Re: Continuing Attempts to Thwart FluTrackers
As some of you know we were down for about 3 hours yesterday due to two "targeted disseminated" denial of service attacks.
One partial email from our server company:
Date: Apr 17, 2014 2:06 PM
Note: Replying more than once may delay our response time, because your ticket will be placed at the bottom of our ticket queue.
Dear FluTrackers,
Request supervisor
A technician responded to your ticket with:
Hello,
We have checked your server in detail and can see that the vbulletin forum is consuming high memory and CPU on the server. Please see the results pasted below:
-----
redacted
------
Also from the domlogs I can see that a lot of hits are coming to register.php?do=addmember just seconds after register.php?do=register. While humans take a minute or more to fill out the registration form, bots do it instantly. Here's some evidence from my logs:
----------
46.119.122.102 - - [17/Apr/2014:10:46:29 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "http://www.flutrackers.com/forum/register.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
46.119.122.102 - - [17/Apr/2014:10:46:33 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "http://www.flutrackers.com/forum/register.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
46.119.122.102 - - [17/Apr/2014:10:46:35 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "http://www.flutrackers.com/forum/register.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
46.119.122.102 - - [17/Apr/2014:10:46:38 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "http://www.flutrackers.com/forum/register.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
46.119.122.102 - - [17/Apr/2014:10:46:41 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "http://www.flutrackers.com/forum/register.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
more redacted...
---------------------------------------------
In the 2nd attack yesterday thousands of IPs from all over the world tried to: register, log in, post to threads, view the index, view random attachments, and view the tags - all at the same time.
The robbers of our resources and time are using a computer program to synchronize the requests to our server for page views to guarantee a maximum hit against us.
In the 1st attack a similar program asked thousands of computers to guess the user name and password combination to our server. Our firewall stopped all attempted intrusions into the server. In addition, obviously none of their guesses were correct. We have employed a strategy for many years that is very effective in dealing with this problem.
The robbers are continuing today - generating thousands of requests to our server to join etc. We are maintaining.
Also, we are receiving emails containing viruses to the FluTrackers email account.
Thank you to everyone who views us. Our team is committed to providing the most accurate and timely information possible.
We are all volunteers and we do this because we want to.
It is our will power that propels this site.
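The timing check the technician describes, written as a log scan. This is an added example, not code from the post or from the hosting company. The 60-second threshold is an assumption taken from the "minute or more" remark, and the sample lines are constructed with documentation IP addresses:

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log prefix: client IP, timestamp, method, request path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} ')
MIN_FILL_SECONDS = 60  # assumption, from "humans take a minute or more"

def parse(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]

def flag_fast_registrations(lines, min_fill=MIN_FILL_SECONDS):
    """Map IP -> gaps (seconds) of addmember POSTs that followed that IP's
    previous register.php request faster than min_fill."""
    last_seen = {}              # IP -> time of its last register.php request
    flagged = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or "register.php" not in rec[3]:
            continue
        ip, ts, method, path = rec
        prev = last_seen.get(ip)
        # With no earlier request in the log there is nothing to measure.
        if method == "POST" and "do=addmember" in path and prev is not None:
            gap = (ts - prev).total_seconds()
            if gap < min_fill:
                flagged[ip].append(gap)
        last_seen[ip] = ts
    return dict(flagged)

# Constructed sample lines (documentation IPs, shortened user agent).
SAMPLE = [
    '198.51.100.7 - - [17/Apr/2014:10:40:00 -0700] "GET /forum/register.php?do=register HTTP/1.1" 200 9120 "-" "UA"',
    '192.0.2.10 - - [17/Apr/2014:10:46:27 -0700] "GET /forum/register.php?do=register HTTP/1.0" 200 9120 "-" "UA"',
    '192.0.2.10 - - [17/Apr/2014:10:46:29 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "-" "UA"',
    '192.0.2.10 - - [17/Apr/2014:10:46:33 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "-" "UA"',
    '198.51.100.7 - - [17/Apr/2014:10:42:10 -0700] "POST /forum/register.php?do=addmember HTTP/1.1" 200 34931 "-" "UA"',
]

if __name__ == "__main__":
    for ip, gaps in flag_fast_registrations(SAMPLE).items():
        print(f"{ip}: {len(gaps)} rapid submissions, gaps {gaps}s")
```

The scan assumes the log is in time order, as Apache writes it. The client that waits over two minutes before submitting is left alone, and repeated submissions a few seconds apart are flagged even when the form request itself is missing from the window.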