Site down due to attacks

User avatar
otseng
Savant
Posts: 20591
Joined: Thu Jan 15, 2004 1:16 pm
Location: Atlanta, GA
Has thanked: 197 times
Been thanked: 337 times
Contact:

Post #1

Post by otseng »

The site has been under attack recently by constantly overloading the web server. I've put some preventive measures in place, but it is only a short-term solution. Again, sorry for the inconvenience.
Last edited by otseng on Fri Mar 14, 2008 10:35 am, edited 1 time in total.

Post #2

Post by otseng »

The site is still under attack. I keep blocking IPs, but of course they can find new IPs to use. Still trying to find a better defense against these attacks...

Post #3

Post by otseng »

Here are some of the IPs the attacker has been using:

And this is not even the complete list!

I've contacted abuse@sbcglobal.net about it.

User avatar
McCulloch
Site Supporter
Posts: 24063
Joined: Mon May 02, 2005 9:10 pm
Location: Toronto, ON, CA
Been thanked: 3 times

Post #4

Post by McCulloch »

IP                                         | Whois Info
-------------------------------------------+-----------------------------------------------------------
24.4.31.38, 75.65.252.231, 204.210.115.209 | Comcast Cable Communications, Inc. Comcast Cable Communications BAYAREA-9
72.135.114.17, 72.135.114.17, 98.25.76.191 | OrgName: Road Runner HoldCo LLC OrgID: RRWE Address: 13241 Woodland Park Road City: Herndon StateProv: VA PostalCode: 20171 Country: US
75.65.252.231                              | OrgName: Comcast Cable Communications Holdings, Inc OrgID: CCCH-3 Address: 1800 Bishops Gate Blvd City: Mt Laurel StateProv: NJ PostalCode: 08054 Country: US
66.91.203.180                              | OrgName: Road Runner HoldCo LLC OrgID: RRWE Address: 13241 Woodland Park Road City: Herndon StateProv: VA PostalCode: 20171 Country: US
69.209.153.44, 69.208.113.43,              | AT&T Internet Services SBCIS-SIS80
69.209.133.19, 69.209.133.169,             |
69.209.137.232, 69.209.154.36,             |
69.209.156.201                             |
70.189.140.64                              | Cox Communications Inc. NETBLK-COX-ATLANTA-10
71.87.184.44                               | Charter Communications NETBLK-CHARTER-NET

User avatar
Simon_Peter
Student
Posts: 98
Joined: Wed Mar 12, 2008 7:32 pm

Post #5

Post by Simon_Peter »

Hello McCulloch,

In order to determine how to solve this problem, you must first figure out what type of attacks have been going on, and where the attacks originated from. You mentioned that the server is being "overloaded"; this could be a DoS attack. How is the server being overloaded? Are there too many visitors, which your server cannot handle? If so, then this is not malicious.

You might want to consider upgrading your hardware...

Or is it the software that is being overloaded? If so, what programs on your server are vulnerable? If you are confident it is malicious, then how is the software being maliciously attacked? If you are unsure about the details, then just do an overall update on your server's technology, which should sort this problem out. Make sure your system is systematically patched.

However, if you need to upgrade the version of your forum, then you must keep the database intact whilst you upgrade. If this forum is on a server you own and manage yourself, then it will be down to you to fix the hardware. However, if this site runs on a dedicated server which is owned by another company, the company will do this for you.

Or if this forum uses a shared server, it could be another user from a different user account on the same server that is attacking you. However, since you have provided IPs, this is obviously a remote attack, meaning that the attacker has not got an account on your server. However, just listing those IPs and whois info will do no good whatsoever.

However, since it could be your system's software that is vulnerable, it must mean the software is out of date, or inadequate for the job. If no one has been updating the software's security, or modifying it to make it more efficient, then that is a concern.

Most attackers use other machines to launch remote attacks from, called slave machines. It is highly likely that most of those machines you have listed are not the actual attackers; they could be unaware that they have been involved with a computer crime. I suggest emailing those people and letting them know that they have a possible security breach, rather than giving away confidential information.

However, some things you tell me just don't make sense. How do you know this forum is being attacked? Are you unable to connect to your forum, meaning that the server is down? The server can be down for several reasons, and one of those includes malicious attacks; however, that is not the only reason for a server to be down.

Is this forum unresponsive at times? Again, it could be malicious, but it is not the only reason...

Have you checked your bandwidth limit?
Have you asked the server admin if there is any reason for the server's downtime?
How do you know these IPs have attacked, or been used for an attack?
Are there any software bugs in your forum's programming?

Questions like these should be considered.

However, I suggest that you remove these IPs. By listing these IPs, you are telling everyone that these computers are vulnerable to attack, and will perpetuate computer crime by giving away other victims.


Kindest Regards
Simon Peter
Last edited by Simon_Peter on Thu Mar 13, 2008 11:16 am, edited 2 times in total.

Post #6

Post by otseng »

Simon_Peter wrote: In order to determine how to solve this problem, you must first figure out what type of attacks have been going on, and where the attacks originated from. You mentioned that the server is being "overloaded"; this could be a DoS attack, or it could be buffer overflows. How is the server being overloaded? Are there too many visitors, which your server cannot handle? If so, then this is not malicious.
It is definitely a malicious user.

The attacks are HTTP DoS attacks. A flood of requests from a single IP overloads the server. All requests are for the forum index page. There is no possible way a normal user would make so many requests at one time. It would require some program to do this. The attacker also I guess wants to leave his "signature" by having "lolyousuck.com" in the user agent. (For anyone with this in your user agent, you'll get automatically blocked) And as I block the offending IP, he finds a new IP to use. And he changes the user agent to another signature.

So it is definitely an intentional and directed attack against this forum.
Simon_Peter wrote: If this forum is custom coded then you might want to consider getting another forum.
Using another forum would not really be an option. There's been too much time invested in customizing this forum.
Simon_Peter wrote: If it is an attack, and this forum is on a server you own and manage yourself, then this will be down to you to fix the hardware. However, if this site runs on a dedicated server, which is owned by another company, the company will do this for you.
This site is on a VPS. So though I can't control the hardware, I do have significant control over the software.

Post #7

Post by Simon_Peter »

Hey,

Thanks for your reply

With HTTP-based attacks it is often difficult to distinguish attack traffic from legitimate HTTP requests, unless of course the attacker leaves a signature and floods from the same IP. And because this attack consumes resources from the web server, not just the system TCP/IP stack, it can quickly bring even a well-tuned web server to its knees.

So even upgrading from Apache/2.0.59 will not do the trick, and neither will banning user agents. Fortunately, most HTTP-based DoS attacks have a particular weakness: they are vulnerable to a technique known as "tarpitting". Since you're running CentOS, you can use this technique, as it only works on Linux-based systems. The quickest way to implement tarpitting is in the Linux netfilter source code. http://www.netfilter.org/

FYI: tarpitting can be configured for any HTTP DoS-based attack. Usually it's used against email spammers, slowing down the emails, but it can be configured to stop multiple user requests.

Basically, just set a packet flood limit in the iptables rules so that if a host exceeds a certain number of packets, all TCP/IP packet requests for that host are dropped.

Since you're on a VDS/VPS, I don't think there is any limitation on modifying your firewall to stop this attack.

I hope that works

Regards,
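
Before touching the firewall, the flood otseng describes in post #6 (every request for the index page, a "lolyousuck.com" user-agent signature, one source IP at a time) and the per-host flood limit Simon_Peter suggests in post #7 can both be checked against the web server's access log. The Python below is an added example, not code from the forum or its operator: it constructs its own Apache combined-format log lines, and the index-page paths, the thresholds and the sample IPs are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; the regex captures only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
INDEX_PATHS = {"/forum/index.php", "/forum/"}  # assumption: the forum's index-page paths
UA_SIGNATURE = "lolyousuck.com"                # the user-agent signature quoted in post #6

def parse_line(line):
    """Return (ip, timestamp, path, user_agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m and (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["path"], m["ua"])

def find_flooders(lines, threshold=20, window_s=10):
    """Flag an IP when it makes more than `threshold` index-page requests inside any
    `window_s`-second sliding window, or when its user agent carries UA_SIGNATURE.
    Returns {ip: sorted reasons}; an IP that trips neither check never appears."""
    recent = defaultdict(deque)   # ip -> timestamps of index-page hits still inside the window
    flagged = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, ua = parsed
        if UA_SIGNATURE in ua:
            flagged[ip].add("ua-signature")
        if path.split("?", 1)[0] not in INDEX_PATHS:
            continue              # the flood in the thread targets only the index page
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window_s:
            hits.popleft()        # expire hits that fell out of the sliding window
        if len(hits) > threshold:
            flagged[ip].add("rate-limit")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}

def make_log(ip, start, count, step_s, path="/forum/index.php", ua="Mozilla/5.0"):
    """Constructed sample log lines: `count` GETs from `ip`, `step_s` seconds apart."""
    return [f'{ip} - - [{start + timedelta(seconds=i * step_s):%d/%b/%Y:%H:%M:%S %z}] '
            f'"GET {path} HTTP/1.1" 200 5120 "-" "{ua}"' for i in range(count)]

T0 = datetime(2008, 3, 13, 10, 0, tzinfo=timezone(timedelta(hours=-4)))
SAMPLE_LOG = (make_log("203.0.113.7", T0, 30, 0.2, ua="Mozilla/4.0 lolyousuck.com")  # flood + signature
              + make_log("192.0.2.44", T0, 25, 0.3)                                     # flood, new signature
              + make_log("198.51.100.9", T0, 3, 30, path="/forum/viewtopic.php?t=6688")  # ordinary reader
              + make_log("198.51.100.10", T0, 25, 12))                                  # slow index refreshes
```

Running `find_flooders(SAMPLE_LOG)` flags only the two flooding addresses (203.0.113.7 for both the rate and the signature, 192.0.2.44 for the rate alone); the reader who refreshes the index every 12 seconds stays under the window and is left alone, which is the distinction a per-host iptables limit also has to make.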

Post #8

Post by otseng »

Simon_Peter wrote: Basically, just set a packet flood limit in the iptables rules so that if a host exceeds a certain number of packets, all TCP/IP packet requests for that host are dropped.
Good idea. I've implemented a variation on this. Let's see how well it works.

Post #9

Post by otseng »

Oh boy. Having different problems now. I've had to disable mail for the time being.

User avatar
Jian^sia
Apprentice
Posts: 178
Joined: Mon May 17, 2004 3:15 am

Inviting someone back

Post #10

Post by Jian^sia »

I don't know why I am placing this here.

But I'd like to appeal for someone. Unbar him.

This user:
http://debatingchristianity.com/forum/v ... php?t=6688

Even if he has used some nasty language or not considered the opponent's case/argument, I feel he should be given a second chance.

Thanks,
Jiansia