Outrage Outage again...
2006-04-07
Yesterday's outage was courtesy of bvoe.de (195.243.0.0/16 and 62.156.0.0/15), in Munich, who decided to send a continuous stream of queries to Thugburg for Abu Musab Zarqawi. Give them a big finger hand.
Another nominee for the Richard Cranium Award.
Followup:

I've blocked their access to the site, but they're hitting port 80 multiple times a second, trying to get in, from both servers. You should be able to get in without problem at rantburg.com:81 or rantburg.com:8080. Connecting to wotresearch.com (but without a port number) will also take you there.
Posted by:Fred

#56  Bullshit! You are a cocksucker and a fucking pimp.

Since 9-11: only 1 person per day has died at the hands of a terrorist. Does that justify the $500,000,000,000 costs?

You cockroaches are the fucking trolls. Don't eat your children you wild pigs.
Posted by: .com   2006-04-07 18:42  

#55  ***
Posted by: Conservative Dining   2006-04-07 16:52  

#54  [This comment not actually posted by RB regular]
Posted by: .com   2006-04-07 16:58  

#53  Suddenly, I don't have anything to say.
Posted by: Yusef Islam   2006-04-07 13:20  

#52  Suddenly, I got nothin' to say.
Posted by: Yusef Islam   2006-04-07 05:46  

#51  Hi Bombay,

I don't do VPN so haven't had probs that I notice. TZ-170 is slow compared to others that cost more (packets processed/sec, yes?) but bang for buck is good all things considered for single server if not a bank. If Fred isn't doing VPN (Fred please correct), and is only doing this server, with those constraints (correctable by Fred) what is best then? I am ALWAYS willing to listen to others' solutions who have same probs, and only want to help Fred here.
Posted by: Whiskey Mike   2006-04-07 22:28  

#50  To be honest, we had to ditch SonicWall in favor of Cisco because of problems with a full time VPN we needed to establish with LM (Lockheed). Security and Performance were far better as a side benefit, though cost was pretty high compared.

Anyway, you might want to look at PIX (there are some issues, but you can take care of easily via rules and proper setup). If you are considering a swap or addition give it a consider and let me know as I got some great vendors who can get you a deal on minimally used (ie. 6 months).
Posted by: bombay   2006-04-07 21:37  

#49  TZ-170. Good enough, usually. If anyone knows of better, specify. How much do you need?
Posted by: Whiskey Mike   2006-04-07 20:26  

#48  It wasn't a Sonic Wall. I cheaped out.
Posted by: Fred   2006-04-07 19:48  

#47  Fred,

I related the port attack problems to the brother-in-law [the best I could].

He said bombay's approach would work in most instances but that it would depend on the seriousness of the attack, you may eventually need a SonicWALL packet-filtering Gateway...

but if memory serves you purchased one a few months ago correct?
Posted by: RD   2006-04-07 19:34  

#46  do wild pigs eat their children?
Posted by: 2b   2006-04-07 19:22  

#45  He's just killing time before meeting with his probation officer. Obviously another Religion of Peace-phyllic pedophile.
Posted by: ed   2006-04-07 19:17  

#44  I think his blood pressure is rising. Let's see if the moderators can make it pop his head off.
Posted by: Darrell   2006-04-07 19:03  

#43  LtD, right? Posting from a court library in B.C.?

Posted by: SA4511   2006-04-07 18:59  

#42  
Redacted by moderator. Comments may be redacted for trolling, violation of standards of good manners, or plain stupidity. Please correct the condition that applies and try again. Contents may be viewed in the sinktrap. Further violations may result in banning.
Posted by: .com   2006-04-07 18:42  

#41  One ping, Vasily.

Just 1.
Posted by: anonymous2u   2006-04-07 18:39  

#40  Just to make clear, the '.com' above isn't THE .com. Just a troll trying to be clever.
Posted by: lotp   2006-04-07 18:37  

#39  Full sinktrap today.
Must have something to do with free speech advocating suppressive lefty moonbat sun spot activity.
Posted by: wxjames   2006-04-07 18:02  

#38  Send a nasty message to Deutsche Telekom. The Germans have nasty laws about this kind of sh$$. They also have the option of pressing legal charges and HEAVY billing costs (EU3000/min) to someone doing this. They also have the NEED to put a stop to this, because it reflects badly upon them and their clients. Who knows, they may even decide to mirror your site for a year for free to recompense you for your troubles. Or, they might decide you're a nuisance and ignore you. If the latter happens, wait until you're hit again, and report it and DT GMBH refusal to do anything to the German government. SH$$ will REALLY happen, then. Oh, and they'll do the investigating to see if it's more than just a routine DoS attack.
Posted by: Old Patriot   2006-04-07 15:22  

#37  Yuseless islame gets the fleas of a thousand camels award.
Posted by: Inspector Clueso   2006-04-07 13:50  

#36  I banned Thessaloniki
Sounds like a first person tell all or an Ouzo Punk song.
Posted by: 6   2006-04-07 12:45  

#35  I'm considering him a bad bot, rather than a DOS. I've seen him before, before I learned how to use IP Tables. He and a machine out of U. of Thessaloniki were the reason I had Thugburg closed down before. I reopened it after I banned Thessaloniki.
Posted by: Fred   2006-04-07 12:24  

#34   A good explanation of what is happening here.
I don't think it is those two sites (bvoe.de).
Symptoms sound like a reflection attack. See the link above for an explanation.
In a reflection attack you point to a null site, closed sockets or whatever as yourself.
(HE DID IT -->)
Posted by: 3dc   2006-04-07 12:11  

#33  trailing wife, "ping" is a Unix operating system term that describes one user port sending out a signal to detect if another specific port address on the system (or internet) is functioning / available. It comes from the old sonar term for bouncing acoustic signals off of an underwater object and looking for reflected signals in order to determine range and heading.

Some definitions: (from the e blogger site)

ACK /ak/ interj.
[from the ASCII mnemonic for 0000110]
1. Acknowledge. Used to register one's presence (compare mainstream *Yo!*). An appropriate response to {ping} or {ENQ}.


The opposite of ACK would be NAK or "not acknowledge".
Posted by: Zenster   2006-04-07 12:10  

#32  Should this be reported to the relevant authorities? I mean this guy sure seems like a Zealot of some sort, the Osamanaut type. lol wouldn't it be funny if you read in a few years about the man they caught meddling with net sites and now sits in Guantanamo Bay ,lol.
Posted by: ShepUK   2006-04-07 11:01  

#31  look at the large amount of traveling this guy does.

These poor oppressed muslims are real globe trotters !
Posted by: jim#6   2006-04-07 10:24  

#30  Thanks for the reminder, 49Pan. I just dropped $20. It's not enough by a long shot, but hope it helps.

Fred, have I mentioned that not only are you a mensch, you are a GOD!? ;-p
Posted by: Barbara Skolaut   2006-04-07 10:05  

#29  Time to hit the paypal site here. Hope it helps.
Posted by: 49 Pan   2006-04-07 09:29  

#28  That sounds like it might be a good solution. I'll look into it over the weekend.
Posted by: Fred   2006-04-07 09:26  

#27  Here is an example, ironic actually, but geektools had problems with their WhoIS DB being DoS and used for malicious reasons. They've recently gone to an image generator. Anyway, you can see what I am talking about in action here :

http://www.geektools.com/whois.php
Posted by: bombay   2006-04-07 09:21  

#26  Don't need to do that (user, pass, security), one little 4 or 3 char image generator is all that is needed.

The system generates an image with a word in it as part of the image, not text.

Humans can read this, and enter the word / chars. Bots cannot. Each time the search page is rendered, a new word is generated in the image.

The user then enters the word/chars generated plus their search params. This will kill DB DoS attacks in their tracks.

Another huge plus, Fred, will NOT have to maintain a user security module (passwords, etc).

These image generators are well known and proven to stop these types of attacks.
Posted by: bombay   2006-04-07 09:17  

#25  I'm an amateur at this but it seems you keep getting hit on the search end of the site, Thugburg etc... Password protect that part of your site and charge us to use it. Might stop the trolls from attacking.
Posted by: 49 Pan   2006-04-07 09:12  

#24  Fred,
Your site is the finest and most complete open source site out there. That's why they are after you. Hang in there, we need your services here.
Posted by: 49 Pan   2006-04-07 09:09  

#23  You should probably look at publish through proxy and/or packet filtering on your FW / DMZ.

Ultimately you are going to have to use one of those sentinel generators, as RB allows query direct from web. We all know these, basically generates a random image with text in it, when you search you put that text string in and your params.

I doubt this is too much impact to real users of the site, as when a Human searches for something they really mean it, the bots are just trying DB / Connection DoS attack.

Anyway, you add the image generator to your search logic and this mostly goes away.
Posted by: bombay   2006-04-07 09:03  
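
The image challenge bombay describes in comments #26 and #23, sketched as an added example; it is not code from the thread or from Rantburg. It covers only the server-side logic that gates the search query (drawing the word into an image is left to a graphics library), and the names `issue_challenge`, `verify`, `search` and `run_query`, the 120-second lifetime and the single-process in-memory nonce store are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: server-side key, never sent to clients
TTL = 120                         # assumption: seconds a challenge stays valid
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # skips look-alikes 0/O and 1/I
_used = {}                        # nonce -> expiry; each challenge allows one attempt

def _tag(*parts):
    msg = "|".join(parts).encode("utf-8", "replace")
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def _same(a, b):
    # Constant-time comparison so response timing does not leak the tag.
    return hmac.compare_digest(a.encode("utf-8", "replace"), b.encode())

def issue_challenge(now=None):
    """Return (word to draw into the image, token for a hidden form field)."""
    now = time.time() if now is None else now
    word = "".join(secrets.choice(ALPHABET) for _ in range(4))
    nonce, exp = secrets.token_hex(8), str(int(now) + TTL)
    # The word itself never appears in the page text, only inside the image.
    return word, ".".join([nonce, exp, _tag("id", nonce, exp),
                           _tag("word", nonce, exp, word)])

def verify(token, answer, now=None):
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 4:
        return False
    nonce, exp, id_tag, word_tag = parts
    if not _same(id_tag, _tag("id", nonce, exp)):
        return False                      # forged or altered token
    if now > int(exp) or nonce in _used:
        return False                      # expired, or already attempted
    _used[nonce] = int(exp)               # burn on first attempt, right or wrong
    for old in [n for n, e in _used.items() if e < now]:
        del _used[old]                    # forget nonces that have expired anyway
    return _same(word_tag, _tag("word", nonce, exp, answer.strip().upper()))

def search(params, token, answer, run_query, now=None):
    """Run the database query only after the challenge has been solved."""
    if not verify(token, answer, now):
        return None                       # rejected before any database work
    return run_query(params)
```

Burning the nonce on the first attempt matters with a 4-character word: without it a bot could replay one solved token indefinitely or guess repeatedly against a single challenge.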

#22  I wouldn't block off at the country level, either Germany (TGA) or France (JFM): They're the poor people who NEED the information you provide and the insights we provide on this wonderful site of yours, Fred. Many, many thanks. Do know that you have an influence wider than you imagine.

That's WHY they are going after you.
Posted by: Ptah   2006-04-07 08:25  

#21  You must be doing something awfully good for these folks to try so hard to stop it.
Posted by: Nimble Spemble   2006-04-07 08:01  

#20  Flatterer! ;-)
Posted by: trailing wife   2006-04-07 07:40  

#19  Pinging is geek for "change in life." You're far too junior to experience pinging.
Posted by: Besoeker   2006-04-07 07:29  

#18  What is pinging, and how would I know if it happened to me?
Posted by: trailing wife   2006-04-07 07:09  

#17  The hit counter shows the current IPs onboard, does anyone else get pinged at RB besides me?

I was pinged a few days ago.
Posted by: 2b   2006-04-07 02:46  

#16  
role: Deutsche Telekom LIR Role Account
address: Deutsche Telekom AG
address: Internet Services
a bit more,

195.243.0.0/16
resolved to

195.243.0.0 - 195.243.255.255

address: Ammerlaender Heerstrasse 138
address: DE 26129 Oldenburg
address: Germany
phone: +49 441 234 4501
fax-no: +49 441 234 4589
e-mail: lir.nic@t-com.net
Posted by: RD   2006-04-07 02:20  

#15  for an amateur that's my best shot, LOL!

mods plz delete as needed thanks.
Posted by: RD   2006-04-07 02:11  

#14  62.156.0.0/15 resolved to


62.159.255.224 - 62.159.255.255
netname: MIMATIC-ZETTL-NET
descr: Zettl GmbH CNC Praezisiions- und Sonderwerkzeuge
country: DE
admin-c: TS20391-RIPE
tech-c: TS20391-RIPE
status: ASSIGNED PA
mnt-by: DTAG-NIC
source: RIPE # Filtered
person: Thomas Sraega
address: Zettl GmbH CNC Praezisiions- und Sonderwerkzeuge
address: Westendstr. 3
address: 87488 Betzigau
address: GERMANY
phone: +498315744456
fax-no: +498315744494
e-mail: edv@mimatic-zettl.de
nic-hdl: TS20391-RIPE
mnt-by: DTAG-NIC
source: RIPE # Filtered
% Information related to '62.156.0.0/14AS3320'
route: 62.156.0.0/14
descr: Deutsche Telekom AG, Internet service provider
origin: AS3320
member-of: AS3320:RS-PA-TELEKOM
mnt-by: DTAG-RR
source: RIPE # Filtered
Posted by: RD   2006-04-07 02:09  

#13  domain: mayang.com
owner: william smith
organization: william owen smith
email: domainadmin@willsmith.org
address: the laurels
address: little bourton
city: banbury
state: oxon
postal-code: ox17 1rq
country: GB
phone: +44 1295 750000
admin-c: domainadmin@willsmith.org#0
tech-c: domainadmin@willsmith.org#0
billing-c: domainadmin@willsmith.org#0
nserver: b.ns.joker.com 159.25.97.69
nserver: c.ns.joker.com 207.44.185.10
nserver: a.ns.joker.com 194.176.0.2
status: lock
created: 2000-04-13 10:53:31 UTC
modified: 2005-06-17 18:20:07 UTC
expires: 2010-04-13 10:53:31 UTC

contact-hdl: domainadmin@willsmith.org#0
person: will smith
email: domainadmin@willsmith.org
address: the laurels
address: little bourton
city: banbury
state: --
country: GB
phone: +44 1295 750000

source: joker.com live whois service
query-time: 0.040898
db-updated: 2006-04-07 05:47:11


Posted by: RD   2006-04-07 01:48  

#12  Don't give the bastards the satisfaction, Fred.
Posted by: Iblis   2006-04-07 01:43  

#11  3dc still on board?

195.243.0.0/16
resolved to 195.243.0.0 - 195.243.255.255

195.243.0.0 - 195.243.255.255
org: ORG-DTA2-RIPE
netname: DE-TELEKOM-971222
descr: Provider Local Registry
country: DE
admin-c: DTAG-RIPE
tech-c: DTAG-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: DTAG-NIC
mnt-routes: DTAG-RR
source: RIPE # Filtered
organisation: ORG-DTA2-RIPE
org-name: Deutsche Telekom AG
org-type: LIR
address: Ammerlaender Heerstrasse 138
address: D-26129
address: Oldenburg
address: Germany
Posted by: RD   2006-04-07 01:43  

#10  of course you could attempt to convince all your users to use a real abnormal port like 8081 and block off all others.
Posted by: 3dc   2006-04-07 01:35  

#9  http://fixingtheweb.com/
to block countries and problem areas in linux

"ip-to-country" database file from ip-to-country.webhosting.info or the "geoip" database file from www.maxmind.com.
Posted by: 3dc   2006-04-07 01:28  

#8  Fred my brother in law builds servers with various operating systems for businesses and data folks. I'll call him tomorrow or drive over and ask him about IP port attacks and what can be done. 'puters and software are *NOT* my field of expertise.
..........
The hit counter shows the current IPs onboard, does anyone else get pinged at RB besides me?
Posted by: RD   2006-04-07 01:26  

#7  Drop all requests from all German and French IP Blocks. Too bad a few have to wreck it for everyone but that's tough for the Germans and French.
Posted by: SPoD   2006-04-07 01:14  

#6   In all seriousness, if there are any particularly notorious folks who keep popping up, drop me an e-mail and I'll see if there's anything I can do.
Posted by: Dan Darling   2006-04-07 01:10  

#5  One place that site visits a lot (other than the ones on the o-club) is:
http://www.mayang.com/

This guy has his wedding photos on the site. He is a Malaysian Muslim (gathered from the burka and styles)

look at the large amount of traveling this guy does. Although they may be visiting him for "TEXTURE FILES". Textures would make great "PADS" for encryption...

September - October 2005
Will and Mayang went to Denmark, Norway and Sweden


June 2005
Will and Mayang went to the Glastonbury Festival


June 2005
Mayang visited France


April 2005
Mayang visited Portugal


October 2004
We visited Morocco and spent some time in the Sahara


August 2004
We visited Thailand, Cambodia (including Angkor Wat) and Vietnam.


June 2004
We visited Sarawak, East Malaysia. See the pictures.


June 2004
We visited Sabah and climbed Mount Kinabalu. See the pictures.


May 2004
Our texture web site is now very popular. Statistics show that over 2000 people each day visit to download textures!


August 2003
We visited England again. See the pictures.

I think somebody should be profiling those servers and doing social network analysis on those servers... (HINT TO NSA)


Posted by: 3dc   2006-04-07 01:08  

#4  Not much. I've literally been fighting this battle for a couple years.
Posted by: Fred   2006-04-07 01:07  

#3   Little shitheads.

Anything we can do to help out, Fred?
Posted by: Dan Darling   2006-04-07 00:56  

#2  Nights like this, I think seriously of closing up shop. I used to have a life...
Posted by: Fred   2006-04-07 00:54  

#1  I'm sorry that you constantly have to deal with these folks. Thanks for staying on top of it and keeping the 'burg open.
It's very much appreciated.
Jan
Posted by: Jan   2006-04-07 00:53  
