wswartzendruber Veteran
Joined: 23 Mar 2004 Posts: 1261 Location: Idaho, USA
|
Posted: Sun Aug 29, 2010 3:49 am Post subject: About Those Occasional FGO DOS Attacks |
|
|
Backstory
There's a group in the U.K. called Brandwatch that has the worst spider bot ever. It has been reported to send 178 simultaneous HTTP requests to a single host. This bot occasionally brings down FGO for periods of about five minutes.
Just Now
I took a visit to #gentoo-forums and asked desultory what was up. He told me about the spider, and about why hard-dropping their IP range in iptables may be a bad idea: They'll just flood us. I did some digging and found a post where someone reported the iptables trick to work.
So now he says it looks promising.
Now of course, I don't care about the rest of the forums, I just need constant 24/7 access to OTW! |
|
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
|
Posted: Sun Aug 29, 2010 4:40 am Post subject: Re: About Those Occasional FGO DOS Attacks |
|
|
wswartzendruber wrote: | Backstory
There's a group in the U.K. called Brandwatch that has the worst spider bot ever. It has been reported to send 178 simultaneous HTTP requests to a single host. This bot occasionally brings down FGO for periods of about five minutes.
Just Now
I took a visit to #gentoo-forums and asked desultory what was up. He told me about the spider, and about why hard-dropping their IP range in iptables may be a bad idea: They'll just flood us. I did some digging and found a post where someone reported the iptables trick to work.
So now he says it looks promising.
Now of course, I don't care about the rest of the forums, I just need constant 24/7 access to OTW! |
Wow. And to think that all this time I've been blaming ichbinsysphos or Naib for that, and was thinking I was the only one.
If this works, you should get like a little Gentoo Commendation Medal to put below your avatar. |
|
notageek Tux's lil' helper
Joined: 05 Jun 2008 Posts: 135 Location: India
|
Posted: Sun Aug 29, 2010 5:09 am Post subject: |
|
|
Fans of Obama in UK, what a surprise. _________________ "Defeat is a state of mind. No one is ever defeated, until defeat has been accepted as a reality." -- Bruce Lee |
|
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
|
Posted: Sun Aug 29, 2010 5:49 am Post subject: |
|
|
notageek wrote: | Fans of Obama in UK, what a surprise. |
|
|
ichbinsisyphos Guru
Joined: 08 Dec 2006 Posts: 547
|
Posted: Sun Sep 05, 2010 7:54 pm Post subject: FGO server problem? |
|
|
Several times every day, the forum is not reachable for me. For a couple of minutes each time. Does this happen to anybody else or is it a problem with my provider? |
|
Muso Veteran
Joined: 22 Oct 2002 Posts: 1052 Location: The Holy city of Honolulu
|
Posted: Sun Sep 05, 2010 7:55 pm Post subject: Re: FGO server problem? |
|
|
ichbinsisyphos wrote: | Several times every day, the forum is not reachable for me. For a couple of minutes each time. Does this happen to anybody else or is it a problem with my provider? |
http://www.downornot.com/
Use that to check when you have issues. It's been down for me (and according to http://www.downornot.com/ everyone else too) on occasion... including about 2 minutes ago. _________________ "You can lead a horticulture but you can't make her think" ~ Dorothy Parker
2021 is the year of the Linux Desktop! |
|
ichbinsisyphos Guru
Joined: 08 Dec 2006 Posts: 547
|
Posted: Sun Sep 05, 2010 8:02 pm Post subject: Re: FGO server problem? |
|
|
The Earth wrote: | ... including about 2 minutes ago. | ok, seems to be a common problem then. |
|
Muso Veteran
Joined: 22 Oct 2002 Posts: 1052 Location: The Holy city of Honolulu
|
Posted: Sun Sep 05, 2010 8:13 pm Post subject: Re: FGO server problem? |
|
|
ichbinsisyphos wrote: | The Earth wrote: | ... including about 2 minutes ago. | ok, seems to be a common problem then. |
It seems to come in waves. A month of no problems, and then off and on for a few days. _________________ "You can lead a horticulture but you can't make her think" ~ Dorothy Parker
2021 is the year of the Linux Desktop! |
|
speeddemon Apprentice
Joined: 27 Sep 2003 Posts: 162
|
Posted: Sun Sep 05, 2010 10:18 pm Post subject: |
|
|
Happens to me every so often too, I just dismissed it since nobody else had ever mentioned it. It will be unreachable for several minutes, then it's fine. _________________ Cats are deadly animals. If you stick your nose up their crotch and snort their piss, THEY CAN KILL YOU!!! |
|
marens Apprentice
Joined: 05 Aug 2004 Posts: 173
|
Posted: Sun Sep 05, 2010 10:39 pm Post subject: |
|
|
didn't wswartzendruber mention some evil crawler that "attacks" the forum?
edit:
RELEASE DEN KRAKEN _________________ If English was good enough for Jesus, then it's good enough for you! |
|
skellr l33t
Joined: 18 Jun 2005 Posts: 976 Location: The Village, Portmeirion
|
Posted: Sun Sep 05, 2010 11:41 pm Post subject: |
|
|
There is enough iptables kung fu around here... |
|
wswartzendruber Veteran
Joined: 23 Mar 2004 Posts: 1261 Location: Idaho, USA
|
Posted: Sun Sep 05, 2010 11:58 pm Post subject: |
|
|
This has been going on for a while.
EDIT: Click me. |
|
ichbinsisyphos Guru
Joined: 08 Dec 2006 Posts: 547
|
Posted: Mon Sep 06, 2010 12:14 am Post subject: |
|
|
Y?
It doesn't look like the group has any harmful intentions. Why would they send so many requests that the server temporarily craps out? |
|
skellr l33t
Joined: 18 Jun 2005 Posts: 976 Location: The Village, Portmeirion
|
Posted: Mon Sep 06, 2010 12:42 am Post subject: |
|
|
wswartzendruber wrote: | This has been going on for a while.
EDIT: Click me. |
What can you expect from something in a gutter. |
|
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
|
Posted: Mon Sep 06, 2010 1:11 am Post subject: |
|
|
marens wrote: | didn't wswartzendruber mention some evil crawler that "attacks" the forum?
edit:
RELEASE DEN KRAKEN |
It may be fairly trivial to blacklist the bot if it is using identifiable useragent(s), which many do.
Here's a good little how-to-ish article about doing that:
http://perishablepress.com/press/2009/03/29/4g-ultimate-user-agent-blacklist/ |
|
wswartzendruber Veteran
Joined: 23 Mar 2004 Posts: 1261 Location: Idaho, USA
|
Posted: Mon Sep 06, 2010 2:45 am Post subject: |
|
|
desultory has just confirmed that he is adding their known IPs to a block list. |
|
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
|
Posted: Mon Sep 06, 2010 3:12 am Post subject: |
|
|
wswartzendruber wrote: | desultory has just confirmed that he is adding their known IPs to a block list. |
Maybe you could check to see if the user agent blacklisting (as mentioned in the link above) would work. It might be more thorough and more efficient. |
|
wswartzendruber Veteran
Joined: 23 Mar 2004 Posts: 1261 Location: Idaho, USA
|
Posted: Mon Sep 06, 2010 3:18 am Post subject: |
|
|
BoneKracker wrote: | wswartzendruber wrote: | desultory has just confirmed that he is adding their known IPs to a block list. |
Maybe you could check to see if the user agent blacklisting (as mentioned in the link above) would work. It might be more thorough and more efficient. |
Besides the lower overhead of just dropping all packets from a certain address, he seems to have a "Fuck the mother fuckers!" mentality.
EDIT: They're the only ones doing this. |
|
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
|
Posted: Mon Sep 06, 2010 3:25 am Post subject: |
|
|
wswartzendruber wrote: | BoneKracker wrote: | wswartzendruber wrote: | desultory has just confirmed that he is adding their known IPs to a block list. |
Maybe you could check to see if the user agent blacklisting (as mentioned in the link above) would work. It might be more thorough and more efficient. |
Besides the lower overhead of just dropping all packets from a certain address, he seems to have a "Fuck the mother fuckers!" mentality.
EDIT: They're the only ones doing this. |
If it's just a bot coming from a limited number of addresses, and the addresses don't change, then I would agree.
If it's coming from a botnet, on the other hand, then it's likely the addresses will not remain constant, and dynamically blacklisting them will probably ultimately create a massive blacklist. Based on what you're saying, I'll assume this is not the case. |
|
wswartzendruber Veteran
Joined: 23 Mar 2004 Posts: 1261 Location: Idaho, USA
|
Posted: Mon Sep 06, 2010 3:42 am Post subject: |
|
|
BoneKracker wrote: | wswartzendruber wrote: | BoneKracker wrote: | wswartzendruber wrote: | desultory has just confirmed that he is adding their known IPs to a block list. |
Maybe you could check to see if the user agent blacklisting (as mentioned in the link above) would work. It might be more thorough and more efficient. |
Besides the lower overhead of just dropping all packets from a certain address, he seems to have a "Fuck the mother fuckers!" mentality.
EDIT: They're the only ones doing this. |
If it's just a bot coming from a limited number of addresses, and the addresses don't change, then I would agree.
If it's coming from a botnet, on the other hand, then it's likely the addresses will not remain constant, and dynamically blacklisting them will probably ultimately create a massive blacklist. Based on what you're saying, I'll assume this is not the case. |
No, desultory has a relatively static set of addresses he's blocking. |
|
wswartzendruber Veteran
Joined: 23 Mar 2004 Posts: 1261 Location: Idaho, USA
|
Posted: Mon Sep 06, 2010 5:43 am Post subject: |
|
|
Quote: | <wswartz> BoneKracker's suggesting a user-agent based approach.
<desultory> we already have their ua on a steady diet of 403s.
<desultory> they're getting one last day (slight tweak being made) and if tthey still keep coming, it's iptable drop time.
<desultory> /tthey/they/ |
|
|
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
|
Posted: Mon Sep 06, 2010 6:30 am Post subject: |
|
|
wswartzendruber wrote: | Quote: | <wswartz> BoneKracker's suggesting a user-agent based approach.
<desultory> we already have their ua on a steady diet of 403s.
<desultory> they're getting one last day (slight tweak being made) and if tthey still keep coming, it's iptable drop time.
<desultory> /tthey/they/ |
|
Good. Thanks. |
|
tomk Bodhisattva
Joined: 23 Sep 2003 Posts: 7221 Location: Sat in front of my computer
|
Posted: Mon Sep 06, 2010 9:16 am Post subject: |
|
|
Moved from Off the Wall to Gentoo Forums Feedback and merged from here. _________________ Search | Read | Answer | Report | Strip |
|
wswartzendruber Veteran
Joined: 23 Mar 2004 Posts: 1261 Location: Idaho, USA
|
Posted: Mon Sep 06, 2010 4:37 pm Post subject: |
|
|
tomk wrote: | Moved from Off the Wall to Gentoo Forums Feedback and merged from here. |
Woohoo! postcount++;
Anyway, it looks like seeing FGO lock up one more time means they get IP banned. I should keep a steady stream of pings leaving just to be sure, and because I have nothing better to do today (besides discrete mathematics homework). |
|
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
|
Posted: Tue Sep 07, 2010 3:12 am Post subject: |
|
|
Seems to be working so far. I haven't seen that behavior lately. |
|
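An added example, not part of the thread and not the forum administrators' tooling: the choice discussed above (403 by user agent versus dropping a static set of addresses) can be checked from an access log by measuring, per user agent, the peak requests in any one second, how many source addresses it uses, and how much of its traffic is already refused. The combined log format, the `ExampleSpider/1.0` user agent, the addresses and the threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip - - [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# Constructed sample: six hits in one second from two documentation-range
# addresses with a made-up crawler UA (already answered with 403), plus one browser.
SAMPLE = [
    f'192.0.2.{10 + i % 2} - - [05/Sep/2010:19:54:07 +0000] '
    f'"GET /viewtopic.php?t={i} HTTP/1.1" 403 199 "-" "ExampleSpider/1.0"'
    for i in range(6)
] + [
    '198.51.100.7 - - [05/Sep/2010:19:54:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Sep/2010:19:54:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def parse(line):
    """Return (ip, timestamp, status, user_agent), or None for a malformed line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ip, ts, status, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status), ua

def burst_report(lines, threshold):
    """Per user agent whose one-second peak reaches threshold: peak, source IPs, 403 share."""
    per_second = defaultdict(Counter)        # ua -> {second: hits}
    ips, denied, total = defaultdict(set), Counter(), Counter()
    for ip, ts, status, ua in filter(None, map(parse, lines)):
        per_second[ua][ts] += 1
        ips[ua].add(ip)
        total[ua] += 1
        denied[ua] += status == 403          # bool counts as 0 or 1
    report = {}
    for ua, seconds in per_second.items():
        peak = max(seconds.values())
        if peak >= threshold:
            report[ua] = {"peak_per_second": peak,
                          "source_ips": sorted(ips[ua]),
                          "share_403": denied[ua] / total[ua]}
    return report

if __name__ == "__main__":
    for ua, row in burst_report(SAMPLE, threshold=5).items():
        print(ua, row)
```

A user agent that shows a 403 share near 1.0 while its peak stays high is still consuming connections, and a short, stable `source_ips` list is the case where an address block list stays small.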