• Blocking a phpBB page request DDoS?
    8 replies, posted
[url]http://stonedpotatoes.com[/url] Originally, the spam guests had no user agent. So we simply nullrouted anything without a useragent. The attacker's now added a (legit looking) user agent, so I need a new method to mitigate the attack. Is there anything that I can do?
[code]In total there are 370 users online :: 8 registered, 0 hidden and 362 guests (based on users active over the past 15 minutes)
Most users ever online was 701 on 23 Apr 2011 19:59[/code]
[code]USERNAME                        FORUM LOCATION   LAST UPDATED
Guest  IP: 69.254.36.175  » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 71.236.32.222  » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 98.202.199.147 » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 24.9.242.84    » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 67.11.92.152   » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 173.217.163.38 » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 76.31.134.81   » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 76.120.207.180 » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 69.127.53.245  » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 98.220.17.63   » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 24.98.80.31    » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 65.29.97.126   » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 71.63.76.106   » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53
Guest  IP: 74.138.116.207 » Whois  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6  Index page  24 Apr 2011 12:53[/code]
Is it a Linux server or Windows? If you have direct access to the box, there are numerous ways to block IPs from connecting to the server if it's a Linux server.
[QUOTE=bohb;29398124]Is it a Linux server or Windows? If you have direct access to the box, there are numerous ways to block IPs from connecting to the server if it's a Linux server.[/QUOTE] Linux. I don't have root access (or FTP for that matter), but I'll pester nick.
Then all you have to do is add the offending IPs to /etc/hosts.deny. An example entry would be:
[code]ALL:192.168.0.1[/code]
You can also ban entire ranges like:
[code]ALL:67.0.0.0/24[/code]
If you have external SSH access, you can install denyhosts or fail2ban to automatically ban people that try and brute force the SSH login.
There are 700 different IPs. [editline]24th April 2011[/editline] The attack's stopped for now anyway.
Damn... who did you piss off that has 700 different IP's to throw at you?
[QUOTE=mr.wolf;29420800]Damn... who did you piss off that has 700 different IP's to throw at you?[/QUOTE] Probably someone I caught cheating. I'm used to getting hit by devnull, but this is something completely different. [editline]25th April 2011[/editline] Best part is the skids using devnull don't know how to use their tools effectively. However, this attacker has changed their method of attack each time I block it. [editline]25th April 2011[/editline] On another note, they've now added a randomised legit-looking useragent. I'm waiting for nick to come online so I can get FTP or SSH access.
Seems like the skids are just using a bunch of zombies. If they're butthurt about being banned, they usually grow bored of such attacks after a while and move onto something else. You could try and reverse hack the zombies by scanning for vulnerabilities and taking over the machine in question. Skids are usually pretty dumb about security once they compromise a machine and leave unpassworded stuff open, or use retarded passwords like penis, dicks, vaginas, etc. (keep in mind that they're 12 year olds who probably won't get laid, ever.) Assuming you gain control of one of the machines (you have 700 to pick from, one of them is bound to have a blatantly obvious security hole) all you'd have to do is run a packet sniffer and scan for incoming traffic while the machine was idle, and you should find the skid's IP, or their "private" IRC channel. I've reverse-hacked several skids and blatant idiots trying to either DDoS my network or run scanners to find vulnerabilities, and they're all idiots. One of them even had an unpassworded VNC server running with full admin credentials (needless to say, his system ceased functioning a few minutes after I found it.) You can also report them to the abuse department at their ISP with the logs and evidence and they'll usually be banned from the ISP for life for such abuse.
Downloading nmap to have a quick scan through a few zombies. I've also added a php script to autoban clients spamming page requests. [editline].[/editline] Found an online zombie. [img]http://gyazo.com/4f340fcbe9de3e86b99622fe935cd463.png[/img] Nothing too obvious. What I did find interesting was the tracert.
[code] 3  104.00 ms  host-78-151-225-135.static.as13285.net (78.151.225.135)
 4   44.00 ms  host-78-151-225-134.static.as13285.net (78.151.225.134)
 5   54.00 ms  xe-11-1-0-rt001.the.as13285.net (62.24.240.6)
 6   55.00 ms  xe-11-1-0-rt001.sov.as13285.net (62.24.240.14)
 7   52.00 ms  abovenet.killercreation.co.uk (79.141.38.133)
 8   51.00 ms  ge-5-1-0.mpr1.lhr3.uk.above.net (64.125.28.94)
 9  128.00 ms  xe-4-3-0.cr2.dca2.us.above.net (64.125.24.41)
10  131.00 ms  xe-1-3-0.cr1.dca2.us.above.net (64.125.29.21)
11  140.00 ms  xe-1-1-0.er2.iad10.us.above.net (64.125.26.242)
12  ...
13  130.00 ms  ae15.clevoh1-rtr0.mwrtn.rr.com (66.109.6.71)
14  144.00 ms  pos3-0.lvnami1-rtr1.twmi.rr.com (65.25.137.150)
15  130.00 ms  ae15.clevoh1-rtr0.mwrtn.rr.com (66.109.6.71)
16  138.00 ms  72-31-204-138.net.bhntampa.com (72.31.204.138)
17  151.00 ms  png01-det-twc.mon.atdn.net (24.169.224.126)
18  138.00 ms  72-31-204-151.net.bhntampa.com (72.31.204.151)
19  142.00 ms  cpe-65-29-97-126.mi.res.rr.com (65.29.97.126)[/code]
That's a hell of a lot of what seems like private dedis (Killercreation etc). Bit odd. [editline].[/editline] Doing a UDP scan too. [img]http://gyazo.com/4b84edabf611cd34489605fe8767c984.png[/img] Nothing too obvious.
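The two mitigations discussed in this thread, hosts.deny entries per offending IP and an auto-ban script for clients spamming page requests, can be combined into one rate-based check. The block below is an added example, not code from the thread, from the poster's PHP script or from phpBB. It reads web-server access log lines in the common "combined" format, counts requests per source IP over a sliding window, and flags any IP that exceeds a threshold. It keys on the IP and the request rate only, so the attacker's move to a legit-looking or randomised User-Agent does not help them. The sample log lines, the documentation-range IPs, the threshold of 10 hits per 60 seconds and the function names are all constructed for the example.

```python
"""Rate-based auto-ban for page-request floods (added example, not thread code).

Keys on per-IP request rate in a sliding window, so a spoofed or rotating
User-Agent does not matter. Log lines are Apache/nginx "combined" format; the
sample below is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx combined log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return (ip, timestamp, request, user_agent) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), m.group("ua")


def find_flooders(lines, max_hits=10, window_s=60, allowlist=()):
    """Return sorted IPs that made more than max_hits requests within any window_s seconds.

    Per-IP timestamps are kept in a deque; entries older than the window are
    dropped from the front before the count is checked. The allowlist is for
    your own monitoring hosts or proxies so they are never banned.
    """
    recent = defaultdict(deque)
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash mid-attack
        ip, ts, _req, _ua = parsed
        if ip in allowlist or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_hits:
            banned.add(ip)
    return sorted(banned)


def hosts_deny_entries(ips, service="ALL"):
    """Format banned IPs as /etc/hosts.deny lines, e.g. 'ALL: 203.0.113.7'."""
    return "".join(f"{service}: {ip}\n" for ip in ips)


def iptables_rules(ips):
    """Format banned IPs as iptables DROP commands for services not covered by tcp_wrappers."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def _sample_log():
    """Constructed sample: one flooder rotating User-Agents, one normal visitor."""
    uas = [
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
        "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/90.0 Safari/537.36",
        "Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
    ]
    lines = []
    for i in range(15):  # 15 hits on the index page in 30 seconds from 203.0.113.7
        lines.append(
            f'203.0.113.7 - - [24/Apr/2011:12:53:{i * 2:02d} +0000] '
            f'"GET /index.php HTTP/1.1" 200 5120 "-" "{uas[i % 3]}"'
        )
    for i in range(3):  # a normal visitor from 192.0.2.10
        lines.append(
            f'192.0.2.10 - - [24/Apr/2011:12:53:{i * 10:02d} +0000] '
            f'"GET /viewforum.php?f=2 HTTP/1.1" 200 8000 "-" "{uas[1]}"'
        )
    return lines


if __name__ == "__main__":
    flooders = find_flooders(_sample_log())
    print(hosts_deny_entries(flooders), end="")
    print("\n".join(iptables_rules(flooders)))
```

One caveat on the hosts.deny advice earlier in the thread: tcp_wrappers only affects services built against libwrap (historically sshd and inetd-spawned daemons), not Apache, so for a web flood the same IP list needs to go into a firewall rule, which is why the block also emits iptables commands. Run it on a live server from a cron job or a log tail and you will want to expire bans after some hours as well, since the 700 source addresses are residential zombies that will be reassigned to innocent users.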