Continuing Attempts to Thwart FluTrackers


  • Re: Continuing Attempts to Thwart FluTrackers

    As some of you know, we were down for about 3 hours yesterday due to two "targeted disseminated" denial of service attacks.

    One partial email from our server company:

    Date: Apr 17, 2014 2:06 PM
    Note: Replying more than once may delay our response time, because your ticket will be placed at the bottom of our ticket queue.

    Dear FluTrackers,

    Request supervisor
    A technician responded to your ticket with:

    Hello,

    We have checked your server in detail and can see that the vBulletin forum is consuming high memory and CPU usage on the server. Please see the results pasted below:

    -----
    redacted
    ------

    Also, from the domlogs I can see that a lot of hits are coming to register.php?do=addmember just seconds after register.php?do=register. While humans take a minute or more to fill out the registration form, bots do it instantly. Here's some evidence from my logs:

    ----------
    46.119.122.102 - - [17/Apr/2014:10:46:29 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "http://www.flutrackers.com/forum/register.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
    46.119.122.102 - - [17/Apr/2014:10:46:33 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "http://www.flutrackers.com/forum/register.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
    46.119.122.102 - - [17/Apr/2014:10:46:35 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "http://www.flutrackers.com/forum/register.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
    46.119.122.102 - - [17/Apr/2014:10:46:38 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "http://www.flutrackers.com/forum/register.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"
    46.119.122.102 - - [17/Apr/2014:10:46:41 -0700] "POST /forum/register.php?do=addmember HTTP/1.0" 200 34931 "http://www.flutrackers.com/forum/register.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36"

    more redacted...


    ---------------------------------------------

    In the 2nd attack yesterday thousands of ips from all over the world tried to: register, log in, post to threads, view the index, view random attachments, and view the tags - all at the same time.

    The robbers of our resources and time are using a computer program to synchronize the requests to our server for page views to guarantee a maximum hit against us.

    In the 1st attack a similar program asked thousands of computers to guess the user name and password combination to our server. Our firewall stopped all attempted intrusions into the server. In addition, obviously none of their guesses were correct. We have employed a strategy for many years that is very effective in dealing with this problem.

    The robbers are continuing today - generating thousands of requests to our server to join etc. We are maintaining.

    Also, we are receiving emails containing viruses to the FluTrackers email account.

    Thank you to everyone who views us. Our team is committed to providing the most accurate and timely information possible.

    We are all volunteers and we do this because we want to.

    It is our will power that propels this site.

    Comment


    • Re: Continuing Attempts to Thwart FluTrackers

      to me it sounds pretty easy to defend against these attacks.
      E.g. detect suspicious logins/registrations (time between attempts, match of passwords)
      detect high traffic from one site, bot-like behaviour

      if the defenders were only as creative as the hackers ...


      but then, when I check the views of my attached pictures, it's _very_ low.
      Maybe some bot can be programmed to look at my charts ;-)
      I'm interested in expert panflu damage estimates
      my current links: http://bit.ly/hFI7H ILI-charts: http://bit.ly/CcRgT

      Comment
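
The timing heuristic the hosting technician describes in the first post, and the per-IP checks suggested in the reply above, sketched as an added example (not code from the thread or from FluTrackers). The function names, the two thresholds and the sample log are assumptions; the sample lines are constructed in the same Apache combined format as the quoted ones and use documentation-range IPs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, as in the lines quoted by the hosting technician.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
MIN_FILL_SECONDS = 20  # assumed: nobody completes the form faster than this
MAX_SUBMITS = 3        # assumed: more do=addmember POSTs than this per IP is abuse

# Constructed sample (documentation-range IPs), not FluTrackers' real log.
_FMT = '{} - - [17/Apr/2014:{} -0700] "POST /forum/register.php?do={} HTTP/1.0" 200 34931 "-" "Mozilla/5.0"'
SAMPLE_LOG = [_FMT.format(*row) for row in [
    ("198.51.100.20", "10:40:00", "register"),
    ("198.51.100.20", "10:41:45", "addmember"),   # human pace: 105 s on the form
    ("203.0.113.7", "10:46:27", "register"),
    ("203.0.113.7", "10:46:29", "addmember"),     # 2 s after the form was served
    ("203.0.113.7", "10:46:33", "addmember"),
    ("203.0.113.7", "10:46:35", "addmember"),
    ("203.0.113.7", "10:46:38", "addmember"),
    ("192.0.2.99", "10:50:00", "addmember"),      # never requested the form
]]

def parse(line):
    """Return (ip, timestamp, method, path), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["method"], m["path"]

def flag_registration_bots(lines):
    """Map each suspicious client IP to the set of reasons it was flagged.
    Lines are expected in chronological order, as in an access log."""
    form_shown = {}              # ip -> when the registration form was last served
    submits = defaultdict(int)   # ip -> number of do=addmember POSTs
    reasons = defaultdict(set)
    for ip, ts, method, path in filter(None, map(parse, lines)):
        if "register.php" not in path:
            continue
        if method == "POST" and "do=addmember" in path:
            shown = form_shown.get(ip)
            if shown is None:
                reasons[ip].add("submit-without-form")
            elif (ts - shown).total_seconds() < MIN_FILL_SECONDS:
                reasons[ip].add("instant-fill")
            submits[ip] += 1
            if submits[ip] > MAX_SUBMITS:
                reasons[ip].add("repeat-submit")
            form_shown[ip] = ts  # assumption: a rejected submit re-serves the form
        elif "do=register" in path:
            form_shown[ip] = ts
    return dict(reasons)
```

Counting per IP also counts everyone behind a shared address (NAT, proxies) as one client, so flagged addresses are better fed to a CAPTCHA or rate limit than to a permanent ban.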


      • Re: Continuing Attempts to Thwart FluTrackers

        And we are not the only ones. Crof's blog has been down several times this week from DOS attacks. And now - again today:

        FluTrackers.com @FluTrackers 11m
        @Crof So your blog is down again?

        Crawford Kilian @Crof 8m
        @FluTrackers Yup. Discovering powers & limits of FluTweeting!

        FluTrackers.com @FluTrackers 5m
        @Crof We would be honored to post anything you write. Please send to our email & we will post and tweet w/hat tip to you.

        Crawford Kilian @Crof 3m
        @FluTrackers Very kind offer! May take you up on it if DOS attack persists. In meantime, will tweet you folks. :-)

        Comment


        • Re: Continuing Attempts to Thwart FluTrackers

          And now we are having a large influx of IPs trying to repeatedly register, etc. A sample:

          46.119.112.63 flutrackers.com POST /forum/register.php?do=addmember HTTP/1.0

          134.249.141.83 flutrackers.com POST /forum/register.php?do=addmember HTTP/1.0

          183.60.214.59 flutrackers.com GET /forum/misc.php?do=whoposted&t=218671 HTTP/1.1

          134.249.141.83 flutrackers.com POST /forum/register.php?do=addmember HTTP/1.0

          46.119.112.63 flutrackers.com POST /forum/register.php?do=addmember HTTP/1.0

          134.249.141.83 flutrackers.com POST /forum/register.php?do=addmember HTTP/1.0

          134.249.141.83 flutrackers.com POST /forum/register.php?do=addmember HTTP/1.0

          -------------------

          Our techs are dealing with this.

          Comment


          • Re: Continuing Attempts to Thwart FluTrackers

            I haven't been able to access Flutrackers.com for about a week from my personal computer. The screen comes up with "Forbidden" in bold letters (quotes mine).

            Then below that "You don't have permission to access /forum/search.php on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

            I can access Flutrackers.org, but it won't accept my i.d. or password. I am sending this post via another computer in our household that uses the same network connection. I can access Flutrackers.com from this other computer.

            We have Windows 8 with the firewall on, and the security scans have not found any problems. I am having zero problems accessing any other sites including another VBulletin forum. I was online and on Flutrackers.com when it was attacked.

            Comment


            • Re: Continuing Attempts to Thwart FluTrackers

              I suspect you are experiencing a DNS issue. Try to switch to a public DNS service instead of our provider.

              Comment


              • Re: Continuing Attempts to Thwart FluTrackers

                I would also suggest running a virus scan. AVG has some good free software, and as a secondary (free) system run Malwarebytes.

                Both have paid versions, but the free ones should suffice. I would suggest you run these in addition to whatever software you may currently run for virus and similar protection.

                Comment


                • Re: Continuing Attempts to Thwart FluTrackers

                  Originally posted by DataMom
                  I haven't been able to access Flutrackers.com for about a week from my personal computer. The screen comes up with "Forbidden" in bold letters (quotes mine).

                  Then below that "You don't have permission to access /forum/search.php on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

                  I can access Flutrackers.org, but it won't accept my i.d. or password. I am sending this post via another computer in our household that uses the same network connection. I can access Flutrackers.com from this other computer.

                  We have Windows 8 with the firewall on, and the security scans have not found any problems. I am having zero problems accessing any other sites including another VBulletin forum. I was online and on Flutrackers.com when it was attacked.

                  Our server has never been accessed. We are on lock down mode.

                  The attacks on us are a bunch of computers all programmed at the same time to ask to view a page on FT. With thousands of requests coming in at the same time, the server gets overloaded and slows down to barely operating. These are not attacks where someone has been able to get inside of the server to embed anything.

                  There is a new scam online. Some sites have a pop-up that suggests that you upgrade your video player or reader. If you mistakenly click on one of these fake solicitations you may get a virus.

                  Also, try clearing your cache.

                  Comment


                  • Re: Continuing Attempts to Thwart FluTrackers

                    And...you might want to send me a message with your ip so I can check if I accidentally banned it.

                    As I said we are sitting very tight on the server right now. Maybe too tight!

                    Today I "banned" 3 people.

                    Comment


                    • Re: Continuing Attempts to Thwart FluTrackers

                      As of yesterday, apparently, all links to FluTrackers from the browser Internet Explorer do not work. An error message is displayed. Firefox, Safari, Opera, and Google Chrome are working. It appears someone hacked into Internet Explorer and changed the linking directions to FluTrackers to invalid ones.

                      Way to go Microsoft!
                      Last edited by sharon sanders; November 17, 2014, 09:50 PM. Reason: fixed description of IE

                      Comment


                      • Re: Continuing Attempts to Thwart FluTrackers

                        May I suggest ixquick.com as a search engine instead of going through one's browser? Or Google, for that matter. Ixquick does not record IPs or track one's search terms. They also have problems with DDoS attacks sometimes, but I've very seldom been unable to get to them.

                        Comment


                        • Re: Continuing Attempts to Thwart FluTrackers

                          well, Internet Explorer is a browser, not a search engine.
                          I have to somehow log in so as to access my subscribed threads

                          Comment


                          • Re: Continuing Attempts to Thwart FluTrackers

                            to what other webpages did that happen?
                            FT can't be the only one

                            Comment


                            • Re: Continuing Attempts to Thwart FluTrackers

                              I was having no problem with Firefox but did try IE (which I hate) and get
                              Fatal error: Call to undefined function: str_split() in /home/flutr2/public_html/forum/index.php(1) : regexp code(1) : eval()'d code(1) : regexp code on line 1
                              I could not find a problem with IE and other sites, including another vBulletin forum.

                              It appears to be an incompatibility between IE and the FT site. As this is a new problem, I would guess it is due either to an IE update or to some changes made to this site at the time of the problem's emergence.

                              Comment


                              • Re: Continuing Attempts to Thwart FluTrackers

                                We have not made any changes to this site.

                                Comment
