DDoS


by liz » Thu Jun 14, 2012 4:20 pm
You might have noticed that this site has been up and down over the last 24 hours. We're undergoing a DDoS attack - depending on how long it continues, we may be spending some time later on sticking Cloudflare in front of the site, but for now we're crossing our fingers and hoping that whoever is pointing their botnet at us will get bored and wander off.

It's a *big* botnet. We've been seeing a DDoS that's roughly 110Mbps of SYN packets (307kps) to port 80. There's nothing terribly sensible our buddies at Mythic Beasts, who host this site, can do; it's pegged one CPU at 100% just managing the firewall connection state, and Apache has (unsurprisingly) run out of connections when it's at its worst.

We think that the ethernet wire is also full. Gigabit ethernet pads to 512 bytes, which is roughly 1.2Gbps on a 1Gbps link.

It's frustrating, but we're not suicidal (yet); for now we're taking the downtime to do the admin we need to do and steam through some email. I'll be posting regular updates on Twitter - https://twitter.com/#!/Raspberry_Pi - please discuss below what sort of twonk thinks that DDoSing a charity is a smart thing to do.
--
Head of Comms, Raspberry Pi Foundation
Raspberry Pi Foundation Employee & Forum Moderator
Posts: 4112
Joined: Thu Jul 28, 2011 7:22 pm
by krischaplin » Thu Jun 14, 2012 4:43 pm
Shameful behaviour, I wonder what could be the motive?

Bizarre.
Posts: 13
Joined: Fri Jan 13, 2012 1:52 pm
by finnw » Thu Jun 14, 2012 4:51 pm
I would guess it is someone who is upset at being banned from the site.
Posts: 24
Joined: Wed May 16, 2012 7:05 pm
by liz » Thu Jun 14, 2012 4:52 pm
It's either someone doing it for the lulz, someone we've banned for being an idiot, or someone who's taken offence at something we've said at some point - you know how people can get about favourite platforms/languages/OSes. Or it could be a blackmail thing (lots of these are, and this one does seem pretty large and well organised) - we haven't had any email to that effect, though. (Unless they mailed info@, which folder is currently several thousand deep in unread mail.)
--
Head of Comms, Raspberry Pi Foundation
Raspberry Pi Foundation Employee & Forum Moderator
Posts: 4112
Joined: Thu Jul 28, 2011 7:22 pm
by grumpyoldgit » Thu Jun 14, 2012 4:56 pm
I thought you had a Girl Friday now to deal with office stuff.
Posts: 1454
Joined: Thu Jan 05, 2012 12:20 pm
by nick.mccloud » Thu Jun 14, 2012 4:58 pm
I love it when you talk tech :twisted:
Posts: 795
Joined: Sat Feb 04, 2012 4:18 pm
by liz » Thu Jun 14, 2012 4:59 pm
She's not with us any more, sadly. Although we do now have someone (Helen) who is working solely on chasing down trademark infringements on eBay and elsewhere - which has turned out to be a very big job indeed. And Jack's been hiring students on an hourly basis to do some of the really tedious stuff. We also have some interns arriving in the summer vac to do some engineering work.

*Edit* I realise that this sounds as if Girl Friday died. She didn't.
--
Head of Comms, Raspberry Pi Foundation
Raspberry Pi Foundation Employee & Forum Moderator
Posts: 4112
Joined: Thu Jul 28, 2011 7:22 pm
by abishur » Thu Jun 14, 2012 5:29 pm
I guess a lot of people were upset when their pi didn't come with wheels and a sandwich, you really should have been more careful when you said that!
Dear forum: Play nice ;-)
Forum Moderator
Posts: 4298
Joined: Thu Jul 28, 2011 4:10 am
Location: USA
by extravagoose » Thu Jun 14, 2012 9:00 pm
liz wrote: It's either someone doing it for the lulz, someone we've banned for being an idiot, or someone who's taken offence at something we've said at some point - you know how people can get about favourite platforms/languages/OSes. Or it could be a blackmail thing (lots of these are, and this one does seem pretty large and well organised) - we haven't had any email to that effect, though. (Unless they mailed info@, which folder is currently several thousand deep in unread mail.)


I thought lulz had kind of ceased... even then I wouldn't have thought a charity would be their sort of target. Unless you are referring to someone doing it for a laugh? :oops:

In any case, it's disgraceful behaviour and especially low that a charity is the target...

Found this article an interesting read also:
http://www.networknewz.com/2010/04/05/how-to-combat-a-ddos-attack-on-your-network/#resume

Also, the Wikipedia article is an informative read too
http://en.wikipedia.org/wiki/Denial-of-service_attack

...of course I'm not intending to insult anyone's intelligence either :)
RPi 1: Hostname: Gimli, 500Gb USB HDD, ArchLinux | ARM.
Main Use: Bit of everything - but mainly web server, Network Storage and C programming.

RPi 2: Hostname tba, awaiting delivery.
Posts: 59
Joined: Tue May 29, 2012 2:51 pm
Location: UK
by RichardUK » Thu Jun 14, 2012 9:13 pm
Being popular is enough of a reason for these people.
Posts: 131
Joined: Fri Jun 01, 2012 5:12 pm
by AndrewS » Fri Jun 15, 2012 2:29 am
liz wrote: We also have some interns arriving in the summer vac to do some engineering work.

That sounds promising :) GSoC-type stuff?

Any more news regarding the raspberrypi.com shop?
Posts: 3626
Joined: Sun Apr 22, 2012 4:50 pm
Location: Cambridge, UK
by Jim Manley » Fri Jun 15, 2012 5:57 am
So, with the sale of all of those Pi boards, is the Foundation putting up the $185,000 each for the obvious .raspberry, .pi, and .raspberrypi top-level domains (TLDs)? Then, you can just shift over to those when the vermin present themselves :D

At least we aren't being snooped on by a Flame worm ... oops, a couple of years too late, now! :cry:

Zombies always attack when you least expect it, especially when they're dreaded DDOS-bots! ;)
The best things in life aren't things ... but, a Pi comes pretty darned close! :D
"Education is not the filling of a pail, but the lighting of a fire." -- W.B. Yeats
In theory, theory & practice are the same - in practice, they aren't!!!
Posts: 1357
Joined: Thu Feb 23, 2012 8:41 pm
Location: SillyCon Valley, California, USA
by blc » Fri Jun 15, 2012 7:32 am
I know the feeling; at least on a smaller scale.

I ran a Minecraft server on the same VPS that ran my website; purely just for my friends and I. The server address turned up on some random Minecraft server listing site and it got griefed really badly (griefing in minecraft = random destruction of other people's builds); I assumed that not giving the IP address out was sufficient protection.

Once I took down the Minecraft server, I started getting DDoS'ed very shortly afterwards. It took down the physical server node that my VPS was hosted on along with several server nodes at the hosting company. They were not pleased...
Posts: 167
Joined: Mon Sep 05, 2011 9:28 am
by Reider » Fri Jun 15, 2012 8:18 am
I run two forums on my domain. The RasPi one so far has had no trouble but the Photography one is at times inundated with applications and sometimes multiple applications from the same accounts. This seemed to start from the moment I made the site accessible to iPhones, Android, tablets etc by adding Tapatalk and Forum Runner. Not services I would pull down and fortunately with some selective IP Banning I'm slowing the multiple applications down by wildcarding the IP bans. But I know that we are a localised Photography Club and there is very little reason for people outside of that town to join. Especially folk in Russia and Indonesia..... :D Folk with obviously spam orientated names and/or email addresses are easy to spot, D'oh!

Nothing like the problem that RasPi.org has seen. But one thing always sticks in my mind, it would be so easy for an AV Virus Company to give you a trial and pretend you had some virus that your other AV systems failed to spot. Just as easy would be for companies offering protection to start attacks, as long as they can do it without detection. Then reap a monthly fee to protect against it. That's not to say that any of them do, only that it is possible some of them could and would. Taking a monthly fee and not offering any account of where the attacks are coming from stinks to high heaven for me. What are they doing for that money? I realize they cannot log all attacks but even random samples could suggest X Country/Town for a maximum no. of IP ranges.

Steve
Posts: 75
Joined: Sun Mar 04, 2012 12:00 pm
by nick.mccloud » Fri Jun 15, 2012 8:33 am
Reider wrote: Taking a monthly fee and not offering any account of where the attacks are coming from stinks to high heaven for me. What are they doing for that money? I realize they cannot log all attacks but even random samples could suggest X Country/Town for a maximum no. of IP ranges.


I think you need to consider the Distributed bit of DDoS! Infected computers all around the world have been instructed to send variously formatted requests to the website, they aren't all based in one town.
Posts: 795
Joined: Sat Feb 04, 2012 4:18 pm
by liz » Fri Jun 15, 2012 12:38 pm
Plus, if what you're seeing is a SYN attack (like this one), your logs aren't going to be of any help pinpointing where people are geographically anyway. :(
--
Head of Comms, Raspberry Pi Foundation
Raspberry Pi Foundation Employee & Forum Moderator
Posts: 4112
Joined: Thu Jul 28, 2011 7:22 pm
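Added example, not part of any post in this thread: a small detector for the pattern described above (a flood of SYNs to port 80 that never complete the handshake), which also shows why per-source logs say so little here, since half-open connections never reach Apache's access log and each source may appear only once. The tcpdump-style line format, all addresses and the thresholds are constructed assumptions.

```python
import re
from collections import Counter

# Matches tcpdump-style summaries: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [..]"
LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")

def constructed_capture(flood_syns=300, real_clients=3):
    """Constructed sample (not incident data): many lone SYNs plus a few full handshakes."""
    lines = []
    for i in range(flood_syns):
        src = f"10.{i // 250}.{i % 250}.{(i * 7) % 250 + 1}"  # every SYN from a new source
        lines.append(f"{i / flood_syns:.6f} IP {src}.{40000 + i} > 203.0.113.10.80: Flags [S], seq 1")
    for i in range(real_clients):
        c = f"192.0.2.{i + 1}.{50000 + i}"
        lines.append(f"0.5{i}0000 IP {c} > 203.0.113.10.80: Flags [S], seq 1")
        lines.append(f"0.5{i}1000 IP 203.0.113.10.80 > {c}: Flags [S.], seq 1, ack 2")
        lines.append(f"0.5{i}2000 IP {c} > 203.0.113.10.80: Flags [.], ack 2")
    return lines

def analyse(lines, server_port=80):
    """Count opened vs completed handshakes towards server_port."""
    opened, completed = set(), set()
    for line in lines:
        m = LINE.match(line)
        if not m or int(m.group(5)) != server_port:
            continue                      # keep only client -> server packets
        key = (m.group(2), m.group(3))    # (source address, source port)
        if m.group(6) == "S":
            opened.add(key)
        elif m.group(6) == "." and key in opened:
            completed.add(key)            # client ACKed the SYN-ACK
    half_open = opened - completed
    per_source = Counter(src for src, _ in half_open)
    return {
        "syn": len(opened),
        "half_open": len(half_open),
        "completion_ratio": len(completed) / len(opened) if opened else 1.0,
        "distinct_sources": len(per_source),
        "max_from_one_source": max(per_source.values(), default=0),
    }

def is_syn_flood(stats, min_syn=100, max_ratio=0.1):
    """Hypothetical thresholds: many SYNs, almost none completing."""
    return stats["syn"] >= min_syn and stats["completion_ratio"] <= max_ratio

if __name__ == "__main__":
    stats = analyse(constructed_capture())
    print(stats, "flood" if is_syn_flood(stats) else "normal")
```
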
by SN » Fri Jun 15, 2012 12:48 pm
Well if I see the little green light winking furiously on my router in the living room I'll know someone's trying to hack my little pi and I'll just unplug it :lol:
Steve N – binatone mk4->intellivision->zx81->spectrum->cbm64->cpc6128->520stfm->pc->raspi ?
Posts: 1008
Joined: Mon Feb 13, 2012 8:06 pm
Location: Romiley, UK
by JustThisGuy » Sat Jun 16, 2012 12:02 am
Me? I thought it was a conspiracy against me! ;)

See, I just received my RPi on Wednesday so I hop on RPi.org and what do you know, just when I needed those wiki and download pages they ignore my GETs and POSTs. Oh well, it gave me an excuse to go at it without the manual, so to speak. All's well, HDMI & Composite work great without overscan. Network fine. Audio wrangling and general fooling around are next on the list.

Thanks again you guys. This weekend is going to be fun. It's Christmas in June here in California. I haven't had my hands on a fun piece of hardware in a long time.
Any conversation about a sufficiently complex subject is indistinguishable from babble.
Posts: 114
Joined: Thu Jan 05, 2012 11:22 pm
by Jim Manley » Sat Jun 16, 2012 4:06 am
SN wrote: Well if I see the little green light winking furiously on my router in the living room I'll know someone's trying to hack my little pi and I'll just unplug it :lol:

If the Foundation starts seeing massive numbers of SN packets instead of SYN packets, at least they'll know where to send the goon squad :lol:
The best things in life aren't things ... but, a Pi comes pretty darned close! :D
"Education is not the filling of a pail, but the lighting of a fire." -- W.B. Yeats
In theory, theory & practice are the same - in practice, they aren't!!!
Posts: 1357
Joined: Thu Feb 23, 2012 8:41 pm
Location: SillyCon Valley, California, USA
by sjfaustino » Mon Jun 18, 2012 7:56 pm
abishur wrote: I guess a lot of people were upset when their pi didn't come with wheels and a sandwich, you really should have been more careful when you said that!


Mine came with an Element 14/raspberry Pi T-Shirt offer :D
Posts: 87
Joined: Tue Jun 12, 2012 5:21 pm
by ren41 » Tue Jun 19, 2012 7:18 pm
so frustrating when it went down just as I couldn't boot after an RPI-update!

someone must be really upset that the RPI's so popular!

ren
Posts: 99
Joined: Sat May 26, 2012 8:00 pm
by liz » Tue Jun 19, 2012 8:14 pm
Someone claiming to be from Anonymous also tried to flood my email earlier yesterday, but was outwitted by Gmail. I ask you...
--
Head of Comms, Raspberry Pi Foundation
Raspberry Pi Foundation Employee & Forum Moderator
Posts: 4112
Joined: Thu Jul 28, 2011 7:22 pm
by abishur » Tue Jun 19, 2012 8:37 pm
liz wrote: ... but was outwitted by Gmail. I ask you...


That reminds me of a kid who claimed to be a "l33t h@ck3r" because he could hack into other people's computers... using a program someone else wrote... as long as the person he wanted to hack actually ran the program. He threatened to hack me and when I asked what would happen when I didn't run the program, he didn't have a coherent response.
Dear forum: Play nice ;-)
Forum Moderator
Posts: 4298
Joined: Thu Jul 28, 2011 4:10 am
Location: USA
by liz » Tue Jun 19, 2012 9:27 pm
Eben points out that his own email is flooded to bursting point with perfectly reasonable enquiries anyway, so nobody *needs* to try to do the same to his. Although he says he'd welcome the respite.
--
Head of Comms, Raspberry Pi Foundation
Raspberry Pi Foundation Employee & Forum Moderator
Posts: 4112
Joined: Thu Jul 28, 2011 7:22 pm
by alexeames » Tue Jun 19, 2012 9:32 pm
liz wrote: Eben points out that his own email is flooded to bursting point with perfectly reasonable enquiries anyway, so nobody *needs* to try to do the same to his. Although he says he'd welcome the respite.


Good problem to have though. If you can direct some of them to the forum, the answers can help lots of people - theoretically :lol:
Alex Eames RasPi.TV HDMIPi.com RasP.iO
Posts: 2079
Joined: Sat Mar 03, 2012 11:57 am
Location: UK