Noiembrie 2010 - Atacul se confirma , serverul ne este blocat pentru a proteja pe cei care il impart cu noi . In perioada urmatoare , site-ul a mers din ce in ce mai greu .
4 Martie 2011 - La doar 2-3 zile de la inregistrarea domeniului .net si imediat dupa ce am anuntat pe audiofil.ro noua adresa .Gentile cliente,
come indicatole telefonicametne le confermiamo che il forum del suo dominio (hifi-stereo.eu) era vittima di un attaco DDOS provocando sia una mancata visibilità del forum stesso (non era possibile accedere al forum del suo dominio tramite qualsiasi browser) che problemi al server che le gestisce lo spazio web.
Il dominio in questione, per preservare il corretto funzionamento del server, è stato pertanto bloccato (come le ho indicato telefonicamente) e le era stata inserita on line una pagina web con dicitura "Sito web in manutenzione": a seguito della sua richiesta questa dicitura è stata sostituita con la scritta in Inglese di "Site Web Under Construction".
As you noticed your site is being DDoS'd. It was being hit with several
hundred megabits of bandwidth (directed at TCP port 80). We do not
provide DDoS protection and the attacks to your site brought down the
entire server causing downtime for other customers
5 Martie 2011 - Lucrurile sunt mai complicate decat credeam . Atacul e la scara larga
In zilele ce au aurmat , au fost furnizate mai multe informatii si sfaturi ( mai mult nici nu prea ai ce sa faci )I don't think you quite get the nature of the attack. Several hundred IP addresses were spamming junk packets to port 80 (on TCP) to the IP that runs the apache daemon that runs your site. They were sending around 500-600 megabits worth of packets. Because the server is only on a 100mbit interface it completely took down the entire server (nobody being hosted off the server had working sites when the bandwidth-based attack happened).
It was being hit by soo many IPs it wasn't even feasible for me block at our border router (I gave up after blocking around 50 IP addresses and the server was still being taken off line). I had to actually null-route
the IP address which is shared with about 30-40 other domains/customers and assign a new IP address to the apache daemon which means all the customers that suffered about a 40 minute downtime from the DDoS attack would also have an additional 1-12 hour downtime until DNS propagates to the new IP address for the ones that were hosted on the same IP as you.
Even after completely blocking the IP 5+ hours later I am *still* seeing several hundred megabits of traffic hitting our border-router (where it stops). You can see the spike at a bit past 2 AM on just one of our 5
transit providers
http://xxxxxxxx/xxxxxxxx.png" onclick="window.open(this.href);return false;
Blocking these types of attacks at this level effectively requires special hardware designed to mitigate DDoS attacks which we do not have which is why we do not provide DDoS protection.
When one customer is causing downtime for hundreds of others we simply can't continue to host them when they are a target for DDoS attacks as we can't allow one customer to keep causing downtime for our many other customers. Even if the first attack is blocked it typically just escalates. If it was double the size it came it would have actually taken out an entire switch which means 2 racks worth of servers (over 10,000 customers) would have had an outage.
You can contact the FBI but a DDoS will likely not be high on their
priority list I am afraid. You can also do a whois on the various IP
addresses that are attacking you and send emails to the abuse contact
telling them that the IP is being envovled in the DDoS but with how many
I doubt you will get too far on this either.
DDoS attacks are tricky and unfortunately the best option is generally to
find a host that provide DDoS protection. The hardware used to protect
from a DDoS is usually very expensive which is why there aren't a lot of
hosts that provide this and most that do specialize in it.
For example one of the IPs I saw attacking your site was:
81.190.43.149
Chosing whois and putting that IP in shows the email address to contact
in this case:
abuse-mailbox: abuse.ip@multimedia.pl
Some specifics of the attack (so you can get good recommendations on who
could actually handle it) are:
500-1000 mbits @ 200,000+ packets/sec
All aimed at TCP/port 80.
Most of them were junk packets (not initiating a HTTP connection) and
others were actual HTTP requests (mixed in). Since we don't specialize in
protecting our customers from DDoS attacks I am afraid I can't help out
more.
That was one of the IP addresses that was not making HTTP requests but
was basically packet-flooding the server. The DDOs appeared to be a mix
of IPs just bombarding the server with packets and other ones that kept
targetting a specific file on your site. A few IPs I saw both from. If
you want I can give you a full list of all the IP addresses I blocked
before I succumbed to null-routing the IP. And sorry for the delayed
response. It looks like this went to our general queue instead of back to
me.
Cam asta ar fi distractia . Sper ca persoanele care inca mai cred ca e o inventia de-a mea sa-si fi schimbat parerile . Intre timp , cu ajutorul providerului Italian si cel din SUA s-a facut un raport online la FBI ( nu cred ca aia au timp de banalitati de-astea , dar nu ne-a costat nimic ) , s-a facut plangere in Italia la Polizia Postale, de-altfel plangere catre alte parti implicate.Here is the list of IP addresses that were hitting your site which I had
to block at our border router (blocking from our entire network) before I
finally just null-routed the destination IP and renumbered it:
109.100.207.191
109.157.101.130
109.182.94.171
109.33.146.122
109.58.207.191
112.202.71.127
113.161.196.143
122.150.210.90
158.195.209.169
178.37.18.90
188.123.241.31
188.134.33.148
188.214.36.166
188.2.160.216
188.240.4.228
188.26.215.163
190.160.205.12
192.168.3.12
195.210.252.250
212.233.148.222
212.233.158.23
212.233.184.144
212.233.223.177
212.25.57.99
212.75.20.73
213.167.5.184
213.204.26.106
217.18.242.42
217.9.234.250
222.123.118.210
46.102.57.25
46.147.151.238
46.73.121.32
60.49.67.112
61.228.59.113
62.176.77.206
77.111.149.179
77.36.81.34
77.71.22.145
77.71.31.242
77.71.31.55
77.78.144.24
77.78.149.33
77.78.158.58
77.81.40.207
77.85.229.113
78.130.252.101
78.83.103.188
79.113.97.145
79.114.13.46
79.116.239.9
81.190.43.149
82.131.218.187
82.156.204.223
82.79.68.170
82.99.172.70
83.111.126.202
83.206.143.249
83.222.182.41
83.244.234.66
84.2.141.85
84.224.162.169
84.252.53.91
84.41.41.112
85.10.74.75
85.11.164.32
85.121.181.77
85.187.34.28
85.217.221.206
85.224.176.140
86.100.83.52
86.101.215.240
86.105.88.231
86.120.31.185
86.126.114.87
87.120.65.167
87.121.67.10
87.229.80.66
87.247.68.112
87.254.166.101
88.87.28.101
89.212.159.190
89.215.35.70
89.215.4.15
89.215.6.32
89.215.98.52
89.39.245.101
89.46.150.116
89.47.207.39
90.224.148.19
90.230.147.55
91.113.85.144
91.86.3.186
92.114.125.130
92.249.247.218
92.81.162.76
93.115.57.29
93.123.61.181
93.92.254.53
94.112.16.225
94.190.193.178
94.190.193.201
94.240.184.167
94.29.138.140
95.107.246.214
95.166.54.60
95.168.36.104
95.234.15.211
99.176.4.236
99.235.169.207
Este posibil ca toate acestea sa nu foloseasca la nimic , ba chiar din momentul in care am terminat de scris treburile astea sa mai primim o demonstratie de forta .
Solo