DSLReports under attack

Discussion in 'other software & services' started by spy1, Mar 19, 2008.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    http://www.dslreports.com/forum/security

    DDoS. Message that came up before I couldn't get to the site at all was that they were looking for help tracking/recording addresses of the botnet in question. Pete
     
  2. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Yes, the attack has been going for six hours now. Here's the front page message. I have removed the IP address as that is intended only for us members wanting to get to the site. I tried the IP address and was sent back to the front page message. Ping Plotter has been showing 100% packet loss on both nac.net's two hops and dslr's for the past six hours. When the site was first taken offline the message was simply that there was "something" that had to "be checked out offline" and then for several hours I would just get a 404 error. Only recently have I gotten the message below:

    Wed Mar 19 04:05:17 EDT 2008
    ============================

    Valued users:

    unfortunately we have a DDOS (distributed denial of
    service attack) currently aimed at our pages, rather
    than give you page timeouts and errors I've decided to
    show this page so I have some time to work around the
    problem (eta uncertain).

    Since we recognize you have a login cookie, you
    are reading a message pitched at existing users.
    Feel free to use a temporary alternate path:

    http://xxxxxxxxxxx/login

    (you will need to login)

    I am not sure if we will have to flip this around, so don't
    be surprised if it also stops working for a while and
    you have to return to www.dslreports.com for more info!

    If a forensic engineer with ISP NOC contacts would be
    interested in the partial list of client IPs that comprise
    this botnet, please check out:

    http://docs.google.com/Doc?id=dpbj3qz_10s6p5z4dn

    I looked up a few of the IPs on the google list and they are Comcast, Road Runner, Charter...all cable broadband. I'll report the RR ones to RRabuse.

    I looked up some more on that list and one is a googlebot.
     
    Last edited: Mar 19, 2008
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I reported the two AT&T ones I noticed.

    Is there a program anywhere that will automatically sort those listings out by provider? Pete
     
  4. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    It's back up and running quite well, all things considered. I guess the hammering is still going on but the dslreports folks appear to be mitigating things well.

    It's too bad the joker that did this can't be found and appropriately "handled"...
     
  5. La Luna

    La Luna Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    6
    Location:
    Hewitt, New Jersey
    Looks like it's down again. It just went totally dead for me.

    The temp login above now goes to a porn site.

    wow.
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Actually, it's working fine for me here. Up and very fast at the moment.

    If you are getting absolutely nothing but a blank page and browser loading image turning, then you could be on a broken or 'mitigated' network route, or coming in on an overloaded interface - one that the DDoS is hitting.
     
  7. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I can't get there. Nac.net is also out on Ping Plotter. I have not been able to get there since 10PM last night and it is now 12:35PM HST March 19.
     


  8. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Working here for me too...

    I ran PP at work and while dslreports was resolving, packet loss was one out of four or more much of the time...
     
  9. La Luna

    La Luna Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    6
    Location:
    Hewitt, New Jersey
    Where does that alternate temp link take you? I just tried it and was sent to a porn site. I think they've gotten to that too.

    Yes, I'm getting a blank page as you described. The site has been working fine for me since I first logged in around 10-10:30AM (after the first round). It just conked out totally, boom, right before I posted here.
     
  10. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I get "the Proxomitron cannot find the site. It must be down or no longer exists".
     
  11. La Luna

    La Luna Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    6
    Location:
    Hewitt, New Jersey
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\XXXXX>ping www.dslreports.com

    Pinging dslreports.com [209.123.109.175] with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 209.123.109.175:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\Documents and Settings\XXXXX>

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Preferred User>ping www.dslreports.com

    Pinging dslreports.com [209.123.109.175] with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 209.123.109.175:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\Documents and Settings\XXXX>tracert www.dslreports.com

    Tracing route to dslreports.com [209.123.109.175]
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms 192.168.100.2
    2 7 ms 7 ms 7 ms 10.63.64.1
    3 10 ms 9 ms 7 ms dstswr1-vlan-2.rh.wmfdnj.cv.net [67.83.252.33]
    4 * * * Request timed out.
    5 * * * Request timed out.
    6 * * * Request timed out.
    7 11 ms 15 ms 12 ms rtr4-tg11-1.in.nycmny83.cv.net [64.15.0.41]
    8 * * * Request timed out.
    9 13 ms 13 ms 11 ms 0.e1-3.tbr1.tl9.nac.net [209.123.10.73]
    10 13 ms 12 ms 12 ms 0.e1-4.tbr1.mmu.nac.net [209.123.10.101]
    11 14 ms 13 ms 13 ms 0.e-1-1.tbr1.oct.nac.net [209.123.10.17]
    12 13 ms 13 ms 123 ms 0.ge-1-2-0.gbr1.oct.nac.net [209.123.10.58]
    13 * * * Request timed out.
    14 * * * Request timed out.
    15 * * * Request timed out.
    16 * * * Request timed out.
    17 * * * Request timed out.
    18 * * * Request timed out.
    19 * * * Request timed out.
    20 * * * Request timed out.
    21 * * * Request timed out.
    22 * * * Request timed out.
    23 * * * Request timed out.
    24 * * * Request timed out.
    25 * * * Request timed out.
    26 * * * Request timed out.
    27 * * * Request timed out.
    28 * * * Request timed out.
    29 * * * Request timed out.
    30 * * * Request timed out.

    Trace complete.

    C:\Documents and Settings\XXXX>

    Hi Mele!! Fancy meeting you here! :D
     
    Last edited: Mar 19, 2008
  12. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    The alternate temp link early this morning let me login and then immediately flipped me back to the front page announcement. A few minutes ago, I refreshed that temp login and it said I was logged in already and did I want to logout but I could not get to the site only to that message that I was already logged in. Then right after that the Proxomitron began complaining that it could not find the site. Ping Plotter can't get to that temp address at all but it couldn't last night either. It is very strange routing to RCN corp in San Francisco as the last reachable hop and two hops below that with 100% packet loss.
     
  13. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii

    Aloha La Luna.... I felt right at home when I saw your post. ;)

    If you can't get there and you are right there in New York....well...I guess I couldn't begin to hope to get there all the way from Hawaii. I remember earlier DDoS attacks on the site....this one appears severe.
     
  14. La Luna

    La Luna Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    6
    Location:
    Hewitt, New Jersey
    Bugger! Someone give me a phone, who do we call about this? o_O

    Well, I'm here, so I guess I'll make myself at home and check the place out. Maybe I can be a pest here too. :)
     
  15. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    No problem from here accessing the website.
     
  16. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    There is a lot of activity at DSLR right now, so, it looks to me that most people are getting in just fine.

    My best guess is that those people who can not get in at all, who are probably seeing a timeout and/or totally blank browser screen, that it is possible that you are on a route that was mitigated by their efforts to stop the DDoS.

    Let's say there are a few thousand IP addresses from all kinds of ISPs around the world. When you fight a DDoS, the common thing is to start blocking the sources. Sometimes as simply as blocking IP addresses thought to be part of the attack, or, sometimes ranges or direct connections somewhere upstream from your webserver(s). It is possible that those affected are being blocked by the protective rules being put in place to block the botnet boxes. :doubt:
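
The over-blocking described in the post above, as an added example that is not part of the original thread: it turns a list of attack sources into per-address or per-range block rules and reports which legitimate clients the rules would also drop. The addresses, the /24 range size and the `min_hits` threshold are assumptions chosen for illustration (RFC 5737 documentation ranges, IPv4 only).

```python
import ipaddress
from collections import Counter

# Constructed sample data using RFC 5737 documentation ranges; not from the thread.
ATTACK_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.57", "192.0.2.200",
              "198.51.100.7", "203.0.113.5", "203.0.113.6"]
LEGIT_IPS = ["192.0.2.99", "198.51.100.8", "198.51.100.200", "203.0.113.77"]


def covering_net(ip, prefix_len):
    """Return the /prefix_len network that contains ip (IPv4 only here)."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def build_block_rules(attack_ips, prefix_len=24, min_hits=3):
    """Block a whole range once it holds min_hits attack sources,
    otherwise block only the individual addresses seen."""
    per_net = Counter(covering_net(ip, prefix_len) for ip in set(attack_ips))
    rules = set()
    for ip in set(attack_ips):
        net = covering_net(ip, prefix_len)
        rules.add(net if per_net[net] >= min_hits else covering_net(ip, 32))
    return sorted(rules)


def collateral(rules, legit_ips):
    """Legitimate clients that the rule set would drop along with the botnet."""
    return [ip for ip in legit_ips
            if any(ipaddress.ip_address(ip) in net for net in rules)]


if __name__ == "__main__":
    # Lower thresholds mean fewer, broader rules and more blocked bystanders.
    for min_hits in (1, 3, 100):
        rules = build_block_rules(ATTACK_IPS, min_hits=min_hits)
        print(f"min_hits={min_hits}: {len(rules)} rules,",
              "blocked legitimate clients:", collateral(rules, LEGIT_IPS))
```

Running the same check against a sample of known-good client addresses before pushing range blocks upstream shows how many ordinary users share a range with botnet hosts.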
     
  17. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    At the date and time of this posting the profiles of both Mele20 and La Luna indicate they are both logged in at DSLR
     
  18. La Luna

    La Luna Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    6
    Location:
    Hewitt, New Jersey
    Yep, I'm fixed and in.
     
  19. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I have been over there for the last 45 minutes in their Ham radio section. All was working fine. :thumb:
     
  20. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Sorry, I didn't come back sooner to report that I got in normally shortly after La Luna did and Ping Plotter cleared up with normal pings just before I was able to get in. I've been able to navigate the site normally now for about two and one-half hours.
     
  21. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    More info on the attack

    http://www.castlecops.com/t217741-dslreports_under_DDoS.html


    The primary 8 source countries by attack IP address were


    188 RUSSIA
    168 USA
    120 THAILAND
    79 INDIA
    38 UKRAINE
    37 BELARUS
    30 TAIWAN
    23 GERMANY
    http://www.dslreports.com/forum/r20194261-
    Botnet hosting for Comparison

    The aim of these charts is to provide a fingerprint of the botnets to detect relationships and non-relationships between one botnet and another.
    http://www.spamtrackers.eu/wiki/index.php?title=Botnet_hosting#Botnet_Geography_Charts
     


  22. Pentangle

    Pentangle Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    46
    DSLReports.com down?

    Does anyone know if dslreports is currently under DDoS attack again?
     
  23. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Re: DSLReports.com down?

    Working here.
     
  24. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,218
    Location:
    UK
    Re: DSLReports.com down?

    The site is currently down depending where you're based
     
  25. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,218
    Location:
    UK
    Re: DSLReports.com down?

    The site is now back up!
     