DDoS Attack

[NUance]

Looks like a Distributed Denial-of-Service Attack tonight boys. They created several hundred Korean language threads in the basketball and football forum.

I'm banning as fast as I can. But can we prevent new members from joining temporarily?

 

[NUance]

Here is the Whois data on one of the accounts I banned:

========================================================================

Whois IP 61.251.27.52
Updated 1 second ago
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '61.248.0.0 - 61.255.255.255'

inetnum: 61.248.0.0 - 61.255.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
status: ALLOCATED PORTABLE
source: APNIC
mnt-irt: IRT-KRNIC-KR
changed: email@apnic.net 20010321
changed: email@apnic.net 20010606

irt: IRT-KRNIC-KR
address: Seoul Songpa-gu Jungdae-ro 135
e-mail: email@nic.or.kr
abuse-mailbox: email@nic.or.kr
admin-c: IM574-AP
tech-c: IM574-AP
auth: # Filtered
mnt-by: MNT-KRNIC-AP
changed: email@nic.or.kr 20150513
source: APNIC

person: Host Master
address: 135 Jungdae-ro Songpa-gu Seoul
country: KR
phone: +82-2-405-5118
e-mail: email@nic.or.kr
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: email@nic.or.kr 20160315
source: APNIC

% Information related to '61.251.16.0 - 61.251.31.255'

inetnum: 61.251.16.0 - 61.251.31.255
netname: KINXINC-KR
descr: KINX
country: KR
admin-c: MI443-KR
tech-c: MI443-KR
status: ALLOCATED PORTABLE
mnt-by: MNT-KRNIC-AP
mnt-irt: IRT-KRNIC-KR
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: email@nic.or.kr
source: KRNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)

 

[NUance]

Not a very extensive DDOS attack. There were a half dozen or so new members who posted a few hundred threads in the basketball and baseball forums. All are banned now, and their threads are in the junkyard.

What if there had been a hundred new members? Or a thousand? Do we have a way of preventing new members from starting more than a couple of threads each, per day?

 

[NUance]

I also notice there have been about 300 350 guests on HB four the past couple of hours. Most of them are viewing the Community Index. A few of them are searching HB. The guests mostly have overseas IP addresses. Here's a sampling:

202.46.57.162(ShenZhen,China);

163.172.66.107(France);

164.132.161.23(France);

51.255.65.28(France);

163.172.65.118(France);

104.129.3.229( Los Angeles)

120.27.35.11(Beijing, China)

Can guests use the HB search function? I thought you had to be logged in to search HB.

:

Is there any info from the Community Index that could be used to hack into HB or user accounts?

 

[AR Husker Fan]

It appears to simply be a script. The default "challenge/response" question had never been changed - I've changed it and made it Husker-specific, but broad enough that anyone registering can answer it (Question - What colors are worn by the Huskers Acceptable Answers - Red and White, Scarlett and Cream).

We pretty much have to allow searches by anyone or we'd be kicking out Google or other reliable search bots, which would harm folks finding us.

Sorry, everyone. Let's hope this change does it.

 

[zoogs]

Is that case sensitive?

 

[AR Husker Fan]

Don't think so, zoogs. At least, nothing that indicates it is.

We've had one attempted registration since I set up the Question and Response, and it's sitting there in the Validating spot, so I'm thinking it might be working.

EDIT: Got another - baseballdeacon. Stuck in validation. IP address is reported to be "toxic" by stopforumspam.com. So, looks like it's working.

 

[NUance]

Hey, thanks to whatever mod combined all those Korean threads in the Junkyard. It didn't occur to me to do that, or I would have taken care of it myself. I was most concerned about getting all those guys banned, and clearing their crap threads out of the basketball and baseball forums before they clogged up the whole board.

 

[Mavric]

Hey, thanks to whatever mod combined all those Korean threads in the Junkyard. It didn't occur to me to do that, or I would have taken care of it myself. I was most concerned about getting all those guys banned, and clearing their crap threads out of the basketball and baseball forums before they clogged up the whole board.

No problem.

You did all the heavy lifting by getting them moved and banned. I was just the janitor doing the cleanup on aisle 5.

 

[Saunders]

I've been super busy and haven't been on here much lately, but I just wanted to say thanks to you guys for taking care of this so quickly and efficiently. Ya'll do a good job!

 

[Mavric]

We getting hit with something again or just slow? Pages don't seem to want to load right?

 

[AR Husker Fan]

No registrations occurring at all today. Page seems to load okay for me. Is it all pages or a particular page?

 

[Mavric]

Yeah, now that I look around a bit the main page and forum pages load fine. But any threads won't load completely.

They load probably 90% and I can see all the posts but the quotes don't show up right, it doesn't jump to the first unread post, the footer doesn't load and it just sits there and spins like it's still trying to load something.

 

[Mavric]

Seems to be an issue in Chrome but not IE