Gentoo Forums
About Those Occasional FGO DOS Attacks

wswartzendruber
Veteran

Joined: 23 Mar 2004
Posts: 1261
Location: Idaho, USA

Posted: Sun Aug 29, 2010 3:49 am    Post subject: About Those Occasional FGO DOS Attacks

Backstory

There's a group in the U.K. called Brandwatch that has the worst spider bot ever. It has been reported to send 178 simultaneous HTTP requests to a single host. This bot occasionally brings down FGO for periods of about five minutes.

Just Now

I took a visit to #gentoo-forums and asked desultory what was up. He told me about the spider, and about why hard-dropping their IP range in iptables may be a bad idea: They'll just flood us. I did some digging and found a post where someone reported the iptables trick to work.

So now he says it looks promising. :D

Now of course, I don't care about the rest of the forums, I just need constant 24/7 access to OTW! :lol:

Bones McCracker
Veteran

Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Sun Aug 29, 2010 4:40 am    Post subject: Re: About Those Occasional FGO DOS Attacks

wswartzendruber wrote:
Backstory

There's a group in the U.K. called Brandwatch that has the worst spider bot ever. It has been reported to send 178 simultaneous HTTP requests to a single host. This bot occasionally brings down FGO for periods of about five minutes.

Just Now

I took a visit to #gentoo-forums and asked desultory what was up. He told me about the spider, and about why hard-dropping their IP range in iptables may be a bad idea: They'll just flood us. I did some digging and found a post where someone reported the iptables trick to work.

So now he says it looks promising. :D

Now of course, I don't care about the rest of the forums, I just need constant 24/7 access to OTW! :lol:


Wow. And to think that all this time I've been blaming ichbinsysphos or Naib for that, and was thinking I was the only one. :P

If this works, you should get like a little Gentoo Commendation Medal to put below your avatar.

notageek
Tux's lil' helper

Joined: 05 Jun 2008
Posts: 135
Location: India

Posted: Sun Aug 29, 2010 5:09 am

Fans of Obama in UK, what a surprise. :roll:
_________________
"Defeat is a state of mind. No one is ever defeated, until defeat has been accepted as a reality." -- Bruce Lee

Bones McCracker
Veteran

Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Sun Aug 29, 2010 5:49 am

notageek wrote:
Fans of Obama in UK, what a surprise. :roll:

:lol:

ichbinsisyphos
Guru

Joined: 08 Dec 2006
Posts: 547

Posted: Sun Sep 05, 2010 7:54 pm    Post subject: FGO server problem?

Several times every day, the forum is not reachable for me. For a couple of minutes each time. Does this happen to anybody else or is it a problem with my provider?

Muso
Veteran

Joined: 22 Oct 2002
Posts: 1052
Location: The Holy city of Honolulu

Posted: Sun Sep 05, 2010 7:55 pm    Post subject: Re: FGO server problem?

ichbinsisyphos wrote:
Several times every day, the forum is not reachable for me. For a couple of minutes each time. Does this happen to anybody else or is it a problem with my provider?


http://www.downornot.com/

Use that to check when you have issues. It's been down for me (and according to http://www.downornot.com/ everyone else too) on occasion... including about 2 minutes ago.
_________________
"You can lead a horticulture but you can't make her think" ~ Dorothy Parker
2021 is the year of the Linux Desktop!

ichbinsisyphos
Guru

Joined: 08 Dec 2006
Posts: 547

Posted: Sun Sep 05, 2010 8:02 pm    Post subject: Re: FGO server problem?

The Earth wrote:
... including about 2 minutes ago.
ok, seems to be a common problem then.

Muso
Veteran

Joined: 22 Oct 2002
Posts: 1052
Location: The Holy city of Honolulu

Posted: Sun Sep 05, 2010 8:13 pm    Post subject: Re: FGO server problem?

ichbinsisyphos wrote:
The Earth wrote:
... including about 2 minutes ago.
ok, seems to be a common problem then.


It seems to come in waves. A month of no problems, and then off and on for a few days.
_________________
"You can lead a horticulture but you can't make her think" ~ Dorothy Parker
2021 is the year of the Linux Desktop!

speeddemon
Apprentice

Joined: 27 Sep 2003
Posts: 162

Posted: Sun Sep 05, 2010 10:18 pm

Happens to me every so often too, I just dismissed it since nobody else had ever mentioned it. It will be unreachable for several minutes, then it's fine.
_________________
Cats are deadly animals. If you stick your nose up their crotch and snort their piss, THEY CAN KILL YOU!!!

marens
Apprentice

Joined: 05 Aug 2004
Posts: 173

Posted: Sun Sep 05, 2010 10:39 pm

didn't wswartzendruber mention some evil crawler that "attacks" the forum?

edit:

RELEASE DEN KRAKEN :lol:
_________________
If English was good enough for Jesus, then it's good enough for you!

skellr
l33t

Joined: 18 Jun 2005
Posts: 975
Location: The Village, Portmeirion

Posted: Sun Sep 05, 2010 11:41 pm

There is enough iptables kung fu around here...

wswartzendruber
Veteran

Joined: 23 Mar 2004
Posts: 1261
Location: Idaho, USA

Posted: Sun Sep 05, 2010 11:58 pm

This has been going on for a while.

EDIT: Click me.

ichbinsisyphos
Guru

Joined: 08 Dec 2006
Posts: 547

Posted: Mon Sep 06, 2010 12:14 am

Y?

It doesn't look like the group has any harmful intentions. Why would they send so many requests that the server temporarily craps out?

skellr
l33t

Joined: 18 Jun 2005
Posts: 975
Location: The Village, Portmeirion

Posted: Mon Sep 06, 2010 12:42 am

wswartzendruber wrote:
This has been going on for a while.

EDIT: Click me.


What can you expect from something in a gutter.

Bones McCracker
Veteran

Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Mon Sep 06, 2010 1:11 am

marens wrote:
didn't wswartzendruber mention some evil crawler that "attacks" the forum?

edit:

RELEASE DEN KRAKEN :lol:

:lol:

It may be fairly trivial to blacklist the bot if it is using identifiable useragent(s), which many do.

Here's a good little how-to-ish article about doing that:
http://perishablepress.com/press/2009/03/29/4g-ultimate-user-agent-blacklist/

wswartzendruber
Veteran

Joined: 23 Mar 2004
Posts: 1261
Location: Idaho, USA

Posted: Mon Sep 06, 2010 2:45 am

desultory has just confirmed that he is adding their known IPs to a block list.

Bones McCracker
Veteran

Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Mon Sep 06, 2010 3:12 am

wswartzendruber wrote:
desultory has just confirmed that he is adding their known IPs to a block list.

Maybe you could check to see if the user agent blacklisting (as mentioned in the link above) would work. It might be more thorough and more efficient.

wswartzendruber
Veteran

Joined: 23 Mar 2004
Posts: 1261
Location: Idaho, USA

Posted: Mon Sep 06, 2010 3:18 am

BoneKracker wrote:
wswartzendruber wrote:
desultory has just confirmed that he is adding their known IPs to a block list.

Maybe you could check to see if the user agent blacklisting (as mentioned in the link above) would work. It might be more thorough and more efficient.

Besides the lower overhead of just dropping all packets from a certain address, he seems to have a "Fuck the mother fuckers!" mentality.

EDIT: They're the only ones doing this.

Bones McCracker
Veteran

Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Mon Sep 06, 2010 3:25 am

wswartzendruber wrote:
BoneKracker wrote:
wswartzendruber wrote:
desultory has just confirmed that he is adding their known IPs to a block list.

Maybe you could check to see if the user agent blacklisting (as mentioned in the link above) would work. It might be more thorough and more efficient.

Besides the lower overhead of just dropping all packets from a certain address, he seems to have a "Fuck the mother fuckers!" mentality.

EDIT: They're the only ones doing this.

If it's just a bot coming from a limited number of addresses, and the addresses don't change, then I would agree.

If it's coming from a botnet, on the other hand, then it's likely the addresses will not remain constant, and dynamically blacklisting them will probably ultimately create a massive blacklist. Based on what you're saying, I'll assume this is not the case.
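
An added example (not from any poster in this thread) of the check behind the choice discussed above: it reads combined-format access-log lines, measures each user agent's peak requests per second and the number of /24 source networks it arrives from, and reports whether a static address block list is practical or a user-agent match fits better. The log lines, the `ExampleSpider/1.0` agent string, the documentation-range addresses and both thresholds are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Combined log format: addr ident user [time] "request" status size "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def summarize(lines):
    """Per user agent: request count, peak hits in one second, source /24 networks."""
    per_second = defaultdict(Counter)  # agent -> {timestamp: hits}
    networks = defaultdict(set)        # agent -> {"a.b.c.0/24", ...}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                   # malformed line
        addr, stamp, agent = m.groups()
        try:
            net = ipaddress.ip_network(f"{addr}/24", strict=False)
        except ValueError:
            continue                   # logged hostname instead of an address
        per_second[agent][stamp] += 1
        networks[agent].add(str(net))
    return {agent: {"requests": sum(hits.values()),
                    "peak_per_second": max(hits.values()),
                    "networks": sorted(networks[agent])}
            for agent, hits in per_second.items()}

def advise(stats, burst=20, max_networks=4):
    """Thresholds are assumptions; tune them to the site's normal traffic."""
    advice = {}
    for agent, s in stats.items():
        if s["peak_per_second"] < burst:
            continue                   # ordinary client
        few = len(s["networks"]) <= max_networks
        advice[agent] = "static address block list" if few else "user-agent match (403)"
    return advice

def sample_log():
    """Constructed data: a crawler bursting from two /24s, plus one ordinary browser."""
    fmt = '{} - - [05/Sep/2010:19:54:{:02d} +0000] "GET / HTTP/1.1" 200 512 "-" "{}"'
    lines = [fmt.format(f"192.0.2.{i % 8 + 1}", 0, "ExampleSpider/1.0") for i in range(100)]
    lines += [fmt.format(f"198.51.100.{i % 8 + 1}", 0, "ExampleSpider/1.0") for i in range(78)]
    lines += [fmt.format("203.0.113.9", sec, "Mozilla/5.0") for sec in range(5)]
    return lines

if __name__ == "__main__":
    for agent, verdict in advise(summarize(sample_log())).items():
        print(f"{agent}: {verdict}")
```

Requests sharing one log timestamp stand in for simultaneous connections here, since the combined format records no request duration.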

wswartzendruber
Veteran

Joined: 23 Mar 2004
Posts: 1261
Location: Idaho, USA

Posted: Mon Sep 06, 2010 3:42 am

BoneKracker wrote:
wswartzendruber wrote:
BoneKracker wrote:
wswartzendruber wrote:
desultory has just confirmed that he is adding their known IPs to a block list.

Maybe you could check to see if the user agent blacklisting (as mentioned in the link above) would work. It might be more thorough and more efficient.

Besides the lower overhead of just dropping all packets from a certain address, he seems to have a "Fuck the mother fuckers!" mentality.

EDIT: They're the only ones doing this.

If it's just a bot coming from a limited number of addresses, and the addresses don't change, then I would agree.

If it's coming from a botnet, on the other hand, then it's likely the addresses will not remain constant, and dynamically blacklisting them will probably ultimately create a massive blacklist. Based on what you're saying, I'll assume this is not the case.

No, desultory has a relatively static set of addresses he's blocking.

wswartzendruber
Veteran

Joined: 23 Mar 2004
Posts: 1261
Location: Idaho, USA

Posted: Mon Sep 06, 2010 5:43 am

Quote:
<wswartz> BoneKracker's suggesting a user-agent based approach.
<desultory> we already have their ua on a steady diet of 403s.
<desultory> they're getting one last day (slight tweak being made) and if tthey still keep coming, it's iptable drop time.
<desultory> /tthey/they/

Bones McCracker
Veteran

Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Mon Sep 06, 2010 6:30 am

wswartzendruber wrote:
Quote:
<wswartz> BoneKracker's suggesting a user-agent based approach.
<desultory> we already have their ua on a steady diet of 403s.
<desultory> they're getting one last day (slight tweak being made) and if tthey still keep coming, it's iptable drop time.
<desultory> /tthey/they/


Good. Thanks.

tomk
Bodhisattva

Joined: 23 Sep 2003
Posts: 7221
Location: Sat in front of my computer

Posted: Mon Sep 06, 2010 9:16 am

Moved from Off the Wall to Gentoo Forums Feedback and merged from here.
_________________
Search | Read | Answer | Report | Strip

wswartzendruber
Veteran

Joined: 23 Mar 2004
Posts: 1261
Location: Idaho, USA

Posted: Mon Sep 06, 2010 4:37 pm

tomk wrote:
Moved from Off the Wall to Gentoo Forums Feedback and merged from here.

Woohoo! postcount++; :D

Anyway, it looks like seeing FGO lock up one more time means they get IP banned. I should keep a steady stream of pings leaving just to be sure, and because I have nothing better to do today (besides discrete mathematics homework).

Bones McCracker
Veteran

Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Tue Sep 07, 2010 3:12 am

Seems to be working so far. I haven't seen that behavior lately.