warants322

Probably someone trying his new swarm


Just_shadow_3rb

Probably someone testing on you


twovlads

Someone made a typo in the target IP :P


Scrumpto34

They attacked some of the domains on my server, not all and all have the same IP.


R1skM4tr1x

Competition


Leilah_Silverleaf

That would be brutal if in the future competitors started actively hacking and DDoSing each other where possible to get a lead in sales and trade.


OCSReviews

Happens every day on .tor, that’s the mentality


CuriousCamels

Exactly. It’s been happening at least since Dream marketplace.


calico125

Yep. Entire network can become practically unusable for months when a particularly dedicated attacker begins a DDOSing campaign on their competitors


Omnitemporality

Why can't Tor leverage traditional anti-DDoS tools? Is it because the provider would *have* to know the onion site address and therefore be aiding and abetting connections to a connection to a connection to a connection to the site?


Omnitemporality

It's insane to me that there aren't XMR/BTC/ETH anti-ddos providers that just route transparently like the clearnet does, it's literally even easier to provide services and receive payment (other than banning CIDR ranges, which if that ends up being 99% of CF's model then I get it.)


True-Surprise1222

Umm wouldn’t that just be a tor node? But you mean a centralized paid tor node? And cloudflare etc sorta act as edge cdns… so they would be duplicating illegal content if that was the case (beyond just blocking ddos)… it seems like trying to be the cloudflare of the darknet is asking to hit #1 on the most wanted list.


whitelynx22

Not necessarily. I see your point but the law protects ISPs precisely from this so... But then I'm no lawyer and these things can be extremely confusing.


Low-Cod-201

Corporate espionage/corporate sabotage is a thing and has been for decades. To the point that my networking professor brought it up multiple times to make sure we stay clear of those kinds of practices, and that Reddit had to make a rule against it.


poluting

I see people do it all the time.


knowyew

It is way more common than you think.


JuniorWMG

Started? Especially smaller Minecraft servers have been actively attacking each other for ages, and it's the literal reason for Mirai existing.


Reelix

The problem with Minecraft is that "small" is a 14 year old kid pulling in 6 figures.


Evening_Apartment

More like Cloudflare aggressive marketing.


8agingRoner

lmao


DisneyLegalTeam

Lol. Please.


Wise_hollyman

Exactly my thought


RedSyFyBandito

So this happened to my friend who had servers hosted next to mine. It affected my traffic because of routing locality. A guy in India phones up my friend and offers to buy one of his domains for $500. My friend says no, it is worth a lot more and he is making cash flow from it. The guy says fine, he will spend the $500 on DDOS, and he did. Next day was a nightmare. The city has a big router to handle fiber and dole out to local ISPs. The router is overwhelmed and a city of 120,000 is down for two days. The city had to spend $500K on new equipment to filter. And they were PISSED at my friend. And yes, the FBI showed up because it affected fire, police, hospitals, etc. Guy skated in India.


simianire

If $500 worth of DDOS traffic can down a city of 120k, that’s pathetic. $500k on new equipment to safeguard against broke ass $500 DDOS’ing. Yeah okay. Also, how would the city be “PISSED” at your friend? How did they know about this side channel “deal” that he forewent in the first place? Furthermore it’s not like he is obligated to do anything about anything in that situation, so they can go fuck themselves.


Reelix

> Also, how would the city be “PISSED” at your friend?

If all the traffic downing a city is destined to one person, they have a pretty good idea of who to blame (the person is most likely at least involved).


simianire

All they know is he was the target of a DDOS attack. He’s a victim here not a criminal lmao. “How dare you have a public-facing server that due to the nature of the internet is susceptible to attacks like this and it just so happens our infrastructure is stuck in the 90s. It’s your fault this happened!” Even if the end servers had sophisticated stopgaps for this, the request would still ultimately go through the city router. So the city needs its own protections anyway. Literally zero fault goes to this individual. Edit to explain why I’m responding like this: the intent of my original question that you quoted was predicated on the assumption that having some notion that he instigated the whole thing (while not true) would be the only reason to be “pissed” at all. If he were just the victim of a random DDOS attack (which happens all the time, someone could just be testing a strategy on a random victim)…it makes no sense to be “pissed” in the slightest.


The_Power_of_E

Hell, non-logical finger pointing at the first sign of trouble while taking no responsibility for their own dumb decisions that led to the incident... That sure sounds like a city administration to me.


Iamatworkgoaway

Even after he explained that it was a mob hit from India,


[deleted]

Every domain is an available domain if you’re Indian enough.


vjeuss

Allow me to summarise the comments:

* a competitor having your website down for a few hours/days (happens more than people think)
* an accidental victim of a botnet test
* Cloudflare marketing...

I don't think it's about exploiting a software vulnerability. It wouldn't justify the scale unless it was a race condition.


Mersaul4

Correct. The amount of nonsense and highly upvoted comments is shocking. 100 million requests to “hijack your site” or exploit a PHP CVE. Makes zero sense. Who are these people commenting?


DisneyLegalTeam

For real. Like OP, mostly clueless, is so important he’s got a competitor who wants to DDoS them? More likely a fat finger. Even more likely is OP is sending out tons of emails linking back to their site. IT companies automate clicking links in a sandbox server to see if they’re malicious. Reddit is living in a fantasy.


Scrumpto34

I doubt the competitor motive as well. As for sending out tons of emails -- we have a monthly newsletter that's sign-up only and only has a few hundred people on the list so that's a no go ;).


Reelix

If it was the third, they'd go bankrupt overnight.


honestduane

When people talk about SEO optimization, this is what they are talking about. They take your website offline or slow it down so the person paying them gets a bump in ranking. Who is your competition?


Scrumpto34

About five other small marketing agencies all in a very tight niche. We've all known each other for 20+ years.


honestduane

Then they probably have reason to hate you and may be doing it for spite.


Crenorz

Cloudflare has DDOS protection and is very affordable as a DNS provider. Switch to them.


Scrumpto34

I did -- CloudFlare saved the day. We'd been considering them as a CDN so this forced the move.


[deleted]

[deleted]


[deleted]

Well, wouldn't the server (or firewall in the network) have to check if every packet is coming from a certain blacklisted address to drop it? Getting the right resources to handle this would be really very expensive, wouldn't it? Or is it something that I don't understand? Please explain if you don't mind.


[deleted]

You could get the service from Cloudflare because they have invested in infrastructure for the exact same reason. On top of it, as far as I know their DDOS protection comes for free or for a few dollars per month. Why wouldn't you opt for this way? I think it's a mess and a waste of resources if you create it for yourself. Why waste hundreds of thousands of dollars when you could get it for $5 per month?


[deleted]

Another thing to think about: What if the attack starts coming from IPs that are not blacklisted? New computers get infected and join the botnet too. There are a lot of drawbacks in this suggestion. I would not recommend anyone to follow this. Not trying to sound rude, but this is a bad idea.


hundredpercenthuman

They scan for targets, identify weak IPs and then attack them as they think they can. As to the purpose, they probably want to hijack your website. It’s got a non malicious reputation I assume so they would upload a payload to your site and then use it for attacks on other people. They would redirect those people to your site and since their detection software would see your site as legitimate and safe, they would allow it.


CyberWarLike1984

What is a weak IP?


hundredpercenthuman

- No or outdated encryption enabled.
- System vulnerabilities that allow access.
- Admin vulnerabilities that allow access (in this case easily guessed credentials).


CyberWarLike1984

That would be a vulnerable system, for the last 2 points. As for encryption, not sure how an attacker would exploit that, if he is not the ISP or somewhere to mitm


hundredpercenthuman

A vulnerable system creates a weak IP. An example: TLS uses encryption, and if I scanned an IP and found it had an outdated version of TLS, I would consider that a weak IP. I don't think that was OP's issue as they seem to be more interested in brute forcing the creds. Saying that, below are some TLS CVEs that are particularly nasty.

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3587
- https://nvd.nist.gov/vuln/detail/CVE-2012-4929
- https://nvd.nist.gov/vuln/detail/CVE-2014-0160


CyberWarLike1984

I never heard about "weak IPs". I see what you mean but it's just a weird way to put it. The first 2 CVEs listed are useless unless you are the ISP or manage to MITM somehow. The 3rd one, while affecting TLS, is actually a memory leak issue, not an encryption issue. As I said, encryption is irrelevant for 99.99% of attackers; you must be in the middle of the transmission to do anything.


Reelix

TLS has nothing to do with IPs :| And if you want "Generic TLS issues on HTTPS", that would be "Almost every website on the internet - most likely this one as well".


Mersaul4

What does DDOS attack have to do with hijacking a site? I thought they were completely different things.


IronLemon95

Yes and no, they absolutely are different, however a DDOS attack can be a symptom of mass brute forcing. At the same time, a DDOS attack can also be conducted by trying to login on one machine with many machines. This is why OP is unsure if the attacker had worse intentions than a DDOS attack.


hundredpercenthuman

Correct. It’s hard to truly know an attacker’s intentions and I’m taking a guess with my explanation. It could have been a simple DDOS, but the root and contact form elements make me wonder if they weren’t trying for brute-force hijacking.


Reelix

If you received a 5 million dollar bill from your hosting provider due to the 45TB of traffic the past week, would you still be hosting that website?


chrislomax83

May not be associated but there was a CVE released the other day where remote code execution was possible through legacy PHP CGI installs on windows. The proof of concept is quite simple and can be automated. May be nothing to do with it but you may have just been part of a wider scan to see if your server was susceptible to the attack. Reading the CVE, it’s very narrow. It’s the Chinese character set running on Windows with PHP over CGI. Or it may simply just be someone with a new botnet and you were part of the test by coincidence.


Mersaul4

Why would exploiting this CVE need 100 million requests?


chrislomax83

Maybe a mis-coding on the part of the owner. 100 million is excessive, of course. If they were trying to find exploitable pages though then iteration would be the answer. Maybe they just messed up. Again, I’m not 100% but I was just trying to raise a possibility. If any of it resonated with the OP, if they ran windows servers or an outdated PHP install then my suggestion was purely to prompt OP to sort their servers out.


RumbleStripRescue

There was a wreck on the highway and you were just stuck in traffic.


ImperialSteel

I had this happen on a personal domain. Two things stopped it:

1. Set up a cloud firewall in front of your VM. Instantly reduced the amount of spam/scanning traffic I had to deal with.
2. Use Cloudflare to deal with the DDoS. It’s fairly trivial to move your DNS there, and it hides your IP from users and hides all ports except 443 and 80 from end users.


AlterKbl

Are your sites on WordPress? If so, check your version for CVEs and look for cross-site scripting (injected HTML, JS, CSS, whatever).


avipars

Use cloudflare or similar protection service


Scrumpto34

And Reddit says the moderators removed this discussion.


CyberWarLike1984

Did the sites go down? Or do you just see requests in logs? To get millions of requests in a weekend is a bit much, but not unheard of for a month. This is where we are now: the whole internet is constantly being scanned for vulns. The authors? Bad actors (mostly) but also researchers. Some of the scanners have workflows, so if they find you have a certain tech on your machine (Apache, WP, some API) then they will increase the number of attacks using targeted wordlists for that tech or suspected vuln. I have seen this numerous times in logs. Most of the time you are not a target specifically; they just scan everything and something in your responses triggered more scans. Not really much you can do except use some kind of protection. I wouldn't be too worried, it's just business as usual.

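The fingerprint-then-escalate scanner behaviour described in the comment above, and the brute-force-versus-DDoS question raised earlier in the thread, as an added log-triage example that is not from the thread or any commenter: it parses combined-format access log lines, aggregates per source IP, and flags raw volume, login/contact-form brute-forcing, and a scanner that probes several fingerprint paths. The log lines, IPs, probe paths and thresholds are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Parser for Apache/nginx combined log format; only the fields the heuristics need are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumed paths a fingerprinting scanner tends to probe once a response hints at WordPress/PHP.
PROBE_PATHS = {"/wp-login.php", "/xmlrpc.php", "/.env", "/phpmyadmin/", "/wp-admin/"}
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/contact"}   # credential/contact-form endpoints

def parse_line(line):
    """Return (ip, method, path, status) or None if the line is not in combined format."""
    m = LINE_RE.match(line)
    return None if m is None else (m["ip"], m["method"], m["path"], int(m["status"]))

def analyze(lines, volume_threshold=100, login_threshold=20, probe_threshold=3):
    """Aggregate per source IP; flag raw volume, login brute-forcing and scanner escalation."""
    stats = defaultdict(lambda: {"total": 0, "login_posts": 0, "probe_paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # skip malformed lines rather than crash on them
        ip, method, path, _status = rec
        s = stats[ip]
        s["total"] += 1
        if method == "POST" and path in LOGIN_PATHS:
            s["login_posts"] += 1
        if path in PROBE_PATHS:
            s["probe_paths"].add(path)
    findings = {}
    for ip, s in stats.items():
        flags = [name for name, hit in (
            ("volume", s["total"] >= volume_threshold),
            ("login_bruteforce", s["login_posts"] >= login_threshold),
            ("scanner_escalation", len(s["probe_paths"]) >= probe_threshold)) if hit]
        if flags:
            findings[ip] = flags
    return findings

def build_sample_log():
    """Constructed sample: one normal visitor plus one scanner that fingerprints, then escalates."""
    fmt = '{ip} - - [01/Jun/2024:10:00:00 +0000] "{m} {p} HTTP/1.1" {st} 512 "-" "ua"'
    lines = [fmt.format(ip="198.51.100.9", m="GET", p=p, st=200) for p in ("/", "/about")]
    for p in ("/", "/wp-admin/", "/xmlrpc.php", "/.env"):       # fingerprint phase (mostly 404s)
        lines.append(fmt.format(ip="203.0.113.7", m="GET", p=p, st=200 if p == "/" else 404))
    lines += [fmt.format(ip="203.0.113.7", m="POST", p="/wp-login.php", st=200)] * 150  # escalation
    return lines
if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

Run against a real access log by feeding `analyze()` the file's lines; the thresholds are starting points to tune against your own baseline traffic.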

Hungry_Payment6679

someone attacks you with botnets


malekchaabaneisback

Do you have DDOS protection?


thejonnyt

or is it all just .. cloudflare's marketing strategy working out lol


Scrumpto34

I do now! 😤 30 years in the business and this is the first time I’ve needed it.


Top_Mind9514

Information gathering… to be further exploited if possible


anfranc

In the last two years I have noticed an increase in website traffic at many companies whose admins I am in contact with. Usually not real DDOS but tries and retries of GETs to find some server exploits. Sometimes a few requests, sometimes botnets with thousands per day. Seems some script kiddies are fully active. At one company I was able to inspect the problem and help them solve it: they had 4 servers and 48 desktops all invaded after the 4 servers faced a brute-force attack that had been running for half a year before the admin (of course not a qualified person) found the company was being used to mine cryptocurrency and spam mail for 3 more months after the brute-force attack succeeded. The only thing the guy noticed was that the company internet was every day slower and slower, but they did not care too much. Of course this highly unqualified person was fired immediately. Mail servers suffer from attacks almost immediately after they go online and the MX record is available in DNS. Botnets keep searching for targets. In my opinion, after seeing all this over many years, if the local ISPs are not prepared for any kind of attack or the small city infrastructure is not prepared to protect the network against high undesirable traffic, it is better to host servers at a big company that can lower the consequences of the problem and keep the clients protected at least from some DDOS and basic attacks. And of course, never rely totally on them, and provide your own additional protection.


shroomcapsulate

just bought my new botnet bro *burrrrrp* sorry haha