More DDoS attacks?
ManagerJosh
Mon 15th Dec '03, 4:51am
I haven't been able to get to vBulletin.com for the last 9hrs. Anyone else having the problems?
Is this another wave of DDoS attacks?
orca
Mon 15th Dec '03, 5:32am
Well, I had some slow connections yesterday but never had an issue with not getting connected.
Rocol
Mon 15th Dec '03, 5:37am
Had some difficulty myself... very intermittent though, not continuously.
tgillespie
Mon 15th Dec '03, 5:56am
No clue what is happening. I haven't been able to hit the site for a couple of hours. Maybe DoS attacks or maybe a faulty machine. Who knows. I am sure vB will look into it since the problem keeps arising.
Dolby
Mon 15th Dec '03, 6:17am
If some people didn't have trouble and others did then it would be a peering issue.
Lumina
Mon 15th Dec '03, 7:18am
I was unable to hit vbulletin.com during many hours. :(
Brad.loo
Mon 15th Dec '03, 7:59am
I've been unable to get here in the last day or so, it seems fine now.
Floris
Mon 15th Dec '03, 9:25am
When it was slow yesterday, I could still download the vb3gamma.zip file with 120kb/s
So I think the php/mysql server was having a high load rather than the server being under attack.
Why it was unreachable for quite some hours today I do not know. I was asleep during that period :P
Shining Arcanine
Mon 15th Dec '03, 10:28am
I doubt the load is the problem since I recall a staff member posting the server's load average during "high load." It was at 1. I think the problem is that there is not enough bandwidth to send pages and vB3 Gamma downloads from the server.
djnoz
Mon 15th Dec '03, 1:54pm
I found access a bit sketchy, but I was still able to get on sometimes...
Steve Machol
Mon 15th Dec '03, 2:11pm
We were hit with another DDoS attack last night. I will refrain from telling you what I think of the person doing this.
Joe Gronlund
Mon 15th Dec '03, 2:29pm
> We were hit with another DDoS attack last night. I will refrain from telling you what I think of the person doing this.
Me too, looks like he's gone back to pre-school today though..
Lumina
Mon 15th Dec '03, 2:43pm
Was the previous attacker arrested?
Kier told us about FBI coordination:
http://www.vbulletin.com/forum/showthread.php?t=86416
PBChannel
Mon 15th Dec '03, 2:46pm
What concerns me is that major corporations are moving all of their information and stuff over to the internet which can, as it seems, easily be taken down by a 12 year old with a grudge.
Steve Machol
Mon 15th Dec '03, 2:54pm
Sad to say, but the FBI is worthless. Plus they can't really do much when the attacker sits in a country that doesn't cooperate and could care less about attacks like this.
_| () R | Z
Mon 15th Dec '03, 3:29pm
So you know where the attacker is located?
Steve Machol
Mon 15th Dec '03, 3:32pm
Yes I do - and no, I'm not going to say.
filburt1
Mon 15th Dec '03, 4:03pm
It has been said earlier, though, if you look around enough. It won't be a surprise when you find out because Steve's opinion is spot on. ;)
Andrew111888
Mon 15th Dec '03, 4:16pm
I believe a vB.com staff member said it's half of China or Asia or something along those lines.
Surrix
Mon 15th Dec '03, 5:03pm
I was just thinking. If they are pinging your site a lot for the DDoS attacks can we not disable the ability to ping?
I don't want to sound like I know it all because I don't and I don't know how they are even doing it I just know that my hosting provider was getting attacks like these and somehow disabled the ability to ping the server and things got better.
ManagerJosh
Mon 15th Dec '03, 5:07pm
I don't think it's a Ping of Death. More like they are flooding the server with bad requests.
Steve Machol
Mon 15th Dec '03, 5:07pm
This has nothing to do with ping.
Wayne Luke
Mon 15th Dec '03, 5:09pm
> I believe a vB.com staff member said it's half of China or Asia or something along those lines.
That is just where a lot of the zombie machines are... Doesn't have anything to do with the person behind the controls.
PBChannel
Mon 15th Dec '03, 5:32pm
The ability to ping a server can be disabled, but it still doesn't stop them from flooding the network and clogging the lines.
What I'm surprised about is the fact that the ping command is still around. That's the only thing people use it for nowadays is DoS'ing someone.
filburt1
Mon 15th Dec '03, 6:27pm
They said earlier that it was Apache getting bombarded. I suppose only a module for Apache could fix that, and I'm sure Ventures Online has tried everything so far.
Dave#
Mon 15th Dec '03, 6:48pm
'ping of death' ROFL
that's made my evening - thanks
> They said earlier that it was Apache getting bombarded. I suppose only a module for Apache could fix that, and I'm sure Ventures Online has tried everything so far.
Tricky if the attack is sending random USER_AGENTs from random IPs and requesting GET / or just random requests
Raz Meister
Mon 15th Dec '03, 7:37pm
Somebody mentioned mod_dosevasive (http://www.nuclearelephant.com/projects/dosevasive/) possibly overcoming this. Hope they find a solution soon.
Erwin
Mon 15th Dec '03, 10:51pm
> Somebody mentioned mod_dosevasive (http://www.nuclearelephant.com/projects/dosevasive/) possibly overcoming this. Hope they find a solution soon.
It helps some, but really does not stop the dedicated DDOSer.
dynamite
Mon 15th Dec '03, 11:34pm
> The ability to ping a server can be disabled, but it still doesn't stop them from flooding the network and clogging the lines.
> What I'm surprised about is the fact that the ping command is still around. That's the only thing people use it for nowadays is DoS'ing someone.
I actually use it on a daily basis. It is a lot better to ping an IP address rather than have to drive 200 miles just to see that a server is having problems ;)
WoodiE
Tue 16th Dec '03, 12:35am
What exactly does this clown want? Or does he even have a reason for doing it?
-Michael
cirisme
Tue 16th Dec '03, 2:35pm
I think Kier said it was a typical SYN flood?
Andrew111888
Tue 16th Dec '03, 4:37pm
> That is just where a lot of the zombie machines are... Doesn't have anything to do with the person behind the controls.
Thanks for the clarification. :)
Tolitz
Tue 16th Dec '03, 4:40pm
> What exactly does this clown want? Or does he even have a reason for doing it?
Prolly wants his RC-1 much more badly than we all do :D
CeleronXT
Tue 16th Dec '03, 4:46pm
LOL, my post about what I thought about them got deleted. :p
M1th
Wed 17th Dec '03, 5:19am
My IP is blocked. I can't access vbulletin.com from my house now. :(
Raz Meister
Wed 17th Dec '03, 9:05am
> I think Kier said it was a typical SYN flood?
SYN floods are very easy to overcome.
Scott said something about Apache being overloaded which is why I think that module might help them a bit.
Interdit
Thu 18th Dec '03, 5:06am
I can not surf on vbulletin from my house, please help me. Because during my work time I can not play with vbulletin
Thanks a lot
Interdit
Lumina
Thu 18th Dec '03, 9:33am
> during my work time I can not play with vbulletin
vBulletin is not a game... it is an experience... :D
Interdit
Thu 18th Dec '03, 11:04am
Lol, how is the translation into French doing?
A little release for Christmas? :)
Thx for an update,
Interdit
Well, I consider it like a game as I love it and spend more time on it than on games...
Steve Machol
Thu 18th Dec '03, 2:56pm
Interdit,
Please send an email to support@vbulletin.com and include your customer number and IP address.
Interdit
Fri 19th Dec '03, 5:44am
Hi,
The problem is that I'm having a dynamic IP, so you will need to enable my range of IPs; I will send it to you later tonight,
Thanks,
Interdit
Interdit
Mon 22nd Dec '03, 11:49am
After 2 weeks, it's back online :)
Thanks for unblocking my ip range
Interdit
Nicholas Brown
Mon 22nd Dec '03, 8:27pm
> After 2 weeks, it's back online :)
> Thanks for unblocking my ip range
> Interdit
Same here! I could access vB.com from work, but not from home :( but it's all good again :cool:
catocom
Mon 29th Dec '03, 1:02am
So this doof is hitting Jelsoft about every Sunday? :(
It seems sad in a way that a person has nothing better to do with their time.
Ganonx
Mon 29th Dec '03, 1:06am
> So this doof is hitting Jelsoft about every Sunday? :(
> It seems sad in a way that a person has nothing better to do with their time.
Is that the reason why this site has either been slow or down all of today?
catocom
Mon 29th Dec '03, 1:08am
That's my best guess.
ManagerJosh
Mon 29th Dec '03, 1:52am
I guess the git has been active again...
himerus
Mon 29th Dec '03, 3:33am
I couldn't get to it all evening. :(
Scott MacVicar
Mon 29th Dec '03, 7:53am
We had a little 8 hour attack there.
Our autoblock script works but Apache seems to crash on restart after an attack forcing a full server reboot to fix it. We're working with Ventures Online during each attack to try and find a definite way to stop this in future.
Floris
Mon 29th Dec '03, 8:01am
Since it is now clear who is behind these attacks, when are the feds going to make their move? Or can this person walk away laughing because of international laws?
Steve Machol
Mon 29th Dec '03, 8:17am
The FBI has been totally uninterested and worthless in this.
ManagerJosh
Mon 29th Dec '03, 8:19am
> The FBI has been totally uninterested and worthless in this.
I'm really surprised. FBI is usually really good about this. How about the British Government?
Iceball
Mon 29th Dec '03, 10:23am
Well, could be a guy who's angry about the status of vB3 or something like this. Fact is, that all the sites and pages (vBg.com vB.com vB.org vBtemplates.com) went down when he started this ****. I don't understand why he do it at night and not on day. The FBI should do something, because of that, they have to exist! Maybe you could do it like Microsoft with the Blaster, when you know its every sunday, delete all things on Server or just shut down it at this time...
hope you could understand it ^^"
Iceball
Floris
Mon 29th Dec '03, 10:40am
Then ask this user to attack the government routers, see if that tickles their interest since that suddenly will change the status from 'who cares' to 'national security'.
iceball
The reason is known to Jelsoft why he is doing it, and the reason why all the official sites are down is because they are on the same web server, overload 1 server results in all sites becoming unreachable. The reason why he is doing it at night might be because it is daytime for him then. And probably because then he is free from school *g*. You will get nowhere when you delete files from the server, LOL. Either shutting it down or becoming unreachable. Result: unreachable to the public. I think we should just gather up some money and a tolk, go to that guy's house and take away his dialup.
ManagerJosh
Mon 29th Dec '03, 11:17am
perhaps an idea is when this guy starts attacking again, redirect all the traffic to all the government webpages :p
Particularly the FBI's website :p
I'm really surprised though...I mean extortion, racketeering, harassment, and a couple of other things, I'm really surprised FBI hasn't gotten involved. Never have I seen a DDoS attack where there would be a ransom amount.
catocom
Mon 29th Dec '03, 12:30pm
Maybe Jelsoft should just have a fund raiser, and then
hire some mercenaries.
I'd donate a couple of bucks. :D
gopherhockey
Tue 30th Dec '03, 12:13pm
> We had a little 8 hour attack there.
> Our autoblock script works but Apache seems to crash on restart after an attack forcing a full server reboot to fix it. We're working with Ventures Online during each attack to try and find a definite way to stop this in future.
I'm on ventures and my servers all got extremely slow during this same timeframe... hope they can help come up with something for you guys.
ABLady
Tue 30th Dec '03, 1:20pm
I say everyone of us should say a prayer that the next time this person starts the DDoS attacks, he/she would have a heart attack!
Interdit
Tue 30th Dec '03, 1:26pm
No way to track an IP? Or a MAC address?
Interdit
Iceball
Tue 30th Dec '03, 1:35pm
> I say everyone of us should say a prayer that the next time this person starts the DDoS attacks, he/she would have a heart attack!
I've got the same opinion as you, its damn that all pages be down when he started this ****! Maybe vB could send every guys with a license a newletter with another adress to connect to the server (vBulletin and all pages on the server) and resend the URL vbulletin.com to another place, that he don't know the "adress" who connected to server... or make a htaccess file... but thats very hard... hmm... but the URL connection... maybe..
paddysplace
Tue 30th Dec '03, 1:36pm
I'm sure Jelsoft has all sorts of information about this guy...
Still doesn't mean they can do anything though :\
Regards,
Patrick
Still Waters
Tue 30th Dec '03, 1:42pm
Is it possible to switch servers, occasionally? I mean, as an added security precaution, just like you might change passwords on a regular basis?
Here's another idea. Is it possible to have the vBulletin site mirrored on a second server, which would be used only in case of attack on the primary server? Then, after that attack is resolved, move the mirrored site to a "new" second server? That way, the current location of the second server is always unknown?
<Please be nice. I'm not knowledgeable about running servers. :p>
Raz Meister
Tue 30th Dec '03, 2:07pm
I haven't been able to access the site for around two days. vB seriously needs to find a solution to this problem as I'm sure it is affecting sales.
Something like load balancing servers in different NOCs could possibly help.
Wayne Luke
Tue 30th Dec '03, 2:13pm
> No way to track an IP? Or a MAC address?
> Interdit
Actually, we have a list of about 10,000 IPs used in the attacks.
filburt1
Tue 30th Dec '03, 3:09pm
> No way to track an IP? Or a MAC address?
> Interdit
MAC IDs are not received properly when routed everywhere (i.e., if not on the exact same LAN).
The key word in DDoS is distributed. There's effectively nothing that can be done more than what's already been done.
Interdit
Tue 30th Dec '03, 3:23pm
there is certainly a way, if we can hack, we can protect.
Ready to work on if needed
Interdit
filburt1
Tue 30th Dec '03, 3:29pm
Fighting fire with an illegal nuclear attack doesn't work. 99% of the machines that are attacking are almost certainly not aware that they are even participating in the attack.
The kids will grow tired and reach bedtime soon.
Interdit
Tue 30th Dec '03, 3:30pm
didn't catch your expression with the kids...
Anyway, just wanted to help
Ciao
Francois
ABLady
Tue 30th Dec '03, 5:52pm
I've heard of routers that stop DDoS attacks. I wonder if the same idea can be used for servers.
the router:
http://www.netgear.com/products/details/WGR614.asp?view=hm
Kier
Tue 30th Dec '03, 6:18pm
Just about all routers can be instructed to detect and block a simple DoS attack, where the target server is overwhelmed with a small amount of junk traffic designed to quickly fill up the number of available TCP/IP connections.
However, the attacks being directed against vBulletin.com are DDoS, which is a very different beastie. In a DDoS attack the connection to the internet itself is flooded with vast amounts of traffic in order to completely fill the pipe with rubbish and prevent legitimate traffic from reaching its destination. There is nothing that can be done to defend against these kinds of attacks, apart from blocking large ranges of IP addresses on the periphery of the network (long before it reaches the target server).
Raz Meister
Tue 30th Dec '03, 6:43pm
Getting a faster connection or load balancing with different pipes should reduce the effects methinks.
Kier
Tue 30th Dec '03, 7:56pm
When the attacker is pushing 250Mb/s of bandwidth there really isn't a pipe in existence that won't be severely affected by these attacks.
Raz Meister
Tue 30th Dec '03, 8:52pm
That is why Jelsoft should seriously look into multiple uplink redundancy. That is the only way to beat this IMO.
Iceball
Tue 30th Dec '03, 10:42pm
At first, sorry when I say now things, who other members said too, could be that I dont understand the things right because I'm german.
Can't someone the connection interrupt when he start and take it up again, when he stopped? This would be better for the server I think and he don't must be restarted when he crashed because of that. I've said it at vbg.com, too, it can't be, that one country have an Law and another country havn't this, so we could let it at start and don't must waste the time to think about somethink like this. The FBI should went to this pupil and take away all his computers and Internetconnections! But they cant do it because its another country who heavn't this Law Well, there must be a way to stop this ****....
ABLady
Wed 31st Dec '03, 12:45am
> At first, sorry when I say now things, who other members said too, could be that I dont understand the things right because I'm german.
> Can't someone the connection interrupt when he start and take it up again, when he stopped? This would be better for the server I think and he don't must be restarted when he crashed because of that. I've said it at vbg.com, too, it can't be, that one country have an Law and another country havn't this, so we could let it at start and don't must waste the time to think about somethink like this. The FBI should went to this pupil and take away all his computers and Internetconnections! But they cant do it because its another country who heavn't this Law Well, there must be a way to stop this ****....
I say we throw him your English. ;) If that alone doesn't kill him, nothing will! ;)
Just kidding Iceball. I just couldn't resist. I hope to God you have a sense of humor. Love and peace to all. And, may everyone's New Year be a wonderful one.
Iceball
Wed 31st Dec '03, 1:04am
> I say we throw him your English. ;) If that alone doesn't kill him, nothing will! ;)
> Just kidding Iceball. I just couldn't resist. I hope to God you have a sense of humor. Love and peace to all. And, may everyone's New Year be a wonderful one.
Well, normally I could speak better english like this, but... the "internet" words and the gramar with this words are harder to use correct. I don't know what you mean with the "I say we throw him your English. ;) If that alone doesn't kill him, nothing will!" was is because its a bad english or just for fun? >.<" I think its good so, because of that, I posted, hope that you could understand it.
Mystics
Wed 31st Dec '03, 11:13am
Now it seems that a huge part of the 80.* IP range got blocked. But with T-Online being the biggest ISP here in Germany, which primarily uses this range (together with 217.*), many Germans can't visit vBulletin.com any more.
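Kier's point about blocking address ranges at the network edge, and the side effect Mystics reports above, can be measured before a block is applied. The following is an added example, not part of the thread and not Jelsoft's autoblock script: it groups attack sources into prefixes and counts the legitimate clients each block width would cut off. All addresses are constructed private-range samples; the function names and the `min_hosts` threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data (private address space, not taken from the thread).
ATTACK_SOURCES = [
    "10.20.1.5", "10.20.1.9", "10.20.1.77", "10.20.1.130",  # one busy pool
    "10.20.2.14", "10.99.8.3", "172.16.4.4",                # scattered hosts
]
LEGIT_CLIENTS = [
    "10.20.1.200",   # customer on the same dynamic pool as four attack sources
    "10.20.7.10", "10.150.3.3", "172.16.9.9", "192.168.1.1",
]


def aggregate(sources, prefix_len, min_hosts):
    """Networks of size /prefix_len holding at least min_hosts distinct sources."""
    counts = Counter(
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        for ip in set(sources)
    )
    return sorted(net for net, n in counts.items() if n >= min_hosts)


def inside(ips, networks):
    """Addresses from ips that fall inside any of the given networks."""
    return [ip for ip in ips
            if any(ipaddress.ip_address(ip) in net for net in networks)]


def evaluate(prefix_len, min_hosts=3):
    """Return (blocked networks, attack sources covered, legitimate clients cut off)."""
    blocked = aggregate(ATTACK_SOURCES, prefix_len, min_hosts)
    return (
        [str(net) for net in blocked],
        len(inside(ATTACK_SOURCES, blocked)),
        inside(LEGIT_CLIENTS, blocked),
    )


if __name__ == "__main__":
    # Wider blocks cover more attack sources but cut off more customers.
    for plen in (24, 16, 8):
        nets, covered, lost = evaluate(plen)
        print(f"/{plen}: block {nets} -> {covered}/{len(ATTACK_SOURCES)} "
              f"attack sources, {len(lost)} legitimate clients cut off: {lost}")
```

Running the same comparison against real customer login addresses before pushing a block list shows which customers need an exception in advance.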
himerus
Wed 31st Dec '03, 1:01pm
That's when it really sucks, when not only are users being denied the use of vB for a few hours at a time, now some are being blocked for good all because of the actions of a single malicious wannabe hacker.
I like the idea that you move the vB Forums (or at least a mirror hosted somewhere else), and send only users who have purchased a license for vB the alternate URL.
Someone else mentioned that before, but I thought it was great... you could disallow all spiders on the alternate, and require everyone to log in to view the forum.
Just some crazy ideas of mine... I hope you guys figure something out to crack down on this guy/girl.
John
Wed 31st Dec '03, 1:17pm
Please ask them to email us and we will get them access. The problem is the hundreds of unsecured computers sitting on broadband that have been attacking us - so everyone encourage your friends to patch Windows, or else these kind of attacks will just keep on happening!
nuno
Wed 31st Dec '03, 6:32pm
:( ...
StevenTN
Wed 31st Dec '03, 8:37pm
Makes me glad I keep XP patched. Now, I just wish they had cheaper hardware firewalls that were better than what Linksys offers (I hate software ones).
ThrillNetwork's ISP almost regularly gets DoS attacks, which sucks. I just hope I never end up getting blocked like I did on here for other people's malicious activity.
Sijo
Thu 1st Jan '04, 12:25pm
I wonder how he/she managed to gain control over so many machines...does this mean that this person wrote a virus or something and every time one of these infected PCs goes online he gets the IP so he can send commands? Don't get me wrong, I'm not saying that it is good what he is doing (I'm also affected by this), but just from the idea's point of view...it's pretty intense, don't you think?!
Steve Machol
Thu 1st Jan '04, 1:02pm
Most likely it's exactly like you said. The person doing this is a software pirate and he is doing it because he was caught. Most people eventually grow up - but it appears his personal and emotional development have been stunted.
Fusion
Thu 1st Jan '04, 1:53pm
> I say we throw him your English. ;) If that alone doesn't kill him, nothing will! ;)
> Just kidding Iceball. I just couldn't resist. I hope to God you have a sense of humor. Love and peace to all. And, may everyone's New Year be a wonderful one.
Actually, his English was perfectly legible, if you think in German syntax. :)
Raz Meister
Thu 1st Jan '04, 2:46pm
> Please ask them to email us and we will get them access. The problem is the hundreds of unsecured computers sitting on broadband that have been attacking us - so everyone encourage your friends to patch Windows, or else these kind of attacks will just keep on happening!
Yes, a quick visit to Windows Update should do the trick.
BTW, the site now appears to be responding pretty well. So either the attacks have stopped or you've found a solution!
Sijo
Thu 1st Jan '04, 4:10pm
> Most likely it's exactly like you said. The person doing this is a software pirate and he is doing it because he was caught. Most people eventually grow up - but it appears his personal and emotional development have been stunted.
Thanks Steve! I always thought people who are able to program viruses must be very smart, because they found something in a piece of software that dozens of developers couldn't find. Well, this cliche must be wrong then...at least there are some exceptions :rolleyes: he probably figured that he is getting sued anyway so he might not give a crap anymore if he gets another trial or not...just a guess though...