Stardot hit by an attack over the weekend

[rubber_jonnie]

Looks like Stardot got hit by an attack over the weekend, I was unable to access the site all yesterday and had some issues on Saturday too.

We are not alone in being attacked...

[exxos]

AF is being hit just like us. I think the German forum and others were being hit at and went down at some point also.

We have around 2,000-5,000 IPs hit us each day multiple connections. It's not that much, but if not banned thousands of new ips per day add up up tens of thousands then hundreds of thousands of connections. Then after a few days the server runs out of resources.

I've seen 2 ISPs get hacked and they start hitting sites like our forum. It was big news in the USA at the time. The problems get rather complex when you look into what's going on more closely.

[exxos]

Looks like they turned off guest access https://www.stardot.org.uk/forums/ ?

Thing is, while forum wiki attacks are common, a lot of attacks happen on the route domain. We redirect to the forum URL, so when I see lots of hits to the route domain without redirects I know something is wrong. At that point the forum isn't even being hit. So turning off guest access doesn't really help all that much.

Then there's server attacks which don't even show up in the nginx / Apache logs, like port scanning, DDoS type attacks..Then bad bots / scrapers etc Its why it took me such a long time to work though all the attack vectors. Its really mindblowing what goes on.

[rubber_jonnie]

Yeah, it's not good at all.

If the attack is purely malicious to bring I site down, I just don't get it though, what possible gain is there just to stop access?

I do understand if it's an attempt to break in though, as we have plenty of PII that could be stolen.

The world has gone to pot.

[exxos]

Yeah it's odd. I think most are just script kiddies using hacking tools from like 20 years ago. They don't rate limit and cause the server to crash. It looks like a ddos type attack but I don't think it is.

BUT. I had a site hacked years ago when I wasn't even hosting my own server. It was when there was a bug when people could write code to the end of pages like index.html. They would put their hacking logo there and brag on hacker forums how many sites they hacked.

Possible people may be seeing how many sites they can crash but like you say. No real point. It will be the small hobby servers which will go down first. Easy pickings really.

Most attacks seem to be looking for vulnerabilities which were patched years ago. A lot simply seem to be very badly setup hacking bots.

Then you get fake Google bots. You first think they are not obeying robots.txt, they generally are, just hackers are making it look like Google Amazon bots etc. I've got scripts scanning and verifying bots which claim to be Google are actually Google..

The list of what hackers do is almost endless. It's very difficult to detect them all.

[rubber_jonnie]

The list of what hackers do is almost endless. It's very difficult to detect them all.

Indeed it is, and there are a lot of sophisticated tools available either free or for rent/purchase from the shadier parts of the web, so definitely possible its people just trying their hand and think it's fun to break a site.

Of course it could also be a trial run for something bigger down the line, I guess you have to learn somehow.

[exxos]

Of course it could also be a trial run for something bigger down the line, I guess you have to learn somehow.

Yeah a learned a hell of a lot over the past year.. Problem is with AI in the mix now.. The script kiddies may start getting "clever".. But at least I have AI also ;)

[rubber_jonnie]

Of course it could also be a trial run for something bigger down the line, I guess you have to learn somehow.

Yeah a learned a hell of a lot over the past year.. Problem is with AI in the mix now.. The script kiddies may start getting "clever".. But at least I have AI also ;)

Yeah, AI isn't helping IMHO, but there you go.

[exxos]

They have a single post up now...

Good morning all

Over the weekend (12-13th July) we have experienced unprecedented traffic levels, resulting in unwanted downtime. I attempted to mitigate this as best I could, however my efforts this time around rendered marginal improvements, and on the advice of 1024MAK, and others, I decided to make the forum private. This, combined with several other techniques, including blocking many IP ranges - which is simply whack-a-mole and temporary at best - means it looks like things have settled down for now.

For the time being, the forum will remain log-in only, until we have more robust processes in place to prevent this kind of outage happening in the future.

Making the forum private won't help much :(

whack-a-mole indeed. It's why I took me months of work to clamp it all down.

[rubber_jonnie]

whack-a-mole indeed. It's why I took me months of work to clamp it all down.

Not really fun for what probably isn't your full time job...