You might have noticed that this site has been up and down over the last 24 hours. We're undergoing a DDoS attack - depending on how long it continues, we may be spending some time later on sticking Cloudflare in front of the site, but for now we're crossing our fingers and hoping that whoever is pointing their botnet at us will get bored and wander off.
It's a *big* botnet. We've been seeing a DDoS that's roughly 110Mbps of SYN packets (307kps) to port 80. There's nothing terribly sensible our buddies at Mythic Beasts, who host this site, can do; it's pegged one CPU at 100% just managing the firewall connection state, and Apache has (unsurprisingly) run out of connections when it's at its worst.
We think that the ethernet wire is also full. Gigabit ethernet pads to 512 bytes, which is roughly 1.2Gbps on a 1Gbps link.
It's frustrating, but we're not suicidal (yet); for now we're taking the downtime to do the admin we need to do and steam through some email. I'll be posting regular updates on Twitter - https://twitter.com/#!/Raspberry_Pi - please discuss below what sort of twonk thinks that DDoSing a charity is a smart thing to do.
-
- Posts: 13
- Joined: Fri Jan 13, 2012 1:52 pm
Re: DDoS
Shameful behaviour, I wonder what could be the motive?
Bizarre.
Re: DDoS
It's either someone doing it for the lulz, someone we've banned for being an idiot, or someone who's taken offence at something we've said at some point - you know how people can get about favourite platforms/languages/OSes. Or it could be a blackmail thing (lots of these are, and this one does seem pretty large and well organised) - we haven't had any email to that effect, though. (Unless they mailed info@, which folder is currently several thousand deep in unread mail.)
Director of Communications, Raspberry Pi
- grumpyoldgit
- Posts: 1452
- Joined: Thu Jan 05, 2012 12:20 pm
Re: DDoS
I thought you had a Girl Friday now to deal with office stuff.
- nick.mccloud
- Posts: 1280
- Joined: Sat Feb 04, 2012 4:18 pm
Re: DDoS
I love it when you talk tech
Pico/RP2040 ≠ Arduino
Pico = hot rod kit car, Arduino = hot rod kit car wrapped in cotton wool with buoyancy aids & parachute
Re: DDoS
She's not with us any more, sadly. Although we do now have someone (Helen) who is working solely on chasing down trademark infringements on eBay and elsewhere - which has turned out to be a very big job indeed. And Jack's been hiring students on an hourly basis to do some of the really tedious stuff. We also have some interns arriving in the summer vac to do some engineering work.
*Edit* I realise that this sounds as if Girl Friday died. She didn't.
Director of Communications, Raspberry Pi
- extravagoose
- Posts: 59
- Joined: Tue May 29, 2012 2:51 pm
- Location: UK
Re: DDoS
liz wrote: It's either someone doing it for the lulz, someone we've banned for being an idiot, or someone who's taken offence at something we've said at some point - you know how people can get about favourite platforms/languages/OSes. Or it could be a blackmail thing (lots of these are, and this one does seem pretty large and well organised) - we haven't had any email to that effect, though. (Unless they mailed info@, which folder is currently several thousand deep in unread mail.)
I thought lulz had kind of ceased... even then I wouldn't have thought a charity would be their sort of target. Unless you are referring to someone doing it for a laugh?
In any case, it's disgraceful behaviour and especially low that a charity is the target...
Found this article an interesting read also:
http://www.networknewz.com/2010/04/05/h ... rk/#resume
Also, the Wikipedia article is an informative read too
http://en.wikipedia.org/wiki/Denial-of-service_attack
...of course I'm not intending to insult anyone's intelligence either
RPi 1: Hostname: Gimli, 500Gb USB HDD, ArchLinux | ARM.
Main Use: Bit of everything - but mainly web server, Network Storage and C programming.
RPi 2: Hostname tba, awaiting delivery.
- Jim Manley
- Posts: 1600
- Joined: Thu Feb 23, 2012 8:41 pm
- Location: SillyCon Valley, California, and Powell, Wyoming, USA, plus The Universe
Re: DDoS
So, with the sale of all of those Pi boards, is the Foundation putting up the $185,000 each for the obvious .raspberry, .pi, and .raspberrypi top-level domains (TLDs)? Then, you can just shift over to those when the vermin present themselves
At least we aren't being snooped on by a Flame worm ... oops, a couple of years too late, now!
Zombies always attack when you least expect it, especially when they're dreaded DDOS-bots!
The best things in life aren't things ... but, a Pi comes pretty darned close!
"Education is not the filling of a pail, but the lighting of a fire." -- W.B. Yeats
In theory, theory & practice are the same - in practice, they aren't!!!
Re: DDoS
I know the feeling; at least on a smaller scale.
I ran a Minecraft server on the same VPS that ran my website; purely just for my friends and I. The server address turned up on some random Minecraft server listing site and it got griefed really badly (griefing in Minecraft = random destruction of other people's builds); I assumed that not giving the IP address out was sufficient protection.
Once I took down the Minecraft server, I started getting DDoS'ed very shortly afterwards. It took down the physical server node that my VPS was hosted on along with several server nodes at the hosting company. They were not pleased...
Re: DDoS
I run two forums on my domain. The RasPi one so far has had no trouble but the Photography one is at times inundated with applications and sometimes multiple applications from the same accounts. This seemed to start from the moment I made the site accessible to iPhones, Android, tablets etc by adding Tapatalk and Forum Runner. Not services I would pull down and fortunately with some selective IP Banning I'm slowing the multiple applications down by wildcarding the IP bans. But I know that we are a localised Photography Club and there is very little reason for people outside of that town to join. Especially folk in Russia and Indonesia..... Folk with obviously spam orientated names and/or email addresses are easy to spot, D'oh!
Nothing like the problem that RasPi.org has seen. But one thing always sticks in my mind, it would be so easy for an AV Virus Company to give you a trial and pretend you had some virus that your other AV systems failed to spot. Just as easy would be for companies offering protection to start attacks, as long as they can do it without detection. Then reap a monthly fee to protect against it. That's not to say that any of them do, only that it is possible some of them could and would. Taking a monthly fee and not offering any account of where the attacks are coming from stinks to high heaven for me. What are they doing for that money? I realize they cannot log all attacks but even random samples could suggest X Country/Town for a maximum no. of IP ranges.
Steve
- nick.mccloud
- Posts: 1280
- Joined: Sat Feb 04, 2012 4:18 pm
Re: DDoS
Reider wrote: Taking a monthly fee and not offering any account of where the attacks are coming from stinks to high heaven for me. What are they doing for that money? I realize they cannot log all attacks but even random samples could suggest X Country/Town for a maximum no. of IP ranges.
I think you need to consider the Distributed bit of DDoS! Infected computers all around the world have been instructed to send variously formatted requests to the website, they aren't all based in one town.
Pico/RP2040 ≠ Arduino
Pico = hot rod kit car, Arduino = hot rod kit car wrapped in cotton wool with buoyancy aids & parachute
Re: DDoS
Plus, if what you're seeing is a SYN attack (like this one), your logs aren't going to be of any help pinpointing where people are geographically anyway.
Director of Communications, Raspberry Pi
-
- Posts: 114
- Joined: Thu Jan 05, 2012 11:22 pm
Re: DDoS
Me? I thought it was a conspiracy against me!
See, I just received my RPi on Wednesday so I hop on RPi.org and what do you know, just when I needed those wiki and download pages they ignore my GETs and POSTs. Oh well, it gave me an excuse to go at it without the manual, so to speak. All's well, HDMI & Composite work great without overscan. Network fine. Audio wrangling and general fooling around are next on the list.
Thanks again you guys. This weekend is going to be fun. It's Christmas in June here in California. I haven't had my hands on a fun piece of hardware in a long time.
Any conversation about a sufficiently complex subject is indistinguishable from babble.
- Jim Manley
- Posts: 1600
- Joined: Thu Feb 23, 2012 8:41 pm
- Location: SillyCon Valley, California, and Powell, Wyoming, USA, plus The Universe
Re: DDoS
SN wrote: Well if I see the little green light winking furiously on my router in the living room I'll know someone's trying to hack my little pi and I'll just unplug it
If the Foundation starts seeing massive numbers of SN packets instead of SYN packets, at least they'll know where to send the goon squad
The best things in life aren't things ... but, a Pi comes pretty darned close!
"Education is not the filling of a pail, but the lighting of a fire." -- W.B. Yeats
In theory, theory & practice are the same - in practice, they aren't!!!
-
- Posts: 87
- Joined: Tue Jun 12, 2012 5:21 pm
Re: DDoS
abishur wrote: I guess a lot of people were upset when their pi didn't come with wheels and a sandwich, you really should have been more careful when you said that!
Mine came with an Element 14/Raspberry Pi T-Shirt offer
Re: DDoS
liz wrote: ... but was outwitted by Gmail. I ask you...
That reminds me of a kid who claimed to be a "l33t h@ck3r" because he could hack into other people's computers... using a program someone else wrote... as long as the person he wanted to hack actually ran the program. He threatened to hack me and when I asked what would happen when I didn't run the program, he didn't have a coherent response.
Dear forum: Play nice
Re: DDoS
Eben points out that his own email is flooded to bursting point with perfectly reasonable enquiries anyway, so nobody *needs* to try to do the same to his. Although he says he'd welcome the respite.
Director of Communications, Raspberry Pi
Re: DDoS
liz wrote: Eben points out that his own email is flooded to bursting point with perfectly reasonable enquiries anyway, so nobody *needs* to try to do the same to his. Although he says he'd welcome the respite.
Good problem to have though. If you can direct some of them to the forum, the answers can help lots of people - theoretically
Alex Eames RasPi.TV, RasP.iO