Posts Tagged ‘Distributed Denial-of-Service attack (DDoS)’

Did I Get a DDoS Attack From Russia?

Tuesday, September 27th, 2022

At some point during yesterday’s diagnosis of my ongoing technical difficulties, the BlueHost technician asked if 185.122.204.37 was my IP, because there were something like 30,000+ hits from it that day. I verified it wasn’t mine, and that it wasn’t Instapundit (which had linked me that day), and did a reverse DNS lookup, which brought up the following:

IP Location: 185.122.204.37

185.122.204.37 appears to be located in Moscow, Russia and allocated to Chang Way Technologies Co. Limited. Autonomous System Number (ASN) code for 185.122.204.37 is AS57523. IP Address local time zone is Europe/Moscow (+0300). PTR record is set to 185.122.204.37.

That’s a very curious site to be sending me traffic, since I’m seeing none of it in my stats counter. Could I be receiving a low-grade DoS attack due to my criticisms of Putin’s war in Ukraine, or even my coverage of China’s slow-motion economic collapse, given the Chinese-sounding company? Possibly, though given BlueHost’s history, there are certainly far more prosaic explanations for my ongoing difficulties.

Also, speaking of Internet bogusity, if you search for “Battleswarm” and some topic I’ve covered (say, “Beto”), the top links are not from my blog, but from some BS “https://jawabansmk.my.id” domain that’s scraping my content and then doing all sorts of clickjacking redirect bullshit. This may be entirely unrelated to the slowness issues and the Russian/Chinese IP above, but if you would, do a Google search for “BattleSwarm” and something I’ve covered, and if that site comes up, click on those three dots next to the results that send feedback to Google to remove that result. Something like: “This is not battleswarmblog.com, this is a clickjacking malware site scraping the content of battleswarmblog.com. Please delete this domain from your listings.”

Also, normally I like everything to go to my posts, but given the recent difficulties, please feel free to reprint this entire message when linking, so regular readers will know what’s up.

As for a tech update on the ongoing problems, my dashboard actions are still dog slow, but the issue has been escalated.
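Before calling 30,000 hits from one address a DDoS, a practitioner looks at the server access log rather than a geolocation page: what the host is requesting separates a crawler, a login or XML-RPC brute-forcer and a flood from a genuine link surge, and a JavaScript-based stats counter never records a bot that fetches pages without executing scripts, which is why such traffic shows up for the hosting technician but not in the blog's counter. The following Python script is an added example, not code from this post or from BlueHost. The log lines are constructed, with RFC 5737 documentation addresses standing in for the real source IP, and the heavy-hitter threshold is an assumption to be tuned per site.

```python
"""Tally requests per client IP in a combined-format web access log and
show what each heavy hitter is asking for, so a single-source flood can be
told apart from a crawler, a login brute-forcer or a legitimate link surge.
Added example; the log lines below are constructed and use RFC 5737
documentation addresses in place of the real source IP."""
import re
import socket
from collections import Counter, defaultdict

# Apache/Nginx "combined" format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: 203.0.113.5 hammers the WordPress login and XML-RPC
# endpoints; two readers arrive via a referring link and load one post each.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Sep/2022:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2022:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 456 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2022:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 456 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2022:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2022:10:00:03 +0000] "GET /2022/09/some-post/ HTTP/1.1" 200 5678 "https://instapundit.com/" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.8 - - [26/Sep/2022:10:00:04 +0000] "GET /2022/09/some-post/ HTTP/1.1" 200 5678 "https://instapundit.com/" "Mozilla/5.0 (Macintosh)"
"""


def parse(lines):
    """Yield one dict per well-formed log line; skip anything that does not parse."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def tally(lines):
    """Return (hits per IP, paths per IP, referers per IP)."""
    hits = Counter()
    paths = defaultdict(Counter)
    referers = defaultdict(Counter)
    for rec in parse(lines):
        hits[rec["ip"]] += 1
        paths[rec["ip"]][rec["path"]] += 1
        referers[rec["ip"]][rec["referer"]] += 1
    return hits, paths, referers


def heavy_hitters(hits, threshold):
    """IPs with at least `threshold` requests, busiest first. The threshold
    is an assumption; tune it to the site's normal per-visitor volume."""
    return [(ip, n) for ip, n in hits.most_common() if n >= threshold]


def reverse_dns(ip):
    """PTR lookup. A PTR that merely echoes the address, or none at all,
    says nothing about the operator; fall back to an ASN/whois lookup."""
    try:
        name = socket.gethostbyaddr(ip)[0]
    except OSError:
        return None
    return None if name == ip else name


def report(lines, threshold):
    """Summarise each heavy hitter: count, top paths, top referers."""
    hits, paths, referers = tally(lines)
    out = {}
    for ip, n in heavy_hitters(hits, threshold):
        out[ip] = {
            "hits": n,
            "top_paths": paths[ip].most_common(3),
            "top_referers": referers[ip].most_common(3),
        }
    return out


if __name__ == "__main__":
    for ip, info in report(SAMPLE_LOG.splitlines(), threshold=3).items():
        print(ip, info, "ptr:", reverse_dns(ip))
```

The paths and referers are the useful part of the output: a host that only ever requests `/wp-login.php` and `/xmlrpc.php` with no referer is a brute-forcer or a scraper probing the back end, not readers following a link, and that is what gets rate-limited or blocked at the web server regardless of which country its address geolocates to.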

Netcraft Confirms It: Slashdot is Dying

Friday, March 2nd, 2018

It is now official. Netcraft has confirmed: Slashdot is dying.

One more crippling bombshell hit the already beleaguered Slashdot community when posters confirmed that the site had not been updated since March 1 and that much of the functionality (including login) was broken. Coming on the heels of yet another slew of Social Justice Warrioring posts about women in tech, this news serves to reinforce what we’ve known all along. Slashdot is collapsing in complete disarray.

You don’t need to be the Amazing Kreskin to predict Slashdot’s future. The handwriting is on the wall: Slashdot faces a bleak future. In fact there won’t be any future at all for Slashdot, because Slashdot is dying. Things are looking very bad for Slashdot. As many of us are already aware, Slashdot continues to lose readership. Red ink flows like a river of blood.

(Supposedly parent SourceForge is undergoing a widespread DDoS attack, but for longtime Slashdot readers, the “Netcraft confirms it” meme was too tempting to pass up…)

3/3/18: Edited to add:

3/3/18, 9:30 PM CST: The front page has finally started updating again, but some stories still seem 404, and there’s no story about the outage itself, which is odd…

3/4/18: They’ve now put up a story about the outage. Evidently the DDoS attack happened during a hardware migration.

A Few Points on Yesterday’s Big DDoS Attack

Saturday, October 22nd, 2016

If you had trouble getting to various websites yesterday, it was probably fallout from a huge distributed Denial-of-Service (DDoS) attack:

Criminals this morning massively attacked Dyn, a company that provides core Internet services for Twitter, SoundCloud, Spotify, Reddit and a host of other sites, causing outages and slowness for many of Dyn’s customers.

In a statement, Dyn said that this morning, October 21, Dyn received a global distributed denial of service (DDoS) attack on its DNS infrastructure on the east coast starting at around 7:10 a.m. ET (11:10 UTC).

More coverage of the attack here. “At the peak of the attack, average DNS connect times for 2,000 websites monitored by Dynatrace went to about 16 seconds from 500 milliseconds normally.”

Internet-of-Things-enabled devices appear to be at the heart of the DDoS attack:

According to Dan Drew, the chief security officer at Level 3 Communications, the attack is at least in part being mounted from a “botnet” of Internet-of-Things (IoT) devices.

Drew explained the attack in a Periscope briefing this afternoon. “We’re seeing attacks coming from a number of different locations,” Drew said. “An Internet of Things botnet called Mirai that we identified is also involved in the attack.”

The botnet, made up of devices like home Wi-Fi routers and Internet protocol video cameras, is sending massive numbers of requests to Dyn’s DNS service. Those requests look legitimate, so it’s difficult for Dyn’s systems to screen them out from normal domain name lookup requests.

Earlier this month, the code for the Mirai botnet was released publicly. It may have been used in the massive DDoS attack against security reporter Brian Krebs. Mirai and another IoT botnet called Bashlight exploit a common vulnerability in BusyBox, a pared-down version of the Linux operating system used in embedded devices. Mirai and Bashlight have recently been responsible for attacks of massive scale, including the attack on Krebs, which at one point reached a traffic volume of 620 gigabits per second.

Matthew Prince, co-founder and CEO of the content delivery and DDoS protection service provider CloudFlare, said that the attack being used against Dyn is an increasingly common one. The attacks append random strings of text to the front of domain names, making them appear like new, legitimate requests for the addresses of systems with a domain. Caching the results to speed up responses is impossible.
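The random-prefix technique Prince describes is usually called a random-subdomain or "water torture" attack: because every query name is new, no resolver cache can answer it, and each one is forwarded to the victim's authoritative servers, where it resolves to NXDOMAIN. The same property makes it detectable from the authoritative side, since a zone under attack shows a near-100% ratio of never-seen-before leftmost labels with high character entropy, NXDOMAIN answers, and a wide spread of source resolvers. The script below is an added example of that detection logic, not code from Dyn, Cloudflare or any of the quoted sources. The log format ("timestamp client qname rcode") and the sample lines are constructed, the registered-domain heuristic (last two labels) is a simplification that real code would replace with the Public Suffix List, and the thresholds are assumptions.

```python
"""Flag a random-subdomain ("water torture") query flood in DNS logs.
Each query carries a fresh random leftmost label, so resolver caches miss
and every lookup reaches the authoritative server. Added example; the log
lines below are constructed, not Dyn's data, and the line format
"<timestamp> <client-ip> <qname> <rcode>" is invented for this example."""
import math
from collections import Counter, defaultdict

# Constructed sample: ten bots query ten random labels under example.com
# (all NXDOMAIN); three ordinary clients query a handful of real names
# under example.net.
SAMPLE_LOG = """\
2016-10-21T11:10:01Z 192.0.2.10 xk7q2mzp9w.example.com NXDOMAIN
2016-10-21T11:10:01Z 192.0.2.11 a4bt8yrnj3.example.com NXDOMAIN
2016-10-21T11:10:01Z 192.0.2.12 p0wq5zxe1s.example.com NXDOMAIN
2016-10-21T11:10:02Z 192.0.2.13 m9kd3vbn7c.example.com NXDOMAIN
2016-10-21T11:10:02Z 192.0.2.14 r2ytu6hgx8.example.com NXDOMAIN
2016-10-21T11:10:02Z 192.0.2.15 z5lcf1qoa9.example.com NXDOMAIN
2016-10-21T11:10:03Z 192.0.2.16 e7nsj4kwb2.example.com NXDOMAIN
2016-10-21T11:10:03Z 192.0.2.17 v3gmx8pzd0.example.com NXDOMAIN
2016-10-21T11:10:03Z 192.0.2.18 h6qaw2ryt5.example.com NXDOMAIN
2016-10-21T11:10:04Z 192.0.2.19 c1kzo7bvn4.example.com NXDOMAIN
2016-10-21T11:10:01Z 198.51.100.1 www.example.net NOERROR
2016-10-21T11:10:01Z 198.51.100.2 www.example.net NOERROR
2016-10-21T11:10:02Z 198.51.100.1 www.example.net NOERROR
2016-10-21T11:10:02Z 198.51.100.3 mail.example.net NOERROR
2016-10-21T11:10:02Z 198.51.100.2 api.example.net NOERROR
2016-10-21T11:10:03Z 198.51.100.1 www.example.net NOERROR
2016-10-21T11:10:03Z 198.51.100.3 cdn.example.net NOERROR
2016-10-21T11:10:03Z 198.51.100.2 blog.example.net NOERROR
2016-10-21T11:10:04Z 198.51.100.1 www.example.net NOERROR
2016-10-21T11:10:04Z 198.51.100.3 api.example.net NOERROR
"""


def shannon_entropy(label):
    """Bits of entropy per character; random labels score high, words low."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def zone_of(qname, labels=2):
    """Registered-domain heuristic: the last two labels. Assumption for the
    example; real code should consult the Public Suffix List."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def leftmost_label(qname, zone):
    """The label the attacker randomises, or "" for the zone apex itself."""
    name = qname.rstrip(".").lower()
    if name == zone:
        return ""
    return name[: -len(zone) - 1].split(".")[0]


def parse(lines):
    """Yield (client, qname, rcode); skip malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode


def zone_stats(lines):
    """Per-zone query count, unique-label ratio, NXDOMAIN ratio, mean label
    entropy and number of distinct clients."""
    acc = defaultdict(lambda: {"total": 0, "labels": set(), "nx": 0,
                               "clients": set(), "ent": 0.0})
    for client, qname, rcode in parse(lines):
        zone = zone_of(qname)
        label = leftmost_label(qname, zone)
        s = acc[zone]
        s["total"] += 1
        s["labels"].add(label)
        s["clients"].add(client)
        s["ent"] += shannon_entropy(label)
        if rcode == "NXDOMAIN":
            s["nx"] += 1
    return {
        zone: {
            "total": s["total"],
            "unique_ratio": len(s["labels"]) / s["total"],
            "nxdomain_ratio": s["nx"] / s["total"],
            "mean_entropy": s["ent"] / s["total"],
            "clients": len(s["clients"]),
        }
        for zone, s in acc.items()
    }


def flag_floods(stats, min_queries=10, unique_ratio=0.8,
                nx_ratio=0.5, entropy=2.5):
    """Zones whose query mix looks like a random-subdomain flood.
    All thresholds are assumptions to be tuned against normal traffic."""
    return sorted(
        zone for zone, s in stats.items()
        if s["total"] >= min_queries
        and s["unique_ratio"] >= unique_ratio
        and s["nxdomain_ratio"] >= nx_ratio
        and s["mean_entropy"] >= entropy
    )


if __name__ == "__main__":
    stats = zone_stats(SAMPLE_LOG.splitlines())
    for zone, s in stats.items():
        print(zone, s)
    print("flooded zones:", flag_floods(stats))
```

The unique-label ratio is the primary signal; entropy and NXDOMAIN share guard against false positives from legitimate zones that legitimately serve many distinct names (a CDN with per-asset hostnames has many unique labels but answers NOERROR). Run at an authoritative server, the flagged zone tells you where to apply response-rate limiting or shed load; run at a recursive resolver, the same statistics grouped by client instead of by zone point at the infected devices on your own network that are generating the queries.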

At least some commenters have pointed to a possible connection between DDoS attacks and web services firm BackConnect Inc.:

The latest comes the day after Doug Madory, director of Internet Analysis at Dyn, gave a presentation at an industry conference about research he had done on questionable practices at BackConnect Inc., a firm that offers web services, including helping clients manage DDoS attacks. According to Madory, BackConnect had regularly spoofed Internet addresses through a technique known as a BGP hijack, an aggressive tactic that pushes the bounds of industry.

Madory’s research was conducted with Brian Krebs, a well-known writer on computer-security issues. Krebs also published an article based on the research last month. Within hours, his website was hit by an “extremely large and unusual” DDoS attack, he wrote.

Perhaps someone with more computer security knowledge than I (Dwight? Borepatch?) might comment on how best to defend from these attacks in the future. Spin up big on-demand cloud clustered DNS VMs when a DDoS attack is detected?