DSLReports under attack

http://www.dslreports.com/forum/security

DDoS. Message that came up before I couldn't get to the site at all was that they were looking for help tracking/recording addresses of the botnet in question. Pete

 

Yes, the attack has being going for six hours now. Here's the front page message. I have removed the IP address as that is intended only for us members wanting to get to the site. I tried the IP address and was sent back to the front page message. Ping Plotter has been showing 100% packet loss on both nac.net's two hops and dslr's for the past six hours. When the site was first taken offline the message was simply that there was "something" that had to "be checked out offline" and then for several hours I would just get 404 error. Only recently have I gotten the message below:

Wed Mar 19 04:05:17 EDT 2008
============================

Valued users:

unfortunately we have a DDOS (distributed denial of
service attack) currently aimed at our pages, rather
than give you page timeouts and errors I've decided to
show this page so I have some time to work around the
problem (eta uncertain).

Since we recognize you have a login cookie, you
are reading a message pitched at existing users.
Feel free to use a temporary alternate path:

http://xxxxxxxxxxx/login

(you will need to login)

I am not sure if we will have to flip this around, so don't
be surprised if it also stops working for a while and
you have to return to www.dslreports.com for more info!

If a forensic engineer with ISP NOC contacts would be
interested in the partial list of client IPs that comprise
this botnet, please check out:

http://docs.google.com/Doc?id=dpbj3qz_10s6p5z4dn

I looked up a few of the IPs on the google list and they are Comcast, Road Runner, Charter...all cable broadband. I'll report the RR ones to RRabuse.

I looked up some more on that list and one is a googlebot.

 

I reported the two AT&T ones I noticed.

Is there a program anywhere that will automatically sort those listings out by provider? Pete

 

It's back up and running quite well, all things considered. I guess the hammering is still going on but the dslreports folks appear to mitigating things well.

It's too bad the joker that did this can't be found and appropriately "handled"...

 

Looks like it's down again. It just went totally dead for me.

The temp login above now goes to a porn site.

wow.

 

I can't get there. Nac.net is also out on Ping Plotter. I have not been able to get there since 10PM last night and it is now 12:35PM HST March 19.

 

Working here for me too...

I ran PP at work and while dslreports was resolving, packet loss was one out of four or more much of the time...

 

Where does that alternate temp link take you? I just tried it and was sent to a porn site. I think they've gotten to that too.

Yes, I'm getting a blank page as you described. The site has been working fine for me since I first logged in around 10-10:30AM (after the first round). It just conked out totally, boom, right before I posted here.

 

I get "the Proxomitron cannot find the site. It must be down or no longer exists".

 

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XXXXX>ping www.dslreports.com

Pinging dslreports.com [209.123.109.175] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 209.123.109.175:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\XXXXX>

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Preferred User>ping www.dslreports.com

Pinging dslreports.com [209.123.109.175] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 209.123.109.175:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\XXXX>tracert www.dslreports.com

Tracing route to dslreports.com [209.123.109.175]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.100.2
2 7 ms 7 ms 7 ms 10.63.64.1
3 10 ms 9 ms 7 ms dstswr1-vlan-2.rh.wmfdnj.cv.net [67.83.252.33]
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 11 ms 15 ms 12 ms rtr4-tg11-1.in.nycmny83.cv.net [64.15.0.41]
8 * * * Request timed out.
9 13 ms 13 ms 11 ms 0.e1-3.tbr1.tl9.nac.net [209.123.10.73]
10 13 ms 12 ms 12 ms 0.e1-4.tbr1.mmu.nac.net [209.123.10.101]
11 14 ms 13 ms 13 ms 0.e-1-1.tbr1.oct.nac.net [209.123.10.17]
12 13 ms 13 ms 123 ms 0.ge-1-2-0.gbr1.oct.nac.net [209.123.10.58]
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.

C:\Documents and Settings\XXXX>

Hi Mele!! Fancy meeting you here!

 

The alternate temp link early this morning let me login and then immediately flipped me back to the front page announcement. A few minutes ago, I refreshed that temp login and it said I was logged in already and did I want to logout but I could not get to the site only to that message that I was already logged in. Then right after that the Proxomtron began complaining that it could not find the site. Ping Plotter can't get to that temp address at all but it couldn't last night either. It is very strange routing to RCN corp in San Francisco as the last reachable hop and two hops below that with 100% packet loss.

 

Aloha La Luna.... I felt right at home when I saw your post.

If you can't get there and you are right there in New York....well...I guess I couldn't begin to hope to get there all the way from Hawaii. I remember earlier DDoS attacks on the site....this one appears severe.

 

Bugger! Someone give me a phone, who do we call about this?

Well, I'm here, so I guess I'll make myself at home and check the place out. Maybe I can be a pest here too.

 

No problem from here accessing the website.

 

At the date and time of this posting the profiles of both Mele20 and Lu Luna indicate they are both loggged in at DSLR

 

Yep, I'm fixed and in.

 

I have been over there for the last 45 minutes in their Ham radio section. All was working fine.

 

Sorry, I didn't come back sooner to report that I got in normally shortly after La Luna did and Ping Plotter cleared up with normal pings just before I was able to get in. I've been able to navigate the site normally now for about two and one-half hours.

 

More info on the attack

http://www.castlecops.com/t217741-dslreports_under_DDoS.html


The primary 8 source countries by attack IP address were


188 RUSSIA
168 USA
120 THAILAND
79 INDIA
38 UKRAINE
37 BELARUS
30 TAIWAN
23 GERMANY
http://www.dslreports.com/forum/r20194261-
Botnet hosting for Comparison

The aim of these charts is to provide a fingerprint of the botnets to detect relationships and non-relationships between one botnet and another.
http://www.spamtrackers.eu/wiki/index.php?title=Botnet_hosting#Botnet_Geography_Charts

 

DSLReports.com down?

Does anyone know if dslreports is currently under DDoS attack again?

 

Re: DSLReports.com down?

Working here.