DDOS and Migration (Updated)

Dr. Roy Schestowitz

2009-05-20 00:33:40 UTC
Modified: 2009-05-20 01:09:48 UTC

Summary: Boycott Novell had been under DDOS attacks for almost 4 days. We were struggling to just stay online while hosts investigated where the attacks came from. We moved between hosts (to semi-dedicated) and the same pattern of attack persisted until yesterday.

WE have kept silent about it in order not to encourage the attacker/s, but it's true. We have been under heavy DDOS attacks since Thursday night. What has happened since then? Well, a lot. Our previous host is no more as far as we are concerned. After struggling with the botnet for like 10 hours (filtering to no avail) our Web site got isolated. It did not serve any pages for almost 2 days. A reader of Boycott Novell was kind enough to lend us room on his server (more or less dedicated), on which he fought the botnets for over a day. The attackers kept changing tactics. Some other readers offered filtering advice and we are grateful to all of them. Ultimately, the attacks halted yesterday afternoon.

“Ultimately, the attacks halted yesterday afternoon.”The migration from the old server was not simple because the site was disabled abruptly following the early attacks. But now we have ensured that all data has been migrated. The only 'good' thing which came out of this attack is that, as oiaohm put it, the ordeal sort of made us more robust to future attacks.

Now that we have a new host in place, we also have more features. Data on the site (comments, posts, etc.) was not lost in the migration, just heaps of time and effort affecting several people. We have moved to a bigger, more robust environment that will hopefully facilitate the needs of the Web site as it continues to grow (we served about 200GB of data last month). We apologise for the downtime, which is unprecedented.

The plan is to carry on exposing Comes exhibits next month and also organise the Wiki. There is enough for years of work.

Again: we would like to thank all those who helped during the downtime and especially our generous reader ( Copilotco) who offered to host the Web site, taking us away from shared hosting in the process. Dedicated servers on normal Web hosts are just far too expensive for us to afford and I swear that I never made a single dime from this Web site. The ads merely covered the hosting fees which Shane has been paying since 2006.

One last clarification for lunatics who are now suggesting that we DDOSed ourselves, where to even begin refuting such nonsense (coupled with personal abuse)?

The attacks came from many addresses, for example 88.198.60.8 which is "tor-proxy.va6.de". Multiple such IPs hit us constantly and relentlessly (all tor exit nodes at first). At one stage it seemed like the front page alone received 3 page requests per second. But the IPs were also doing a HEAD on the Web site as many times as possible, bringing the server down to its knees (both the old server and new server, the former running Red Hat and the latter CentOS). ⬆

Update: Here is a report from the administrator.

I took over hosting of boycottnovell.com for Roy in the middle of the DDOS attack. I am looking at the squid log for boycottnovell.com during the DDOS. I have squid caching/proxying/url-rewriting for apache for various reasons.

The attack initially (or at least, at the time the DNS was re-pointed to my server) consisted of lots of HEAD requests. Then I wrote up a script to tail the log finding anyone doing lots of HEAD requests and putting the offending IP into the iptables packet filter while I cooked up a more permanent solution. Eventually they figured this out and switched to a full on GET of the root of the site and then I think they started getting random pages from the site as fast as they could although I'm not sure about that.

The interesting part starts around timestamp 1242543590.804 which is apparently when most of the world's DNS cut over to me including that of the machines in whatever bot net was employed in the attack.

If we run this command on the logfile with the logfile being /tmp/bn.log:
grep " HEAD http://boycottnovell.com/ " /tmp/bn.log | awk
'{print $3}' | sort | uniq -c |sort -n | tail -10
we get:
   2716 81.175.61.4
   2960 212.24.147.228
   3056 204.209.56.56
   5637 87.236.199.73
   6645 145.100.100.190
   7261 212.42.236.140
   8487 88.198.14.120
   9640 62.141.58.13
  11008 87.118.104.203
  11269 88.198.60.8
and if we do:
grep " GET http://boycottnovell.com/ " /tmp/bn.log |
awk '{print $3}' | sort | uniq -c |sort -n|tail -10
we get:
   5801 94.136.16.242
   5854 85.25.152.185
   5865 212.24.147.228
   6367 66.35.1.170
   6682 205.209.142.210
   6977 87.118.104.203
   8102 83.140.125.188
   8300 85.25.145.98
   8441 212.42.236.140
  20065 66.230.230.230
So one IP did a get of the root of the site 20k times before I really effectively got everything blocked off and another did a HEAD around 11k times. You can get a feel for how the attack progressed using:
egrep ' GET http://boycottnovell.com/ | HEAD
http://boycottnovell.com/ ' /tmp/bn.log | less
Assuming that everyone who did a GET or a HEAD more than 100 times (a conservative estimate) is involved in the attack:
egrep ' GET http://boycottnovell.com/ | HEAD http://boycottnovell.com/ '
/tmp/bn.log | awk '{print $3}' | sort | uniq -c| sort -n > /tmp/attackers
and then counting only the lines with greater than 100 hits we can see that there were 281 unique IP addresses involved in the attack.

However, it looks like they switched to targeting various different parts of the site later on or maybe just random pages because if we look at all of the accesses to the site which made more than 100 requests we get 863 IPs involved the top 19 being the following:
   6193 62.141.53.224
   7153 85.25.151.22
   7764 145.100.100.190
   8524 66.35.1.170
   8757 94.136.16.242
   9256 85.25.152.185
  10369 83.140.125.188
  10464 212.24.147.228
  10874 205.209.142.210
  10935 87.236.199.73
  11441 88.198.14.120
  12094 62.141.58.13
  12208 88.198.60.8
  12994 66.249.70.134
  13940 85.25.145.98
  19119 212.42.236.140
  19867 87.118.104.203
  26480 216.105.40.113
  29854 66.230.230.230
So 66.230.230.230 made 29k requests to the site in total.

Putting some iptables rules in place (which I document here):

http://www.kernel-panic.org/pipermail/kplug-list/2009-May/108075.html

nicely cut the problem down to size and now the effect of the DOS is unnoticeable.

11M of gzipped log are used for this sample.

Comments

aeshna23

2009-05-21 01:48:57

It's sad that some people are so afraid of the ideas on this website that they resort to such tactics.

I do have one suggestion, if this happens in the future. Don't put long, technical explanations in the main post. You could put a link to a page with the long, technical explanation. The long, technical explanation dilutes the moral indignation about our opponents tactics. I know that what I'm saying is a rhetorical change, but rhetoric really matters here.
Test

2009-05-20 12:09:41

site is super zippy fast now !

great work team !
Shane Coyle

2009-05-22 00:53:00

Actually, according to Google, I am still receiving hits and clicks from BN for Adsense. I guess when you copied over the site you left in the publisher id for my account.

Roy Schestowitz

2009-05-22 13:38:16

Shane,

Yes, I am still speaking to Tracy to figure out how we shall work this out. I moved all three domains to his DNS namehost and we will probably use the adverts to pay him for all he has done to save us, not to mention hosting. Last night we moved to account to a VM (to limit the damage of future attacks).

"Today's [Red Hat] is run by a cabal of vultures.": it seems safe to assume Red Hat too will languish away
Microsoft Layoffs in 2026 Can be Bigger Than 2025 Microsoft Layoffs (30,000+ Workers Laid Off): "Is there going to be any reorg or Microsoft layoffs?"
The Free Software Foundation (FSF) Represents People, Not Corporations: FSF isn't in the "business" of appeasing oligarchs
IBM: We Can't Make 'AI' (Voice Recognition) Do the Work of a McDonald's Teenager, So Let's Try the Same on Saudi Planes: IBM is lost. It's truly lost.
Links 22/12/2025: North Korean Applicants Target GAFAM (Amazon), ‘Orwellian Climate of Fear’ of CPC (Even Outside China): Links for the day
More IBM Layoffs in India: It's not as simple as "laid off to be replaced by an Indian"
GAFAM Deeply Connected to Jeffrey Epstein, Richard Stallman (RMS) in No Way Connected to Jeffrey Epstein: people who hoarded all the capital get to decide what people think and say
Linus Torvalds Has a Birthday This Coming Weekend, Thankfully He Still Controls His Main Project: GNU and Linux should remain under their control as long as they live
Mozilla is Getting Attention for All the Wrong Reasons, Take a Look at LibreWolf: Just last week Mozilla added a new top-level manager who (as usual) came from a "tech giant"
When Conformism Means Capitulation and Defeat: In an age of injustices like these, we all have some kind of moral obligation not to be conformist.
Text is Still King: But the so-called 'industry' insists that we should download 10 MB of objects from multiple domains... even just to read 5-10 paragraphs of text
Links 22/12/2025: Facebook "Testing $14.99 Monthly Subscription Fee to Post Links" and "Middle East Petrostates as American Media Owners": Links for the day
Beyond the World Wide Web (WWW): We continue to treat Gemini Protocol as a first-class citizen
Serbia: GNU/Linux Rises, Windows Down to All-Time Lows: According to statCounter
"Wrestling With Pigs": "Never wrestle with a pig. You both get dirty, and the pig likes it."
Productive Year and Better Access to Techrights' Archives Going Back to 2006: we've long needed and wanted native, local, independent search facilities
Linux Abandoned by Linux Foundation: It speaks for Microsoft and for so-called 'AI' companies
Microsoft Has Practically Given Up on XBox Already: Expect many XBox related layoffs when 2026 starts (Q1)
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Sunday, December 21, 2025: IRC logs for Sunday, December 21, 2025
Gemini Links 21/12/2025: Solstice, Chaos of CSS, and Program Interpreter Fun: Links for the day
Why?: Why write articles?
Microsoft-Connected Publisher Spinning XBox's Death Spiral (It's Dying Fast) as a Strength and Something Deliberate: "Microsoft’s big gaming pivot"
Slop is Rare by Now: A year ago slop was so abundant that we did a whole series about it, and it was daily
Links 21/12/2025: U.S. Strikes in Syria, "Epstein Files Photos Disappear From Government Website": Links for the day
Gemini Links 21/12/2025: Labrador Retriever of Lagrange's Developer Dies From Cancer, Political Philosophy, and "Getting to Inbox Zero": Links for the day
Microsoft is Becoming Irrelevant: The Case of Georgia: Not Georgia Tech
Sirius Open Source is Now Imminently Dead (Struck Off): compulsory strike-off
Dr. Richard Stallman, Invited by LibreTech Collective, is Giving a Public Talk in Georgia Tech Next Month (Scheller College of Business): They can probably squeeze about 400 people into this room
25 Years of Activism for GNU/Linux: My passion for GNU/Linux brought a lot of contentment
Africa, Where Microsoft Used De Facto Slaves to Pretend to be "AI", Chatbots Usage is 0.2% of Measured Online Traffic: Judging by recent trends in Africa, many "Windows PCs" are being converted into GNU/Linux computers
New Drone Footage Shows IBM is Dead (Parts of It): The people who participated in IBM when IBM actually mattered probably have boasting rights, unlike people who work for IBM today
Michael Larabel Adds Slop Category to Phoronix, Quickly Realises That It's Worthless: Phoronix nowadays gets carried away; it made a new category to talk about slop and it decided to call it "intelligence" with some caricature of a brain (that's misleading)Phoronix nowadays gets carried away; it made a new category to talk about slop and it decided to call it "intelligence" with some caricature of a brain (that's misleading)
After 35 Years the World Wide Web, HTML, and HTTP Are Proprietary: HTTP/2 added a lot of complexity (it's just a Google protocol, based on SPDY originally), many image formats are proprietary and patented, HTML got 'replaced' by Java-Scripts [sic], and many URLs (the URL system was created in the early 90s) are just long strings for proprietary 'webapps'
The General Public License (GPL) Inspired the Web's Original Openness/Freedom, According to Tim Berners-Lee: "During the preceding year I had been trying to get CERN to release the intellectual property rights to the Web code under the General Public License (GPL) so that others could use it."
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Saturday, December 20, 2025: IRC logs for Saturday, December 20, 2025
The Register MS Has Lowered Its Standards Considerably: Incidentally, we've only just noticed that "US editor for The Register since July 2025" has not been active for 4 weeks already
Scamfarms, Spamfarms, and Slopfarms in "Linux" Clothing: Today, Linux searches in Google News produced no slop at all. That's an improvement.
Did Bill Gates Lobby to Blur the Face of the Young Woman He Openly Braces (and Who Isn't His Wife)?: "This photo of of Microsoft co-founder Bill Gates with a woman whose face is blurred out is just one of 68 more photos and documents released today."
Links 20/12/2025: Microsoft Ruins Televisions, 'Epstein Files' Deeply Sanitised (to Protect Particular Culprits): Links for the day
Gemini Links 20/12/2025: Merry Christmas 2025 and Running a Factorio Headless Server on FreeBSD with the Linuxulato: Links for the day
With 10 Days Left, the Free Software Foundation (FSF) Has Already Raised Close to $300,000 This Winter: they're besieged by despicable corporations and very despicable people
The Real Problem With Rust is Not "Wokeness" (It Never Was): Don't feed the trolls who attack "Rust People" on political grounds
2025 in Numbers: What was very good about this year is that we truly got "into the rhythm" of publishing
More Microsoft Layoffs Coming Soon: When I spoke about Microsoft layoffs (routinely) I got very viciously attacked by Microsoft boosters
My Humble Assessment of the Future of Red Hat, A Company That IBM is Flushing Down the Loo: GNU/Linux will be OK without Red Hat, but shaping the future of it matters because we don't want companies like Valve (DRM) to set the agenda
Probably the Least Useful Gadgets, Ever: as if a "smart" thing worn on the wrist is the "new Rolex"
Former Manager at IBM Research (Yorktown) Says Why IBM is Doomed and the Anonymous Tipline (Speak Up) is a Trap: IBM isn't willing to change or to address internal issues
Links 20/12/2025: Fentanylware Becomes CheeTok and "Why Roomba Died": Links for the day
Linux Foundation: Richard Stallman Developed Only a Software Licence: We already criticised this report several times last night
Impulsive Writing, Quotas, and Keeping Things as Concise as Feasible: A 10-word sentence being read by a million people can have the same impact or magnitude (exposure-wise) as a million-word book being read by just 10 people
Gemini Links 20/12/2025: Christmas Songs, Storms, and Old Web: Links for the day
Coming to Grips With a Lack of Future at IBM: Red Hat's future doesn't look bright under the auspices as they seem right now
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Friday, December 19, 2025: IRC logs for Friday, December 19, 2025
Links 20/12/2025: Media Layoffs, a Third of Online Traffic is Bots: Links for the day

DDOS and Migration (Updated)

Comments

Recent Techrights' Posts