July 14, 2010 Update

#1 iBotPeaches

General Grade 6

Owner
6,570 posts
Joined: 29-July 07

Gender:Male
Location:Kansas

Posted 14 July 2010 - 09:14 PM

As of now and over the past 2 days we've been under a DDoS attack. My bet is that it is the same person as last time. After I called no-ip (DNS service for botnets) I got his first account suspended, but its been about a month and he could re-spread in that time. It seems his army now is just re-loading the logo image trying to "bandwidth rape" us.

I've been writing a great deal of htaccess rules in order to prevent this. So far my rules have not only affected the bots, but also the legitimate users. I will continue to master this script to block all loads with maybe a 404 error to prevent resource consumption.

The attacks have had random IPs and 1 IP that visited the site far too much. I am hoping that IP was the attacker trying out his idea, before he plugged it into his booter.

#2 Rogue Modder

Class of 2008

VIP
1,328 posts
Joined: 02-January 09

Gender:Male
Location:London, UK

Posted 14 July 2010 - 09:17 PM

Some kids really are so sad.

#3 iBotPeaches

General Grade 6

Owner
6,570 posts
Joined: 29-July 07

Gender:Male
Location:Kansas

Posted 14 July 2010 - 09:22 PM

Update:

Fixed it. All of his bots now return a pathetic 380 byte 403 error page, instead of returning the large image per request. I took my bandwidth limit and converted it to bytes, and then divided by 380 bytes and got 254,307,274. So thats about 250 million requests he will have to do before we hit our limit. That attack idea was just squashed.

#4 jmdalmighty

Admin

VIP
1,242 posts
Joined: 15-May 08

Gender:Female
Location:UK/ UR MUMS HOUSE (BURN)

Posted 14 July 2010 - 09:28 PM

Wow that kid needs to get a life! I hope he gets caught and his parents take away all technology away from him

#5 XSChris

Apprentice Grade 1

Members+
6 posts
Joined: 21-June 10

Gender:Male
Location:Silicon Valley, California

Posted 14 July 2010 - 09:50 PM

Yes Peaches, Those addresses do in fact look similar to the prior botnet attack. I'll try to find logs from the old system of addresses banned so we can push shaw on disabling his internet. He had his first strike now I believe they'll revoke his internet permanently.

jmdalmighty- He has been caught, his ISP has served a formal abuse notice and only has 1 or 2 strikes left before he cannot buy internet again in Canada. This is why you don't run a botnet and let your residential ISP ip address be leaked out.

Edit: Just pumping 100req/sec + :|

Edited by XSChris, 15 July 2010 - 01:35 AM.