DDoS

[liz]

You might have noticed that this site has been up and down over the last 24 hours. We're undergoing a DDoS attack - depending on how long it continues, we may be spending some time later on sticking Cloudflare in front of the site, but for now we're crossing our fingers and hoping that whoever is pointing their botnet at us will get bored and wander off.

It's a *big* botnet. We've been seeing a DDoS that's roughly 110Mbps of SYN packets (307kps) to port 80. There's nothing terribly sensible our buddies at Mythic Beasts, who host this site, can do; it's pegged one CPU at 100% just managing the firewall connection state, and Apache has (unsurprisingly) run out of connections when it's at its worst.

We think that the ethernet wire is also full. Gigabit ethernet pads to 512 bytes, which is roughly 1.2Gbps on a 1Gbps link.

It's frustrating, but we're not suicidal (yet); for now we're taking the downtime to do the admin we need to do and steam through some email. I'll be posting regular updates on Twitter - https://twitter.com/#!/Raspberry_Pi - please discuss below what sort of twonk thinks that DDoSing a charity is a smart thing to do.

[krischaplin]

Shameful behaviour, I wonder what could be the motive?

Bizarre.

[finnw]

I would guess it is someone who is upset at being banned from the site.

[liz]

It's either someone doing it for the lulz, someone we've banned for being an idiot, or someone who's taken offence at something we've said at some point - you know how people can get about favourite platforms/languages/OSes. Or it could be a blackmail thing (lots of these are, and this one does seem pretty large and well organised) - we haven't had any email to that effect, though. (Unless they mailed info@, which folder is currently several thousand deep in unread mail.)

[grumpyoldgit]

I thought you had a Girl Friday now to deal with office stuff.

[nick.mccloud]

I love it when you talk tech

[liz]

She's not with us any more, sadly. Although we do now have someone (Helen) who is working solely on chasing down trademark infringements on eBay and elsewhere - which has turned out to be a very big job indeed. And Jack's been hiring students on an hourly basis to do some of the really tedious stuff. We also have some interns arriving in the summer vac to do some engineering work.

*Edit* I realise that this sounds as if Girl Friday died. She didn't.

[abishur]

I guess a lot of people were upset when their pi didn't comes with wheels and a sandwich, you really should have been more careful when you said that!

[extravagoose]

It's either someone doing it for the lulz, someone we've banned for being an idiot, or someone who's taken offence at something we've said at some point - you know how people can get about favourite platforms/languages/OSes. Or it could be a blackmail thing (lots of these are, and this one does seem pretty large and well organised) - we haven't had any email to that effect, though. (Unless they mailed info@, which folder is currently several thousand deep in unread mail.)

I thought lulz had kind of ceased... even then I wouldn't have thought a charity would be their sort of target. Unless you are referring to someone doing it for a laugh?

In any case, its disgraceful behaviour and especially low that a charity is the target...

Found this article an interesting read also:
http://www.networknewz.com/2010/04/05/h ... rk/#resume

Also, the Wikipedia article is an informative read too
http://en.wikipedia.org/wiki/Denial-of-service_attack

...of course I'm not intending to insult anyone's intelligence either

[RichardUK]

Being popular is enough of a reason for these people.

[AndrewS]

We also have some interns arriving in the summer vac to do some engineering work.

That sounds promising GSoC-type stuff?

Any more news regarding the raspberrypi.com shop?

[Jim Manley]

So, with the sale of all of those Pi boards, is the Foundation putting up the $185,000 each for the obvious .raspberry, .pi, and .raspberrypi top-level domains (TLDs)? Then, you can just shift over to those when the vermin present themselves

At least we aren't being snooped on by a Flame worm ... oops, a couple of years too late, now!

Zombies always attack when you least expect it, especially when they're dreaded DDOS-bots!

[blc]

I know the feeling; at least on a smaller scale.

I ran a Minecraft server on the same VPS that ran my website; purely just for my friends and I. The server address turned up on some random Minecraft server listing site and it got griefed really badly (griefing in minecraft = random destruction of other people's builds); I assumed that not giving the IP address out was sufficient protection.

Once I took down the Minecraft server, I started getting DDoS'ed very shortly afterwards. It took down the physical server node that my VPS was hosted on along with several server nodes at the hosting company. They were not pleased...

[Reider]

I run two forums on my domain. The RasPi one so far has had no trouble but the Photography one is at times inundated with applications and sometimes multiple applications from the same accounts. This seemed to start from the moment I made the site accessible to iphones, Android, tablets etc by adding Tapatalk and Forum Runner. Not services I would pull down and fortunately with some selective IP Banning I`m slowing the multiple applications down by wildcarding the IP bans. But I know that we are a localised Photography Club and their is very little reason for people outside of that town to join. Especially folk in Russia and Indonesia..... Folk with obviously spam orientated names and/or email addresses are easy to spot, D`oh!

Nothing like the problem that RasPi.org has seen. But one thing always sticks in my mind, it would be so easy for an AV Virus Company to give you a trial and pretend you had some virus that your other AV systems failed to spot. Just as easy would be for companies offering protection to start attacks, as long as they can do it without detection. Then reap a monthly fee to protect against it. That's not to say that any of them do, only that it is possible some of them could and would. Taking a monthly fee and not offering any account of where the attacks are coming from stinks to high heaven for me. What are they doing for that money? I realize they cannot log all attacks but even random samples could suggest X Country/Town for a maximum no. of IP ranges.

Steve

[nick.mccloud]

Taking a monthly fee and not offering any account of where the attacks are coming from stinks to high heaven for me. What are they doing for that money? I realize they cannot log all attacks but even random samples could suggest X Country/Town for a maximum no. of IP ranges.

I think you need to consider the Distributed bit of DDoS! Infected computers all around the world have been instructed to send variously formatted requests to the website, they aren't all based in one town.

[liz]

Plus, if what you're seeing is a SYN attack (like this one), your logs aren't going to be of any help pinpointing where people are geographically anyway.

[SN]

Well if I see the little green light winking furiously on my router in the living room I'll know someones trying to hack my little pi and I'll just unplug it

[JustThisGuy]

Me? I thought it was a conspiracy against me!

See, I just received my RPi on Wednesday so I hop on RPi.org and what do you know, just when I needed those wiki and download pages they ignore my GETs and POSTs. Oh well, it gave me an excuse to go at it without the manual, so to speak. All's well, HDMI & Composite work great without overscan. Network fine. Audio wrangling and general fooling around are next on the list.

Thanks again you guys. This weekend is going to be fun. It's Christmas in June here in California. I haven't had my hands on a fun piece of hardware in a long time.

[Jim Manley]

Well if I see the little green light winking furiously on my router in the living room I'll know someones trying to hack my little pi and I'll just unplug it

If the Foundation starts seeing massive numbers of SN packets instead of SYN packets, at least they'll know where to send the goon squad

[sjfaustino]

I guess a lot of people were upset when their pi didn't comes with wheels and a sandwich, you really should have been more careful when you said that!

Mine came with a Element 14/raspberry Pi T-Shirt offer

[ren41]

so frustrating when it went down just as I couldn't boot after an RPI-update!

someone must be really upset that the RPI's so popular!

ren

[liz]

Someone claiming to be from Anonymous also tried to flood my email earlier yesterday, but was outwitted by Gmail. I ask you...

[abishur]

... but was outwitted by Gmail. I ask you...

That reminds of a kid who claimed to be a "l33t h@ck3r" because he could hack into other people's computers... using a program someone else wrote... as long as the person he wanted to hack actually ran the program. He threatened to hack me and when I asked what would happen when I didn't run the program, he didn't have coherent response.

[liz]

Eben points out that his own email is flooded to bursting point with perfectly reasonable enquiries anyway, so nobody *needs* to try to do the same to his. Although he says he'd welcome the respite.

[alexeames]

Eben points out that his own email is flooded to bursting point with perfectly reasonable enquiries anyway, so nobody *needs* to try to do the same to his. Although he says he'd welcome the respite.

Good problem to have though. If you can direct some of them to the forum, the answers can help lots of people - theoretically