Admin

I wouldn't want to 'test' the attackers so don't post anything about this anywhere public. If you're found to do so we'll just ban your account. It's not worth it.

Now things appear to have settled I feel comfortable letting you know what's been going on and why we've been up and down like a yoyo.

Keep this out of the public areas of the forum and whatnot. As it risks screwing the forum again.

Sunday morning we noticed a massive amount of traffic coming into the network, a few hours on we noticed it was a DDOS attack. Where too many requests are sent to the websites for the server and network to handle so it crashes the websites. Our hosts were able to manage the traffic to a degree while we traced what was going on. And it became apparent that it was thousands if not near 100,000+ botnets (computers being controlled by attackers without the owners' knowledge) sending false requests to the forums to crash the server.

This had a knock-on effect on our host's other customers, and even my host's ISP in the London Docklands had to shut down some of their own traffic routing systems to stop the traffic.

Monday the attackers changed tactics and used HTTP requests that were left open, so the websites wouldn't resolve them properly. That crashed the forums too.

Tuesday it changed to DNS reflection where they attack the IP address itself and send traffic directly to that.

And today we've switched to an expensive routing service to send traffic through to filter out any nasty stuff. Done this for the main forums, carted all my customers off to other solutions so they're not affected now, and I have closed down a lot of my own websites and forums and things.

It's cost me thousands in losses and extra services and I wouldn't wish this on any of our competitor forums. Really dodgy situation to be put in.

I was expecting a ransom related message but haven't got anything so far. The attack is classed as industrial sabotage and as dozens of other companies were affected, along with our host, their network provider (and their other customers) and their ISP (and their other customers) we've had to get the old SOCA (Serious and Organised Crimes Agency) which is now called NCA (National Crimes Agency) involved who are investigating the attack in case this is part of some bigger issue (like that dodgy RansomWare thing that's going about). We're not too sure who's doing it or why but we've fought them off for now.

At no point was anything to do with personal details at risk. They were NOT physically hacking us or anything, just sending massive amounts of traffic to us in the form of what took down PayPal and Amazon and VISA (and even SOCA last year).

So it looks like we're okay now. A few people are having DNS / Cache related issues but that'll all calm down in the next 24 hours or so as networks refresh and whatnot.

I wouldn't want to 'test' the attackers so don't post anything about this anywhere public. If you're found to do so we'll just ban your account. It's not worth it.
 
Was annoying our end but now you've kindly explained Dan I can say that it's much appreciated the effort you have put in to resolve the attack... :tank:
 
  • Like
Reactions: 1 person
I must add that at one point they gained access to several servers owned by the same poor sod in the Netherlands and used those for the HTTP attacks. Meanwhile couldn't gain access to our own. So that shows how solid we are. We were literally only open to DDOS attacks, but such things only usually happen to massive firms. So nobody who runs a forum would ever think of protecting against it without needing it as it costs thousands.
 
There isn't a smiley appropriate for the amount of drink I'm having tonight to celebrate.
 
  • Like
Reactions: 4 people
worlds-biggest-beer-pint-glass-drinking.jpg

Is that any good for you
 
  • Like
Reactions: 1 person
Nope, bigger please.
 
That's the one lad. Well done. That much drink I'm having, that much.
 
  • Like
Reactions: 1 person
So an attempt to sink the forum with no apparent gain to the attackers apart from the act itself ? Seems very odd. Maybe some wannabes practicing for bigger targets or just hacking for the hell of it ?

I would suggest that it could be the work of someone, or an organisation, or a group of organisations that had seen something they didn't like in the open forums.... but I wouldn't have the foggiest idea what such topics, views, or potential movements could provoke such a reaction, and I'm also not paranoid..... or should I be ?

Thanks for the update Dan.
 
  • Like
Reactions: 1 person
So an attempt to sink the forum with no apparent gain to the attackers apart from the act itself ? Seems very odd. Maybe some wannabes practicing for bigger targets or just hacking for the hell of it ?

I would suggest that it could be the work of someone, or an organisation, or a group of organisations that had seen something they didn't like in the open forums.... but I wouldn't have the foggiest idea what such topics, views, or potential movements could provoke such a reaction, and I'm also not paranoid..... or should I be ?

Thanks for the update Dan.

I was expecting a ransom threat. Failing that they perhaps wanted to make the forum vulnerable to a SQL injection to place RansomWare software on the server to attack its visitors. Failing that they are testing the network we're on. Failing that it's some form of person or group of people we've annoyed somehow, whether being so popular or have upset them some other way.

But the fact they controlled botnets means they had access to thousands of computers with viruses on. And the fact they gained control of several servers in the Netherlands suggests they know how to hack well.

But for now your guess is as good as mine.

I don't think the NCA will ever reveal anything they find for security reasons. But they're certainly very interested in knowing everything we do so they can investigate.

No need to be paranoid. The attack was certainly aimed at myself / my business (and my customers websites) and not members per se.
 
defleted.
 
DDoS attacks are nasty, if you guys are curious about these kinds of things.

Have a look at DEF CON on YouTube.

ShmooCon or Black Hat is also interesting
 
Having access to a botnet doesn't narrow it down much, anyone can hire the services of a botnet, you just need money and you need to know where to look. Glad to say speeds are good for me tonight, first night this week I've been able to load pages.
 
  • Like
Reactions: 2 people
Having access to a botnet doesn't narrow it down much, anyone can hire the services of a botnet, you just need money and you need to know where to look. Glad to say speeds are good for me tonight, first night this week I've been able to load pages.
The problem is that it is very difficult to track these people down because they will have infected PCs with a virus.

These computers will then either wait for a command from a certain server or will constantly communicate.

The server will then eventually select a target and then the zombie computers will start the ddos attack.

The problem is it is very hard to trace
 
  • Like
Reactions: 1 person
I am now having trouble with managing attachments/uploading pics but only in the last 30 minutes and everything else is running fine
 
The problem is that it is very difficult to track these people down because they will have infected PCs with a virus.

These computers will then either wait for a command from a certain server or will constantly communicate.

The server will then eventually select a target and then the zombie computers will start the ddos attack.

The problem is it is very hard to trace

It's like walking outside on a hot day seeing thousands of raindrops on the pavement and road after a quick light shower that have only just fallen and being asked to identify which one fell first.
 
  • Like
Reactions: 2 people
or catching up with the bandit. 10-4.
 
  • Like
Reactions: 1 person
Is there any reason email notification of thread updates aren't working?

Yeah, we haven't configured that end of it yet. You might find some come through eventually. But in the most part, this last few days has been about getting us back online, if I'm honest.
 
Can we pm this to people in forum?
 
Not if they're not in the arms no. Why would you need to?

I have their business details if they're in the arms.

And I don't know anybody from adam in the public domain.

Don't risk the forum. Tell them a bulb broke.

Nobody really needs to know, but I thought I'd be respectful and thankful for you lot putting up with yet again more forum issues, and do the right thing and explain what it was that was going on, so you knew the gravity of it.

If it ends up in the public domain, we risk whoever is attacking us fancying a challenge, and I can't physically afford more security.
 
Not if they're not in the arms no. Why would you need to?

I have their business details if they're in the arms.

And I don't know anybody from adam in the public domain.

Don't risk the forum. Tell them a bulb broke.

Nobody really needs to know, but I thought I'd be respectful and thankful for you lot putting up with yet again more forum issues, and do the right thing and explain what it was that was going on, so you knew the gravity of it.

If it ends up in the public domain, we risk whoever is attacking us fancying a challenge, and I can't physically afford more security.

If only someone knew an Electrician! :sosp:
 
  • Like
Reactions: 3 people
Thanks for the update. Regards Dave
 
  • Like
Reactions: 1 person
I used to own a web hosting company for 14 years and hosted over 35,000 sites and 250 dedicated servers so all too familiar with this. This is why I sold the business to one of the UK's largest hosts and got out of it and now commit to my electrical work full time, best thing I ever did. I fully sympathise with you, I honestly can say I really do feel sorry for you and the issues you have had.
 
  • Like
Reactions: 1 person
Not if they're not in the arms no. Why would you need to?

I have their business details if they're in the arms.

And I don't know anybody from adam in the public domain.

Don't risk the forum. Tell them a bulb broke.

Nobody really needs to know, but I thought I'd be respectful and thankful for you lot putting up with yet again more forum issues, and do the right thing and explain what it was that was going on, so you knew the gravity of it.

If it ends up in the public domain, we risk whoever is attacking us fancying a challenge, and I can't physically afford more security.

Thought this was supposed to be an electrical forum not a gardening forum
 
  • Like
Reactions: 2 people
I used to own a web hosting company for 14 years and hosted over 35,000 sites and 250 dedicated servers so all too familiar with this. This is why I sold the business to one of the UK's largest hosts and got out of it and now commit to my electrical work full time, best thing I ever did. I fully sympathise with you, I honestly can say I really do feel sorry for you and the issues you have had.

You'll agree it's not too common for small sites to get ddos'd then too I guess? And quite common for large firms, but also affordable to get around (out bandwidth them, or use on-site routers etc).

I was quoted 10k per month to protect the whole server at one point. Got it down to 6 considering we don't need much traffic when the ddos is over. Still not affordable.

I wouldn't wish this on our competitors who are often on shared hosting accounts (or resellers) in not so high-end datacentres, with software they need external staff to update and protect etc etc - They'd struggle to quickly get things online I think.
 
Dan, if you need any free advice or assistance with getting an affordable stable platform just let me know as I know the industry inside out and have years of experience in it. Plus lots of experience with hackers and DDOS attacks, I'd be more than happy to have a chat with you should you need it, £6k per month is ridiculous, I could get you a much cheaper platform.
 
  • Like
Reactions: 1 person
I have no idea of the spec of the server you are on, but I could get you probably 10TB of bandwidth per month and your own top spec server with solid state disks for only a couple of hundred a month, with own dedicated Cisco firewall on a 10Gb fibre network, I am sure I can probably help you on this, PM me if you want.
 
  • Like
Reactions: 1 person
I have no idea of the spec of the server you are on, but I could get you probably 10TB of bandwidth per month and your own top spec server with solid state disks for only a couple of hundred a month, with own dedicated Cisco firewall on a 10Gb fibre network, I am sure I can probably help you on this, PM me if you want.

Since 2006 I've hosted the trade forums we know of. And before that it was tiling related forums, training centre websites, and tiling tools websites. Before that when I was about 14, using AOL dialup (9.99 per month and 1p per minute) I was using a Packard Bell PC and AOL chatrooms creating scripts that changed the colour of the font in chatrooms (got banned a lot). And hosted car related forums and websites.

I'm quite clued up to a point. But instead of going down the 'hacking' route, I went down an actual business route.

We spend a lot on dedicated servers, clusters of servers for mail and other protection, and have had a lot of attempted hacks over the years as we run vBulletin. Lots of exploits in that.

What I've found is rather than me be super skilled in every field, is to get specialists in when needed. So we're on an awesome server that gets upgraded annually, with SSD's, awesome RAM, always DELL, hosted in DC1 in the docklands on the best connectivity with lots of spare bandwidth and whatnot. And know when I shop around what I'm looking for (I rarely switch but I do haggle when it comes to upgrading - I'd rather stay put than build new relationships).

But this, this was new. Small guys don't get DDOS'd and if it was a script kiddy I have lots of bandwidth spare and they'd find their resources outnumbered. This was massive though. It took down my hosts network and his lines he leased (inc his backup lines). The datacentre went nuts. I can't afford hardware myself. So like with my usual outcome, I've paid an external firm to route traffic through who will update their own gear when needed rather than me needing to keep on top of what's what and keep shopping around.

I appreciate your offer, but I didn't go with the 10k guy who came down a bit to something more than a millionaire's mortgage. lol

I'm sure he's never touched hardware in his life and drives a Ferrari.
 
It sounds like you know what you are doing then, well I'm always here for impartial advice should you need it, the last big hit we took, knocked out one of the main links between the UK and the Netherlands... We were really not very popular.

I best go to bed now as have a shower circuit to put in tomorrow, I did turn up at the job this morning to see that I'd written it on the wrong page in my diary lol.
 
  • Like
Reactions: 1 person
Looks like we've been just fine with the new setup.
 
no problems here since forum came back online yesterday.
 

Thread Information

Title
What's been going on with the forum then? - Arms thread
Prefix
N/A
Forum
Electrician Talk
Start date
Last reply date
Replies
119


Thread statistics

Created
Admin,
Last reply from
shanky887614,
Replies
119
Views
1,653
