Slow Forums: PF Under DDOS Attack

  • Thread starter: Borek
AI Thread Summary
Physics Forums is currently experiencing significant slowdowns and connectivity issues due to a DDoS attack that began earlier in the day. Users are reporting long page load times, errors related to MySQL, and intermittent access to the site and chat features. The forum's team is actively working with their data center to mitigate the attack, but performance may remain inconsistent as the firewall catches up. Discussions among users speculate on the motivations behind the attack, expressing frustration and confusion over why such a community would be targeted. Overall, while some users report improvements, many still face challenges with site functionality.
  • #51


Did you recently suspend or ban any users?
 
  • #52


ladykrimson said:
Did you recently suspend or ban any users?

we do every day
 
  • #53


Greg Bernhardt said:
we do every day

That might be a good place to begin looking for suspects.
 
  • #54


Greg Bernhardt said:
we were attacked this morning/afternoon. the firewall is still catching up, so things might still be a little slow for a bit

Was this an attack on PF itself, or its bandwidth provider? It seems... odd to attack a forum with a sledgehammer when a knife would do the job (nothing personal).

I'm familiar however, with being hosted by a company that makes the mistake of hosting some IRC channel or network, or a similar target; it gets DDOS'ed, and everyone hosted suffers.

@Ladykrimson: someone would need a botnet ready to do this, and be willing to use it up too. I've been pissed at PF before, but this is... stupid and bizarre.

edit: I'd add... it's not exactly effective, so maybe it's some exceptionally incompetent script kiddy? Who the hell can't DDOS a website anyway? I'm annoyed and disgusted.
 
  • #55


For what it is worth:

http://www.buzzle.com/articles/free-ddos-detection-and-mitigation-tools-for-linux-servers.html
By David Foreman
Published: 2/11/2011

From his supplied link:

David Foreman
University Of Pennsylvania graduate in 1985. Self employed real estate investor for 10 years. Now owner of Foreman and Pike Consulting, an Internet Marketing Firm.

Rhody...

P.S. Wouldn't it be cool if traceroute endroute of the responsible party(s) computer(s) were possible and to send them a little PF present of our own.
 
  • #56


nismaratwork said:
Was this an attack on PF itself, or its bandwidth provider? It seems... odd to attack a forum with a sledgehammer when a knife would do the job (nothing personal).

I'm familiar however, with being hosted by a company that makes the mistake of hosting some IRC channel or network, or a similar target; it gets DDOS'ed, and everyone hosted suffers.

They are targeting PF's IP addy. We are on a dedicated server.
 
  • #57


rhody said:
For what it is worth:

http://www.buzzle.com/articles/free-ddos-detection-and-mitigation-tools-for-linux-servers.html

Thanks rhody. We are doing everything we can on the server and the firewall is blocking everything, but there will still be performance issues as the traffic, although blocked, is still hitting the server. We need measures to be taken further up the network chain.
 
  • #58


Greg Bernhardt said:
They are targeting PF's IP addy. We are on a dedicated server.

Damn it... that's just stupid and cruel.

In my experience, there are limited ways to respond to a DOS attack:

1.) Report to authorities
2.) If you have a set number of attackers, block traffic from those subnets.
3.) Notify people and entities whose computers have been compromised
---- From here, this is speculation, hypothetical, and not an endorsement ----
4.) Compromise the botnet and sniff incoming packets directing the bots
-Backtrace... a putz like this isn't going to be on a decent network of BNCs
-Leave a message, or disable controller
4.2) Compromise the botnet, use tools from packetstorm security, and turn it on the attacker
5.) Identify. Juno.
6.) If in a country outside of reasonable jurisdiction, identify critical resources affiliated with the botnet owner and attack them.
7.) Compromise the botnet, then shut it down without malicious means (change passwords, update, etc)
7.) Compromise with a worm.
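
Step 2 of the list above (blocking attacker subnets), together with the earlier point that blocked traffic still reaches the server unless it is filtered further up the network chain, as an added example that is not part of the original posts. The thresholds, function names and log lines are assumptions constructed for illustration; it handles IPv4 only.

```python
import ipaddress
from collections import Counter, defaultdict

def _line(ip):
    # Constructed common-log-format line (RFC 5737 documentation addresses only).
    return f'{ip} - - [01/Jan/2011:12:00:00 +0000] "GET / HTTP/1.1" 200 512'

# Constructed sample, not data from the incident discussed in this thread.
SAMPLE_LOG = (
    [_line("198.51.100.7")] * 900 + [_line("198.51.100.21")] * 850
    + [_line("198.51.100.99")] * 1200
    + [_line("198.51.100.140")] * 40      # light user inside a noisy /24
    + [_line("203.0.113.5")] * 2000       # lone heavy hitter
    + [_line("192.0.2.10")] * 30
    + ["-- truncated line --"]            # malformed input must not abort the run
)

def parse_sources(log_lines):
    """Count requests per source IP; the IP is the first space-separated field."""
    counts = Counter()
    for line in log_lines:
        field = line.split(" ", 1)[0]
        try:
            counts[str(ipaddress.ip_address(field))] += 1
        except ValueError:
            continue
    return counts

def blocklist(counts, per_ip_limit=500, hosts_per_subnet=3, prefix=24, allow=()):
    """Return a collapsed list of CIDRs to filter.

    A whole /prefix is listed only when at least hosts_per_subnet distinct
    addresses in it exceed per_ip_limit; otherwise single hosts are listed.
    Addresses inside any network in `allow` are never listed.
    """
    allowed = [ipaddress.ip_network(a) for a in allow]
    noisy = defaultdict(list)
    for ip_str, n in counts.items():
        ip = ipaddress.ip_address(ip_str)
        if ip.version != 4 or n <= per_ip_limit:
            continue
        if any(ip in net for net in allowed):
            continue
        subnet = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        noisy[subnet].append(ip)
    nets = []
    for subnet, hosts in noisy.items():
        if len(hosts) >= hosts_per_subnet:
            nets.append(subnet)
        else:
            nets.extend(ipaddress.ip_network(f"{h}/32") for h in hosts)
    # collapse_addresses merges adjacent networks and returns them sorted.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    for cidr in blocklist(parse_sources(SAMPLE_LOG)):
        print(cidr)
```

Listing the whole /24 also cuts off the light user at 198.51.100.140, which is the trade-off of subnet blocking. A short collapsed list is the form that can be handed to a data center or upstream provider so the traffic is dropped before it reaches the server.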
 
  • #60


caffenta said:
But what for? Why would a bunch of geeks attack a bunch of nerds? It’s like running a protection racket against bums. What are they going to pay you with? Dirty socks? It makes no sense I tells ya. :-p

Apparently, these particular geeks don't appreciate open platform discussions about some things.

Greg, have you contacted the FBI, or the RCMP? Don't know whether your server is in the U.S. or Canada. Regardless, any sustained attack like this violates some key U.S. laws of the kind the FBI takes interest. I'm also aware of certain edge (as in U.S. electronic border) tracking stations which record anything bound for any IP in the U.S. If it's routed, it can be tracked back to at least the station immediately prior. On the other hand, if it's a DDoS attack originating from virii/trojans/worms within the U.S., a call to Symantec and a couple other leading antivirus manufacturers might prove helpful. Might be helpful if it's a DDoS from the outside, as well.
 
  • #61


mugaliens said:
Greg, have you contacted the FBI, or the RCMP?

I'm not sure they'd care. DoS attacks are quite common.

To make this day even worse, the FedEx man just put a package under my door handle effectively locking me in. I seriously can't get out of my apartment now. I may have to jump off my 2nd floor balcony.
 
  • #62


mugaliens said:
Apparently, these particular geeks don't appreciate open platform discussions about some things.

Greg, have you contacted the FBI, or the RCMP? Don't know whether your server is in the U.S. or Canada. Regardless, any sustained attack like this violates some key U.S. laws of the kind the FBI takes interest. I'm also aware of certain edge (as in U.S. electronic border) tracking stations which record anything bound for any IP in the U.S. If it's routed, it can be tracked back to at least the station immediately prior. On the other hand, if it's a DDoS attack originating from virii/trojans/worms within the U.S., a call to Symantec and a couple other leading antivirus manufacturers might prove helpful. Might be helpful if it's a DDoS from the outside, as well.

In my experience, if this is a sustained attack by a "pro", it's going to originate outside of the west, and beyond any kind of meaningful enforcement. Each bot might be anywhere, but not the controller of the network... still, contacting authorities is the right move... it just won't usually help.

I offer Dalnet as an example, and also as an indicator that this is just a script kiddy with only slightly more bots than brains.
 
  • #63


Greg Bernhardt said:
I'm not sure they'd care. DoS attacks are quite common.

To make this day even worse, the FedEx man just put a package under my door handle effectively locking me in. I seriously can't get out of my apartment now. I may have to jump off my 2nd floor balcony.

Jesus Greg... did you piss off a gypsy fortune teller or something?! :wink:

Um... and don't jump, just call a neighbor!
 
  • #64


G01 said:
Seriously though, what has this forum ever done to anybody?
Rumor has it it involves Julian Assange and Anonymous. :wink:
 
  • #65


After using an exhaustive suite of computer forensics tools, I've discovered the cause of the slowdown...

It's all these posts in this thread!
 
  • #66


Greg Bernhardt said:
I'm not sure they'd care. DoS attacks are quite common.

To make this day even worse, the FedEx man just put a package under my door handle effectively locking me in. I seriously can't get out of my apartment now. I may have to jump off my 2nd floor balcony.
Call Fedex and have them send the guy back to untrap you.
 
  • #67


This has escalated into a very serious attack. I appreciate everyone's patience!

Patience and whatever support we can.

That probably means just sitting the miscreants out - So be it.

In particular, Greg, don't take this personally, you are doing a great job with a great site.
 
  • #68


Andre said:
It's a good habit to hit <ctrl A> and <ctrl C> (windows) before clicking 'post reply'.

then when disaster strikes <ctrl V> does the trick, unstriking.
Or if you run Firefox, the "Lazarus" addon saves form information for you as you go so it can be recovered if something happens. I almost never need it, but when I do, it's nice to have. It's pretty annoying typing out a long post and losing it!
 
  • #69


I'm being patient. At this point, though, I'm curious as all heck.
 
  • #70


vela said:
Rumor has it it involves Julian Assange and Anonymous. :wink:

I wish... known targets make life so much easier, and hackers have rivals.

Whoever this is...well... I hope their personal information finds its way into the hands of unscrupulous Turkish or Romanian hackers.
 
  • #71


Greg Bernhardt said:
I'm not sure they'd care. DoS attacks are quite common.

To make this day even worse, the FedEx man just put a package under my door handle effectively locking me in. I seriously can't get out of my apartment now. :cry: I may have to jump off my 2nd floor balcony.
Greg,

Sorry, but that is a funny, makes you wonder about the intellect of the FedEx Delivery person though. Good to see you are still keeping your wits and sense of humor, kick the damn door, (it will relieve stress from the DOS attack too, lol) the package may fly a bit, but so what, or call a neighbor close by.

Rhody...:redface:
 
  • #72


This is getting really annoying. However, as I am not trapped in my apartment, I guess things can get worse...(good luck with that Greg!)
 
  • #73


Yeah, it's pretty bad. But I have faith that it'll get fixed.
 
  • #74


Keep the updates coming. We are continually making adjustments.
 
  • #75


I have been trying to swap PMs with another member. That is an exercise in futility. If you PM, save your message in NotePad or similar so you won't have to re-type it.
 
  • #76


Plus getting tons of 101 errors when trying to view a thread, or view a new post, or search to see if new posts have been made in a thread.
 
  • #77


Greg Bernhardt said:
They are targeting PF's IP addy. We are on a dedicated server.

That's easy to fix:
[hidefromhackers]
1) Ask your ISP for a new static IP with no DNS listing
2) Send an e-mail to all unbanned members saying: "this is where the real party's at: (new IP address)
3) Leave a shell server on the normal PF address to make the hackers think that their hacking is actually working
[/hidefromhackers]

Problem: solved :wink:
mugaliens said:
Apparently, these particular geeks don't appreciate open platform discussions about some things.
Interestingly (sort of), I did a little google search to see if there was some kind of loser movement going on to block PF and all I could find was about "censorship" on PF from some banned member *cough*crackpot*cough* but it was a few years old.
 
  • #78


The problem is that much like an assassin, you need to either buy off a DDOS'er, or better, neutralize them. One is just inviting blackmail, and the latter is illegal.
 
  • #79


nismaratwork said:
The problem is that much like an assassin, you need to either buy off a DDOS'er, or better, neutralize them. One is just inviting blackmail, and the latter is illegal.

See my earlier post about the protection racket against bums. It makes no sense to target a place like this if the goal is blackmail. What are we going to pay them with? Gluons?
 
  • #80


caffenta said:
That's easy to fix:
[hidefromhackers]
1) Ask your ISP for a new static IP with no DNS listing
2) Send an e-mail to all unbanned members saying: "this is where the real party's at: (new IP address)
3) Leave a shell server on the normal PF address to make the hackers think that their hacking is actually working
[/hidefromhackers]

Problem: solved :wink:

Interestingly (sort of), I did a little google search to see if there was some kind of loser movement going on to block PF and all I could find was about "censorship" on PF from some banned member *cough*crackpot*cough* but it was a few years old.
Not "problem solved" but problem exacerbated. If Greg can't maintain a stable open site with which to interact with advertisers, there goes all the advertising income for views, click-throughs, etc.
 
  • #81


It wasn't a serious "solution". Just trying to keep people's spirits up in these difficult times, is all.
 
  • #82


caffenta said:
See my earlier post about the protection racket against bums. It makes no sense to target a place like this if the goal is blackmail. What are we going to pay them with? Gluons?

Presumably privileges... that's the usual goal beyond mere destruction of these kind of underdeveloped bridge troll-snot.

Your idea, while interesting, is so easily circumvented as to be impractical; the reality is that you have fragmentation of the community... again, see Dalnet.

Anyway, you could reverse what you said, or rather, invert it, and make a canary trap out of it, but that would take more work than just using a few illegal tools to remove the problem directly. A botnet is, by definition, not a secure entity; it can be subverted and turned.
 
  • #83


nismaratwork said:
Anyway, you could reverse what you said, or rather, invert it, and make a canary trap out of it, but that would take more work than just using a few illegal tools to remove the problem directly. A botnet is, by definition, not a secure entity; it can be subverted and turned.

Trap, eh? It gives me an idea: the PF Sisterhood that lisab alluded to earlier in the thread.

It's very likely that the hacker is just some geek or a collection of geeks living in their parents' basement, yes? When confronted by girls, said geeks will either:

a) Run away in fear and leave us alone
b) Be attracted by the Sisterhood's beautiful Siren songs. Then we can trap them with some kind of confinement field. We know how to build a confinement field, right? We're physicists. Of course we know! And if the confinement field fails, the Sisterhood will just kick their sorry butts like lisab said. In fact, forget the confinement field altogether.

:smile:
 
  • #84


caffenta said:
Trap, eh? It gives me an idea: the PF Sisterhood that lisab alluded to earlier in the thread.

It's very likely that the hacker is just some geek or a collection of geeks living in their parents' basement, yes? When confronted with girls, said geeks will either:

a) Run away in fear and leave us alone
b) Be attracted by the Sisterhood's beautiful siren songs. Then we can trap them with some kind of confinement field. We know how to build a confinement field, right? We're physicists. Of course we know! And if the confinement field fails, the Sisterhood will just kick their sorry butts like lisab said. In fact, forget the confinement field altogether.


:smile:

What if it IS a girl? :smile:


Hmmm... actually... :bushing:

ANYWAY... Greg: You could just post all relevant IPs here... it's not traffic protected by your TOS, right? Share, and who knows, maybe some enterprising PF'ers read, and unconnected to that, things happen?
 
  • #85


nismaratwork said:
What if it IS a girl? :smile:


Hmmm... actually... :bushing:

ANYWAY... Greg: You could just post all relevant IPs here... it's not traffic protected by your TOS, right? Share, and who knows, maybe some enterprising PF'ers read, and unconnected to that, things happen?

what if I slipped in your IP by mistake? :biggrin:
 
  • #86


nismaratwork said:
What if it IS a girl? :smile:


Hmmm... actually... :bushing:

ANYWAY... Greg: You could just post all relevant IPs here... it's not traffic protected by your TOS, right? Share, and who knows, maybe some enterprising PF'ers read, and unconnected to that, things happen?
My new neighbor is a networking geek with his own company. Maybe if some of us knew more about the DoS, we could help resolve it. I'd ask him - he and his new bride are smitten with this neighborhood and their new neighbors. Maybe I can get my wife to bribe him with some garlic/rosemary/sun-dried tomato infused artisan bread...
 
  • #87


Greg Bernhardt said:
what if I slipped in your IP by mistake? :biggrin:

Hmmmmm...

1.) Which one?
2.) I'd hate to lose a good BNC... routing traffic isn't as fun as it used to be.
3.) It would be worth the trade.
 
  • #88


nismaratwork said:
What if it IS a girl? :smile:
Have you ever met a girl that would waste her time on something as pointless as a DoS attack? I mean, honestly. Even the geekiest girl is nowhere near the geek level of a geeky guy. There's a geekness bandgap or something.

I stand by my hypothesis: the hacker is a guy in his parents' basement.
 
  • #89


caffenta said:
Have you ever met a girl that would waste her time on something as pointless as a DoS attack? I mean, honestly. Even the geekiest girl is nowhere near the geek level of a geeky guy. There's a geekness bandgap or something.

I stand by my hypothesis: the hacker is a guy in his parents' basement.

Actually, yeah, I've met a few, but they are rare creatures, and very shy. You can coax them out with strawberries in a goblet with fresh whipped cream, but the slightest noise startles them.

:biggrin:
 
  • #90


nismaratwork said:
Actually, yeah, I've met a few, but they are rare creatures, and very shy. You can coax them out with strawberries in a goblet with fresh whipped cream, but the slightest noise startles them.

:biggrin:
Well, if they are the culprit, there is an even easier solution: we just start typing in ALL CAPS. That'll freak them out. :-p
 
  • #91


Is PF fixed?

FIX IT FIX IT FIX IT FIX IT
 
  • #92


we keep tweaking the firewall. keep giving me updates on site performance
 
  • #93


Greg Bernhardt said:
we keep tweaking the firewall. keep giving me updates on site performance

Still slow loading pages. I get that "Oops, Chrome can't load the page" error about 10% of the time.

It seemed nearly normal about an hour ago, though.
 
  • #94


Greg Bernhardt said:
we keep tweaking the firewall. keep giving me updates on site performance

Still slow loading pages. I get that "Oops! Google Chrome could not connect to www.physicsforums.com" error about 10% of the time.

It seemed nearly normal about an hour ago, though.
 
  • #95


lisab said:
Still slow loading pages. I get that "Oops! Google Chrome could not connect to www.physicsforums.com" error about 10% of the time.

It seemed nearly normal about an hour ago, though.
Your double post says more about site performance than the contents of your post ever could. :wink:
 
  • #96


turbo-1 said:
My new neighbor is a networking geek with his own company. Maybe if some of us knew more about the DoS, we could help resolve it.

A denial of service attack is a pretty low tier attack. It could be run by anyone, with a small amount of knowledge, and more easily run by a script kiddie (someone who runs scripts to hack). There are much more devastating hacks that can be done using subtler methods, but with that comes a large increase in the knowledge needed.

I think the best thing that we could probably do for now is honestly stay away from the forums for a bit, let them sort it out on their own without nonthreatening IP's requesting service also. (heh, this just happens to be the exact thing I'm not doing)

And Greg, just a couple minutes ago, when I came to this thread, the forums were working relatively smoothly, but now, they are back to loading slowly.
 
  • #97


Grep said:
Your double post says more about site performance than the contents of your post ever could. :wink:

:smile:

This is true. It's slow, but you can tell this is not exactly a masterpiece DOS... I hate halfwits and hacks, but I'm glad in this case.
 
  • #98


Grep said:
Your double post says more about site performance than the contents of your post ever could. :wink:

Yeah...sigh. Right after I posted...those...it got really bad, I had to bail out.

Hang in there, Greg...give em hell! The PF Sisterhood is itchin' for a fight now!
 
  • #99


Isn't there a law against this...
 
  • #100


Where's Char...

He'd kick some Ninja butt...

https://www.youtube.com/watch?v=3KVf49FkqHo
 
