The Education Forum
Andy Walker

Denial of Service attacks

It is increasingly my view that on 5th July we witnessed a small scale denial of service attack on this board with an enormous increase in bandwidth usage. Back in February we experienced a similar but much larger attack which resulted in us being knocked off line for a few days.

This message is a warning to whosoever is doing this that my suspicions have been reported to the software suppliers who are currently investigating the IPs involved. Once I have some solid evidence I will be reporting the matter to the police :)


The Web as a whole has a habit of slowing down or locking up on certain days. I am never sure whether it's my system, my ISP or some external force. But I think I can trace a couple of "slow days" to the release of new viruses over the last few months. New variants of the Lovgate virus appeared in early July, and SomeFool (aka Netsky) is bombarding my mailbox 20-40 times per day.

The Web as a whole has a habit of slowing down or locking up on certain days. I am never sure whether it's my system, my ISP or some external force. But I think I can trace a couple of "slow days" to the release of new viruses over the last few months. New variants of the Lovgate virus appeared in early July, and SomeFool (aka Netsky) is bombarding my mailbox 20-40 times per day.

Unfortunately the facts are that we have suffered denial of service attacks before. The last time it happened I traced it to one independent school and reported it to their service provider who took the necessary steps. I believe that 5/7 revealed the first signs of a similar attack in progress. I would urge all administrators and moderators to be vigilant. Particularly please check the online users button regularly and check for abnormal traffic. Report any suspicious activity to me.

It disappoints me that there are people who would like to see this forum pushed offline :)

The Web as a whole has a habit of slowing down or locking up on certain days. I am never sure whether it's my system, my ISP or some external force. But I think I can trace a couple of "slow days" to the release of new viruses over the last few months. New variants of the Lovgate virus appeared in early July, and SomeFool (aka Netsky) is bombarding my mailbox 20-40 times per day.

Unfortunately the facts are that we have suffered denial of service attacks before. The last time it happened I traced it to one independent school and reported it to their service provider who took the necessary steps. I believe that 5/7 revealed the first signs of a similar attack in progress. I would urge all administrators and moderators to be vigilant. Particularly please check the online users button regularly and check for abnormal traffic. Report any suspicious activity to me.

It disappoints me that there are people who would like to see this forum pushed offline :)

I encountered an attack like this a few years ago. It is possible that it is the same person behind this attack.

What happened was that my main source of income was a company that provided click-through advertising. They informed me that someone was attempting to rig the system by constantly clicking on the adverts. At first they thought I was behind this scam. They changed their mind when I called in the police (there is a special unit that deals with this kind of behaviour). The company and the police were able to trace the computer to a chemist shop in Brighton. It seems that the man behind it was a young man employed to set up the shop’s computer system. He disappeared when the police were called in. Obviously he had been paid to set up this software to constantly click on the ads. He knew the company’s system would pick up on this and that my contract would be revoked.

There were two possible suspects. Both had close links to Brighton. One was a man who ran an educational website. Although based in London he lived in Brighton. He had invested heavily in this website and hoped to sell it on to one of the large media corporations. However, he had failed to do this and had now reached the second-round funding stage. As a result of his low web traffic he was not able to do this. Therefore he tried to buy my website. The plan was to integrate my website with his so that he could claim my traffic (and the revenue it was bringing in). After long negotiations I decided that he was not offering me enough money for the site. This made him very angry because the decision would force him into bankruptcy. I therefore suspected that he was trying to cut off my revenue stream in order to force me to sell the website to him.

The other suspect was an individual who I had upset a few months previously. At the time I wrongly thought it was much more likely to be the first suspect. As he had failed in his attempt to hurt my business (I was in fact able to negotiate a more lucrative deal as a result of this scam) I decided not to get the police to carry on with the investigation. I now realise this was a mistake as it would have revealed that the perpetrator was suspect 2 rather than suspect 1.

There is a chance that the current problem is being caused by the same person. The software causes the same page to be constantly requested. This makes it very difficult for real users to access the page. It seems we will have to call in the police again. This time I will insist that the investigation discovers who the culprit is.

Guest Andrew Moore

Much of this activity is malicious, but it is rarely personal - it's mostly automated. In the UK the Nachi virus was particularly effective last September. Why?

A lot of teachers took home laptops, and used them, without protection over the summer holidays. Then came back to school and attached them to the school networks, many of which instantly became spam/virus factories.

Our county network guru has this year taken some radical steps, with the school network managers, to head off the problem at the pass.

I'm not sure what the service is for this board, but can speak with some more authority about our county network - it receives attempts to break in more or less non-stop. The network designer has various responses to this - in general these are to identify the offender as such both by his (or her?) IP address and type of activity. We have some honey-traps: areas of the network (outside the real security) that appear to be easy to hack, but which in fact re-direct the malicious activity to another site that can look after itself (might be connected with a famous mouse).

Apparently the country from which most attempted break-ins come is North Korea.

Any teacher in England who wants to have secure hosting, should be able to get this from the regional grid. If you are in Yorkshire and Humberside (I know that's not many of you) I can help arrange this.

A lot of teachers took home laptops, and used them, without protection over the summer holidays. Then came back to school and attached them to the school networks, many of which instantly became spam/virus factories.

One of the messages that I hammer home in my ICT training courses is that teachers using computers at home must ensure that they are adequately protected with antivirus software, a firewall, adware/spyware removers, etc.

Apparently the country from which most attempted break-ins come is North Korea.

Korea as a whole is constantly trying to send me spam and hack into my system.

A lot of teachers took home laptops, and used them, without protection over the summer holidays. Then came back to school and attached them to the school networks, many of which instantly became spam/virus factories.

We had the same problem with our students. Even though we give every student a laptop computer, we can no longer expect them to do homework that requires internet access. Although the laptops all have modems built in, we have taken the decision to stop students using the internet at home. A real shame.

Although the laptops all have modems built in, we have taken the decision to stop students using the internet at home. A real shame.

A shame, indeed! Unfortunately, this is a growing trend. I get around a lot of schools in the UK as a free-lance trainer. In many schools Internet access is so restricted and filtered - even for staff use - that most of its facilities cannot be used. My local school has a language centre that has no Internet access for students. The Head of Modern Languages regards the Web as too dangerous/distracting and only uses software installed locally, over which he has tight control. He does, however, encourage the kids to access the Web at home - but then he's not responsible if they wreck their own computers.

I run a small private business. A few years ago we regarded email as a blessing. We are now so overwhelmed with spam and viruses - 70% of incoming mail - that I am no longer so convinced of its virtues. We are, of course, well-protected against invasions, but the odd virus might slip through, and spam is like the Hydra: cut off one head and...


Following further clear evidence of malicious activity aimed against this forum today - this time from IPs based in the UK, I have reinstated the necessity for members to log in and have banned 2 IPs from accessing the site at all.

I'll free access to the forum up again when I feel comfortable that it is safe to do so. :unsure:


I have mentioned in the media studies forum that the Bush administration is making extensive efforts to silence independent media in the run up to the election. This has included an attack on indymedia. I have no connection with indymedia but they are quite an interesting source of independent information and seeking to be as democratic as they know how.

Details and updates and a petition

http://solidarity.indymedia.org.uk/

They also have a great radio network "democracy now" in the states and Bush would use any dirty trick in the book to silence them.

Following further clear evidence of malicious activity aimed against this forum today - this time from IPs based in the UK, I have reinstated the necessity for members to log in and have banned 2 IPs from accessing the site at all.

I'll free access to the forum up again when I feel comfortable that it is safe to do so. :blink:

It's interesting that recently I had a significant attack on my Science Forum. I've had several persistent spammers posting on it recently. What's worse is that I guess I had a DNS attack of some sort. A quick look at the server logs shows that a single IP address (looked to be an AOL address from reverse DNS lookup) requested something like 20,000 pages in just over one hour. Looks like I'll have to take better security precautions, although I'm not sure how you can stop someone from automatically requesting a page.

Max
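
An added example, not part of any post in this thread: one way to find the kind of client described above (a single address requesting about 20,000 pages in just over an hour) in a web server access log. It assumes Common Log Format lines in time order; the function names, the threshold passed in and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: client IP, identity, user, [timestamp]
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
STAMP = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp), or None if the line does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    try:
        return m.group(1), datetime.strptime(m.group(2), STAMP)
    except ValueError:
        return None

def flag_heavy_clients(lines, max_requests, window=timedelta(hours=1)):
    """Return {ip: peak count} for clients that exceed max_requests in any
    sliding window. Assumes the log lines are in time order."""
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip malformed lines instead of crashing
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # drop requests older than the window
            q.popleft()
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def build_sample_log():
    """Constructed sample (documentation IPs, made-up date): one client fetching
    a page 5 times a second for 4000 s, and a reader loading one page a minute."""
    start = datetime(2000, 1, 1, 9, 0, 0, tzinfo=timezone.utc)
    rows = []
    for s in range(4000):
        when = (start + timedelta(seconds=s)).strftime(STAMP)
        hit = f'192.0.2.10 - - [{when}] "GET /index.php?showtopic=1 HTTP/1.0" 200 512'
        rows.extend([hit] * 5)
        if s % 60 == 0:
            rows.append(f'198.51.100.7 - - [{when}] "GET /index.php HTTP/1.0" 200 512')
    rows.append("garbage line that is not in log format")
    return rows
```

Calling `flag_heavy_clients(build_sample_log(), 1000)` reports only the constructed heavy client; addresses found this way are candidates for rate limiting or a ban at the web server or firewall.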

It's interesting that recently I had a significant attack on my Science Forum. I've had several persistent spammers posting on it recently. What's worse is that I guess I had a DNS attack of some sort. A quick look at the server logs shows that a single IP address (looked to be an AOL address from reverse DNS lookup) requested something like 20,000 pages in just over one hour. Looks like I'll have to take better security precautions, although I'm not sure how you can stop someone from automatically requesting a page.

Max, see this posting on the software that causes this problem.

http://educationforum.ipbhost.com/index.php?showtopic=2233

Andy Walker should be able to tell you how you can solve this problem. See this thread:

http://educationforum.ipbhost.com/index.php?showtopic=1751
