Author Topic: Yet another DDoS  (Read 16367 times)

Conan

  • Postcount killed Trogdor
  • *****
  • Posts: 846
  • E-points: +44/-12
  • ¯\(°_o)/¯
    • View Profile
Yet another DDoS
« on: October 15, 2014, 01:01:20 am »
It was bound to happen eventually.

As usual, FA jumped to conclusions on Twitter. First, the problems were reported as "lag" (Instead of, you know, "connectivity issues" or some actual term not from bideo gamez), which prompted the kneejerk reaction of putting the site into magical, mystical, fix-everything "Read-Only" mode.

Site is in read-only mode for an estimated 5-10 minutes while we continue looking into lag/inaccessibility issues.

Though, a post on FA Forums puts it differently, with Dragoneer making a point to remind people that the site is still "up", you just can't get to it!!!

Our host is currently experiencing connectivity issues which is causing problems access the site. The site is still online, just inaccessible.

Later, their host informs them it was a DDoS attack that took out more than just FA:

Our ISP has followed up. The downtime has been caused by a massive DDOS which took out FA and several other sites.

FA then throws the Irony machine into maximum overdrive:
When you DDOS a site like FA you don't hurt us as much as you hurt the artists who use the site to make a living. We hope you're happy.

So just keep in mind, when you DDoS FA, you're hurting the artists who rely on FA to make a living. But if FA goes down for days to weeks at a time due to their own gross incompetence, "IT'S A FREE SITE YOU SHOULDN'T RELY ON FA HLAUGHLAUGLHULAUGH PLEASE RAPE MY FACE".

As usual, when confronted with DOWNTIME, Dragoneer took to Twitter and decided to reply to people making jokes with bizarre promotions of other sites.


The last tweet on the matter was that the the host was "securing their routers", whatever that means.
Our ISP is working on an investigation of the DDOS and securing their routers. Once done, FA should be back up.

However, Dragoneer posted the response from InfoRelay on FA Forums:

Quote
"InfoRelay experienced intermittent network connectivity issues during 10:10pm - 11:13pm on October 15th, 2014. This issue was caused by large attack on our network at the IAD2 facility. Our Network Administrators have confirmed that the DDoS attack has been originated from your IP block, this attack was causing issues for other customers in the IAD2 facility. To resolve the issue we were forced to blackhole the netblock, after the change was made connectivity has been stable at the IAD2 facility for the past hour.

Our Network Administrators will follow up on this issue, please standby for an update."

I'd like to point out the "the DDoS attack has been originated from your IP block" part, which appears to indicate InfoRelay is bad at English, or someone found a new exiting way to exploit FA, which caused it to DDoS the datacenter it is in.


nrr

  • Sean Piche Fan Club
  • Cabalistic Fuckhead
  • **
  • Posts: 125
  • E-points: +8/-3
  • OMG SO CUTE ^__^
    • View Profile
Re: Yet another DDoS
« Reply #1 on: October 15, 2014, 05:14:05 am »
I'd like to point out the "the DDoS attack has been originated from your IP block" part, which appears to indicate InfoRelay is bad at English, or someone found a new exiting way to exploit FA, which caused it to DDoS the datacenter it is in.

Sigh.

I wouldn't read too much into the particulars of the language being used there; they're probably talking to a NOC person, who likely doesn't have the level of give-a-fuck required to communicate the most effectively.

Nevertheless, if this becomes a trend, and they start disrupting service for other customers, InfoRelay may ask them to leave.
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

DJ_Izumi

  • *
  • Posts: 33
  • E-points: +1/-17
    • View Profile
Re: Yet another DDoS
« Reply #2 on: October 15, 2014, 05:19:55 am »
When you DDOS a site like FA you don't hurt us as much as you hurt the artists who use the site to make a living. We hope you're happy.

"When you DDOS a site like FA you don't hurt us so much as you increase Weasyl's userbase!  Please stop!

Seriously, have you noticed this?  The two biggest boosts in Weasyl's usage has been FA's October 2013 outage and then the Rape Outrage of early 2014.



The two spikes you see, which do level off but still show significant lasting growth in the aftermath?  That's ALL thanks to FA.  The greatest thing that's ever happened to Weasyl has been FA's fuckups.  If this one lasts we should see another spike.

Dima

  • *
  • Posts: 47
  • E-points: +7/-2
  • Inadequate
    • View Profile
Re: Yet another DDoS
« Reply #3 on: October 15, 2014, 08:38:19 am »
Seriously, have you noticed this?

I feel it's my duty to point you in the direction of this thread.

GreenReaper

  • transphobic shitheel raccoon puppetmaster
  • **
  • Posts: 136
  • E-points: +12/-28
  • Rambling norn
    • View Profile
    • GreenReaper Studios
Re: Yet another DDoS
« Reply #4 on: October 15, 2014, 12:26:18 pm »
I'd like to point out the "the DDoS attack has been originated from your IP block" part, which appears to indicate InfoRelay is bad at English, or someone found a new exiting way to exploit FA, which caused it to DDoS the datacenter it is in.

Sigh.

I wouldn't read too much into the particulars of the language being used there; they're probably talking to a NOC person, who likely doesn't have the level of give-a-fuck required to communicate the most effectively.

True. But given how many old servers FA has hanging around in its rack, the chances of one of them being compromised and turned into a bot is far from zero. Would it really take this long to get FA back up if it one of the other servers on the block were responsible?

Conan

  • Postcount killed Trogdor
  • *****
  • Posts: 846
  • E-points: +44/-12
  • ¯\(°_o)/¯
    • View Profile
Re: Yet another DDoS
« Reply #5 on: October 15, 2014, 01:19:40 pm »
Tell me, why would Net-Cat have to stay up late to work with InfoRelay to "diag[nose] the problem" if they were simply the target of the DDoS?

We'd like to thank @thevirtualcat for staying up 'til 2:00am working with our host and helping diag the problem.

Something tells me they had a box get compromised, or Yak finally did what we all thought he was going to do.

GreenReaper

  • transphobic shitheel raccoon puppetmaster
  • **
  • Posts: 136
  • E-points: +12/-28
  • Rambling norn
    • View Profile
    • GreenReaper Studios
Re: Yet another DDoS
« Reply #6 on: October 15, 2014, 03:10:43 pm »
SoFurry and Inkbunny are now under attack.

JigsawJones

  • Posts: 21
  • E-points: +0/-0
  • Uninitiated Rube
    • View Profile
Re: Yet another DDoS
« Reply #7 on: October 15, 2014, 03:49:49 pm »
SoFurry and Inkbunny are now under attack.

>>DDOS on Sofurry

How can you tell?

winserv03fan

  • Dumbest Username Award - May 2012
  • *
  • Posts: 84
  • E-points: +6/-9
  • A Duck!
    • View Profile
Re: Yet another DDoS
« Reply #8 on: October 15, 2014, 04:02:33 pm »
Weasyl as well:


GreenReaper

  • transphobic shitheel raccoon puppetmaster
  • **
  • Posts: 136
  • E-points: +12/-28
  • Rambling norn
    • View Profile
    • GreenReaper Studios
Re: Yet another DDoS
« Reply #9 on: October 15, 2014, 04:03:09 pm »
Well, they said so. As for IB, I say so, though it seems like whoever it is just bought an hour.

Edit: And then another hour. :-)

nrr

  • Sean Piche Fan Club
  • Cabalistic Fuckhead
  • **
  • Posts: 125
  • E-points: +8/-3
  • OMG SO CUTE ^__^
    • View Profile
Re: Yet another DDoS
« Reply #10 on: October 15, 2014, 04:45:53 pm »
True. But given how many old servers FA has hanging around in its rack, the chances of one of them being compromised and turned into a bot is far from zero. Would it really take this long to get FA back up if it one of the other servers on the block were responsible?

Granted, and this right here is what we call a Reasonable Deduction™. I don't particularly mean to sound condescending, but congratulations on showing capacity for logical reasoning.

That said, with intelligently implemented monitoring in place (and I'm talking using a TSDB and employing some form of hysteresis and the accompanying data analysis, not simply Nagios' "CRITICAL: oh, this is broken"), it's generally pretty easy to figure out where things are not right. Oh, wait, this is FA we're talking about here…
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

rodox_video

  • Posts like Kage drinks
  • ****
  • Posts: 641
  • E-points: +61/-14
  • HURF DURF DUH BLUH
    • View Profile
Re: Yet another DDoS
« Reply #11 on: October 15, 2014, 07:51:00 pm »
They'll be back in less than a week. Nothing short of the Surprise Truck is going to kill FA and you know it.
Zeriara is part of a series on Whores.

nrr

  • Sean Piche Fan Club
  • Cabalistic Fuckhead
  • **
  • Posts: 125
  • E-points: +8/-3
  • OMG SO CUTE ^__^
    • View Profile
Re: Yet another DDoS
« Reply #12 on: October 15, 2014, 08:00:54 pm »
They'll be back in less than a week. Nothing short of the Surprise Truck is going to kill FA and you know it.

Wow, yeah, you're right. Damn.
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

Fate

  • James Woods with a Handgun and a Hardon
  • *
  • Posts: 58
  • E-points: +9/-2
  • Talking Asshole
    • View Profile
Re: Yet another DDoS
« Reply #13 on: October 16, 2014, 05:02:02 am »
Once again, FurAffinity shows that it has fantastic administration from the ground up. Film at fucking 11.

Conan

  • Postcount killed Trogdor
  • *****
  • Posts: 846
  • E-points: +44/-12
  • ¯\(°_o)/¯
    • View Profile
Re: Yet another DDoS
« Reply #14 on: October 16, 2014, 05:10:28 am »
Just want to point out that their secondary netblock is still operational, where one server lives running a version of Apache that was released in 2006. Naturally, it is running some FOSS network monitoring software.

net-cat-talking-about-not-ignoring-security-concerns.txt


Fate

  • James Woods with a Handgun and a Hardon
  • *
  • Posts: 58
  • E-points: +9/-2
  • Talking Asshole
    • View Profile
Re: Yet another DDoS
« Reply #15 on: October 16, 2014, 05:11:37 am »
Wonder if they're running updated bash on their boxes.

nrr

  • Sean Piche Fan Club
  • Cabalistic Fuckhead
  • **
  • Posts: 125
  • E-points: +8/-3
  • OMG SO CUTE ^__^
    • View Profile
Re: Yet another DDoS
« Reply #16 on: October 16, 2014, 05:19:52 am »
Wonder if they're running updated bash on their boxes.

Considering that /bin/sh isn't bash on FreeBSD, I'm not particularly sure they really have to. You do kinda have to go out of your way to use /usr/local/bin/bash as $SHELL there.
im glad the "I saw a furry IRL" thread is so good at bringing goons together

YOUR PARTICIPLES AREN'T THE ONLY THINGS DANGLING

Conan

  • Postcount killed Trogdor
  • *****
  • Posts: 846
  • E-points: +44/-12
  • ¯\(°_o)/¯
    • View Profile
Re: Yet another DDoS
« Reply #17 on: October 16, 2014, 06:30:24 am »
Wonder if they're running updated bash on their boxes.

Considering that /bin/sh isn't bash on FreeBSD, I'm not particularly sure they really have to. You do kinda have to go out of your way to use /usr/local/bin/bash as $SHELL there.

I believe their primary boxes are FreeBSD, but I seem to recall in the past that some of the VMs ran CentOS (One of them for a while had the "Apache powered by CentOS" placeholder page). Though I find it hard to believe that a single compromised VM would be able to do the amount of damage they claim was being done.

pmart

  • *
  • Posts: 39
  • E-points: +2/-0
  • BAWWWWW
    • View Profile
Re: Yet another DDoS
« Reply #18 on: October 16, 2014, 12:28:45 pm »
Not only is FA still down, SoFurry is too.

Inkbunny's downtime was part DDoS, part maintenance:


winserv03fan

  • Dumbest Username Award - May 2012
  • *
  • Posts: 84
  • E-points: +6/-9
  • A Duck!
    • View Profile
Re: Yet another DDoS
« Reply #19 on: October 16, 2014, 05:12:16 pm »
Just took a look at FA and it looks like they're running through cloudflare now:


Oh boy...