Attack

Punishment DDOS attacks on online server

Submitted by AlReaud on Sat, 12/24/2011 - 08:16

NOTE: Updated 11/15/2016

Attacks had pretty much ceased on the testing server, but I must have pissed somebody off last night. WOOT!

The DDoS attacks started in the late evening, probably around 21:00, and ran until at least midnight; I can't tell exactly because I couldn't access the httpd logs at the time. The positive note is that this led me to ask GoDaddy where the httpd logs are kept (in FTP Manager), something I wasn't aware of. Bluehost allows access to the server logs, but Yahoo did not when I used them. It's a virtual machine, so the logs don't compromise any hosting provider's confidential data...

The offending IP addresses were:

  • 91.121.170.124 - FR, I know the botnet there, and they have been getting inverse “Pavlovian Dog” training. I am almost willing to bet the control node resides in this general IP area,

Sea Change in Attack Vectors

Submitted by AlReaud on Thu, 12/08/2011 - 12:29

NOTE: Updated 11/15/2016

There's been a sea change in the attack vectors coming into the testing server, and some interesting characters.

For approximately two weeks, we've been subject to "IP Agile" attacks. The term "IP Agile" is borrowed from a piece of high-end R&D lab equipment, a Fluke frequency-agile signal generator. The "IP Agile" attackers use numerous IP addresses that repeat only occasionally over a span of hours, so the per-IP counters in tools like fail2ban never reach their ban threshold. There also seems to be a specific cycle through countries: China, Brazil, Japan, the EU (UK or France), Taiwan, then repeating, though I don't yet have enough data to be sure.
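As an added illustration (not code from the original post) of why a per-IP threshold misses this pattern, the script below runs a fail2ban-style per-IP window and a per-/24 window spanning hours over constructed sshd failure lines; the RFC 5737 addresses, the threshold values and the /24 grouping are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style failures (RFC 5737 documentation addresses, not real hosts).
# Each source IP appears at most twice, hours apart, but five of the six share one /24.
SAMPLE_LOG = """\
Dec 07 18:02:11 host sshd[1201]: Failed password for root from 203.0.113.10 port 40122 ssh2
Dec 07 18:41:07 host sshd[1240]: Failed password for invalid user admin from 203.0.113.57 port 51002 ssh2
Dec 07 19:15:33 host sshd[1302]: Failed password for root from 203.0.113.88 port 42310 ssh2
Dec 07 19:58:49 host sshd[1377]: Failed password for invalid user test from 203.0.113.10 port 40999 ssh2
Dec 07 20:30:02 host sshd[1410]: Failed password for root from 203.0.113.201 port 38888 ssh2
Dec 07 21:12:45 host sshd[1466]: Failed password for invalid user oracle from 203.0.113.57 port 49001 ssh2
Dec 07 21:50:19 host sshd[1490]: Failed password for root from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for .* from (?P<ip>[\d.]+) port")

def parse_failures(text, year=2011):
    """Return sorted (timestamp, ip) pairs; syslog omits the year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["ip"]))
    return sorted(events)

def offenders(events, key, maxretry, findtime):
    """Keys (an IP, a /24, ...) that accumulate maxretry failures inside any findtime window."""
    buckets = defaultdict(list)
    for ts, ip in events:
        buckets[key(ip)].append(ts)          # timestamps stay sorted per bucket
    hits = set()
    for k, times in buckets.items():
        start = 0
        for end in range(len(times)):
            while times[start] < times[end] - findtime:   # slide window start forward
                start += 1
            if end - start + 1 >= maxretry:
                hits.add(k)
                break
    return hits

def per_ip(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Per-IP rule in the spirit of a default fail2ban sshd jail (values assumed here)."""
    return offenders(events, lambda ip: ip, maxretry, findtime)

def per_subnet(events, maxretry=5, findtime=timedelta(hours=6)):
    """Same threshold, but keyed on the /24 and stretched over hours to catch IP-agile sources."""
    return offenders(events, lambda ip: ".".join(ip.split(".")[:3]) + ".0/24", maxretry, findtime)
```

On the sample, `per_ip` bans nothing while `per_subnet` flags 203.0.113.0/24; widening the key and the window is the defender's counter to an attacker who rotates addresses.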

This set of attackers seems to be hitting mail servers and private branch exchange (PBX) servers mostly. Found a good example at a church in Lafayette, IN whose website had been infested. The trick was that you only saw the spam if you had JavaScript disabled. Called them up and spoke to a parishioner manning the phones, and followed