From November 9 to November 19 two of our domains were under attack by cyber-criminals. Due to a Distributed Denial-of-Service attack (DDoS) involving thousands of remote-controlled zombie computers directed from a secret control centre, some of our sites were inaccessible for several days.
First we received an automated warning email from our webhost, which gets triggered if a certain amount of traffic per hour is exceeded. I started blocking IP addresses of hosts with an excessive number of connections using iptables in Linux, but could not keep up: the server became unreachable. I was left with no choice but to pull the emergency brake, i.e. to replace the IP address of the server in DNS with a non-routable IP address such as 127.0.0.1 (the loopback address).
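The iptables triage described above, as an added example that is not code from the original post: rank remote addresses by concurrent connection count and print DROP rules for those above a threshold. The connection list is a constructed sample (IPv4 `ip:port` lines as `ss -Htn state established` or `netstat -tn` would give after extracting the peer column); the threshold and address values are assumptions.

```sh
#!/bin/sh
# Constructed sample of remote peer endpoints (ip:port), one per line.
# On a live box you would feed the peer column of `ss -Htn state established`
# into count_excessive instead of this variable.
SAMPLE_CONNS='198.51.100.7:51234
198.51.100.7:51235
198.51.100.7:51236
198.51.100.7:51237
198.51.100.7:51238
203.0.113.20:40001
203.0.113.20:40002
203.0.113.20:40003
203.0.113.99:33000
203.0.113.99:33001
192.0.2.44:55555'

# count_excessive THRESHOLD
#   stdin : "ip:port" lines
#   stdout: "count ip" lines for every ip with >= THRESHOLD connections,
#           highest count first
count_excessive() {
  threshold="$1"
  sed 's/:[0-9]*$//' |            # drop the port, keep the IPv4 address
    sort | uniq -c |              # count connections per address
    awk -v t="$threshold" '$1 >= t {print $1, $2}' |
    sort -rn                      # busiest sources first
}

# emit_block_rules
#   stdin : "count ip" lines from count_excessive
#   stdout: iptables commands, printed for review rather than executed,
#           so an operator can sanity-check the list before applying it
emit_block_rules() {
  while read -r count ip; do
    printf 'iptables -I INPUT -s %s -j DROP  # %s connections\n' "$ip" "$count"
  done
}

# Wrapper that runs the pipeline over the constructed sample.
excessive_from_sample() {
  printf '%s\n' "$SAMPLE_CONNS" | count_excessive "$1"
}
```

Note that a per-source blocklist only saves CPU and socket state on the host; the traffic still arrives on the uplink, which is why the post's bandwidth figures kept climbing even with thousands of addresses blocked.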
I then moved the affected website to a backup server and re-enabled it there. The new server was running a later Linux kernel than the old one. If you get DDoSed, make sure you have Linux kernel 2.6, which is more suitable for reconfiguration to make it more resilient against such attacks.
After a number of days, other host names on our server that had not been disabled were also added to the list of attack targets.
As a result of the tweaks on the new server the sites stayed up most of the time, but the bandwidth usage was tremendous. During one hour the attacking bots generated more than 31 GB of traffic. On that peak day the traffic on that server came to 152 GB, even though we added over 4000 different IP addresses of attacking hosts to the blocklist.
Clearly, anyone who doesn’t have an unlimited traffic allowance for his hosting account would be in trouble with such huge numbers, even if the machine and operating system were able to keep up. Once they exhaust their monthly allowance they would either have to start paying for extra gigabytes, or the server gets disconnected, or the network speed gets throttled down, which would make the site virtually unreachable.
After 10 days the attacks started winding down. By that time we knew where the control center of the botnet was located. It was hosted by a company called AbdAllah Internet Hizmetleri in Turkey. Its upstream provider is TurkTelekom. The IP address range used by the hoster is listed by anti-spam site SpamHaus.org as being used for “Ukrainian/Russian cybercriminal hosting”.
During or shortly after the attacks against our servers, the same botnet also attacked the following sites:
- newgeneration.lv
- streamingvideosoftware.info
- www.kety.org
- anriintern.com
- datingsoftware.org
This target list ranges from an anti-spam website (ours) through an evangelical church site to sites related to adult videos.
Distributed denial of service attacks are a mortal danger for any website. There are few effective countermeasures, except load sharing across many fast servers connected via fat data pipes, but even that is no match for some of the largest botnets such as Storm. Attacks are used to intimidate, to silence or to extort “protection money”. Victims have little hope of getting effective help from law enforcement.
What needs to happen? First of all, the number of infected computers needs to decrease. Unsecured broadband hosts that come under criminal control are a public menace. Webhosts need to take effective action against botnet control centres. Unlike the actual bots, which are mostly running Windows XP, most of the botnet control centres run on Linux servers in data centres. Hosters must not turn a blind eye to this. If they do so because of money from criminals, then their upstream providers must disconnect them.
I work at the streamingvideosoftware.info company. You sent me an email with advice: “I would advise you to temporarily point the A record of your domain to IP address 88.255.90.242, i.e. the botnet control center IP.”
When we did it, child porn sites started opening on our sites. I think it was a bad idea.
Hello Tatiana, these people are unscrupulous criminals, so their responses to any countermeasures can be nasty. I had checked what happens when you access the control centre IP via a browser while my site was under attack, but it did not show a porn site then. Now it does.
However, it seems that they ended the DDoS against your site, because last time I checked it’s available again. Maybe they got the message 😉
Some info about the bot used in the attack is given here:
http://www.teamfurry.com/wordpress/2007/10/16/illusion-now-you-see-me-now-you-dont/
The attacks by the botnet controlled via a host at AbdAllah Internet Hizmetleri are continuing. Every couple of days they are targeting different sites. All of these have been hit during the last week or are being hit right now:
Thanks for the information. I saw some suspicious IPs in my logfiles too; trying to ban them through .htaccess only works temporarily.
Visit the site and let me know if you are interested in a 15-day trial for our DDoS protection product called Secure Pig. We can and have sustained over 4 Gig/sec and over 2 mil pps during attacks.
Anyway, not here to promote it… just wanted to let you know about it.
Thanks
ypigsfly
I could understand that they might want to attack adult sites to get their spyware or malware on there, and therefore be able to get their rubbish installed on a wide audience. But why the evangelical church’s site? Are they trying to ‘silence’ them, or do they feel that the site has a lot of hits and, similarly, they can get their malware installed on a large number of computers?
It’s clear that these kinds of people are nothing short of criminals and should be treated as such completely.
I can only make guesses why an evangelical church site becomes a target. The criminals will attack anyone they’re paid to attack. Maybe someone sees evangelical churches as unwelcome competition to the Russian Orthodox church, which these days is in favour with the Russian political elite.