Forum painfully slow at the moment


42 replies to this topic

#1 paraglider

paraglider

    Gold Member

  • .script developer
  • 1743 posts
  • Location:NC,USA
  •  
    United States

Posted 28 May 2011 - 02:20 PM

Forum appears to be painfully slow at the moment. Time for a reboot of the server? Or are there just too many guests?

#2 Henshaw

Henshaw

    Member

  • Advanced user
  • 68 posts
  •  
    Italy

Posted 28 May 2011 - 02:34 PM

The SQL server should surely be overloaded. Nuno Brito may inquire. There may be some strange activity in another virtual host running from the same platform. :)

#3 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 28 May 2011 - 09:21 PM

Hooray!!

Another DDoS. This one is a bit more aggressive than normal.

I've rebooted our server. If it continues then I'll contact Mikorist on Monday so that he can help track down whatever they are attacking at this moment.

Sorry for the server being slow, we always had a lot of people trying to bring us down.

Last year they managed to put us down for half a month. We've hardened our defenses but I guess that these guys like to keep trying new stuff.

#4 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12707 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 28 May 2011 - 09:43 PM

Looks better now after reboot, but still not the "Well Known Response Times"

Good luck!

Peter

#5 Brito

Posted 28 May 2011 - 09:50 PM

Yeah, let those guys have some fun and we'll see what can be done after the weekend.

#6 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 29 May 2011 - 11:39 PM

So much for "let those guys have some fun"!
May I suggest using a different approach next time? :ph34r: :dubbio:

:whistling:

#7 Sha0

Sha0

    WinVBlock Dev

  • Developer
  • 1682 posts
  • Location:reboot.pro Forums
  • Interests:Booting
  •  
    Canada

Posted 30 May 2011 - 01:32 AM

...
Another DDoS. This one is a bit more aggressive than normal.
...
Sorry for the server being slow, we always had a lot of people trying to bring us down.

Last year they managed to put us down for half a month. We've hardened our defenses but I guess that these guys like to keep trying new stuff.

I think it'd be nice to see punitive consequences for such people...

#8 TheHive

TheHive

    Platinum Member

  • .script developer
  • 4199 posts

Posted 30 May 2011 - 02:48 AM

That must be why I was greeted with a bunch of SQL errors earlier in the day.

#9 Brito

Posted 30 May 2011 - 08:14 AM

May I suggest using a different approach next time?

B)

I think it'd be nice to see punitive consequences for such people.

Would be nice indeed.

That must be why I was greeted with a bunch of SQL errors earlier in the day.

Yep. We seem to be back to normal.

Mikorist is testing the speed of the machine; we're back at full speed, as depicted in the image below.

Posted Image

#10 Henshaw

Posted 30 May 2011 - 12:12 PM

As partly a physician, I am sometimes tempted to work-out things the way physicians do. Sometimes, to cure a heady viral infection, physicians use a technique called Homeopathy.

Homeopathy is the art of using the cause of an ailment to cure that ailment.

That said, I was just thinking aloud yesterday:


Begin Thinking

- I may create an emergency mode that my server will run into, when it detects a DDoS attack;
- while in that mode, it will accept just one connection from each IP address;
- it will try to detect zombies based on ping frequency and IP-network map;
- it will launch back an auto-self-destruction trojan-detector-cleaner to the zombies (this may arguably seem illegal, but, will change the battlefield from my-server-ville to zombie-ville without ripping personal infos from zombies);
- if attack subsides, it goes back to normal mode;

End Thinking
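
Added example, not part of Henshaw's post or of any reboot.pro code: the server-side steps of the list above only (enter an emergency mode when the connection-attempt rate spikes, accept one open connection per IP while in it, return to normal when the rate falls). The `EmergencyGate` class, the thresholds and the trace of documentation-range IP addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed tuning values, constructed for this example.
WINDOW_S = 5.0     # sliding window used to measure connection attempts
ENTER_RATE = 4.0   # attempts/second that switch the gate to emergency mode
EXIT_RATE = 1.0    # attempts/second at or below which normal mode resumes


class EmergencyGate:
    """Connection gate with a normal mode and a DDoS emergency mode."""

    def __init__(self):
        self.attempts = deque()             # timestamps of recent attempts
        self.open_conns = defaultdict(int)  # open connections per source IP
        self.emergency = False

    def _update_mode(self, now):
        # Forget attempts that fell out of the window, then apply hysteresis:
        # separate enter/exit thresholds stop the mode from flapping.
        while self.attempts and self.attempts[0] <= now - WINDOW_S:
            self.attempts.popleft()
        rate = len(self.attempts) / WINDOW_S
        if not self.emergency and rate >= ENTER_RATE:
            self.emergency = True
        elif self.emergency and rate <= EXIT_RATE:
            self.emergency = False

    def open(self, ip, now):
        """Return True if the connection is accepted."""
        self.attempts.append(now)
        self._update_mode(now)
        if self.emergency and self.open_conns[ip] >= 1:
            return False                    # emergency: one connection per IP
        self.open_conns[ip] += 1
        return True

    def close(self, ip):
        if self.open_conns[ip] > 0:
            self.open_conns[ip] -= 1


def build_trace():
    """Constructed trace: normal use, a 40-attempt flood, then quiet again."""
    visitor = "198.51.100.7"
    bots = ["203.0.113.%d" % n for n in range(1, 5)]
    trace = [(0.0, visitor, "open"), (1.0, visitor, "open"),
             (3.0, visitor, "close"), (3.0, visitor, "close")]
    trace += [(10.0 + i * 0.05, bots[i % 4], "open") for i in range(40)]
    trace += [(11.97, visitor, "open"), (11.98, visitor, "open")]
    trace += [(30.0, visitor, "close"), (30.0, visitor, "open"),
              (30.5, visitor, "open")]
    return trace


def replay(trace):
    """Feed the trace to a gate; return (time, ip, accepted, emergency) rows."""
    gate = EmergencyGate()
    rows = []
    for now, ip, action in trace:
        if action == "close":
            gate.close(ip)
        else:
            rows.append((now, ip, gate.open(ip, now), gate.emergency))
    return rows


if __name__ == "__main__":
    for row in replay(build_trace()):
        print(row)
```

Because the cap is per source address, many users behind one shared address are limited to a single connection between them while the mode is active.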







#11 Brito

Posted 30 May 2011 - 12:33 PM

It would be an interesting approach.

However, it would make us no better than them. Plus, we have more to lose since it would give other people the excuse to shut down our server.

This already happened last summer when our US server was brought down by the hosting provider without chance of appeal. Someone managed to hack one of the hosted subdomains and planted malicious scripts for phishing activities.

Recently, some two days ago the hosting provider that we are using (in Germany) has contacted me because they got a similar complaint. Luckily, things are different in Europe and they asked for an explanation rather than just suspending the service automatically.

Probably, the same people causing these annoyances are also reading this post to see what are our reactions: Thank you guys, try harder next time.

B)

#12 Henshaw

Posted 30 May 2011 - 01:49 PM

It may be done in a better way:

Send a pop-up message to zombies, alerting the user/administrator of what's going on and presenting the polite option to perform a free remote system scan/clean.

#13 Brito

Posted 30 May 2011 - 02:18 PM

presenting the polite option to perform a free remote system scan/clean.

How would we do this?

Also, even if it was possible, then how would our polite way differ from a typical scareware message?

Posted Image

This way people wouldn't take it seriously.. B)

#14 Sha0

Posted 30 May 2011 - 04:03 PM

If only time and money were abundant, it'd be interesting:
  • to log communications during a DDoS attack
  • to review the logs for a pattern
  • to seek and obtain co-operation from a DDoS node's owner/ISP
  • to find the node code responsible for the DDoS
  • to find out where that code was obtained
  • to find where it takes its instructions from
  • to find out who sent those instructions
  • to alert the relevant authorities, if applicable


#15 Henshaw

Posted 30 May 2011 - 04:14 PM

How would we do this?

Also, even if it was possible, then how would our polite way differ from a typical scareware message?
... This way people wouldn't take it seriously.. B)

Take a look at this snap-shot. It uses a friendlier approach like IM tray pop-ups do.


It uses simple language to tell the truth to the user, then waits for a decision.

The first option gives a sure way of presenting your new antivirus application,

while the second option will demonstrate to the user the capabilities of Reboot.pro

Attached Thumbnails

  • henshaw_001.png


#16 MedEvil

Posted 30 May 2011 - 04:34 PM

I personally would settle for something way more simple.

The login page stayed accessible throughout the whole shebang. So why not have a two class access system?
One for logged in members and one for 'guests'.
During an attack the 'guest' part would become slow or even inaccessible due to the huge amount of requests. However with a limited queue depth, the system as a whole would stay stable.

And with a stable system, logged in members could keep using the express lane.

B)

#17 Sha0

Posted 30 May 2011 - 04:35 PM

Take a look at this snap-shot. It uses a friendlier approach like IM tray pop-ups do.


It uses simple language to tell the truth to the user, then waits for a decision.

The first option gives a sure way of presenting your new antivirus application,

while the second option will demonstrate to the user the capabilities of Reboot.pro

That notification, while having honest content, looks too much like the fake alerts that are so common now.

I do not see a web browser open in the taskbar... How does the message appear on the user's computer? If the answer is anything other than "the user explicitly installed a reboot.pro notification service application," then I do not agree with the strategy.

Marilyn Manson (regardless of anyone's taste in his band's music B) ) said it so well in the movie Bowling for Columbine; something along the lines of: "Fear and Consumption. If you don't get the zit cream, you won't get the girl." If there's a chance that a notification might frighten/concern a user into consuming a potential remedy, then I disagree with that strategy.

You seem to be pretty familiar with this type of strategy, Henshaw... Have you, too, spent exhausting hours helping friends and family remove such notifications from their computers? Imagine for a moment, if you will, a virus which recommends a particular anti-virus product. Who benefits?

#18 Henshaw

Posted 30 May 2011 - 07:09 PM

That notification, while having honest content, looks too much like the fake alerts that are so common now.

I do not see a web browser open in the taskbar...  How does the message appear on the user's computer?  If the answer is anything other than "the user explicitly installed a reboot.pro notification service application," then I do not agree with the strategy.

Marilyn Manson (regardless of anyone's taste in his band's music :thumbsup: ) said it so well in the movie Bowling for Columbine; something along the lines of: "Fear and Consumption.  If you don't get the zit cream, you won't get the girl."  If there's a chance that a notification might frighten/concern a user into consuming a potential remedy, then I disagree with that strategy.

You seem to be pretty familiar with this type of strategy, Henshaw...  Have you, too, spent exhausting hours helping friends and family remove such notifications from their computers?  Imagine for a moment, if you will, a virus which recommends a particular anti-virus product.  Who benefits?


You may have thousands of such pop-ups out there. It doesn't matter.
As a business man, from a marketing point of view, I tell you it works!
All that matters is your approach. If you read my reply in post #10, I stated
that the application you push into the zombies, would be self-destructive 
once it finishes its job or is exited.  

Nothing is installed. It will pop-up only during heavy traffic receipt. You use the
hping-like technique as Symantec sometimes does through Norton Web-Scan.
The pop-up presents three buttons: the X will quit and invoke the self-destruction,
the other two will give you mathematically, 2 of 3 possibilities to hit the target.
That would already be a good result. You can't convince the whole world.

Whatever be the pop-up trigger, a few things count:

  - knowledge of DDoS will drive some experts to give it a try
  - curiosity will drive some non-experts to give it a try
  - if at first trial the application does exactly what it professes, without any hidden
    services, you rip their attention and gain credibility and begin sprouting out of the mass
  - if the user quits without giving it a try, you mark that IP address and limit subsequent pop-up alerts.

It is not an All-Or-Nothing rule. It's MARKETING. 

#19 Henshaw

Posted 30 May 2011 - 07:56 PM

I personally would settle for something way more simple.

The login page stayed accessible throughout the whole shebang. So why not have a two class access system?
One for logged in members and one for 'guests'.
During an attack the 'guest' part would become slow or even inaccessible due to the huge amount of requests. However with a limited queue depth, the system as a whole would stay stable.

And with a stable system, logged in members could keep using the express lane.

:thumbsup:


Using a CMS like this one, where login information is traditionally stored in the same
database as content, every login attempt, be it successful or not, will keep the SQL server busy.
Thus, Locked-up or Not, a bulk of multiple connection attempts will bring the server down.

#20 Sha0

Posted 30 May 2011 - 08:43 PM

You may have thousands of such pop-ups out there. It doesn't matter.
As a business man, from a marketing point of view, I tell you it works!

Clearly it does and clearly the approach has cost me much precious time.

All that matters is your approach. If you read my reply in post #10, I stated
that the application you push into the zombies, would be self-destructive 
once it finishes its job or is exited.

To me, that seems a lot like:
  • Trying the door-handles in the neighbourhood houses.
  • Find an open one? Walk into the kitchen.
  • Open the cup-boards and post "Hungry? Order Henshaw Pizza!" pages inside.
  • Pages will dissolve after being exposed to the kitchen light for 30 seconds.

Nothing is installed. It will pop-up only during heavy traffic receipt. You use the
hping-like technique as Symantec sometimes does through Norton Web-Scan.

A big problem with this approach is: You don't know what you don't know.

This is, in my opinion, "out-of-band" for the "authoritative" communication channels that people might expect.

People might expect their ISP or the police to give a telephone call if they have been identified as being involved in an attack. For those who consider a Windows System Tray Area-notification to be authoritative, the strategy is lying: It's not a message from Windows.

Consider what happens if a person is watching a video and this notification appears: You've interrupted their otherwise enjoyable experience.

Consider what happens if your notification code includes a bug: You can introduce further security vulnerabilities or cause inadvertent damage.

Consider what happens if a person doesn't read English: They have no idea what the notification is all about and might waste their time trying to find out.

Consider what happens if a person doesn't get any help and some malicious code on their computer continues to DDoS reboot.pro forever: They need to put up with your notification forever. Why are they being abused in a battle they have no knowledge of? How many other battles might be waged around them? Perhaps their job is to bull-doze my house... Do I break into theirs and wait for them to come home so I can tell them to stop?

Consider what happens if a computer has software running which reads on-screen text: You suddenly wake up their sleeping cat.

Consider what happens when reboot.pro is added to lists of "mal-ware" sources (as such an unsolicited program is clearly in that category): reboot.pro loses reputation points.

etc.

When a user uses a web browser to browse the Internet's web sites, they have few guarantees about the content of those web-sites, so they ought to have just as few expectations about the content they will be exposed to. When a user is not using a web browser, any miscellaneous content is unexpected and alarming! It's not NICE to sneak up behind someone and pop[-up] a [notification] balloon close to them! :thumbsup:

The pop-up presents three buttons: the X will quit and invoke the self-destruction,
the other two will give you mathematically, 2 of 3 possibilities to hit the target.
That would already be a good result. You can't convince the whole world.

Whatever be the pop-up trigger, a few things count:

  - knowledge of DDoS will drive some experts to give it a try
  - curiosity will drive some non-experts to give it a try
  - if at first trial the application does exactly what it professes, without any hidden
    services, you rip their attention and gain credibility and begin sprouting out of the mass
  - if the user quits without giving it a try, you mark that IP address and limit subsequent pop-up alerts.

It is not an All-Or-Nothing rule. It's MARKETING. 

A slippery slope... If one goes so far as to run arbitrary code, why not use the opportunity to get revenge and DDoS an identified, original source of the attack, at John Q. Hacker's own site? Why not use the opportunity to reverse-engineer the source of the attack by monitoring network traffic and gathering a little report for us to review?

Or maybe...


#21 Icecube

Icecube

    Gold Member

  • Team Reboot
  • 1063 posts
  •  
    Belgium

Posted 30 May 2011 - 09:03 PM

The free cloudflare protection service, might be an option:

Performance
  • Globally-distributed network
  • Secure, redundant DNS
  • Anycast routing technology
  • Automatic static content caching
  • Always online
Basic Security
  • Email harvesting protection
  • Reputation-based threat protection
  • Server side exclude ability
  • Hotlinking protection
  • Browser integrity checks
  • Threat control dashboard
  • Block traffic by country or IP range
  • Alert infected human visitors
  • Identify new threats for community
http://www.cloudflare.com/plans.html

I got an alert a few days ago on a website that was protected by this service.
I first thought it was a scam, because my Linux machine would be very unlikely to be infected.
Then I realized that 50.000 PCs at that location share the same external IP (so some virus infected machines could be available in this network).

#22 Henshaw

Posted 30 May 2011 - 10:44 PM

This material is sensible and I understand this debate can be very tough.
A DoS attack can be easy to trace. But with DDoS, the source is usually almost
impossible to trace. A big business cannot afford to simply succumb by merely
trying to make repairs while under attack.

"All that matters is approach". Sha0, you may have gone through this statement with less attention.
Not all non-user-initiated pop-ups scare people. This method has been one of the milestones
for wealth in the publicity industry for all sorts of digital and non-digital goods. Pop-ups today, are
the fulcrum of digital marketing. Be it OpenSource, Freeware, Shareware, or a Commercial product,
the rules of marketing must be met, else, it goes nowhere!

Whatever you do, wherever you go, there is abuse somehow. That should not, however,
stop your good work. Take note that pop-ups that don't interfere with the user's work and always offer the option
for instant removal, are usually considered friendly at first glance...
   ... just to mention a few characteristics of known friendly pop-ups behaviour:

    - do not appear at the center of the screen
    - do not present modal dialogs
    - present at least a set of options like this:

        * Quit     * Remind me later    * Remove (Do not bother me anymore).

Much care must be taken in the choice of icon flags, if any is to be used.
Believe me or not, businesses have made great successes from mere simplicities like this.
Theoretical ethics makes me agree with you but experience makes me diverge.

#23 MedEvil

Posted 31 May 2011 - 01:48 AM

Using a CMS like this one, where login information is traditionally stored in the same
database as content, every login attempt, be it successful or not, will keep the SQL server busy.

Firstly, who in their right mind, would set up a system like that?
One does not build a system to work properly, when everything goes well, but to work properly, also in case everything goes wrong. A system should always protect itself. First step is to identify the root of the problem and isolate it, so it can't affect other parts of the system.

And second, if I give you every ten minutes a task to do and you need less than 10 minutes to do it, I can never pile up tasks.
To do that, I will have to give you tasks, which take longer to complete than ten minutes or I have to give you new tasks faster.
So it's basically a race.

Checking login information on requests, in a very small database (20-30 members logged in) is lightning fast, compared to dishing out pages or even doing searches, so it takes way more load to get this system into DoS.

:thumbsup:
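
Added example, not part of any post in this thread and not reboot.pro code: a small simulation of the two ideas in posts #16 and #23, a guest lane with limited queue depth beside a member express lane, and the "race" between arrival rate and service rate. The load figures and the `simulate` function are constructed, and the example assumes a member can be told from a guest cheaply, without a query against the content database.

```python
from collections import deque


def simulate(ticks, capacity, guests_per_tick, members_per_tick, guest_depth=None):
    """Replay a constant load against a server that handles `capacity`
    requests per tick.

    guest_depth=None : one shared, unbounded FIFO queue for everyone.
    guest_depth=N    : members get their own lane, served first; the guest
                       lane holds at most N requests and drops the rest.
    Assumption: telling a member from a guest is cheap (e.g. a session
    lookup that does not touch the content database).
    """
    shared = guest_depth is None
    fifo, members, guests = deque(), deque(), deque()
    dropped = 0
    member_waits = []

    for tick in range(ticks):
        # Arrivals for this tick.
        for _ in range(members_per_tick):
            (fifo if shared else members).append(("member", tick))
        for _ in range(guests_per_tick):
            if shared:
                fifo.append(("guest", tick))
            elif len(guests) < guest_depth:
                guests.append(("guest", tick))
            else:
                dropped += 1          # rejected before it costs any work

        # Service: at most `capacity` requests leave the queues per tick.
        for _ in range(capacity):
            queue = fifo if shared else (members if members else guests)
            if not queue:
                break
            kind, arrived = queue.popleft()
            if kind == "member":
                member_waits.append(tick - arrived)

    return {
        "members_served": len(member_waits),
        "max_member_wait": max(member_waits, default=0),
        "dropped_guests": dropped,
        "backlog": len(fifo) + len(members) + len(guests),
    }


if __name__ == "__main__":
    # Constructed load: 10 requests/tick capacity, 2 member and 50 guest
    # requests arriving per tick, 20 ticks.
    print("shared queue:", simulate(20, 10, 50, 2))
    print("two lanes   :", simulate(20, 10, 50, 2, guest_depth=20))
    print("under load  :", simulate(20, 10, 6, 2))
```

With the shared queue the backlog grows every tick and only the earliest member requests are answered; with the bounded guest lane the excess is dropped at the door and every member request is served in the tick it arrives.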

#24 Henshaw

Posted 31 May 2011 - 07:48 AM

Firstly, who in their right mind, would set up a system like that?
One does not build a system to work properly, when everything goes well, but to work properly, also in case everything goes wrong. A system should always protect itself. First step is to identify the root of the problem and isolate it, so it can't affect other parts of the system.

And second, if I give you every ten minutes a task to do and you need less than 10 minutes to do it, I can never pile up tasks.
To do that, I will have to give you tasks, which take longer to complete than ten minutes or I have to give you new tasks faster.
So it's basically a race.

Checking login information on requests, in a very small database (20-30 members logged in) is lightning fast, compared to dishing out pages or even doing searches, so it takes way more load to get this system into DoS.

:thumbsup:


Be your server lightning-fast as that of google, microsoft, etc., be they simple login attempts, 
when billions of timed and co-ordinated concurrent connections point to your server, you're done! 

#25 MedEvil

Posted 31 May 2011 - 10:08 PM

when billions of timed and co-ordinated concurrent connections point to your server, you're done!

Yes and when our server is hit by the falling moon, it's dead, so we better not do anything to protect it against attacks, it's all useless anyway, if we can't protect it from everything. :rolleyes:

:cheers:



