
DDoS Attacks Take Our Site Down - The Whole Story (4 posts)

  1. bondageradio
    Member
    Posted 6 years ago

    Several days ago our Host Site was completely demolished by a DDoS attack against our SQL server and several other servers on our network.

    We know who the Attacker is, oddly enough because they were braggadocious enough to come in and announce themselves BEFORE the attack.

    They suggested that we switch from a simple home hosted server for our chat, to a paid server with better protection. Interestingly enough, they just happen to have access to a paid host, who specializes in IRC hosting, and even offers 'PROTECTION' from DDoS attacks.

    When the attack took place exactly as threatened a short time later, we reported the offender and his company to the company's service providers, Level3.com and Above.net (which was no easy chore seeing as no direct abuse line or contact phone number was listed anywhere).

    They said they would "Look into it", while we attempted to switch servers for our chat services.

    Apparently, during the week long wait for the attack to stop, a copy of our report made it back to the attacker, who upscaled the attack to a full blown assault on our site and SQL server.

    This time the report was sent to the FBI's Internet Crime Unit.

    While we waited for more 'Nothing' to happen we again attempted to switch server locations. This time the attack followed the DNS move, we could not get away so easily.

    Finally, during a 'low tide' in the ongoing attack, we redirected all of our domain names to a single IP at the FBI's Internet Crimes Unit.

    Still, nothing has happened, but we are able to get our message out from our home connections, to let all of you know why we are down, and why our site redirects to the FBI.

    If loss of our wp-live-chat plugin function on your WordPress blog has caused you any problems whatsoever, you are ENCOURAGED to fill out the complaint form that you are directed to when using older versions of our plugin, or the form presented when you visit our homepage.

    Please fill it out using the information on Mr. K. Hall, as presented in the FAQ in the plugins repository here.

    -OPOPC-
    (One PO'd Plugin Coder)

  2. bondageradio
    Member
    Posted 6 years ago

    In a direct response to our 'Concerns' about DDoS 'Issues', The FBI and their Internet Crimes Unit contacted me by telephone to tell me they will 'Look Into' the issue.

    However, My directing the attackers AT their computer system 'May be construed as an Assault on the Federal Government'

    They recommended that I return the IP addresses to normal and log all connections.

    I simply responded "No problem, in the mean time, I want to see a log of every shooting victim in the DC area, with date and time of impact for every bullet. I'll get around to capturing the shooters after I see the logs.." and then I hung up.

    Our Tax Dollars at work.

  3. theapparatus
    Member
    Posted 6 years ago

    I've been thinking about a reply to your original post for most of the day but, without knowing the physical aspects of your account and your host, it comes down to you having a rather bad host. Granted I don't know what your setup was, but to me it really sounds like your host didn't have enough security measures in place. I know a strong firewall isn't a cure-all, but we run a wonderful pair of Intel routers on our racks and yesterday they blocked well over 3 million bad connections. Granted 1.4 million were spam alone, but those boxes are a lifesaver. We don't have DDoS attacks and, yes, we've been targeted a number of times.

    You never mention contacting your host, which for us would have been the first step. Again, not knowing the specifics of your attack, most DDoS attacks we've seen follow some sort of pattern that we have in the past been able to come up with a filter to block at the routers. Heck, we've blocked some attacks simply by changing some IP addresses around.

    And I've got to agree: forwarding attacks on to the FBI website was just dumb. You've now admitted publicly and for the record that you yourself have associated yourself with an attack on their servers. Congrats, you just admitted to a felony. (Adding a modlook to this. Maybe the mods will be nice enough to edit out this thread.)

    And anyone who is familiar with IRC knows that there's a lot of trouble with running a server on an IRC network. You need someone in there and watching over the server 24/7 to prevent stuff like this.

    Again, I'm not aware of everything that occurred, but I've got to admit, it really sounds like you went the wrong way on this.
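The two practical suggestions in this thread are "log all connections" (post 2) and "find the pattern and filter it at the edge" (post 3). The following is an added example, not code from either poster or from the wp-live-chat plugin, showing what that looks like over Apache combined-format access-log lines: a sliding-window counter per source address to find hosts sending far above a normal request rate, a tally of request lines to expose a flood whose sources are distributed but whose request signature is not, and a list of iptables drop rules for the offenders. The log lines, the addresses (RFC 5737 documentation ranges), the 10-second window and the threshold of 20 are all constructed assumptions; a real flood that saturates the uplink (the 48 million hits in 4 hours described later in the thread) has to be filtered upstream by the provider, because host-level drop rules only act on packets that have already arrived.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined-log prefix: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, timestamp, request line) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def find_flooders(lines, window_seconds=10, threshold=20):
    """Per-source sliding window: map ip -> peak number of requests seen in any
    window of `window_seconds`, keeping only sources that reached `threshold`.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        dq = windows[ip]
        dq.append(ts)
        cutoff = ts - timedelta(seconds=window_seconds)
        while dq and dq[0] < cutoff:
            dq.popleft()
        if len(dq) > peaks.get(ip, 0):
            peaks[ip] = len(dq)
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def common_signatures(lines, top=3):
    """Most frequent request lines across all sources. A distributed flood
    usually repeats one request line, which is the pattern a router filter
    or web-server rule can key on even when the source addresses vary."""
    counts = Counter(
        parsed[2] for parsed in map(parse_line, lines) if parsed is not None
    )
    return counts.most_common(top)


def drop_rules(flooders):
    """Emit one iptables DROP rule per flagged source (hypothetical host firewall)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flooders)]


def _sample_log():
    """Constructed sample: one source hammering wp-login.php 30 times in 3 s,
    one ordinary visitor making 3 requests spread over 40 s."""
    base = datetime(2013, 10, 10, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i // 10)).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{ts}] "GET /wp-login.php HTTP/1.1" 200 1234')
    for i in range(3):
        ts = (base + timedelta(seconds=20 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /index.php HTTP/1.1" 200 5678')
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    flooders = find_flooders(SAMPLE_LOG)
    print("flooders:", flooders)
    print("top request lines:", common_signatures(SAMPLE_LOG))
    for rule in drop_rules(flooders):
        print(rule)
```

On a live box the same logic runs over `tail -f` of the access log (or the firewall's connection log) rather than a constructed list; the point of `common_signatures` is that once many addresses are involved, the thing to filter is the repeated request, user agent or packet shape, not the individual sources.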

  4. bondageradio
    Member
    Posted 6 years ago

    I was deliberately vague on my connection information, I'll admit that much.

    As for contacting my providers, it was they who first notified me about the DDoS attack on the chat server, by telephone.

    When the notice/warning/threat had come in, I was asleep ... the attack started at 1 am.

    Backtracking the information and compiling it for whomever would listen, I found out all I could about the kid who made the threat and his server and his host's information.

    I would publish that info here, but most would say that's just bad taste.

    When I could not get through to his host on their contact form or their help chat, or even the phone number they have listed on their site and in their domain whois, I found out a little more about what was going on.

    It turns out that the address they list in the whois information reaches back to an empty parking lot (Google Maps lookup, satellite view) in IL.

    A reverse phone number lookup revealed that the toll-free number they published in several places, including on their domain whois, network node info and on their website, dials through to a urologist's office in California.

    One section of their site, reveals that for $150/month this same network provider will offer you protection against DDoS attacks, even if you are not on their network. (How exactly does THAT work again? Protect me from attacks by NOT attacking Me.)

    The next step was going up the network food chain to both Above.net and Level3.com to gain access to their Abuse and or Technical contact information.

    Find a published phone number, e-mail address, or contact form to fill out, when you are under DDoS assault. Try... please...

    I finally wrote to every e-mail address I could find published on their site (mostly sales) until I got to one sales person with an email-auto-responder that listed his Home number... I called him at home (I could hear his kids in the background) and he directed me to the VP of Network Operations, and gave me the unlisted numbers to both tech support and his direct line. (Tech Support?... unlisted?... what?)

    As soon as I got this information I called, it was 6PM and he was going out the door, done for the day.

    I talked with him for 2 hours and then he finally said "Oh!!! Distributed Denial of Service... wow, those are tough to track down." (Vice President of Network Operations? Who did you sleep with?)

    I wanted to kill some one.

    Long story shorter... a week later I'm still getting hammered and then the hacker pointed at my main SQL server.

    48 MILLION HITS in 4 HOURS

    I don't care what network or firewall you have... your site is going down. 3 million hits in a day is a SLOW day for most sites with a pr 5 or better. I'm a pr 3 site... 5000 hits in a day is average.

    I pointed at the FBI because I didn't want my servers CATCHING FIRE.

    I hid behind the guys with the guns and badges, and the wherewithal to make headway against that kind of assault.

    And... I checked... The local Tampa office of the FBI still hasn't gotten the complaint yet... no one called... and no, it's not a crime to direct my DNS names to their IP addresses... so long as I don't mind my visitors seeing their website.

    So, it turns out, the phone call I got was a social engineering hack, to get my DNS off the FBI IPs until the order to halt the attack propagated through their botnet.

    Tampa Office is looking forward to reviewing the complaint.

    -Still PO'd-
