> What is going on? Something is trying to "handle" to Internet?
> Ray.
I read that blog entry. I dunno bout all the technical stuff but he really has a go at Rick Ross and his tech guy. Very cultish dead-agent style personal attack nonsense. Most bizarre.
> > > What is going on? Something is trying to "handle" to Internet?
> > > Ray.
> > I read that blog entry. I dunno bout all the technical stuff but he really has a go at Rick Ross and his tech guy. Very cultish dead-agent style personal attack nonsense. Most bizarre.
> I'm still not able to reach rickross.com from my side. From this blog, and from a few pieces of news involving this guy, it doesn't seem CoS related.
zeeorger wrote:
> On Dec 8, 8:23 am, "R. Hill" <rh...@xenu-directory.net> wrote:
>> On Dec 8, 2:15 pm, "JAFAW" <a...@anon.net> wrote:
>>> "R. Hill" <rh...@xenu-directory.net> wrote in message
>>> news:06465e86-06d2-4d8c-96f9-57ac6c24d67f@s8g2000prg.googlegroups.com...
>>>> Since a few days, I haven't been able to reach rickross.com, obtaining a "bad request" page instead.
>>>> Look where www.rickross.com leads today:
>>>> http://bruceraisley.blogspot.com/2007/12/ddos-distributed-denial-of-s...
>>>> What is going on? Something is trying to "handle" to Internet?
>>>> Ray.
>>> I read that blog entry. I dunno bout all the technical stuff but he really has a go at Rick Ross and his tech guy. Very cultish dead-agent style personal attack nonsense. Most bizarre.
>>> Peace and Goodwill
>>> JAFAW
>>> www.xenu.net www.xenutv.com www.lermanet.com
>> I'm still not able to reach rickross.com from my side. From this blog, and from a few pieces of news involving this guy, it doesn't seem CoS related.
> > > What is going on? Something is trying to "handle" to Internet?
> > > Ray.
> > I read that blog entry. I dunno bout all the technical stuff but he really has a go at Rick Ross and his tech guy. Very cultish dead-agent style personal attack nonsense. Most bizarre.
> I'm still not able to reach rickross.com from my side. From this blog, and from a few pieces of news involving this guy, it doesn't seem CoS related.
> Ray.
It would be nice if you could run "nslookup www.rickross.com" on your system and post the results ... tell me which dns server you are using.
I would not put it outside the realm of the CoS, the OSA fucktards are not above hiring two-bits-short-of-a-byte script kiddies.
> > > What is going on? Something is trying to "handle" to Internet?
> > > Ray.
> > I read that blog entry. I dunno bout all the technical stuff but he really has a go at Rick Ross and his tech guy. Very cultish dead-agent style personal attack nonsense. Most bizarre.
> I'm still not able to reach rickross.com from my side. From this blog, and from a few pieces of news involving this guy, it doesn't seem CoS related.
> Ray.
Hmm, odd. Your ISP isn't using some sort of transparent proxy cache is it? (serving up outdated pages). Normally you'd force a hard refresh using Ctrl+F5 which bypasses any proxy cache. I'm not sure but I think putting /? after the URL in the address bar, and hitting Go or Enter key, also bypasses any proxy cache. Also, try clearing your temporary internet browser cache, and maybe delete any cookies for both sites in question and see what happens.
He may not be Co$ but he's acting like it in the way that he not only repeats their typical defamation but goes way over the top by claiming that Rick Ross is a fake, has a fake site and a fake address.
> > > > What is going on? Something is trying to "handle" to Internet?
> > > > Ray.
> > > I read that blog entry. I dunno bout all the technical stuff but he really has a go at Rick Ross and his tech guy. Very cultish dead-agent style personal attack nonsense. Most bizarre.
> > I'm still not able to reach rickross.com from my side. From this blog, and from a few pieces of news involving this guy, it doesn't seem CoS related.
> The blogger linked the "urls" used for a DOS attack to rickross.com, picked on the wrong "return" target and went south from there.
> It sounds more like a DNS cache poisoning attack, which would explain why you got re-directed to the blogger's site.
> Z
Good point. Explains why some people get a site and others don't since each ISP/host generally has its own domain nameservers. To test this, Ray could reconfigure his internet settings to point to an alternative DNS pair.
R. Hill wrote:
> Since a few days, I haven't been able to reach rickross.com, obtaining a "bad request" page instead.
Run an updated virus scanner on your machine. I mean it. Then e-mail me your IP address so I can unblock you.
> What is going on? Something is trying to "handle" to Internet?
No, just me trying to handle a DDoS attack. Details below.
JAFAW wrote:
> I read that blog entry. I dunno bout all the technical stuff but he really has a go at Rick Ross and his tech guy. Very cultish dead-agent style personal attack nonsense. Most bizarre.
Elsewhere has Raisley copy/pasted long chunks from my DA page on religiousfreedomwatch, so yes, you could say it's cultish. But as far as anyone knows or can guess, the CoS has nothing to do with this. In fact, I'm certain they don't.
zeeorger wrote:
> It sounds more like a DNS cache poisoning attack, which would explain why you got re-directed to the blogger's site.
No cache poisoning, just plain DNS answer differentiation. Anyone familiar with BIND's views will know how this is done, although in this case it was done differently.
Here's the story. By some weird coincidences I ended up doing system administration for rickross.com some time ago. On October 1, I noticed a DDoS attack against one particular page, http://www.rickross.com/reference/perverted_justice/perverted_justice... It was nothing the server couldn't handle, but better watch it anyway.
Three hours later I was sitting with my hands in my hair. The DDoS was growing by the minute and I had hell on earth trying to block left and right. It cost me hell, but the server stayed up.
The attack consists of rapid HTTP requests, 3 to 8 per second, for a 28 KB page, and comes from an average of 5.000 bots, with peaks around 11.000. Do the math. If all these requests were fulfilled, using averages, the outgoing traffic alone would be 5.000 x 5 x 28KB = 680 MiB/s. Megabytes, not megabits, which translates to a volume of roughly 60.000 GB per day. On top of that we had a fairly big ICMP attack coming in. Of course I kept blocking and blocking, so even if the server on a couple of occasions was overloaded, it never came anywhere close to collapsing.
Usually, when a DDoS fails, the attacker moves on. Not in this case though. The attack has persisted ever since, for a whole two and a half months without interruption. Keeping on top of such a thing day after day, week after week, is tiresome and ends up being Very Annoying.
So I researched the attack, together with Rick. By now we know its origin, its reasons and also the guy behind it. I even phoned him to see if I could talk some reason into him, but he's as cuckoo as they get.
There are three ways to deal with a thing like this: give up, defend, or counterattack. One thing I learned already as a kid is to never, ever, for any reason and under any circumstances, give in to extortion. The attacker is an extortionist; what he says is simply "if you don't remove that page from the web, I will cause you a lot of pain". Well, that page will be removed from the web over my dead body. (He is also one of those stupidly aggressive characters, because if he only had picked up the phone instead of launching a DDoS attack, called Rick, and asked for his name to be removed from the page, Rick would happily have obliged. Too late for that now though.)
So I defended. And when I got sick and tired of defending, I attacked back. Kind of.
Almost 75% of the bots are concentrated in Greece, the rest are mainly in the adjacent countries; Montenegro, Serbia, Turkey, Croatia, Slovenia, with some odd ones in other parts of the world. 97% of the legitimate visitors of rickross.com are concentrated in the US, with the rest in Canada, the UK and some odd ones in the rest of the world. The resulting equation makes sense, so I fed the bot countries fake DNS data, pointing them to a machine owned by the botmaster, while the rest of the world could still visit the site as usual. Perfect bliss: the attacker was attacking his own machine, while we got a moment of peace in which to contemplate the next step. It took three weeks for the attacker to realise what happened, although I kept him updated from day one. Bruce, you should really read your n9...@hotmail.com account, it's in your own interest. I always play with (almost) open cards, ask around and people will confirm.
So just a couple of days ago he switched to IP address-based addressing and my DNS trick works no more. Therefore, I'm moving on to the next: creating mirrors of the attacked article at a rate faster than the attacker can count, let alone attack. (Yes Bruce, I already told you this too. Weeks ago. Do read your mail.) The idea is to make the attack completely counterproductive; since the attacker wants that article off the net, if I can make the attack multiply the presence of the article, the attacker will have a serious incitement to stop attacking.
zeeorger wrote:
> "Mr Bruce Raisley looks to be an Internet loony, at least his blog on the subject is several BTs short of a cluster"
> ... probably explains WHY he is getting hit with a DDOS attack.
Ehum, rather the exact opposite.
BTW, you copyright terrorist, the "Z" signature is mine, has always been. Cease and desist ;)
I wrote:
> R. Hill wrote:
>> Since a few days, I haven't been able to reach rickross.com, obtaining a "bad request" page instead.
> Run an updated virus scanner on your machine. I mean it. Then e-mail me your IP address so I can unblock you.
I checked your address (assuming it's the same that google shows as posting-host). It's not explicitly blocked, so you are not infected as far as I can tell. However, you happen to be in one of those odd countries with many infected machines and unresponsive ISPs, so I have pointed the entire country to the attacker's server.
<clicketyclick>
No longer. He's attacking by IP address now, so there's no point anyway. As soon as your ISP's DNS cache expires you'll be able to reach www.rickross.com again. The TTL is intentionally very short.
Amazing story of Internet-technical competence and stamina.
Thank you, Zenon.
KNT hrp&p
P.S.: The battleground (including major TV entertainment) is the very unethical world of Criminals turned "volunteers in law-enforcement," of some local law, in which - I hope I understand this correctly - if you are a woman of 21 years old, and you fall in love with and have consensual 'sacks' with a 17 year old man, then "you are a criminal woman."
Copyright 2007 by KNT hrp&p Copyright Conditions as usual
> R. Hill wrote:
> > Since a few days, I haven't been able to reach rickross.com, obtaining a "bad request" page instead.
> Run an updated virus scanner on your machine. I mean it. Then e-mail me your IP address so I can unblock you.
> > What is going on? Something is trying to "handle" to Internet?
> No, just me trying to handle a DDoS attack. Details below.
> JAFAW wrote:
> > I read that blog entry. I dunno bout all the technical stuff but he really has a go at Rick Ross and his tech guy. Very cultish dead-agent style personal attack nonsense. Most bizarre.
> Elsewhere has Raisley copy/pasted long chunks from my DA page on religiousfreedomwatch, so yes, you could say it's cultish. But as far as anyone knows or can guess, the CoS has nothing to do with this. In fact, I'm certain they don't.
> zeeorger wrote:
> > It sounds more like a DNS cache poisoning attack, which would explain why you got re-directed to the blogger's site.
> No cache poisoning, just plain DNS answer differentiation. Anyone familiar with BIND's views will know how this is done, although in this case it was done differently.
> Here's the story. By some weird coincidences I ended up doing system administration for rickross.com some time ago. On October 1, I noticed a DDoS attack against one particular page, http://www.rickross.com/reference/perverted_justice/perverted_justice... It was nothing the server couldn't handle, but better watch it anyway.
> Three hours later I was sitting with my hands in my hair. The DDoS was growing by the minute and I had hell on earth trying to block left and right. It cost me hell, but the server stayed up.
> The attack consists of rapid HTTP requests, 3 to 8 per second, for a 28 KB page, and comes from an average of 5.000 bots, with peaks around 11.000. Do the math. If all these requests were fulfilled, using averages, the outgoing traffic alone would be 5.000 x 5 x 28KB = 680 MiB/s. Megabytes, not megabits, which translates to a volume of roughly 60.000 GB per day. On top of that we had a fairly big ICMP attack coming in. Of course I kept blocking and blocking, so even if the server on a couple of occasions was overloaded, it never came anywhere close to collapsing.
> Usually, when a DDoS fails, the attacker moves on. Not in this case though. The attack has persisted ever since, for a whole two and a half months without interruption. Keeping on top of such a thing day after day, week after week, is tiresome and ends up being Very Annoying.
> So I researched the attack, together with Rick. By now we know its origin, its reasons and also the guy behind it. I even phoned him to see if I could talk some reason into him, but he's as cuckoo as they get.
> There are three ways to deal with a thing like this: give up, defend, or counterattack. One thing I learned already as a kid is to never, ever, for any reason and under any circumstances, give in to extortion. The attacker is an extortionist; what he says is simply "if you don't remove that page from the web, I will cause you a lot of pain". Well, that page will be removed from the web over my dead body. (He is also one of those stupidly aggressive characters, because if he only had picked up the phone instead of launching a DDoS attack, called Rick, and asked for his name to be removed from the page, Rick would happily have obliged. Too late for that now though.)
> So I defended. And when I got sick and tired of defending, I attacked back. Kind of.
> Almost 75% of the bots are concentrated in Greece, the rest are mainly in the adjacent countries; Montenegro, Serbia, Turkey, Croatia, Slovenia, with some odd ones in other parts of the world. 97% of the legitimate visitors of rickross.com are concentrated in the US, with the rest in Canada, the UK and some odd ones in the rest of the world. The resulting equation makes sense, so I fed the bot countries fake DNS data, pointing them to a machine owned by the botmaster, while the rest of the world could still visit the site as usual. Perfect bliss: the attacker was attacking his own machine, while we got a moment of peace in which to contemplate the next step. It took three weeks for the attacker to realise what happened, although I kept him updated from day one. Bruce, you should really read your n9...@hotmail.com account, it's in your own interest. I always play with (almost) open cards, ask around and people will confirm.
> So just a couple of days ago he switched to IP address-based addressing and my DNS trick works no more. Therefore, I'm moving on to the next: creating mirrors of the attacked article at a rate faster than the attacker can count, let alone attack. (Yes Bruce, I already told you this too. Weeks ago. Do read your mail.) The idea is to make the attack completely counterproductive; since the attacker wants that article off the net, if I can make the attack multiply the presence of the article, the attacker will have a serious incitement to stop attacking.
Cute, very cute ... DNS warfare.
You could change the page to a forward reference, with delayed refresh, would download in short order (reduce traffic) - the next page could be made into a php script, delayed dynamic redirects ... with multiframe pages with autorefresh ... screw any system into the ground in short order.
With the right redirects in httpd.conf you could let google scan a regular page and cache what you want - your "page" would exist forever in the search engines of the world ...
> zeeorger wrote:
> > "Mr Bruce Raisley looks to be an Internet loony, at least his blog on the subject is several BTs short of a cluster"
> > ... probably explains WHY he is getting hit with a DDOS attack.
> Ehum, rather the exact opposite.
> BTW, you copyright terrorist, the "Z" signature is mine, has always been. Cease and desist ;)
Don't make me pull out my black mamba and start spraying. ;-)
> No, just me trying to handle a DDoS attack. Details below.
I had assumed it was something like that. We seem to have two guys so obsessed with attacking each other that anyone who isn't 110% on their side is an Enemy. rickross.com has just been taking collateral damage.
I guess we should be grateful that none of our resident ARS nutters have the technical knowhow and resources to do this. DDoS attacks from Ms Schwarz would be a sight to behold - so many enemies, so little time!
Zenon Panoussis wrote:
> Hi everyone, long time no see.
Hi Zenon!
> R. Hill wrote:
>> Since a few days, I haven't been able to reach rickross.com, obtaining a "bad request" page instead.
> Run an updated virus scanner on your machine. I mean it. Then e-mail me your IP address so I can unblock you.
>> What is going on? Something is trying to "handle" to Internet?
> No, just me trying to handle a DDoS attack. Details below.
> JAFAW wrote:
>> I read that blog entry. I dunno bout all the technical stuff but he really has a go at Rick Ross and his tech guy. Very cultish dead-agent style personal attack nonsense. Most bizarre.
> Elsewhere has Raisley copy/pasted long chunks from my DA page on religiousfreedomwatch, so yes, you could say it's cultish. But as far as anyone knows or can guess, the CoS has nothing to do with this. In fact, I'm certain they don't.
> zeeorger wrote:
>> It sounds more like a DNS cache poisoning attack, which would explain why you got re-directed to the blogger's site.
> No cache poisoning, just plain DNS answer differentiation. Anyone familiar with BIND's views will know how this is done, although in this case it was done differently.
> Here's the story. By some weird coincidences I ended up doing system administration for rickross.com some time ago. On October 1, I noticed a DDoS attack against one particular page, http://www.rickross.com/reference/perverted_justice/perverted_justice... It was nothing the server couldn't handle, but better watch it anyway.
I looked at this page. It's about the founder of Perverted Justice, a group that's involved with To Catch A Predator on Dateline with Chris Hanson. This is an incredible story of what happens when geeks go bad. Raisely attacked. Von Erke raised the stakes. Hell of a story!
I was surprised to learn that's what this is all about, as I know a bit about PJ and its work. Which reminds me, if any of you clams want to talk to a 13 year old named Shelly...muahahahaha!
> Three hours later I was sitting with my hands in my hair. The DDoS was growing by the minute and I had hell on earth trying to block left and right. It cost me hell, but the server stayed up.
> The attack consists of rapid HTTP requests, 3 to 8 per second, for a 28 KB page, and comes from an average of 5.000 bots, with peaks around 11.000. Do the math. If all these requests were fulfilled, using averages, the outgoing traffic alone would be 5.000 x 5 x 28KB = 680 MiB/s. Megabytes, not megabits, which translates to a volume of roughly 60.000 GB per day. On top of that we had a fairly big ICMP attack coming in. Of course I kept blocking and blocking, so even if the server on a couple of occasions was overloaded, it never came anywhere close to collapsing.
> Usually, when a DDoS fails, the attacker moves on. Not in this case though. The attack has persisted ever since, for a whole two and a half months without interruption. Keeping on top of such a thing day after day, week after week, is tiresome and ends up being Very Annoying.
> So I researched the attack, together with Rick. By now we know its origin, its reasons and also the guy behind it. I even phoned him to see if I could talk some reason into him, but he's as cuckoo as they get.
> There are three ways to deal with a thing like this: give up, defend, or counterattack. One thing I learned already as a kid is to never, ever, for any reason and under any circumstances, give in to extortion. The attacker is an extortionist; what he says is simply "if you don't remove that page from the web, I will cause you a lot of pain". Well, that page will be removed from the web over my dead body. (He is also one of those stupidly aggressive characters, because if he only had picked up the phone instead of launching a DDoS attack, called Rick, and asked for his name to be removed from the page, Rick would happily have obliged. Too late for that now though.)
> So I defended. And when I got sick and tired of defending, I attacked back. Kind of.
> Almost 75% of the bots are concentrated in Greece, the rest are mainly in the adjacent countries; Montenegro, Serbia, Turkey, Croatia, Slovenia, with some odd ones in other parts of the world. 97% of the legitimate visitors of rickross.com are concentrated in the US, with the rest in Canada, the UK and some odd ones in the rest of the world. The resulting equation makes sense, so I fed the bot countries fake DNS data, pointing them to a machine owned by the botmaster, while the rest of the world could still visit the site as usual. Perfect bliss: the attacker was attacking his own machine, while we got a moment of peace in which to contemplate the next step. It took three weeks for the attacker to realise what happened, although I kept him updated from day one. Bruce, you should really read your n9...@hotmail.com account, it's in your own interest. I always play with (almost) open cards, ask around and people will confirm.
> So just a couple of days ago he switched to IP address-based addressing and my DNS trick works no more. Therefore, I'm moving on to the next: creating mirrors of the attacked article at a rate faster than the attacker can count, let alone attack. (Yes Bruce, I already told you this too. Weeks ago. Do read your mail.) The idea is to make the attack completely counterproductive; since the attacker wants that article off the net, if I can make the attack multiply the presence of the article, the attacker will have a serious incitement to stop attacking.
zeeorger wrote:
> You could change the page to a forward reference, with delayed refresh, would download in short order (reduce traffic) - the next page could be made into a php script, delayed dynamic redirects ... with multiframe pages with autorefresh ... screw any system into the ground in short order.
The bots are not likely to follow redirects, nor to even attempt to parse multiframe pages, so this approach is good theoretically, but not likely to work in practice. Think of the bots as dumb downloaders that just fetch the raw data and then throw it away.
Besides, in these situations, you need to avoid everything that's resource-greedy. mod_rewrite is fast, but not if it has to parse a table of thousands of IP addresses for each and every HTTP request to the server. Scripts of all kinds, PHP, perl, whatever, are completely out of the question resource-wise. In fact, even apache itself is too heavy for this kind of thing. One of the first things I had to do in the first hours of the attack was to switch to a stripped-down lighttpd that can handle an order of magnitude more requests than apache without eating up all the CPU.
Thus, the blocking has to be done at a much lower level, as early as possible in the processing chain. iptables is a good friend, ip route an even better one.
> With the right redirects in httpd.conf you could let google scan a regular page and cache what you want - your "page" would exist forever in the search engines of the world ...
Oh, it does already, but I also want it to exist on the rickross.com website. If I'd let it go from there, I would be succumbing to censorship by DDoS. That won't happen.
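An added example, not part of the post above or of the site's actual tooling: one way to turn an access log into the kind of low-level blocks the post prefers (`ip route` blackholes instead of a per-request rule table in the web server). The log format, the path `/reference/article.html`, the thresholds and the documentation-range addresses are assumptions constructed for the illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common/combined access-log prefix: ip, ident, user, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TARGET = "/reference/article.html"  # hypothetical path of the attacked page


def parse_line(line):
    """Return (IPv4Address, datetime, path) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m["ip"])  # IPv4 only in this sketch
        ts = datetime.strptime(m["ts"], TS_FMT)
    except ValueError:
        return None
    return ip, ts, m["path"].split("?", 1)[0]  # ignore query strings


def find_flooders(lines, target=TARGET, min_rate=3.0, min_hits=6):
    """Flag clients that request `target` at >= min_rate requests/second.

    The post reports 3 to 8 requests per second per bot; min_hits keeps a
    reader who double-clicks once from being flagged.
    """
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == target:
            seen[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in seen.items():
        # Log timestamps have 1 s resolution, so count the seconds inclusively.
        span = (max(stamps) - min(stamps)).total_seconds() + 1
        rate = len(stamps) / span
        if len(stamps) >= min_hits and rate >= min_rate:
            flagged[ip] = rate
    return flagged


def aggregate(ips, prefix=24, min_hosts=3):
    """Collapse flagged hosts into one prefix when enough of them share it.

    Fewer routes means cheaper lookups, but every aggregated prefix also
    blocks uninfected neighbours, so min_hosts is a policy decision.
    """
    by_net = defaultdict(list)
    for ip in ips:
        by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].append(ip)
    out = []
    for net, members in by_net.items():
        if len(members) >= min_hosts:
            out.append(net)
        else:
            out.extend(ipaddress.ip_network(f"{ip}/32") for ip in members)
    return sorted(out)


def blackhole_commands(networks):
    """Render iproute2 commands; review them before running anything as root."""
    return [f"ip route add blackhole {net}" for net in networks]


def sample_log():
    """Constructed log lines (documentation address ranges, made-up times)."""
    t0 = datetime(2007, 12, 8, 14, 0, 0, tzinfo=timezone.utc)

    def row(ip, sec, path):
        ts = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 28672'

    rows = []
    for host in (10, 11, 12):  # three bots in one /24, 5 req/s for 4 s
        rows += [row(f"203.0.113.{host}", s, TARGET) for s in range(4) for _ in range(5)]
    rows += [row("198.51.100.7", s, TARGET) for s in range(3) for _ in range(4)]  # lone bot
    rows += [row("192.0.2.51", s * 10, TARGET) for s in range(6)]  # slow human reloads
    rows += [row("192.0.2.50", 5, "/index.html"), row("192.0.2.50", 35, TARGET)]
    rows.append("garbage line that does not parse")
    return rows


if __name__ == "__main__":
    flagged = find_flooders(sample_log())
    for cmd in blackhole_commands(aggregate(flagged)):
        print(cmd)
```

The `min_hosts` trade-off is the same one visible in this thread at a larger scale: blocking by prefix or by country is cheap for the server, and it also catches uninfected users who happen to share the range.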
> I wrote:
> > R. Hill wrote:
> >> Since a few days, I haven't been able to reach rickross.com, obtaining a "bad request" page instead.
> > Run an updated virus scanner on your machine. I mean it. Then e-mail me your IP address so I can unblock you.
> I checked your address (assuming it's the same that google shows as posting-host). It's not explicitly blocked, so you are not infected as far as I can tell. However, you happen to be in one of those odd countries with many infected machines and unresponsive ISPs, so I have pointed the entire country to the attacker's server.
> <clicketyclick>
> No longer. He's attacking by IP address now, so there's no point anyway. As soon as your ISP's DNS cache expires you'll be able to reach www.rickross.com again. The TTL is intentionally very short.
> Z
It works from my end now, thanks.
I am still perplexed by one thing from this individual: apparently, he doesn't want people to see this article in which he is named. However, I can't understand why his blog would actually list this article if he doesn't want people to see it. Strange.
> R. Hill wrote:
> > Since a few days, I haven't been able to reach rickross.com, obtaining a "bad request" page instead.
> Run an updated virus scanner on your machine. I mean it. Then e-mail me your IP address so I can unblock you.
> > What is going on? Something is trying to "handle" to Internet?
> No, just me trying to handle a DDoS attack. Details below.
> JAFAW wrote:
> > I read that blog entry. I dunno bout all the technical stuff but he really has a go at Rick Ross and his tech guy. Very cultish dead-agent style personal attack nonsense. Most bizarre.
> Elsewhere has Raisley copy/pasted long chunks from my DA page on religiousfreedomwatch, so yes, you could say it's cultish. But as far as anyone knows or can guess, the CoS has nothing to do with this. In fact, I'm certain they don't.
> zeeorger wrote:
> > It sounds more like a DNS cache poisoning attack, which would explain why you got re-directed to the blogger's site.
> No cache poisoning, just plain DNS answer differentiation. Anyone familiar with BIND's views will know how this is done, although in this case it was done differently.
> Here's the story. By some weird coincidences I ended up doing system administration for rickross.com some time ago. On October 1, I noticed a DDoS attack against one particular page, http://www.rickross.com/reference/perverted_justice/perverted_justice... It was nothing the server couldn't handle, but better watch it anyway.
> Three hours later I was sitting with my hands in my hair. The DDoS was growing by the minute and I had hell on earth trying to block left and right. It cost me hell, but the server stayed up.
> The attack consists of rapid HTTP requests, 3 to 8 per second, for a 28 KB page, and comes from an average of 5.000 bots, with peaks around 11.000. Do the math. If all these requests were fulfilled, using averages, the outgoing traffic alone would be 5.000 x 5 x 28KB = 680 MiB/s. Megabytes, not megabits, which translates to a volume of roughly 60.000 GB per day. On top of that we had a fairly big ICMP attack coming in. Of course I kept blocking and blocking, so even if the server on a couple of occasions was overloaded, it never came anywhere close to collapsing.
> Usually, when a DDoS fails, the attacker moves on. Not in this case though. The attack has persisted ever since, for a whole two and a half months without interruption. Keeping on top of such a thing day after day, week after week, is tiresome and ends up being Very Annoying.
> So I researched the attack, together with Rick. By now we know its origin, its reasons and also the guy behind it. I even phoned him to see if I could talk some reason into him, but he's as cuckoo as they get.
> There are three ways to deal with a thing like this: give up, defend, or counterattack. One thing I learned already as a kid is to never, ever, for any reason and under any circumstances, give in to extortion. The attacker is an extortionist; what he says is simply "if you don't remove that page from the web, I will cause you a lot of pain". Well, that page will be removed from the web over my dead body. (He is also one of those stupidly aggressive characters, because if he only had picked up the phone instead of launching a DDoS attack, called Rick, and asked for his name to be removed from the page, Rick would happily have obliged. Too late for that now though.)
> So I defended. And when I got sick and tired of defending, I attacked back. Kind of.
> Almost 75% of the bots are concentrated in Greece, the rest are mainly in the adjacent countries; Montenegro, Serbia, Turkey, Croatia, Slovenia, with some odd ones in other parts of the world. 97% of the legitimate visitors of rickross.com are concentrated in the US, with the rest in Canada, the UK and some odd ones in the rest of the world. The resulting equation makes sense, so I fed the bot countries fake DNS data, pointing them to a machine owned by the botmaster, while the rest of the world could still visit the site as usual. Perfect bliss: the attacker was attacking his own machine, while we got a moment of peace in which to contemplate the next step. It took three weeks for the attacker to realise what happened, although I kept him updated from day one. Bruce, you should really read your n9...@hotmail.com account, it's in your own interest. I always play with (almost) open cards, ask around and people will confirm.
> So just a couple of days ago he switched to IP address-based addressing and my DNS trick works no more. Therefore, I'm moving on to the next: creating mirrors of the attacked article at a rate faster than the attacker can count, let alone attack. (Yes Bruce, I already told you this too. Weeks ago. Do read your mail.) The idea is to make the attack completely counterproductive; since the attacker wants that article off the net, if I can make the attack multiply the presence of the article, the attacker will have a serious incitement to stop attacking.
> zeeorger wrote:
> > "Mr Bruce Raisley looks to be an Internet loony, at least his blog on the subject is several BTs short of a cluster"
> > ... probably explains WHY he is getting hit with a DDOS attack.
> Ehum, rather the exact opposite.
Bruce Raisley appears to be attacking anything with his name and "NBC" to erase the information about him, as indicated on several other articles. He's been DOSsing other sites as well for a few months. He would grope at anything including redirecting to RFW at the present time. (And this is a reminder to those attacked on this group by perverts, Tory comes to mind. and the overnight, pearly correction of behavior noted.
bruceraisley.blogspot.com/ -----Don't go to this site text here:
Dec 9, 2007
More on DDOS
The main brunt of the DDOS(Distributed Denial of Service) attack has now died down.
I have researched this guy, Rick Ross. It seems this former jewel thief hates religion. Almost every religion is slandered in some way or another on his site.
The Church of Scientology seems to hate him more than the others. The Church of Scientology is not a religion at all. But that is my personal opinion. I don't disagree with their right to worship as they please.
In the United States we are all free to choose our own religion; I don't think any one has the right to dictate what or how we believe.
Rick Ross disagrees with me. He [sick] believes no one has the right to a religion and he has the right to brainwash anyone who does. He will even go as far as to kidnap some one to do his [sic] deprogramming as he calls it.
I don't believe Mr. Ross has anything to do with the attacks on my server.
The Rickross web site has been under DDOS attacks since March of 2007, as you can see they have also laid blame to purported "cult" called "NXIVM,".
About a month ago I received a call from Zennon Panoussis. He accused me of doing a DDOS on the site and claimed that rickross.com was his [sick] site.
There are those who believe the problem is DNS poisoning, I don't. I have noticed several countries and entire DNS zones are given the incorrect IP (A-record) for www.rickross.com, countries like Brazil and Korea. It is possible that is where the brunt of the DDOS that was targeting rickross.com was coming from. Zennon may have gotten the bright idea to return the IP of my server for those zones. This type of DDOS reflection is not new. The owners of bluesecurity.com changed their IP to the Sixapart servers after they were attacked.
Mr. Ross needs to evaluate who he uses to administer his server. I have enough DDOS server logs to print on paper from New-York to LA. They all contain access requests to pages that are nowhere on the Net but his site.
Rick, you can thank your girly-boy friend for sending half the world to a site that will expose you.
Posted by Bruce Raisley at 7:41 PM 0 comments
Friday, December 7, 2007 DDOS Distributed Denial of Service Attacks
Recently one of my machines has been receiving a DDOS. I am getting about sixteen gigabytes a day in requests for pages that don't exist on that machine. This is below the maximum bandwidth I have for the machine so it is not affecting me economically, plus the thing has 100 gigabytes per second access to the internet. The attack is more like a mosquito but I have noticed the itch. I have investigated the attacks. About ten thousand machines are making the request to a page about perverted-justice. There are also religious and cult pages that are requested.
Here are some of the pages these bots are looking for.
A quick search of the internet and I find all these pages are on rickross.com. This [sick] website claims it is in the U.S., but like most frauds it is not. The site is run by a guy named Zenon Panoussis. You can look him up on Wikipedia. Mr. Panoussis has been launching a DDOS,
R. Hill wrote:
> I am still perplexed by one thing from this individual: apparently, he doesn't want people to see this article in which he is named. However, I can't understand why his blog would actually list this article if he doesn't want people to see it. Strange.
Rule #1 of social interaction: never ascribe to complex ratio what can be explained by simple plain stupidity.