Topic: We're back! (Read 12811 times)

Re: We're back!

Reply #26
Something odd about these things. A couple of "lifeboat" systems went down at about the same time, came back up about the same time. Of course, DnD which is the "lifeboat" forum (or one of them, at any rate) for the old D&D boards from MyOpera-- and 2liv3 went down-- their servers couldn't even be found for awhile-- they're a sort-of-lifeboat for photos and light blogging that you don't intend anybody else to actually see (2liv3 doesn't have the concept of public availability down too well, you have to jump through fifteen hoops just to let friends see your stuff there). It could be coincidence of course. But, it's still peculiar all the same.
What would happen if a large asteroid slammed into the Earth?
According to several tests involving a watermelon and a large hammer, it would be really bad!

Re: We're back!

Reply #27

Banned members don't know how to do it / or don't have the needed resources.

I wouldn't be so sure about that. The attack consisted of constantly loading the user registration and unread topic pages, a couple times a second. This burns a lot of database CPU time and bandwidth without requiring much effort or bandwidth from the attacker. Anyone with half a brain could throw a script together to do that in about 5 minutes. Let that thing run non stop for a few days -> boom, bandwidth exceeded. Won't work on the likes of google or amazon but it's more than enough for small hosts like this.

So, resources needed:
- cable or DSL internet
- basic python skills
- the will to do it

Re: We're back!

Reply #28
So, resources needed:
- cable or DSL internet
- basic python skills
- the will to do it

Quite true. For example, when I was copying all of My Opera I was pulling in what I guess amounted to about a GB a week. This was a deliberate holding back on my part, partially to be nice to their server and partially so as not to get banned for abuse.

But in this case I think it was more misuse of a pre-made spam script.[1] Plus, don't the several different locations from which the attack originated suggest at least a VPN or two as well?

[1] Misuse of a spam script? Yes, because the goal of a spammer is to get people to click their links. You can't do that if you take a site offline by generating 50 GB of traffic in two days.



Re: We're back!

Reply #31
Hey! Is otter-browser.org down now? :irked:

Re: We're back!

Reply #32

Hey! Is otter-browser.org down now? :irked:

It certainly looks that way.
The start and end to every story is the same. But what comes in between you have yourself to blame.


Re: We're back!

Reply #34

The attack consisted of constantly loading the user registration and unread topic pages, a couple times a second. This burns a lot of database CPU time and bandwidth without requiring much effort or bandwidth from the attacker. Anyone with half a brain could throw a script together to do that in about 5 minutes. Let that thing run non stop for a few days -> boom, bandwidth exceeded.

How much brain does it take to throw together a script to watch out for such attacks, track down the real (or close enough) IP where it originates from and block it in time? I mean, don't hosts have responsibilities like this?

Re: We're back!

Reply #35


The attack consisted of constantly loading the user registration and unread topic pages, a couple times a second. This burns a lot of database CPU time and bandwidth without requiring much effort or bandwidth from the attacker. Anyone with half a brain could throw a script together to do that in about 5 minutes. Let that thing run non stop for a few days -> boom, bandwidth exceeded.

How much brain does it take to throw together a script to watch out for such attacks, track down the real (or close enough) IP where it originates from and block it in time? I mean, don't hosts have responsibilities like this?


It's not as easy to track down the real attacker in a DDoS attack. The whole idea there is to assemble an army of zombie machines, set them to their task and then not worry too much about getting caught--- which one of several thousand machines is the "real" attacker?

About the only defense any of us have is to set our own machines up with anti-malware so we can discover and disable any bots that get on our machines, turning our machines into zombies. I think I'm "clean" because I've done a sweep, but these days anti-malware has a job and a half staying within one step of the fiends.
What would happen if a large asteroid slammed into the Earth?
According to several tests involving a watermelon and a large hammer, it would be really bad!

Re: We're back!

Reply #36
It's not as easy to track down the real attacker in a DDoS attack. The whole idea there is to assemble an army of zombie machines, set them to their task and then not worry too much about getting caught--- which one of several thousand machines is the "real" attacker?

It looks like there might've been as few as a dozen IPs from about 4 or 5 different IP ranges. I'm inclined to side with ersi. More than 1 GB within a few hours from one IP made up out of thousands of requests of less than 100 kB each? You'd think that'd just be auto-blocked for a bit, if only because it was overloading the SQL server.

I'm also quite annoyed that they decided to suspend the whole account instead of just DnD and that by moving us over to cPanel last month we seem to have lost the ability to set per-domain bandwidth limits. As a matter of fact I had set it up so that DnD couldn't use more than something like 10 or 15 GB without me knowing about it, albeit I wasn't thinking of abuse at the time. Similarly, in principle no single domain could take out the whole account. The switch to cPanel went so smoothly that I didn't even notice until several days later — my wife is the one who has the account and gets the e-mails. Besides some other cPanel annoyances, apparently this is the hidden price. The host probably savors the mistaken impression they did us a favor because you had to pay €5 extra for cPanel.

Re: We're back!

Reply #37
Would a modest log-in interval choice help? (I've bounced back and forth between one-hour and forever… I usually re-load the Central page to see what's new, rather than threads I'm particularly interested in — so as not to "bump" their viewed numbers.) It seems unlikely, but I thought I'd ask.
进行 ...
"Humor is emotional chaos remembered in tranquility." - James Thurber
"Science is the belief in the ignorance of experts!" - Richard Feynman
 (iBook G4 - Panther | Mac mini i5 - El Capitan)

Re: We're back!

Reply #38


The attack consisted of constantly loading the user registration and unread topic pages, a couple times a second. This burns a lot of database CPU time and bandwidth without requiring much effort or bandwidth from the attacker. Anyone with half a brain could throw a script together to do that in about 5 minutes. Let that thing run non stop for a few days -> boom, bandwidth exceeded.

How much brain does it take to throw together a script to watch out for such attacks, track down the real (or close enough) IP where it originates from and block it in time? I mean, don't hosts have responsibilities like this?

One could limit the transactions per IP per time, but that would likely result in false positives from proxy servers (I'm not sure how much of a problem that would actually be). Watching out for IPs that request the same thing over and over again would help but then that's trivial to get around (which doesn't mean they're smart enough to do that though). Putting up a warning when database activity or host bandwidth usage spikes would probably be useful but likely too slow.

Which reminds me, I think I've seen something about SMF being able to cache requests for things like the recent posts overview so they can bypass the database entirely if requested in quick succession. That wouldn't solve the bandwidth abuse but at least take load off the database and it could possibly give an indication if another, similar attack is under way.
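
The per-IP limit and the repeated-request check discussed in this reply, sketched as an added example that is not part of the original post or the forum's own code. It assumes Combined Log Format access logs; the thresholds, URL paths, IP addresses and sizes are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip, timestamp, request path, response size in bytes.
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} (\d+|-)')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip malformed lines instead of crashing the monitor
    ip, ts, path, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path, 0 if size == "-" else int(size)

def find_abusive_ips(lines, window=timedelta(seconds=60), max_requests=100,
                     max_bytes=10_000_000, repeat_ratio=0.1):
    """Return {ip: details} for IPs that exceed either per-window limit."""
    recent = defaultdict(deque)  # ip -> (time, path, size) tuples inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, path, size = rec
        q = recent[ip]
        q.append((when, path, size))
        while when - q[0][0] > window:  # drop requests older than the window
            q.popleft()
        reqs, total = len(q), sum(s for _, _, s in q)
        if ip not in flagged and (reqs > max_requests or total > max_bytes):
            distinct = len({p for _, p, _ in q})
            flagged[ip] = {"at": when, "requests": reqs, "bytes": total,
                           # few distinct URLs per request = same pages reloaded
                           "repetitive": distinct / reqs <= repeat_ratio}
    return flagged

def sample_log():
    """Constructed traffic (documentation IPs, made-up sizes), not real logs."""
    t0 = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)
    rows = []
    for i in range(240):  # one client, two requests a second for two minutes
        page = "register" if i % 2 else "unread"
        rows.append((t0 + timedelta(seconds=i // 2), "203.0.113.7",
                     "/index.php?action=" + page, 60000))
    for i in range(60):  # shared proxy: many readers, a different topic each time
        rows.append((t0 + timedelta(seconds=2 * i), "198.51.100.20",
                     f"/index.php?topic={i}.0", 40000))
    fmt = '{} - - [{}] "GET {} HTTP/1.1" 200 {}'
    return [fmt.format(ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), p, s)
            for t, ip, p, s in sorted(rows)]
```

With the defaults only the two-requests-a-second client in the sample is flagged. Lowering `max_requests` to 25 also flags the proxy address, the false positive raised above, but its `repetitive` field stays `False` because every request goes to a different topic.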

Re: We're back!

Reply #39
The DB on DnD itself wasn't really being overloaded I don't think, or at least the host only said something about the smfdev database. There I'd forgotten to disable registrations and a whole bunch managed to get through the default CAPTCHA. Which makes sense; writing should be more expensive than reading.

Re: We're back!

Reply #40
One could limit the transactions per IP per time, but that would likely result in false positives from proxy servers (I'm not sure how much of a problem that would actually be).

It happens sometimes when I use Opera Turbo. I suppose it's a bit site-dependent. On a site like GitHub you might expect a whole team to be using the site from one outgoing IP at work generating tons of requests and traffic. On a forum like ours? Any IP that behaves like more than a hundred users sounds suspicious.

I don't know, perhaps just an automated e-mail to alert you a bit earlier? For instance, Google actually sent me an e-mail that the site was offline 60% of the time it tried to access it (while suspended/bandwidth limit exceeded). Yet with regard to the host I didn't find out until I visited the site for myself.

Re: We're back!

Reply #41

Hey! Is otter-browser.org down now? :irked:

Entire shared hosting was down for ~5 hours, somebody was sending spam and leaseweb decided to suspend all servers instead of sending a request to deal with the culprit (and their abuse team cannot be reached either)...


This "crisis" made me think that we should have an alternative way of contact.
Basically what the "Internet" was made for....

Some IRC channel perhaps?
Nadszedł już czas, najwyższy czas, nienawiść zniszczyć w sobie.
The time has come, the high time, to destroy hatred in oneself.

Re: We're back!

Reply #42
I was on the Otter IRC channel for a while.  :P

Re: We're back!

Reply #43

I was on the Otter IRC channel for a while.  :P

It could be a good idea to idle there more frequently. ;-)
Or maybe it would make sense to have own channel for DnD Sanctuary?
Nadszedł już czas, najwyższy czas, nienawiść zniszczyć w sobie.
The time has come, the high time, to destroy hatred in oneself.

Re: We're back!

Reply #44


I was on the Otter IRC channel for a while.  :P

It could be a good idea to idle there more frequently. ;-)
Or maybe it would make sense to have own channel for DnD Sanctuary?


Hi!  I think the sites are very similar; half the time (more actually) I have no idea what people are talking about, me included - this applies to both! ;)

What do you mean by "channel" in that context by the way?

Re: We're back!

Reply #45
What do you mean by "channel" in that context by the way?

Simply IRC channel. ;-)
Nadszedł już czas, najwyższy czas, nienawiść zniszczyć w sobie.
The time has come, the high time, to destroy hatred in oneself.

Re: We're back!

Reply #46


I usually re-load the Central page to see what's new, rather than threads I'm particularly interested in — so as not to "bump" their viewed numbers.) It seems unlikely, but I thought I'd ask.



You could preview the latest posts with the RSS url https://dndsanctuary.eu/index.php?action=.xml;type=rss It's possible to increase the number of posts by attaching ";limit={myfavnumber}" to the end of the url. This doesn't bump the viewed count of the thread, unless you click on a message.