Archived

This topic is now archived and is closed to further replies.

greasemonkey

DDOS attack

What a badge of honor. Does this mean I'm successful? I'm currently experiencing my first DDOS attack.

 

What a learning experience.

 

The best part... I'm being extorted by the hackers AND the protectors.

It's unlikely it is a DDoS attack, though it could be. Usually when this happens it is because of data skimmers and hackers gathering information from your site. If you have View Counter installed, it should show this. Otherwise, you can find them in the account's raw access logs, though they are more difficult to see.

@@Jack_mcs unfortunately it seems to be... I received an enquiry via our contact page asking which payment method we take... we replied within minutes. They replied to us almost instantly, but the tone of the email immediately changed to extorting money or they would take our site "down". I assumed it was just another spam email... This was an hour before the attack.

 

My host took the site down with traffic over 1.2Gbps.

 

I'm still working through it with my host.

Such an attack most likely comes from 1 person or a small group.

Tracking IPs and blocking them could be sufficient.

But I leave such to the experts.

Your hosting provider should be able to block such.

 

@@Jack_mcs could you take a look at nukesentinel (google search it pls), it might be a good resource to prevent such as what happened to @@greasemonkey.

 

Just a Tip ;)

@@greasemonkey I'm sorry to hear that. The raw access log will show what's going on, though I would guess your host will know to look at that.

 

@@wHiTeHaT I remember looking at nukesentinel years ago. I just searched for it but it doesn't look like it has been updated in 5 years. That's not to say it won't work now but I suggest anyone planning on using it to test it on a non-live site first. There are some server tools that can cut down on DDoS attacks but I'm not aware of any that will stop them completely and the host would have to implement them. Hopefully the one @@greasemonkey is having problems with is just some idiot that can be blocked via his IP.

@@Jack_mcs and @@wHiTeHaT thank you.

 

The attack is over... For now. My host null-routed my IPs for several hours while the attack was going on.

 

In the end they/he were using 1200mbps of bandwidth with slightly more than 10,000 IP addresses.

 

I'm told the only way to stop an attack this big (which I'm also told isn't even that big... Just about avg) is with upstream filtering which can be very expensive.

 

Like I said... Learning experience.

I worked with a site that was victim of a DDOS attack a few years ago. What a mess. There were several IPs pinging in at once, many from the area of Turkey. I switched the site to a backup host and the attack still followed through the domain name's propagation. I think it went on for 5 days solid, with a few bursts of attacks here and there for the following couple of weeks. The backup host did some blocking that slowed things down, but it was a rough one.

 

The site owner was very sure that one of his ex-partners and now competition had financed the attack. Just for kicks I set up some redirects of the incoming pings to the ex-partner's site, then watched it go offline for a bit. Nothing I condone, but about halfway in I needed some entertainment.

 

Overall it was a major blow to the site I worked with. It was down for so long that they lost a lot of their affiliates, who pushed probably 80% of the traffic and sales. When the site went down so long, a lot of money was lost. Needless to say, affiliates that had spent money advertising the site were not happy, and with the follow up attacks taking the site down here and there the next week after, they just lost confidence and quit marketing for that site.

 

Looking back, I should have quit working for that site then too, but that's another thing.

 

Anyhow, I wish you the best of luck getting back online @@greasemonkey. Keep us informed of how things fare for you.

 

GL


Follow the community build:

BS3 to osCommerce Responsive from the Get Go!

Check out the new construction:

Admin Gone to Total BS!

Well the extortion attempt continues this morning - with 2 more emails:

 

 

Hi sir please send me update on when you will get the paysafecard vouchers to the value of $300

After that there is no problem

 

and then


 

We wait for fair negeciation from u soon to resolve the situation

 

Again, all as I keep repeating - what a learning experience.

 

My still very basic understanding of this type of attack is: they flood my host (directed at my IPs... but I'm on a VPS so I would presume it would affect all others around me) with millions of small requests taking tons of bandwidth (in my case 1.2gbps on 10,000 IP addresses), overwhelming not only my server, but also (if big enough - I don't think this attack is big enough) all traffic in and out of their connection/tunnel/T1 (whatever their connection is called?).

 

So, at the end "upstream" (preventing the millions of requests from getting to your host) protection is the only key to protection?

 

So, upstream protection is so ridiculous it is almost as bad as the extortion... I have had quotes of $5000.00/month USD for my size attack. Obviously they think I print money... lol. We don't make $5000/month "net" profit this time of year.

 

I've just signed up for an account with CloudFlare - a pro account (costs about $20/month) and I'm now waiting to see if the attack starts back up again. CloudFlare (again from my basic understanding) provides new DNS info re-routing all my traffic to their servers where it can be "scrubbed/filtered" prior to sending the traffic to my host. Apparently the "pro" plan will not withstand an attack the same size as yesterday - but offers some level of protection from small attacks and filtering similar to @@Jack_mcs View Counter (which I do have installed) but "upstream". And can be upgraded to a more robust DDoS protection filter easily.

 

We shall see what happens as I monitor the traffic today! Hopefully this guy is full of shit and has used up all his resources....

Try sucuri, they have been very good with a couple of sites I'm involved in.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here

@@greasemonkey I'm just curious but are you on an unmanaged VPS? If not, your host really should be responsible for handling such attacks, especially on a VPS, since it is affecting other sites besides yours. Just something to consider. If they won't/can't isolate the cause, I still suggest you take a look at the raw access log. DDoS attacks are usually done using more than one IP and it can take a while to get them all blocked, unless they are using a specific range. But that is a better approach than spending the money you mentioned, at least in my mind. Please see my PM regarding the log.

Hi Jack, I sent you a snippet of the log just as the host took us offline... Doesn't mean much to me... but I can see something funny/different was going on.

5.153.10.226 - - [19/Nov/2014:17:06:55 -0500] "-" 408 - "-" "-"

This is a timeout isn't it?

Yes, the 408 is the Apache status code for a request timeout, which would be expected for a server busy while under attack.
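To make Jack's suggestion of reading the raw access log concrete, here is an added example (not code from the thread, osCommerce or View Counter) of the triage a practitioner does on such a log: parse Apache combined-format lines, count requests per client address and per status code, and list the addresses above a chosen threshold. The sample log is constructed, apart from the one 408 line greasemonkey quoted; the threshold and the field names are this example's own choices. A 408 with `"-"` in the request, referer and user-agent fields means the client opened a connection and sent nothing before Apache's request timeout expired, which is what a connection-exhaustion flood, or a server too busy to read its requests, looks like in the log.

```python
import re
from collections import Counter

# Apache "combined" log format, which is what cPanel-style raw access logs
# contain. Fields: client IP, identd, user, [timestamp], "request", status,
# bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate per-IP request counts, per-status counts and per-IP 408 timeouts."""
    hits = Counter()
    statuses = Counter()
    timeouts = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1      # keep a count so a format change is noticed
            continue
        hits[rec["ip"]] += 1
        statuses[rec["status"]] += 1
        if rec["status"] == "408":
            timeouts[rec["ip"]] += 1
    return {"hits": hits, "statuses": statuses, "timeouts": timeouts, "unparsed": unparsed}


def flag_ips(summary, threshold):
    """Addresses whose request count exceeds the threshold, busiest first."""
    return sorted(
        ((ip, n) for ip, n in summary["hits"].items() if n > threshold),
        key=lambda t: (-t[1], t[0]),
    )


# Constructed sample log. 203.0.113.5 is one ordinary visitor, 198.51.100.7
# hammers a single product page, and 192.0.2.x addresses open connections
# without ever sending a request, which Apache logs as 408 with "-" for the
# request, referer and user-agent. These are documentation ranges, not real
# hosts. The final line is the one quoted in the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Nov/2014:17:06:50 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
SAMPLE_LOG += [
    '198.51.100.7 - - [19/Nov/2014:17:06:5%d -0500] "GET /product_info.php?products_id=3 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"' % (i % 10)
    for i in range(25)
]
SAMPLE_LOG += [
    '192.0.2.%d - - [19/Nov/2014:17:06:55 -0500] "-" 408 - "-" "-"' % (10 + i)
    for i in range(8)
]
SAMPLE_LOG.append('5.153.10.226 - - [19/Nov/2014:17:06:55 -0500] "-" 408 - "-" "-"')

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("status codes:", dict(summary["statuses"]))
    print("IPs over 20 requests:", flag_ips(summary, 20))
    print("IPs that timed out without sending a request:", len(summary["timeouts"]))
```

On a real log, replace `SAMPLE_LOG` with `open(path)` and lower or raise the threshold to fit the site's normal traffic. A distributed flood like the one in the thread shows up as thousands of addresses with one or two requests each, so the per-status view (many 408s, few 200s) is the more telling signal than any single address.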

I found this thread because I'm dealing with the same thing, except to extortion letters.......

In the past, these types of ddos things last a few hours, usually my host blocks a few IP addresses and everything's fine. A few hours downtime at the most.

This time it's gone on for 4 days. Host started by null-routing everything for an hour at a time, then eventually three hours, then eight hours. If the attacks trickled down to an IP or two, they'd get blacklisted and everything would seem OK, then everything would be down again.

 

Host techs (steadfast) say, "Not much you can really do, but cloudflare is better at this type of thing." Eventually I set up with cloudflare and everything seemed OK, but what a bewildering learning curve of crap to have to absorb there about how to properly configure this and tweak that.......I'm already frazzled from days of lost business. Then the site's down again. I learn that if attackers already know your IP address, they can just attack that and go right around cloudflare. So I ask host tech guys, "I've got an IP that's been publicly knowable for years, and these scumbags have been attacking me for days. Am I correct to assume that the current attackers already know my IP and can just attack it directly and render cloudflare essentially useless?"

 

Answer? "Yeah, that would be correct."

 

So, steadfast can say there is no way to stop this, and cloudflare can say the attacks are not going through them so it's not their responsibility. Both companies offer to do more if I upgrade my accounts to the more expensive options, of course.

 

Meanwhile, I'm losing about $600 a day in lost sales and I can't shake the feeling that this is probably just a hustle to make me upgrade my accounts with steadfast and cloudflare to try to salvage my business.

 

So now I guess I have to shut everything down, get a new IP, try to learn everything on the server that has to be tightened up, and then run it through cloudflare again and hope I can hide my IP from all but the most savvy attackers and hope they find something else to do.......

 

I guess as long as I can't process orders and deal with customers I can spend the time learning hosting and internet security so I don't have to rely on people who apparently amuse themselves by being as unhelpful as they can when I need them the most.

 

What's the best way to learn all this? I don't know anything about tcp/ip and null-routing and tweaking ports and re-routing pings or whatever all this stuff is.....

 

Anyway, sorry for the rant, it's just frustrating............

You can't hide the IP of a site since that is public information. As mentioned previously, if you are on a managed server the responsibility of handling this should be the host's. If you are not on a managed server, it is best to pay them to manage it, or fix this problem, since, presumably, they know what they are doing and you don't with regards to stopping this. If you can find the IPs, or range of IPs, causing the attack, you can block them, though such attackers can have a large arsenal of IPs and doing this may require a lot of attention. They also usually spoof the connection so the IPs may be useless. Changing the nameservers may help, depending upon the type of attack, but that is what you do when you use CloudFlare. If it continues while using them, their reports might be able to identify the source and allow you to filter them out.

@@osc_ar I feel your pain... Although my attacker seems to have moved on. Being extorted on 2 fronts sucks.

 

@@Jack_mcs I'm on a managed VPS - this was the answer (partial answer) I received when I pressed for more help:

 

 

DDoS attacks are serious *hostname* AUP violations and could be considered grounds for termination

 

What I read here is - NOT our responsibility, and if the attack continues and "I" don't fix it we will drop you...

 

I'm not sure what other hosts typically say?

 

I know you host - I presume you are re-selling and don't own your servers? So, would you not be in the same situation if one of your customers started clogging up their tunnel/T1 (sorry, not sure what the internet connection is called at a host's level.... it's not DSL or cable, that is for sure... lol) lines with a DDoS attack (feel free to not answer... I don't mean to put you on the spot... I'm just curious more than anything)?

 

Fixing it upstream with a robust DDoS filter seems to be the only solution if the attacker is hell bent? Switching hosts/IP will only help temporarily - unless you pay the big bucks to the "big name" protectors.

You can't hide the IP of a site since that is public information.

 

Hmmm, I saw a website: http://ddosattackprotection.org/blog/protection-from-ddos-attacks/

 

Where it said:

 

First, all you need to do is request a clean IP address from your ISP or hosting provider. Once it’s installed on your server, you would notify your DDoS protection provider and they will issue one of their IP addresses. Afterwards, your domain is pointed to the mitigation company’s IP and all traffic to your website is routed through “scrubbing” centers that block DDoS traffic from reaching your site, while at the same time allowing access to human visitors. Your server becomes hidden entirely and only communicates with the DDoS mitigation company, absolutely no one else. This prevents attackers from finding your IP and continuing the attack, giving you absolute protection from all types of DDoS attacks.


I wonder if it's that easy to really hide your IP..........

Our policy is to help the site as much as possible. For any host, if the account is on a shared or VPS server, the effect it has on the other accounts has to be considered. We would try null routing and any other thing that might help. We do have software in place to help fight such attacks but, as I mentioned previously, there isn't a method available to stop them completely if the person causing the attack is determined. I can say that we have experienced attacks before but never had to terminate an account. But what you went through may have been ten times worse than the ones we had so it isn't fair to your host to compare the two situations without knowing the details.

I know that sometimes when my host seems to be having problems and I am working on a site, after FTP uploading or page hits because I am checking / changing a site that I have made (testing), with so many checks from the same IP, I will suddenly be on the blacklist so I cannot access the site anymore. Now this does not seem to be happening in this case.

Why does this not work to include DOS attacks?

Now I do not know the ins and outs, but why can something like action_recorder not be changed to include a time out when the page hits go over 200 - 500 from the same IP, and the .htaccess allow the important bots?

Probably impossible, just annoyed that the spammers can have so much power.

Regards

Joli

Now I know I am seeing this too simply; it is just an interesting theme, so I like the info, as it can happen to all of us.


To improve is to change; to be perfect is to change often.
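Joli's idea above (block an address once its page hits pass a few hundred, while letting the important crawlers through) can be tried at the application layer. The following is an added example in Python, not code from osCommerce, action_recorder or anyone in the thread, of such a per-IP sliding-window limiter. It assumes a `limit`, `window` and `ban_for` that you pick, and an `allowlist` of crawler addresses you have verified out of band (by a forward-confirmed reverse DNS lookup, not by the User-Agent string, which any client can set). The constructed traffic replays the two situations in the thread: one noisy address, and a flood from 10,000 distinct addresses like the one greasemonkey described. The second case shows the limit of the approach: every address stays under the threshold, so nothing is banned, and the bandwidth was consumed before the web server ever ran this code, which is why the thread ends up at upstream filtering.

```python
import time
from collections import defaultdict, deque


class PerIpRateLimiter:
    """Sliding-window limiter: an address that sends more than `limit` requests
    within any `window` seconds is banned for `ban_for` seconds. Addresses in
    `allowlist` (crawlers verified out of band) are never limited."""

    def __init__(self, limit, window, ban_for, allowlist=()):
        self.limit = limit
        self.window = window
        self.ban_for = ban_for
        self.allowlist = set(allowlist)
        self._hits = defaultdict(deque)   # ip -> request timestamps inside the window
        self._banned_until = {}           # ip -> time at which the ban expires

    def check(self, ip, now=None):
        """Record one request and return 'allow', 'ban' (tripped just now) or 'blocked'."""
        now = time.time() if now is None else now
        if ip in self.allowlist:
            return "allow"
        until = self._banned_until.get(ip)
        if until is not None:
            if now < until:
                return "blocked"
            del self._banned_until[ip]      # ban expired, count afresh
            self._hits[ip].clear()
        q = self._hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                     # drop hits older than the window
        if len(q) > self.limit:
            self._banned_until[ip] = now + self.ban_for
            q.clear()
            return "ban"
        return "allow"

    def banned(self, now=None):
        """Addresses currently under a ban."""
        now = time.time() if now is None else now
        return sorted(ip for ip, until in self._banned_until.items() if now < until)


def replay(limiter, events):
    """Feed (timestamp, ip) pairs through the limiter and return decision counts."""
    counts = {"allow": 0, "ban": 0, "blocked": 0}
    for ts, ip in events:
        counts[limiter.check(ip, ts)] += 1
    return counts


# Constructed traffic starting at unix time 1_000_000.
# Scenario A: one noisy client fires 30 requests within ten seconds.
SINGLE_SOURCE = [(1_000_000 + i * 0.3, "198.51.100.7") for i in range(30)]
# Scenario B: 10,000 distinct private addresses, each sending only two
# requests inside the same ten seconds (the scale quoted in the thread).
DISTRIBUTED = [
    (1_000_000 + (i % 100) * 0.1, "10.%d.%d.%d" % (i >> 16 & 255, i >> 8 & 255, i & 255))
    for i in range(10_000) for _ in range(2)
]

if __name__ == "__main__":
    lim = PerIpRateLimiter(limit=20, window=10, ban_for=600)
    print("single source:", replay(lim, SINGLE_SOURCE), "banned:", lim.banned(1_000_010))
    lim = PerIpRateLimiter(limit=20, window=10, ban_for=600)
    print("distributed:", replay(lim, DISTRIBUTED), "banned:", len(lim.banned(1_000_010)))
```

In a real deployment the decision would be taken by a reverse proxy or a firewall in front of PHP rather than inside the shop, so that a banned client costs nothing more than a dropped packet; the per-address memory also needs a cap, since a deque per address is exactly what a flood of 10,000 addresses would grow.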

 

@@osc_ar When I said it can't be hidden, I meant a normal site. Going through a third party will hide it. I wasn't aware of the site you mention but it sounds similar to CloudFlare. Though they seem to focus more on attacks so maybe it is more powerful.
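Jack's point that a reverse proxy or scrubbing service hides the origin only holds if the origin refuses traffic that does not arrive through that service; otherwise anyone who still knows the old address goes straight around it, which is what osc_ar ran into. The following is an added example, not code from CloudFlare, Sucuri or any site in the thread, of the two checks a practitioner puts on the origin after the switch: a packet-filter allowlist built from the provider's published egress ranges, and a helper that trusts the `X-Forwarded-For` header only when the TCP peer is one of those ranges (once proxied, the raw access log otherwise shows the proxy's address rather than the visitor's). The ranges below are constructed documentation prefixes, the function and variable names are this example's own, and a real deployment fetches the provider's current list and, as osc_ar planned, moves to a fresh origin address at the same time.

```python
import ipaddress

# Constructed stand-in for a provider's published egress ranges. These are
# documentation prefixes, not any real provider's addresses.
PROXY_RANGES = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32")
]


def is_from_proxy(client_ip, ranges=PROXY_RANGES):
    """True if the connecting address belongs to one of the proxy ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ranges)


def origin_allowlist_rules(ranges=PROXY_RANGES, port=443):
    """Emit iptables/ip6tables lines that accept `port` only from the proxy ranges.

    Rule order matters: the per-range ACCEPT lines come first, then a DROP for
    everyone else, so a direct connection to the old address gets nothing."""
    rules = []
    for net in ranges:
        cmd = "ip6tables" if net.version == 6 else "iptables"
        rules.append(f"{cmd} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def real_client_ip(headers, peer_ip, ranges=PROXY_RANGES):
    """Recover the visitor's address behind the proxy.

    X-Forwarded-For is honoured only when the TCP peer is a known proxy;
    a direct client can set that header to anything, so it is ignored then.
    Only the first (leftmost) address is used, and it must parse as an IP."""
    if not is_from_proxy(peer_ip, ranges):
        return peer_ip
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return peer_ip


if __name__ == "__main__":
    for rule in origin_allowlist_rules(port=80) + origin_allowlist_rules(port=443):
        print(rule)
    print(real_client_ip({"X-Forwarded-For": "203.0.113.9"}, "192.0.2.8"))   # via proxy
    print(real_client_ip({"X-Forwarded-For": "203.0.113.9"}, "203.0.113.50"))  # direct, header ignored
```

The filter rules stop the origin from answering direct connections; they do not stop the packets from arriving, so a volumetric flood aimed at the old address still fills the link until the address is retired or the upstream drops it, which is the point the thread keeps returning to.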
