OcUK DDoS attack - £10,000 reward

[Septh]

You know what's worse? Because I couldn't get on the forums today I actually had to do something productive

Indeed I've been very bored without them! I have no where online to hang out on!

This might not be much help, but Isohunt thought it was being DDoS'd the other day but it turned out to be dodgy IE plugin to do with reading rss feeds
Its was assumed it was a DDoS because of where the ips were coming from, below is from their news:

"Starting a couple hours before midnight GMT on 10-Jan-2009 we started receiving a lot more requests and traffic than we would normally have at that time of day, which topped out at 8500 CPS (connections per second) before we could get in, figure out what was happening and act to mitigate it. Thankfully, the folks that attacked us the first time made it fairly easy for us to locate and filter their traffic, since I don't think there are many people living in South America or Asia who legitimately run their browsers in Russian Smile

Update: it turns out that the /js/rss hits aren't actually a DDoS like I originally thought, and is instead the fault of one of those silly IE "toolbars" that refused to respect the TTL we set in our RSS feed. Currently testing a fix, and if the fix works, I'll be sure to turn RSS back on again.

SecretSquirrel wrote:
Rounds 2 and 3 weren't so generous. Round 2 had 171,892 unique ips all hitting /js/rss.php. Round 3 is ongoing and we're still struggling to find a way to mitigate the attack beyond completely turning off our rss (which is where things stand now). So, if you've used our RSS in the past, or are attempting to use it now, and are legitimate, I would suggest that you stop using our feed until we get this figured out (which will be accompanied by a post to the front page stating that rss feeds are back on).

If you're reading this, and you're responsible for any of these attacks, I would like to give you the opportunity to be heard. You may either PM me on the forums or send us an email at admin@this site's domain."

 

[willhub]

It's probs an evil person from that other forum smiley wink wink zoom.

 

[Chimerical]

Are we absolultely sure this isn't just an effect of Yantorsen's spamming?

If thats the case try suspending Tefal, Dangerstat, Pilky01 and Yantorsen all at the same time for a week. This will fix the problem.

 

[Nick1881]

Good to see us back to speed, been really bad all day. I had no idea the cause was something so sinister. Hope you catch those responsible.

 

[Heliospherez]

When he gets caught, can you stick a picture of him/her/them up of the website for us to have a laugh at.

 

[scorza]

I really, really hope this ddos attack isn't as a result of some petty disagreement on these forums. That would be really

 

[Solari]

I really, really hope this ddos attack isn't as a result of some petty disagreement on these forums. That would be really

I blame Fox

 

[Napaim]

If I read up on this right, does it infect other PC's?

If so, would there be symptoms?

Maybe could find it that way.

Well it's normally in the form of a virus, if you have a good av and have no popups then you're likely fine, do a netstat to check outgoing connections and check your process list.

 

[Logsi]

IGNORE

 

[Gaygle]

Well it's normally in the form of a virus, if you have a good av and have no popups then you're likely fine, do a netstat to check outgoing connections and check your process list.

How does someone distrubute a virus to thousands of computers?

If thats the case try suspending Tefal.

According to Azza's thread, Tefal has just "taken off" and just got up and left. The thread only lasted like 3 minutes, but it seems like Tefal is no more!

 

[Maccy]

That other forum was the first thing that came to mind, although thinking about it now it probably wasn't.

 

[regulus]

Ah, thought something fishy was going on. The past few days I couldn't even access the main site at times, never mind the forums. Hope you catch the scum!

 

[Neil79]

Maybe someone is annoyed over an RMA?

 

[Rroff]

netstat may be rooted tho... you need a router with the ability to list connections or a *nix shell that can list network stuff.

 

[dangerstat]

If thats the case try suspending Tefal, Pilky01 and Yantorsen all at the same time for a week. This will fix the problem.

Fixed

I read earlier up about some of the attacks being from overseas, I'd imagine that not being a huge problem, if you have a decent host you should be able to "stop" these packets upstream (and without much economic costs as OCUK are going to have like 95% UK based customers). You have to filter in tiers. What is concerning is that I think OcUK had / have blocked certain Ip *ranges* that are UK based, which anyway you look at it are going to be an absolute pain in the back side for Spie et al. Once gain all the best o luck lads.

 

[OzyOly]

I hope they arrest those responsible and show them that this kind of thing is breaching the law.

Lets see how l33t they are when they are getting an ass raping for being a noob in prison.

 

[alex24]

Well it's normally in the form of a virus, if you have a good av and have no popups then you're likely fine, do a netstat to check outgoing connections and check your process list.

Any guides/tips on how to check properly? Might be worth a go.

 

[Antx777]

I'm also part of the 1/10 peeps, who don' have an inkiling of who is suspect

Reading someones post Above RE: constant pressing of refresh button was disregarded by Spie. However, there can be "Unintentional" attacks.


---------------------------------------------
WIKIPEDIA

""UNINTENTIONAL ATTACK""

"This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story. The result is that a significant proportion of the primary site's regular users — potentially hundreds of thousands of people — click that link in the space of a few hours, having the same effect on the target website as a DDoS attack"""""""


It is Wednesday, "This-week-only" (offers) Just a thought thats all!

~Ant

 

[dangerstat]

Any guides/tips on how to check properly? Might be worth a go.

netstat -a

is a useful command, if you want to see *exactly* what you NIC is doing download something like Ethereal.

 

[Wiggins]

Its removed

Stone him.

joking

On a lighter note: