[ARCHIVED THREAD] - DDOS, anyone? (Page 1 of 2)
Something is going on, but it's not rare to see these types of attacks. The better story is that the recent Sony hack turns out to be a disgruntled former employee. Now, was this 'Lena' person working alone? I never bought the Nork angle, not without inside help.
And Obama announces new sanctions against NK because of the hack. Poor guy just can't catch a break. Posted Via AR15.Com Mobile
Quoted: I've seen it that bad quite frequently, generally from China. And yes, St. Louis and Kirksville, MO, tend to get hit quite a bit. I've been trying to figure out why Kirksville keeps getting hit. The only thing I've been able to come up with is that there may be some sort of co-location out there, possibly belonging to Hurricane Electric (they do global networking and other shit), and it's taking the hit... but why? There is some university there but I doubt that's the target. China wouldn't waste these resources for so long on a university in some no-name town in MO. My dogs will probably get shot for even posting this.
Quoted: ... almost embarrassing to admit this, but I'm not sure how a DDOS attack works, why is it done, or what the endgame is for the offensive tactics. Would someone here post up a brief primer for dummies like me?
Put simply... they pummel a network with so much data/requests for data that the network is overloaded. This makes the network unresponsive for anyone trying to legitimately access the network. The end game is to make it inaccessible for as long as the DDOS is taking place. Once it's over everything goes back to normal. They do this to bring down websites, services, etc.
Quoted: ... almost embarrassing to admit this, but I'm not sure how a DDOS attack works, why is it done, or what the endgame is for the offensive tactics. Would someone here post up a brief primer for dummies like me?
Quoted: ... almost embarrassing to admit this, but I'm not sure how a DDOS attack works, why is it done, or what the endgame is for the offensive tactics. Would someone here post up a brief primer for dummies like me?
Quoted: Just a ton of computers, or bot computers which are hijacked that hit a target over and over until it goes offline. It can't handle the traffic overload. Any good system can easily defeat it.
Even a good system can be vulnerable to a big enough attack. When it comes right down to it, that data has to be processed so traffic can be blocked or passed. I'm sure what EA, Sony, and Microsoft run are far beyond what you or I would consider good.
Quoted: I've seen it that bad quite frequently, generally from China. And yes, St. Louis and Kirksville, MO, tend to get hit quite a bit.
Quoted: what the hell is there that is so interesting?
I don't know what's in Kirksville, and that has me stumped, too, but I used to do armed security with some interesting clients in the St. Louis area. Sometimes Federal agencies have offices and other facilities in very nondescript buildings. St. Louis is also home to the National Personnel Records Center, the US Army Personnel Command, and the National Archives and Records Administration. I used to live about 300m from the front gate of their co-located facilities.
Quoted: I've seen it that bad quite frequently, generally from China. And yes, St. Louis and Kirksville, MO, tend to get hit quite a bit.
Quoted: what the hell is there that is so interesting?
Quoted: I don't know what's in Kirksville, and that has me stumped, too, but I used to do armed security with some interesting clients in the St. Louis area. Sometimes Federal agencies have offices and other facilities in very nondescript buildings. St. Louis is also home to the National Personnel Records Center, the US Army Personnel Command, and the National Archives and Records Administration. I used to live about 300m from the front gate of their co-located facilities.
You guys don't know what honey pots are, huh?
Quoted: I've seen it that bad quite frequently, generally from China. And yes, St. Louis and Kirksville, MO, tend to get hit quite a bit.
Quoted: what the hell is there that is so interesting?
Quoted: I don't know what's in Kirksville, and that has me stumped, too, but I used to do armed security with some interesting clients in the St. Louis area. Sometimes Federal agencies have offices and other facilities in very nondescript buildings. St. Louis is also home to the National Personnel Records Center, the US Army Personnel Command, and the National Archives and Records Administration. I used to live about 300m from the front gate of their co-located facilities.
They moved the records center from its Page Ave location up to Dunn Rd in north county off of I-270.
Quoted: I've seen it that bad quite frequently, generally from China. And yes, St. Louis and Kirksville, MO, tend to get hit quite a bit.
Quoted: what the hell is there that is so interesting?
Quoted: I don't know what's in Kirksville, and that has me stumped, too, but I used to do armed security with some interesting clients in the St. Louis area. Sometimes Federal agencies have offices and other facilities in very nondescript buildings. St. Louis is also home to the National Personnel Records Center, the US Army Personnel Command, and the National Archives and Records Administration. I used to live about 300m from the front gate of their co-located facilities.
Quoted: You guys don't know what honey pots are, huh?
Yes, I do, and that's what I'm guessing here. Could be .gov or some security company with enticing servers to lure the script kiddies in. Posted Via AR15.Com Mobile
Quoted: ... almost embarrassing to admit this, but I'm not sure how a DDOS attack works, why is it done, or what the endgame is for the offensive tactics. Would someone here post up a brief primer for dummies like me?
Quoted: Just a ton of computers, or bot computers which are hijacked that hit a target over and over until it goes offline. It can't handle the traffic overload. Any good system can easily defeat it.
Go on....
Quoted: ... almost embarrassing to admit this, but I'm not sure how a DDOS attack works, why is it done, or what the endgame is for the offensive tactics. Would someone here post up a brief primer for dummies like me?
Quoted: Just a ton of computers, or bot computers which are hijacked that hit a target over and over until it goes offline. It can't handle the traffic overload. Any good system can easily defeat it.
Quoted: Go on....
Yes... do go on.
Anyway, there are certainly things a datacenter and its firewalls/routers can do to defend against a DDOS attack. These days DDOS packets are quickly identified, and they're going to get ignored and won't be allowed further into the system. However, the various network devices still need to examine all packets at some level on the network to determine if they're the unwanted ones or not. And depending on the wider topology of the Internet leading in and out of the data center, there are going to be upstream and downstream routers and backbones which also could be affected negatively. It's kind of like if you were getting DDOS'ed through snail-mail and physical letters. You know to shut your mail slot and not let any more letters in, but maybe your front yard is still full of unwanted junk mail, postal carriers, their trucks...
My server has been getting pounded with China IP's the past couple of weeks.
Here is an example from /var/log/messages:
Jan 2 18:27:23 (none) auth.err sshd[15703]: error: Could not get shadow information for root
Jan 2 18:27:23 (none) auth.info sshd[15703]: Failed password for root from 122.225.97.74 port 56230 ssh2
Jan 2 18:27:24 (none) auth.info sshd[15698]: Failed password for root from 122.225.97.74 port 55833 ssh2
Jan 2 18:27:24 (none) auth.info sshd[15703]: Failed password for root from 122.225.97.74 port 56230 ssh2
Jan 2 18:27:24 (none) auth.info sshd[15703]: Failed password for root from 122.225.97.74 port 56230 ssh2
Jan 2 18:27:24 (none) auth.info sshd[15703]: Failed password for root from 122.225.97.74 port 56230 ssh2
Jan 2 18:27:25 (none) auth.info sshd[15703]: Failed password for root from 122.225.97.74 port 56230 ssh2
Jan 2 18:27:25 (none) auth.info sshd[15703]: Failed password for root from 122.225.97.74 port 56230 ssh2
Jan 2 18:27:26 (none) auth.err sshd[15725]: error: Could not get shadow information for root
Jan 2 18:27:26 (none) auth.info sshd[15725]: Failed password for root from 122.225.97.74 port 57401 ssh2
Jan 2 18:27:26 (none) auth.info sshd[15725]: Failed password for root from 122.225.97.74 port 57401 ssh2
Jan 2 18:27:27 (none) auth.info sshd[15725]: Failed password for root from 122.225.97.74 port 57401 ssh2
Jan 2 18:27:27 (none) auth.info sshd[15725]: Failed password for root from 122.225.97.74 port 57401 ssh2
Jan 2 18:27:27 (none) auth.info sshd[15725]: Failed password for root from 122.225.97.74 port 57401 ssh2
Jan 2 18:27:28 (none) auth.err sshd[15733]: error: Could not get shadow information for root
Whois of 122.225.97.74:
General Information
IP Address: 122.225.97.74
Hostname: 122.225.97.74
Country: CN
AS: 4134
AS Name: CHINANET-BACKBONE No.31,Jin-rong Street,CN
Network: 122.224.0.0/12 (122.224.0.0-122.239.255.255)
122.240.0.0
Reports: 79430
Targets: 29027
First Reported: 2014-10-12
Most Recent Report: 2015-01-02
Fuckers
Checking in from Saint Louis ground zero.
I have been told by people that Google has servers in Kirksville... how accurate that is I don't know. Saint Louis is also the operations center for Mastercard, don't know if that has any bearing or not either.
Edit: And for those who don't know, Kirksville MO is north central in the state... a good drive outside of Saint Louis. The two places are not really in the same area per se. Also ARFCOM has been kludgy as fuck for me for a few weeks now. Slow to load, failures to load, you name it... but every other website I visit is perfectly fine. It started with my iPad not wanting to load ARFCOM and now my desktop is having problems with it as well... and no it isn't pornvirus.
Quoted: Somebody from China sure has a hardon for St Louis right now.
Quoted: Someone going after Boeing maybe? Don't they also have a big presence in St.L?
That's what I'm thinking.
Quoted: My server has been getting pounded with China IP's the past couple of weeks. Here is an example from /var/log/messages [snip] Fuckers
echo "block in quick from 122.224.0.0/12" >> /etc/ipf/ipf.conf && svcadm restart pfil ipf
Any time I see an attack in my logs, I whois, and if it's from APNIC... I block the whole network. I'm pretty much at the point where I'm just going to block China entirely, full stop.
Quoted: My server has been getting pounded with China IP's the past couple of weeks. Here is an example from /var/log/messages [snip] Fuckers
Quoted: echo "block in quick from 122.224.0.0/12" >> /etc/ipf/ipf.conf && svcadm restart pfil ipf Any time I see an attack in my logs, I whois, and if it's from APNIC... I block the whole network. I'm pretty much at the point where I'm just going to block China entirely, full stop.
This is pretty solid advice here, and my SOP for the past few years. China could drop off the internet completely and I wouldn't give a single fuck.
Quoted: My server has been getting pounded with China IP's the past couple of weeks. Here is an example from /var/log/messages [snip] Fuckers
Quoted: echo "block in quick from 122.224.0.0/12" >> /etc/ipf/ipf.conf && svcadm restart pfil ipf Any time I see an attack in my logs, I whois, and if it's from APNIC... I block the whole network. I'm pretty much at the point where I'm just going to block China entirely, full stop.
I download this chinese-blocklist and add it to iptables daily. I use this to parse the log files:
awk '/invalid user/ {print $(NF-3)}' /var/log/messages.0 | sort | uniq -c | sort -n
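A parser for the sshd lines in the dump above and for what the awk one-liner does, written here as an added example (not any poster's code): it counts failed logins per source IP, picks out the repeat offenders, and emits the same IPFilter rule the poster appends, widened to the whois allocation (the 122.224.0.0/12 from the thread) when the source falls inside it. The sample log is constructed, modelled on the posted lines; the whois lookup itself is assumed to have been done out of band.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample, modelled on the /var/log/messages lines posted above;
# 198.51.100.7 and 203.0.113.9 are documentation addresses, not from the thread.
SAMPLE_LOG = """\
Jan 2 18:27:23 (none) auth.err sshd[15703]: error: Could not get shadow information for root
Jan 2 18:27:23 (none) auth.info sshd[15703]: Failed password for root from 122.225.97.74 port 56230 ssh2
Jan 2 18:27:24 (none) auth.info sshd[15698]: Failed password for root from 122.225.97.74 port 55833 ssh2
Jan 2 18:27:25 (none) auth.info sshd[15710]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Jan 2 18:27:26 (none) auth.info sshd[15725]: Failed password for root from 122.225.97.74 port 57401 ssh2
Jan 2 18:27:30 (none) auth.info sshd[15740]: Accepted publickey for deploy from 203.0.113.9 port 50122 ssh2
"""

# One pattern covers both "for root" and "for invalid user admin" lines, so the
# username comes from the right field either way (the awk one-liner counts fields).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def failed_logins(log_text):
    """Return {source_ip: Counter({username: attempts})} for failed-password lines."""
    by_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_ip.setdefault(m["ip"], Counter())[m["user"]] += 1
    return by_ip

def offenders(by_ip, threshold=3):
    """Source IPs with at least `threshold` failed attempts, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in by_ip.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])

def ipf_block_rule(ip, whois_network):
    """IPFilter rule in the form the poster appends to /etc/ipf/ipf.conf.
    whois_network is the allocation a whois lookup (done out of band) returned;
    block the whole allocation if the IP falls inside it, otherwise just the host."""
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(whois_network)
    return f"block in quick from {whois_network if inside else ip}"

if __name__ == "__main__":
    hits = failed_logins(SAMPLE_LOG)
    for ip in offenders(hits):
        print(ip, dict(hits[ip]), "->", ipf_block_rule(ip, "122.224.0.0/12"))
```

Feed it a real file with `failed_logins(open("/var/log/messages").read())`; the "Could not get shadow information" and "Accepted" lines are ignored, so only actual failed attempts are counted.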