The latest war.

Discussion in 'other security issues & news' started by spy1, Feb 29, 2004.

Thread Status:
Not open for further replies.
  1. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Well, some people were quick to laugh at Steve Gibson's write-ups of the attacks on his site, but it's clear that it involves considerable work, expense and coordination with his ISP to mitigate the effects of such attacks.

    Even so that is not a solution, but goes to show if the average site owner is hit they need considerable expertise, resources and assistance to just mitigate against such attacks if they hope to stay on the net more often than not. If the attacks involve spoofed IP's it's that much more difficult.

    Paul has it right, I think, since likely this is no short term problem.
     
  2. little eagle

    little eagle Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    100
    Location:
    Texas
    :mad: Mike got taken down again. This is getting to be bull_ _ _!!!! Been reading the thread here. And I guess that you guys have decided to unite.... good, hope you get the bas..... Paul, hope you're ready, looks like you're going to get dragged into the fight. Again?
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Ahmad,

    We'll do all it'll take - and if that's not enough, we'll do more.

    We all have to unite - and that includes you/NI as well. Battle(s) lost - by no means the war has been lost!

    regards. paul
     
  4. Blacksheep

    Blacksheep Spyware Fighter

    Joined:
    Feb 9, 2002
    Posts:
    109
    Location:
    Missouri, USA
    Joseph V. Morris:

    We think Norton is responsible for assigning 127.0.0.1 to www.merijn.org

    I'll be back with more info and people.
     
  5. Galadriel

    Galadriel Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    34
    Joseph V. Morris said:

    The hosts issue is something that has no bearing in this at all.... and those sites were indeed being redirected to localhost at the time. I know, I tested it and wrote that writeup.... Coolwebsearch installed this hosts file with one of its variants, mainly the smartsearch one.
    Coolwebsearch have shown they will stop at nothing to take down the help sites, whether it is by redirecting people who need help to one of their domains or denying them access to these sites by sending them to 127.0.0.1. But that by no means makes them the only possible source of attack....

    Next issue, Norton and its firewall logs.......

    It seems the Norton Firewall is using the DNS cache to resolve the IPs in its log.... so "any" connection to local host is switched to merijn.org after a visit of the site.

    This was tested on a machine that had never been to merijn's before. Its firewall log had a lot of normal localhost traffic in it in the last days.... after trying to access merijn.org, "ALL" the local host connections in the log "changed" mysteriously to merijn.org. So those firewall logs are flawed in the fact that they show connections to the site even if they did not go to it.

    Regards,

    Gal
     
  6. RJ100

    RJ100 Registered Member

    Joined:
    May 22, 2003
    Posts:
    111
    Location:
    Alberta, Canada
    Hey Gal,

    Good to see you in this neck of the woods! :)
    Make sure to visit often.
    Allow me to buy you a cookie, and say Welcome!

    Take care
     
  7. Galadriel

    Galadriel Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    34
    Thanks for the welcome :)

    I'll try and do that. As long as it isn't a Keebler cookie, I'll take it... I get plenty of those from my relatives.... ;)

    You take care too!
     
  8. mjc1

    mjc1 Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    3
    No, not today, the reason SWI was down today was due to server relocation (yes, the host was actually unplugging and rearranging servers in the datacenter).
     
  9. little eagle

    little eagle Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    100
    Location:
    Texas
    Thought it was the nasties again. Couldn't get to dogreader. *puppy*
     
  10. Blacksheep

    Blacksheep Spyware Fighter

    Joined:
    Feb 9, 2002
    Posts:
    109
    Location:
    Missouri, USA
    The bad guys are gonna lose and my money bets it's CoolWebSearch.

    Net-Integration is down because Eagle1 lacks the funds to fight.
     
  11. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    If we can please stay on track here....

    Paul Wilders - Are you considering any plans to implement more secure log-ins (H.I.D.-wise) and registrations?

    Eagle1 - I've related your offer to share logs over to the SI site.

    Vorpal - Ditto (see above).

    All - Can anyone respond to my suggestion of whether having people d/l and run Jason Levine's IRCBot Detector 1.0 would be a better choice for anyone suspecting being "bot"ed than trying to explain to them how to read logs, what to submit, getting them to learn complicated programs/commands for checking, etc? A good "first check", at the very least?

    Joseph - I hope you're not telling me that this whole episode has been caused (innocently) by some kind of screwed up host re-direct, right? The attacks on SI started before any of that came into play, correct? Pete
     
  12. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Also, I'd like to know if anyone is actively pursuing/looking into the suggestion that was made regarding filtering out multiple, closely-spaced requests of any type right off-the-bat before they can even begin to bog down a server.

    If you can use "flood control" for stopping multiple posts at the forum level, why can't it be done at the server level for multiple, too-frequent requests?

    We've got an awful lot of good ideas floating around here, people - if we can keep up with and follow through on them all! Pete
     
  13. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Yes, please do that.. and I am sure they will also tell you the solution to keep those sites up... when that happens please post the instructions in one of your posts.

    Thanks.
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Sarcasm, John? Do you really think that's necessary here?

    Or was that just some kind of humor that's falling seriously short of the mark?

    But to seriously (if that's possible) respond to your "remark" - they should have the courtesy to respond to my letter to them, don't you think? Or, is that too much to ask of them?

    Is them getting involved and trying to help out the "little guys" beneath them? Not a matter of "national security" (even though those same bots could be turned against any site - including government ones?) and thus not "important" enough for them to look into?

    What, exactly, are you trying to say, John?
     
  15. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    It is tongue in cheek, since all of these webmasters know the problem has to do with the hardware they are leasing from their hosts. Some hardware can stand it and handle the problems.. some cannot. Most are running their operations on older hardware.. has to do with cost vs. functionality.


    Does not make a difference "who" is behind the rash of DDOS attacks or where they are coming from.. figure it to be the advertising guys who are now P.O.'d you are cutting into their free enterprise and they do not like it.

    Being a Director of Marketing at one point, I can tell you that nothing really happens in this world until "someone sells something to another person" - that is what makes the world go around.

    If a court case came up, odds are in favor of the sellers, not the stopper.

    I do not like the methods being practiced one bit.. just like you. But I think the approach is totally wrong.


    One solution is to buy your own server..but you have to shop right if you want a good one. Then you have to be located where you can get some big pipes.
     
  16. mjc1

    mjc1 Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    3
    That kind of filtering would be nice, except you will then block a huge number of legitimate users.

    Namely, anyone who happens to come here (or anywhere using such techniques) with an empty browser cache. Most browsers will cache all the components of a page on the first visit to that page, so for that initial connection a huge number (especially on pages with a lot of graphic elements, like the Post Reply page.... 42 individual images for the buttons and smileys.... 42 individual requests in a very short period of time; avatars add more....).

    Most users will not tolerate a delay such as the filtering would impose, and most forum users will not want to give up the graphics....

    While researching the attack at SWI I discovered that caching does account for a huge number of connections from a particular IP initially, but the number drops rapidly as a few pages are read. And on very graphics-laden pages this number can hit several hundred in a few seconds with someone who is on a fast broadband connection.
     
  17. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    So what would you think about loading all of those from yet another server independent of their forum server ?
     
  18. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    No, I'm not saying that.

    Galadriel is right. The weird events in the NIS/NPF Connection logs (as opposed to the firewall logs) are an anomaly resulting from the way NIS automatically resolves IP addresses into DNS addresses if the rDNS is present in the DNS cache.

    These are typically two paired events (one for Outbound Loopback and one for inbound loopback). The two events typically occur within the same second. Ignore these particular events; they are a distraction from the hunt.
     
  19. mjc1

    mjc1 Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    3
    That could be one possible solution, but then we are getting into the money question again....multiple servers are going to cost more.

    Also it adds another layer of complexity... something else to be broken/messed with.

    Filtering has a place, but a broad wide-brush application of it will not be THE answer...we need a little more surgical approach.
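An added example (not code from the thread or from SWI) of the trade-off mjc1 raises against spy1's flood-control idea: a per-IP sliding-window counter run over constructed access-log records, once counting every hit and once counting only dynamic page requests, so a cold-cache load of a 42-image page is not mistaken for a flood. The limit, window, paths and addresses are assumptions.

```python
from collections import defaultdict, deque

# Constructed access-log records as (client_ip, timestamp_seconds, path).
# Client A loads the Post Reply page with an empty cache: one page plus 42
# button/smiley images inside one second. Client B hits the dynamic index page
# 60 times in the same second.
SAMPLE = (
    [("10.0.0.5", 100.0, "/forum/reply.php")]
    + [("10.0.0.5", 100.0 + i * 0.02, f"/images/smiley{i}.gif") for i in range(42)]
    + [("10.0.0.9", 100.0 + i * 0.01, "/forum/index.php") for i in range(60)]
)

STATIC_SUFFIXES = (".gif", ".jpg", ".png", ".css", ".js")

def is_static(path):
    """Assumption: static assets are recognised by file extension."""
    return path.lower().endswith(STATIC_SUFFIXES)

def flagged_clients(records, limit, window, count_static=True):
    """Return the client IPs that exceed `limit` requests in any `window`-second span.
    count_static=True is the broad filter (every hit counts); False counts only
    dynamic page requests, the more surgical variant."""
    recent = defaultdict(deque)
    flagged = set()
    for ip, ts, path in sorted(records, key=lambda r: r[1]):
        if not count_static and is_static(path):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged

def compare(records, limit=30, window=2.0):
    """Run both variants so the false positive on the cold-cache client is visible."""
    return {
        "broad": flagged_clients(records, limit, window, count_static=True),
        "surgical": flagged_clients(records, limit, window, count_static=False),
    }

if __name__ == "__main__":
    print(compare(SAMPLE))
```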
     
  20. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Pete,

    No offense intended - but we are not going to discuss possible options that have/can be implemented in public; I do hope you see my point.

    Overall, I will repeat this: joining forces - and, coming with that, funds/budgets - seems like the way to go as far as I'm concerned. All non-profit site owners can do their utmost individually in order to put up defenses as best as possible - and fairly all of them will not be able to cope with attacks like these, simply because they run out of money in the end.

    United is quite a different story in my view: combined budgets will provide the means needed to build real strong defenses.

    I'm fully aware this would imply a totally different approach and individual site owners would change their view drastically. I'm not convinced this will happen soon. Nevertheless, fact remains: united we could be strong - individually we could be sitting ducks, targeted one by one.

    regards.

    paul
     
  21. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743

    Yup agree.. you have to either buy the hardware like this and do it yourself..

    Mazu Enforcer is a dedicated system that protects networks from distributed denial of service (DDoS) attacks and other bandwidth-based threats. It is optimized for perimeter deployment, but is flexible enough to be deployed at any critical point in the network.
    The Mazu Enforcer collects and analyzes statistics on network traffic distribution patterns and builds dynamic baselines of normal activity. It then "snapshots" current traffic and compares it in real time to the baseline to identify suspicious activity. Enforcer then surgically filters traffic to mitigate security threats.

    http://www.mazunetworks.com/solutions/

    Or you have to look at the farms that offer solutions for you.

    Web hosting sites
    http://uptime.netcraft.com/perf/reports/performance/Hosters?tn=february_2004

    and make sure they have the hardware you do want..

    Directory of Web Server Home Sites
    http://www.netcraft.com/Survey/servers.html

    The buzz words still are..

    "Load balancing, load sharing, and high-availability Web sites"

    Protecting Web Servers from Distributed Denial of Service Attacks
    http://www10.org/cdrom/papers/409/

    and I would certainly be looking at something other than Apache if at all possible.. but in most cases even after 1.3 they have problems, and they are most abundant.

    ;)

    Find something else besides Apache
    http://techrepublic.com.com/5100-6329-5058830-2.html
    http://techrepublic.com.com/5100-6329-5058830-1.html

    So I say thanks, Paul, for your consideration in having this thread.. but I certainly agree the nitty gritty is not for an open forum discussion.

    Good Luck,

    John
     
  22. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I hear what you're saying, Paul.

    The only point about that is a caution on how not to unite:

    If "joining forces" means everyone's going to be on the same server(s) (with maybe just a list of links to the different sites therein at the portal) - then it truly needs to be the best, most-well-maintained, totally up-to-date (patch-maintenance-hardware-wise) server set-up money can buy.

    Because if it's not, and it gets attacked and goes down - not just one site will be affected - they all will.

    That's all I'll have to say about that, since we all know that I know less-than-nothing about whatever it is I'm talking about! :D Pete
     
  23. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    John,

    For sure an option - but by no means a necessity.

    We do agree on that one ;)

    regards.

    paul
     
  24. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Pete,

    Money can buy all in this context - whatever the direction taken ;)

    regards.

    paul
     
  25. Eagle1

    Eagle1 Security Expert

    Joined:
    Feb 10, 2002
    Posts:
    206
    Location:
    Rio Rancho NM - Nevis, West Indies
    Well, I for one see benefits of a united effort. I've been pondering the concept since I first heard of it last night.

    I'm not sure I'm convinced it will work without more than a couple of committed website owners. But I think the concept has promise and think it's worth looking at more seriously.

    This attack has a couple of unique aspects to it, no doubt, but I certainly believe I wouldn't be down if I had a real robust server and the proper protection tools in place. But as Paul indicated, there is no way I can afford to spend the money necessary to obtain one.

    I believe this attack is probably just the tip of the iceberg. I think it's becoming clear not just script kiddies will stoop to this level from this day forward. And if these people, whoever they are, get away with this, who knows who'll consider doing something like this next, and then what... how far will it go.

    I think there is no doubt it's going to take a collaborative effort in order to survive.
     