Rx God
Joined
Nov 1, 2002
Messages
39,226
Tokens
at least posters aren't getting some virus by logging in (or visiting) here. Something like that happened with another forum (forgot which one) a few years ago.

OGD ?

I think you have to look at who has something to gain here, or at least who really hates the RX... and has the ability to do this.
 

Member
Joined
Dec 12, 2006
Messages
16,073
Tokens
Hasn't the U.S. Gov't or some big financial institutions been hacked into before? If so, what would make this site not vulnerable to outside attacks?
 

Rx God
Joined
Nov 1, 2002
Messages
39,226
Tokens
All kinds of sites can get hacked into. No great reason for RX to have crazy levels of security, IMO. It can happen to places like BofA.

Losing a couple days of posts is no biggie, but the downtime has to hurt, and they may well try to do it on the weekend again.
 

New member
Joined
Aug 27, 2007
Messages
4,994
Tokens
Guys, you are missing the point here. It's not just a DDOS. If so, even if they had to kick out all the botnet IPs by hand, it would be fixed now.

It seems to me the attackers are using a botnet running a script that exploits a flaw in the Vbulletin software, crashing the db/forums, or just wasting a zillion cycles.

Until VBulletin issues a patch and theRX loads the new software to counter this, the forums will be up and down constantly.

Frustrating, but don't blame theRX site admins, they are stuck waiting for Vbulletin, I believe.
 

New member
Joined
Sep 20, 2004
Messages
6,066
Tokens
cisco floodguard laughs at DDOS attacks.

to start with that will be totally and absolutely USELESS if the link is already saturated (that was basically the situation we had in CR a few years ago with those attacks) %^_, it actually enforces my point that sometimes you can be as competent as you want......but you rely on the equipment/expertise/resources of your upstream ISPs (who are shown over and over to not be totally prepared to deal with these situations such as the time when some ISP in Pakistan managed to throw YouTube offline using a simple BGP advertisement)

btw I am not saying that there are no trivial attacks.....I am just saying that the ones that we (users) notice/find out about are most of the time not trivial at all and as another poster noted.......while there are mitigation technologies that can be deployed.....many times it doesn't make financial sense.....back in the days of the attacks that we had here in CR I remember hearing a quote for a 'medium' site going at 50k /year, before the attack happened obviously it would have been a hard sell to spend 50k on a 'may be this can happen'
 

Rx God
Joined
Nov 1, 2002
Messages
39,226
Tokens
Guys, you are missing the point here. It's not just a DDOS. If so, even if they had to kick out all the botnet IPs by hand, it would be fixed now.

It seems to me the attackers are using a botnet running a script that exploits a flaw in the Vbulletin software, crashing the db/forums, or just wasting a zillion cycles.

Until VBulletin issues a patch and theRX loads the new software to counter this, the forums will be up and down constantly.

Frustrating, but don't blame theRX site admins, they are stuck waiting for Vbulletin, I believe.


So they can get any forum using V-bulletin, must be a million of them. Could they get all of them at once ?
 

New member
Joined
Aug 27, 2007
Messages
4,994
Tokens
I'm guessing they will only bring down the ones they are paid for, it takes cash to run a botnet.

Same thing happened to certain phpBB forums not too long ago.

They have RX at the mercy of vbulletin, because it would be a nightmare to switch forum software now.
 

New member
Joined
Sep 20, 2004
Messages
6,066
Tokens
Guys, you are missing the point here. It's not just a DDOS. If so, even if they had to kick out all the botnet IPs by hand, it would be fixed now.

assuming it's not spoofed connections we are talking about (in which case listing thousands of IPs is of course useless but those can probably be detected in an easier fashion...once again by the upstream ISPs who implement Unicast RPF that mitigates spoofing or do a backscatter analysis)

and of course......putting an ACL with thousands of entries in a firewall has its own complications

if it is a botnet running a script like you describe, most definitively it sticks like a sore thumb and can be easily blocked......simply using a packet inspector that matches the script in question
 

New member
Joined
Aug 27, 2007
Messages
4,994
Tokens
I agree wolfie, a packet inspector might do the trick, but I'm guessing they have several flavors of the exploit floating around - not all using the same syntax! - making it harder to nail every possible request.

I agree with you that admins with the right tools and resources should be able to help, but really the fix should come from vBulletin.
 

New member
Joined
Sep 20, 2004
Messages
6,066
Tokens
I agree wolfie, a packet inspector might do the trick, but I'm guessing they have several flavors of the exploit floating around - not all using the same syntax! - making it harder to nail every possible request.

I agree with you that admins with the right tools and resources should be able to help, but really the fix should come from vBulletin.

probably but you put someone to watch the traffic....looking for mutations of the script, there are less scripts to block than IPs in a botnet attack that's for sure

in the meantime we both speculate cause we can't see the graphs .....but on the good side we can be having our :toast: while therx techs work :lol:
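
An added illustration of the point argued in the posts above, not part of the original thread and not theRX's or vBulletin's code: grouping requests by a normalized signature instead of by source IP collapses reordered or re-valued variants of the same scripted request into one bucket. The log format, paths and parameter names are constructed for the example, and lower-casing the path is an assumption that suits case-insensitive hosts.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines: client IP (documentation ranges) and request line.
SAMPLE_LOG = """\
198.51.100.7 "GET /forum/search.php?do=process&query=aaaa&page=1 HTTP/1.1"
198.51.100.9 "GET /forum/search.php?query=zzqq&do=process&page=77 HTTP/1.1"
203.0.113.21 "GET /forum/search.php?page=3&do=process&query=kkkk HTTP/1.1"
203.0.113.40 "GET /forum/SEARCH.php?do=process&query=abcd&page=9 HTTP/1.0"
192.0.2.15 "GET /forum/showthread.php?t=1201 HTTP/1.1"
192.0.2.15 "GET /forum/showthread.php?t=1187 HTTP/1.1"
192.0.2.88 "GET /forum/index.php HTTP/1.1"
203.0.113.77 "POST /forum/search.php?do=process HTTP/1.1"
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+"$')

def signature(method, target):
    """Reduce a request to (method, lower-cased path, sorted parameter names)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = sorted({key.lower() for key, _ in pairs})  # values are discarded
    return (method.upper(), parts.path.lower(), tuple(names))

def group_by_signature(log_text):
    """Map each request signature to the set of client IPs that sent it."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not parse
        ip, method, target = match.groups()
        groups[signature(method, target)].add(ip)
    return groups

def wide_signatures(groups, min_ips=3):
    """Signatures shared by at least min_ips distinct clients, widest first."""
    hits = [(sig, len(ips)) for sig, ips in groups.items() if len(ips) >= min_ips]
    return sorted(hits, key=lambda hit: -hit[1])

if __name__ == "__main__":
    for sig, count in wide_signatures(group_by_signature(SAMPLE_LOG)):
        print(count, "clients ->", sig)
```

In the constructed sample, seven client addresses reduce to four signatures, and only one signature is shared by several unrelated clients, which is the candidate for a filter or rate limit.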
 

New member
Joined
Aug 27, 2007
Messages
4,994
Tokens
Indeed wolfie. Hopefully they are working that angle.

In the meantime: :toast: :drink:
 

Member
Joined
Mar 6, 2005
Messages
2,337
Tokens
Since everyone thinks it's so 'easy' to counterattack a DoS attack I will just add my 2 cents on the issue.

There is no such thing as 'a site that is NOT vulnerable to a DoS attack' just as there is NO site that is 'not vulnerable to a hacking attempt', if something is exposed to the internet.....it's vulnerable whether it's because of lack of filtering/small pipe/vulnerabilities in the daemons that are running etc

You have sites that have been hacked, sites that have not been hacked yet and sites that don't know they been hacked

Depending on the resources you have available in both analyzing/filtering the attack with your upstream providers (and if the upstream providers are competent in this area....which is not guaranteed at all) it can be very hard to defeat an attack, especially if the attack is well designed so that a silly/simple null route......packet filtering etc doesn't do the trick


CNN, Yahoo, eBay etc have all been subject to crippling DDoS attacks...as well as very large sportsbooks that are also based in the UK (and those are the ones that were successful at prosecuting the crooks....because the local authorities stepped in)

Bottom line, if it would be THAT simple there would not be companies specializing in preventing/defeating these attacks for BIG bucks

No one said it was easy. The bottom line is that IF this had been an event that had been anticipated and prepared for, they'd have likely been back up 100% in a few hours. When it takes this long and there are still no promises it's fixed, well then it seems to me that the "What do we do if we get hit by an attack" entry in the IT Policy Guide was left to be filled in later.
 

New member
Joined
Sep 20, 2004
Messages
6,066
Tokens
No one said it was easy. The bottom line is that IF this had been an event that had been anticipated and prepared for, they'd have likely been back up 100% in a few hours. When it takes this long and there are still no promises it's fixed, well then it seems to me that the "What do we do if we get hit by an attack" entry in the IT Policy Guide was left to be filled in later.

Then there is the financial side. How much does it cost to prepare versus 'x' and what is the likelihood of getting hit by 'x' (while I am sure that therx is profitable....resources for IT are always limited, this is not a bank that gets away with 40% APR interest rates for instance)

Sometimes you are also told by your ISP or hosting company that they have 'y' and when the shit hits the fan there is no such thing (been there a couple of times and after that it's 'oh yeah.....lets unplug that and show me' )

And like I've said, there are DDoS attacks that have gone for weeks (very large books in the United Kingdom ...with First World technologies....and resources etc)

I am not making up excuses for therx........but since I have been on a 'similar boat' for almost 10 years I can understand how these situations can happen.

In IT (or engineering in general) it's hard enough to make a case to pay $$$$ for 'x' when it's absolutely necessary .....let alone when it's a 'prevention in case xyz happens'

In essence, tech guys at therx......keep up the caffeine and gl
 

Conservatives, Patriots & Huskies return to glory
Handicapper
Joined
Sep 9, 2005
Messages
85,813
Tokens
Good luck Wil, obviously the situation was much worse than a "failed server". I appreciate the efforts by theRx, and the site seems to be running better than ever right now.

:toast:
 

New member
Joined
Sep 19, 2007
Messages
3,472
Tokens
Running lightning fast right now with over 4500 users, don't think I've ever seen it this fast in fact. Let's hope this doesn't jinx things.
 

New member
Joined
Jul 20, 2002
Messages
75,154
Tokens
Important.

Make sure you page down if you have to go thru click here to go to forum after clicking.



wilheim..
 

2009 RX Death Pool Champion
Joined
Apr 3, 2005
Messages
13,603
Tokens
Make sure you page down if you have to go thru click here to go to forum after clicking.



wilheim..


what does page down mean? i had to go through click here thingy..and there is a bunch of gibberish at the top...could page down bypass that? otherwise everything has been good on this end..
 

Member
Joined
Nov 2, 2006
Messages
434
Tokens
This is insane, and is contributing to me doing a lot more of this :drink: and less of this d1g1td1g1t.


Thanks guys! :toast:
 

Member
Joined
Nov 2, 2006
Messages
434
Tokens
what does page down mean? i had to go through click here thingy..and there is a bunch of gibberish at the top...could page down bypass that? otherwise everything has been good on this end..


Same effect as scrolling down just uses the keyboard without going to the mouse. Usually to the left of the numbers on a regular keyboard, or top right on laptop keyboard. :toast:
 
