Slow Forums: PF Under DDOS Attack

[Borek]

Again, my IP seems to be blocked, I can use some random free proxy to connect to PF, but for some reason server doesn't like my current address. Previous post was from the IP assigned by my ISP, the one that is blocked. Pings don't pass through. Seems like nobody else has problems.

I wonder if I am not blocked because some of IPs in my range are blacklisted? They are assigned dynamically once per 24h, so blocking them doesn't make much sense.

I will try to reset modem, perhaps I will get a new IP this way.

 

[Borek]

Resetting modem helped, so there is no doubt it is IP related.

 

[I like Serena]

Resetting modem helped, so there is no doubt it is IP related.

Did you get a different IP?
Because usually you get a "lease", meaning you'll get the same IP until the lease expires.

 

[Borek]

Did you get a different IP?
Because usually you get a "lease", meaning you'll get the same IP until the lease expires.

Completely different, 79.185.*.* vs 83.6.*.*.

 

[Evo]

Resetting modem helped, so there is no doubt it is IP related.

Throws net over Borek.

Sit, stay!

Oh wait, this isn't chat.

 

[Evo]

Did you get a different IP?
Because usually you get a "lease", meaning you'll get the same IP until the lease expires.

Completely different, 79.185.*.* vs 83.6.*.*.

If you have a dynamic IP address, you'll only keep that address until you disconnect from your ISP, the next time you log on, you will be given another IP address from you ISP. ILS, is that what you mean by a *lease*?

 

[I like Serena]

Throws net over Borek.

Sit, stay!

Oh wait, this isn't chat.

:)

If you have a dynamic IP address, you'll only keep that address until you disconnect from your ISP, the next time you log on, you will be given another IP address from you ISP. ILS, is that what you mean by a *lease*?

I was just verifying that there was indeed an actual change in IP before assuming that the old IP was blocked.
It seemed unlikely that Borek wouldn't have checked, but sure is sure. :)

If you're interested, the concept of a lease in this context is for instance explained here:
http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol"

 

[Evo]

:)



I was just verifying that there was indeed an actual change in IP before assuming that the old IP was blocked.
It seemed unlikely that Borek wouldn't have checked, but sure is sure. :)

If you're interested, the concept of a lease in this context is for instance explained here:
http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol"

Ah, well I worked for AT&T that developed the internet for the US government. I worked on data networks from the early 70's. Never heard that term, we never used it. Someone posting on wikipedia wouldn't know that. <insert Aflac duck here> nah, nah. :tongue2:

This must be a term that cropped up after the 70's. (Shows how old I am). :(

 

[jhae2.718]

If, for some horrible, unfathomable reason, you are on Windows, maybe try:

ipconfig \release
ipconfig \renew

?

 

[StevieTNZ]

Ah, well I worked for AT&T that developed the internet for the US government.(

You must be smart!

 

[Borek]

If, for some horrible, unfathomable reason, you are on Windows, maybe try:

ipconfig \release
ipconfig \renew

?

My computer is not directly connected to the net, there is a router and a modem (it could be a single device, but for historical reasons there two separate ones). See traceroute output posted earlier.

So I can get a new IP from the router, but for PF I will be still using the same IP.

 

[I like Serena]

My computer is not directly connected to the net, there is a router and a modem (it could be a single device, but for historical reasons there two separate ones). See traceroute output posted earlier.

So I can get a new IP from the router, but for PF I will be still using the same IP.

Quite right!

But I believe that pathping and traceroute will not show the external IP address of your modem.
To see that you need an external server. Typically by browsing for instance to "http://www.whatismyip.com". That will tell you what your actual IP address is.
You may want to check if that changes after a reset of your modem.

Oh, and you can probably also see it on the admin web page of your modem.
Use http://<internal ip address of your modem> to see that.
Most modern modems contain a webserver to configure it.

I expect the external IP address to be dynamically assigned by the ISP. And I expect it might not change after a reset of your modem (not until the lease expires). But that really depends on how the DHCP of your ISP is set up.

(Sorry if I'm saying things here that you're already aware of.)

 

[Borek]

Quite right!

But I believe that pathping and traceroute will not show the external IP address of your modem.
To see that you need an external server. Typically by browsing for instance to "http://www.whatismyip.com". That will tell you what your actual IP address is.
You may want to check if that changes after a reset of your modem.

Actually I used my PF superpowers to check IP from which I posted - same effect. Ping and traceroute I used to check where the problem starts, and seems like I can blame PF server, not something in my path to the server.

Never seen whatismyip before, thanks for that. Now that I think about it, it is obvious someone did it, just like all those HTTP header checkers I used in the past. I guess I could setup such a site in a blink. Well, say 15 minutes, I hate browsing php manual.

I expect the external IP address to be dynamically assigned by the ISP. And I expect it might not change after a reset of your modem (not until the lease expires). But that really depends on how the DHCP of your ISP is set up.

It is dynamically assigned, and - as far as I know - it is automatically changed once a day. And as the test showed, it it assigned with each connection.

They assign IPs from two completely separate ranges, I have a feeling 79.blah.blah.blah works much better than the other one, but - as we know - the plural of anecdote is not data (thanks for LisaB for posting that).

 

[Borek]

Argh, still the same IP, again the same situation - my pings are not coming through, 100% packet lost. I am posting now using proxy.

borek@invincible ~ $ ./checkPF
PING physicsforums.com (74.86.200.109) 56(84) bytes of data.

--- physicsforums.com ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms

traceroute to physicsforums.com (74.86.200.109), 15 hops max, 40 byte packets
 1  192.168.0.7 (192.168.0.7)  0.631 ms  0.578 ms  0.540 ms
 2  10.0.0.138 (10.0.0.138)  1.008 ms  1.017 ms  0.973 ms
 3  * * *
 4  xxx.tpnet.pl (xxx.xxx.xxx.xxx)  55.796 ms  24.359 ms  30.486 ms
 5  hbg-b2-link.telia.net (213.248.89.93)  56.974 ms  41.270 ms  42.138 ms
 6  hbg-bb2-link.telia.net (80.91.246.8)  41.579 ms  45.743 ms  40.837 ms
 7  nyk-bb2-link.telia.net (80.91.247.125)  123.141 ms nyk-bb2-link.telia.net (80.91.247.123)  128.526 ms  127.521 ms
 8  dls-bb1-link.telia.net (213.155.130.209)  162.234 ms dls-bb1-link.telia.net (213.155.130.67)  224.847 ms  162.587 ms
 9  te3-3.bbr02.eq01.dal01.networklayer.com (213.248.102.174)  167.530 ms  170.632 ms  200.703 ms
10  po6.dar02.sr01.dal01.networklayer.com (173.192.18.213)  186.588 ms  165.011 ms  175.117 ms
11  po2.fcr03.sr04.dal01.networklayer.com (66.228.118.190)  169.002 ms  171.485 ms  180.097 ms
12  * * *
13  * * *
14  * * *
15  * * *[

 

[Borek]

Again - seems like modem reset and IP change helped.

This is problem only with PF, all other sites I am using work OK.

 

[Studiot]

Borek, I presume you are located somewhere in Europe, like me, so I may have been seeing similar problems during the last few days.

I have reported progress (they are all fixed now for me) in Greg's other thread.

https://www.physicsforums.com/newreply.php?do=newreply&noquote=1&p=3351219

go well

 

[I like Serena]

Argh, still the same IP, again the same situation - my pings are not coming through, 100% packet lost. I am posting now using proxy.

For your reference, here's my traceroute appended (from the Netherlands).
The last part is identical (as expected).

Furthermore my traceroute does not reach physicsforums.com either.
I think that means that it has been blocked by a firewall or something.
That should not be a problem though.

ping did come through the first time, but a second time it didn't.
And EEEWWWWW!
Since then I have lost the connection physicsforums.com entirely (at about 2011-06-11T18:30:00Z).
This never happened before!
I only got 502/504 gateway timeouts, and never for more than a couple of minutes.

I suspect the very test I did here triggered a DoS defense mechanism on PF!


I reset my modem, indeed getting a new external IP address in the same subnet, but the problem persists.


I tried from elsewhere with "telnet physicsforums.com 80" and that worked, but on my own computer this doesn't since I'm unable to connect.


Right now (2011-06-11T19:20:00Z) I'm still blocked entirely - posting through a proxy now.

Edit: Right now (2011-06-11T19:30:00Z) I can connect again.
Does the DoS perchance have a timeout of 1 hour?



For reference here are my trace results (before the disconnection):

traceroute to physicsforums.com (74.86.200.109), 30 hops max, 60 byte packets
 1  10.246.124.1 (10.246.124.1)  2.371 ms  2.516 ms  3.157 ms
 2  SpeedTouch.lan (10.0.0.138)  9.318 ms  9.720 ms  10.119 ms
 3  [I]<deleted>[/I]
 4  [I]<deleted>[/I]
 5  [I]<deleted>[/I]
 6  asd2-rou-1002.NL.eurorings.net (134.222.97.17)  46.770 ms  21.122 ms  54.049 ms
 7  asd2-rou-1022.NL.eurorings.net (134.222.230.34)  25.445 ms  33.176 ms  34.337 ms
 8  asd2-rou-1001.NL.eurorings.net (134.222.225.194)  34.847 ms asd2-rou-1001.NL.eurorings.net (134.222.229.101)  35.765 ms asd2-rou-1001.NL.eurorings.net (134.222.229.105)  36.241 ms
 9  adm-b5-link.telia.net (213.248.102.161)  36.820 ms  42.628 ms  42.782 ms
10  adm-bb2-link.telia.net (80.91.253.170)  43.610 ms adm-bb1-link.telia.net (80.91.246.220)  66.704 ms adm-bb2-link.telia.net (213.155.130.44)  44.507 ms
11  ldn-bb1-link.telia.net (80.91.245.106)  82.521 ms  82.648 ms ldn-bb2-link.telia.net (80.91.253.209)  56.086 ms
12  ash-bb1-link.telia.net (80.91.251.209)  108.333 ms ash-bb1-link.telia.net (213.248.65.210)  109.889 ms ash-bb1-link.telia.net (80.91.246.68)  109.196 ms
13  dls-bb1-link.telia.net (80.91.252.122)  143.052 ms dls-bb1-link.telia.net (213.155.130.69)  147.107 ms dls-bb1-link.telia.net (80.91.252.122)  147.089 ms
14  te3-3.bbr02.eq01.dal01.networklayer.com (213.248.102.174)  147.436 ms  150.523 ms  150.806 ms
15  po6.dar02.sr01.dal01.networklayer.com (173.192.18.213)  239.810 ms  239.577 ms  155.216 ms
16  po2.fcr03.sr04.dal01.networklayer.com (66.228.118.190)  139.120 ms  145.286 ms  145.737 ms
17  * * *
18  * * *
19  * * *

PING physicsforums.com (74.86.200.109) 56(84) bytes of data.
64 bytes from physicsforums.com (74.86.200.109): icmp_seq=1 ttl=47 time=137 ms
64 bytes from physicsforums.com (74.86.200.109): icmp_seq=2 ttl=47 time=136 ms
64 bytes from physicsforums.com (74.86.200.109): icmp_seq=3 ttl=47 time=139 ms

 

[Borek]

There are strange things happening, I believe they started to appear after nginx has been installed, but I can be easily wrong.

 

[I like Serena]

There are strange things happening, I believe they started to appear after nginx has been installed, but I can be easily wrong.

I suspect these are 2 separate things.

I think the very test with traceroute/ping triggered a hardware DoS on PF with presumably a timeout of 1 hour.
This means that you get the message: "unable to connect".

The gateway timeout suggests that the hardware is still functioning properly (PF is still reachable on HTTP), but that nginx (I presume it's configured as a proxy or as a load balancer?) can't reach the actual PF web server, generating a HTML gateway timeout message.

 

[Insanity]

i am getting a 400 Bad Request on my laptop.

 

[Evo]

No problem here.

 

[lisab]

No problem here.

I have a slight problem: I have a bit of sunburn on my back :tongue2:

No connection problems from beautiful Tacoma.

 

[dlgoff]

Some threads try to load i52.tinypic.com that never happens; I've noticed this for a few days. I using Firefox 5.

 

[Ivan92]

I get the occasional can't connect; something nginx 504 or something, but PF is running fine.

 

[Lancelot59]

Seems to be running fine to me.

 

[danR]

Has been going very slow (pages take a long time to display) for the past couple of days on Mac Safari/Opera/FF. I've checked other vBulletin run sites (medical, Engineering), no problems, lightning-fast.

Then, it has its moments where everything is back to normal.

I've tried clearing cookies, cache, browsing (not signed in). No difference.​

Addendum: I'm also in a university area, with exceptionally good internet service, on a very reliable ISP. I have never had an internet issue in 2 years. I had a Safari upgrade a week or so ago, but that doesn't explain Opera/FF anyway.

 

[Ivan92]

Has been going very slow (pages take a long time to display) for the past couple of days on Mac Safari/Opera/FF. I've checked other vBulletin run sites (medical, Engineering), no problems, lightning-fast.

Then, it has its moments where everything is back to normal.

I've tried clearing cookies, cache, browsing (not signed in). No difference.

I have been running on Mac Safari and no pages have been loading slowly these last couple of days.

 

[Studiot]

Was very slow about 10 days ago but been fine more recently.

South West UK.

Perhaps it's like a tide or other periodic phenomenon moving around the globe?

 

[Nik_2213]

Tonight's running slower than usual, IMHO.
(NW UK)

 

[Lancelot59]

I got 504'd while going to the reply input today.

 

[FeDeX_LaTeX]

No problems here.

Thanks for this, this was a good read.

 

[Ben Niehoff]

The last few days, pages have been loading incredibly slow. They hang on loading the ads. So either some advertiser out there has coded their Flash in some stupid way that causes it to hang, or the ad server itself is having problems. My guess would be with the former.

But in either case, this is not a DDoS attack. It's some stupid ad programmer who doesn't care whether the page his ad is displayed on is actually able to load.

 

[Greg Bernhardt]

The last few days, pages have been loading incredibly slow. They hang on loading the ads. So either some advertiser out there has coded their Flash in some stupid way that causes it to hang, or the ad server itself is having problems. My guess would be with the former.

https://www.physicsforums.com/payments.php

 

[DaveC426913]

https://www.physicsforums.com/payments.php

ba-zing!

 

[Jack21222]

The last few days, pages have been loading incredibly slow. They hang on loading the ads. So either some advertiser out there has coded their Flash in some stupid way that causes it to hang, or the ad server itself is having problems. My guess would be with the former.

But in either case, this is not a DDoS attack. It's some stupid ad programmer who doesn't care whether the page his ad is displayed on is actually able to load.

Ads? What ads?

http://adblockplus.org/en/