own channel for DnD Sanctuary?
Hi! I think the sites are very similar; half the time (more actually) I have no idea what people are talking about, me included - this applies to both! ;)
What do you mean by "channel" in that context by the way?
What do you mean by "channel" in that context by the way?
Simply IRC channel (http://en.wikipedia.org/wiki/Internet_Relay_Chat#Channels). ;-)
I usually re-load the Central page to see what's new, rather than threads I'm particularly interested in — so as not to "bump" their viewed numbers.) It seems unlikely, but I thought I'd ask.
You could preview the latest posts with the RSS url https://dndsanctuary.eu/index.php?action=.xml;type=rss It's possible to increase the number of posts by attaching ";limit={myfavnumber}" to the end of the url. This doesn't bump the viewed count of the thread, unless you click on a message.