English Webserver Attack

79 replies
23.06.12 09:55:38 pm
DC
Admin
Looks like Counter-Strike 2D servers are not the only target of those slightly retarded kids. My webserver has been attacked today, leading to bad accessibility of all Unreal Software websites.
I blocked the attacking IP (50.72.86.162) now. I assume that it overloaded the webserver the entire day.

I want to note that this will be examined and it will draw legal consequences if I'm able to find out who is responsible for this.

Sorry to everyone who wasn't able to access the website because of this.
edited 1×, last 19.07.12 12:07:07 am
www.UnrealSoftware.de | www.CS2D.com | www.CarnageContest.com | Use the forum & avoid PMs!
23.06.12 09:57:15 pm
dENd
User
Yea...
That is bad.
Zzz
23.06.12 10:00:42 pm
apacherev
User
Was it really only 1 IP? Doesn't apache/httpd automatically give out 500s for overloading requests? Perhaps you should set that up properly.
23.06.12 10:05:18 pm
DC
Admin
@user apacherev: No I'm not sure if it was just one IP. I didn't examine the logfiles yet. I just know that there was a suspiciously high amount of TCP connections from the mentioned IP so I iptable banned it and the server worked well since that. Maybe a Syn-Flood or something else. I didn't examine it yet.

Before doing that I already tried a shitload of Apache configurations to solve the problem. Apache always reached the maximum number of connections within a few minutes, even if I set them to something like 3000 (a value which is never reached even closely... normally). I know how to set up a webserver properly, that's not the problem...
23.06.12 10:07:51 pm
Brainless Solutions
User
Take a report to FBI o.-
23.06.12 10:12:47 pm
apacherev
User
The reason I say that is because, during the attack, I tried to connect to unreal, and it did try to load the website.

If max connections have been initialized/declared then it should have sent me a 503--which I never got.
23.06.12 10:21:10 pm
DC
Admin
Your request has been queued probably or the server wasn't able to send any response I guess.
23.06.12 10:23:43 pm
oxytamine
User
user DC, why wouldn't you limit opened TCP connections from one IP? I think no one probably needs more than 50 connections at the same time.
Code:
# connlimit is the current name of the old iplimit match
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 9 -j DROP

This one would work great against 80% of TCP attacks (change number to desired, of course, I stick with 9). Dropping when many IP addresses are performing DDoS attack on your server.
edited 2×, last 23.06.12 10:25:10 pm
23.06.12 10:24:03 pm
Ahmad
User
The attacker can hide/change his ip right?
Because this ip is Canadian. Canadian crasher doesn't make sense.
23.06.12 10:27:34 pm
Yates
Reviewer
user Ahmad has written:
Because this ip is Canadian, it doesn't make sense.

Canada wants to be seen as nobody cares about them. Ignore.

US.de loaded for me, but very slowly. I was still able to do everything I normally could but slowpoke. It's weird how people want to ruin a community full of kids which probably don't even care as long as the game works.

Sad.
23.06.12 10:28:09 pm
DC
Admin
@user oxytamine: Great idea. Thanks.
23.06.12 10:30:37 pm
TheTrollHammer
BANNED
This made me lol so bad.
Ahmad has written:
Because this ip is Canadian, it doesn't make sense.

So what if it's Canadian? It could have been an Arabian IP.
IMG:http://i48.tinypic.com/2rqzvom.jpg
I'm more likely to be anonymous. No one's going to know who I really am.
23.06.12 10:32:32 pm
oxytamine
User
SMB attacks could be easily blocked by this.
Code:
iptables -A INPUT -p UDP --dport 135:139 -j DROP
iptables -A INPUT -p TCP --dport 135:139 -j DROP

Since they all use same port. Also, let's limit connections to port 80, DDoS'ing this port is the most common attack since kids often use pre-compiled scripts/programs which flood port 80.
Code:
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

That's what I'm talking about - it will reject all the connections from specific IP if limit is reached (in this case limit is 20, I set 40).
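
An added example, not part of the post above or of anyone's message in this thread: before choosing a `--connlimit-above` value, counting connections per peer shows which sources would actually hit it, which is the symptom DC describes earlier (one IP holding a suspiciously high number of TCP connections). The function name `over_limit`, the `ss -tan`-style input format and the sample addresses (documentation ranges) are assumptions made for this sketch.

```shell
#!/bin/sh
# Constructed sample in the column layout of `ss -tan`:
# one peer with 25 half-open connections to port 80, plus normal clients.
sample_ss_output() {
    echo "State Recv-Q Send-Q Local Address:Port Peer Address:Port"
    i=0
    while [ "$i" -lt 25 ]; do
        echo "SYN-RECV 0 0 192.0.2.10:80 203.0.113.7:$((40000 + i))"
        i=$((i + 1))
    done
    echo "ESTAB 0 0 192.0.2.10:80 198.51.100.4:51812"
    echo "ESTAB 0 0 192.0.2.10:80 198.51.100.4:51813"
    echo "ESTAB 0 0 192.0.2.10:80 198.51.100.9:40211"
    echo "ESTAB 0 0 192.0.2.10:22 203.0.113.7:60022"   # other port, ignored
}

# over_limit PORT LIMIT
# Reads ss-style lines on stdin and prints "count ip" for every peer that
# holds more than LIMIT connections to local PORT, busiest first.
over_limit() {
    awk -v port="$1" -v limit="$2" '
        $1 == "State" { next }                  # skip the header line
        {
            laddr = $4; peer = $5
            n = split(laddr, l, ":")            # last field is the local port
            if (l[n] != port) next
            sub(/:[0-9]+$/, "", peer)           # drop the peer source port
            count[peer]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit) print count[ip], ip
        }
    ' | sort -rn
}

# Run against the constructed sample; on a live host: ss -tan | over_limit 80 20
sample_ss_output | over_limit 80 20
```

Peers listed here are the ones a rule with the same limit would reject; legitimate clients behind a shared NAT can show up too, so check the list before lowering the limit.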
23.06.12 10:43:42 pm
apacherev
User
DC have you confirmed that the attacker had only 1 IP? These solutions are good but are only towards dos.
23.06.12 10:43:49 pm
Suprise
BANNED
erm.. I don't know what sense of attacking.
23.06.12 10:44:13 pm
Yates
Reviewer
user TheTrollHammer has written:
So what if it's Canadian? It could have been an Arabian IP.

Or it could have been you posting gayporn everywhere.

Owait. Did I just? Yea.. I did, screw you.

user apacherev has written:
These solutions are good but are only towards dos.

That's one thing fixed then. Would you protect something against all attacks yet must wait for an actual solution. Or would you protect it from one attack right away!? Seriously dude, your posts are getting more and more useless.
23.06.12 10:48:29 pm
oxytamine
User
user Yates has written:
That's one thing fixed then. Would you protect something against all attacks yet must wait for an actual solution. Or would you protect it from one attack right away!? Seriously dude, your posts are getting more and more useless.

I once told him that he is talking non-sense, but he did not listen.
23.06.12 10:50:28 pm
Jela331
User
Fucking retarded kids, I hope they burn in hell.
23.06.12 10:52:12 pm
oxytamine
User
user Jela331 has written:
Fucking retarded kids, I hope they burn in hell.

I'll never seem to understand sense of attacking a simple forum. DDoS attacks could be useful when you're making business (I once DDoS'ed e-Quality to death for a couple of hours, I lol'd), but it's completely useless when it turns out that you do not profit from DDoS'ing.
edited 1×, last 23.06.12 10:59:30 pm
23.06.12 10:59:23 pm
TheTrollHammer
BANNED
user Yates has written:
Or it could have been you posting gayporn everywhere.

Owait. Did I just? Yea.. I did, screw you.


Hmm.. you seem to have a wild imagination. Stupid much? You're screwing yourself.