What are you doing today?

Just got done getting my web sites back on-line. I was attacked with over 14,000 outside requests per hour. Seems like all is back to normal but will take a day or so to be sure.

To fix it I went to an outfit called Cloudflare for my domain name servers on the recommendation of my hosting. Cloudflare sort of acts like a reverse proxy and has a free version which I used.
So it was a DNS attack? What is your TTL? Btw, 14,000 requests an hour is nothing; that is only 4 requests a second. How much bandwidth did that draw (depends on the size of your landing page, if it was to your web server and not just DNS requests)? I'm really confused because it sounds like you are using Cloudflare for DNS hosting, but it was your website which saw too many requests.

Btw, did you go through the list of IPs making the requests?
I have a partial list of IP requests that was supplied by my hosting...
14282 43.134.91.203
14273 43.159.41.195
14234 43.159.37.213
14227 43.134.165.87
14225 43.159.32.86
... (and many more)
I'm not good at server-side stuff, but it looks like a group attack. I'm not even sure if it was, in fact, a database attack, as I'm not a server person. It may have been another form of attack with which I'm not familiar.

Here is a portion of the initial email from my hosting... computerhaven.jaylach.com is actually the sub-domain associated with computerhaven.com.
Green Geeks said:
We’ve detected over 1 million requests directed at your site computerhaven.jaylach.com in a short period of time, which is causing a serious performance impact on the server.

Edit:
Actually it may well have been a "DDoS" attack. I'm not really sure if database or DDoS. All I know is that it seems solved and my sites are back up and running. I asked my hosting for an explanation of what actually happened but have not yet received such info. They may or may not supply a full explanation, but that isn't really their job.
For security reasons I would delete the name of your website.

Nothing on that site seems like it would be a target, though it could be a random target or just random polling through the IP table. Cloudflare probably has a blacklist of sites to not resolve DNS requests for; of course it would do crap if you were targeted by IP, but that doesn't seem likely. There are several companies like Cloudflare, and basically how they work is the DNS is not a flat database; instead it is dynamically produced on request. If you host on their site ($$), then they can pick one of their servers based on a number of factors; conversely, if they have the ability to blacklist requesters, they can return IPs that send them to (for the sake of this conversation) never never land.

As for the IPs hitting you, it could just be compromised hosts, but at least the ones you provided are all from the same blocks (43.134 and 43.159). I'm not really an expert on why a site is attacked, but a long time ago in another life I would at least do some very primitive (and not sophisticated) look at IPs when our site was attacked. For real information we had a security group that dealt with that stuff, but since I no longer work at that company I no longer have access to them ;)

I said the above not very well; Cloudflare probably has a blacklist of IPs for which it will not return a website IP when a DNS request is made. I.e., if 43.134.91.203 is on the blacklist, when it requests the IP for domain www.xxx.yyy, instead of returning www.xxx.yyy's IP it returns an IP to (for this conversation) never never land.

After all, there is nothing that determines how a nameserver responds to a request.

Having said that i don't know for sure how their system works just idle speculation.
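One way to do the "primitive look at IPs" by address block that the reply above describes, as an added example that is not code from the post or from the hosting provider: it parses the "COUNT IP" list format the host supplied, sums requests per /16 (or any prefix), and reports which blocks carry most of the traffic. The five sample lines are the ones quoted earlier in the thread; the two low-count lines are constructed for contrast.

```python
"""Summarise a hosting provider's 'count ip' request list by address block."""
from collections import Counter
from ipaddress import ip_address, ip_network

# The five lines quoted from the host's list in the post above, plus two
# constructed lines (documentation ranges) from unrelated blocks for contrast.
SAMPLE = """\
14282 43.134.91.203
14273 43.159.41.195
14234 43.159.37.213
14227 43.134.165.87
14225 43.159.32.86
... (and many more)
120 198.51.100.7
95 203.0.113.9
"""


def parse_counts(text):
    """Parse 'COUNT IP' lines into (count, ip) tuples, skipping lines that don't fit."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # e.g. the "... (and many more)" trailer
        try:
            rows.append((int(parts[0]), ip_address(parts[1])))
        except ValueError:
            continue  # not a number / not an address
    return rows


def totals_by_block(rows, prefix=16):
    """Sum request counts per /prefix block; /16 groups 43.134.x.x together."""
    totals = Counter()
    for count, ip in rows:
        net = ip_network(f"{ip}/{prefix}", strict=False)
        totals[str(net)] += count
    return totals


def concentrated_blocks(rows, prefix=16, share=0.5):
    """Blocks carrying more than `share` of all listed requests, largest first."""
    totals = totals_by_block(rows, prefix)
    grand = sum(totals.values())
    return [(net, n) for net, n in totals.most_common() if n / grand > share]


if __name__ == "__main__":
    rows = parse_counts(SAMPLE)
    for net, n in concentrated_blocks(rows, prefix=16, share=0.3):
        print(f"{net}: {n} requests")
```

Once a block dominates the list, a whois lookup of that block (the thread later attributes it to a cloud provider) is the next check, and the same per-block totals are what you would hand to the host or a Cloudflare firewall rule.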
Yesterday I found out that David Rockefeller and Harald V came to the city where I have lived most of my life... Rockefeller had some investments in Brazil. When Mococa celebrated its 100th birthday, David came to the small town. If you know Portuguese, there is a newspaper article mentioning the fact.

When Rockefeller came to Mococa, in Estádio Olímpico São Sebastião (more commonly known as Campo do Radium, which is currently abandoned...):


Nelson Rockefeller received the title "Honorary citizenship" from the town, too. But since nowadays the town is not so relevant, and most people confuse the city with the neighborhood "Mooca" in São Paulo, there is not much mention of this.

Harald receiving the title "Cidadão Mocoquense" from Mococa in 1964:


Nocturnal recording I made from my Betta splendens:
I see no reason to remove my site name from the posts as it is already in my signature. ;)

Lol. The IP block in question that caused the problem belongs to Tencent Cloud Computing (Beijing) Co. Ltd.

Do you know exactly what services (ports) were targeted?