The Education Forum

IP 194.176.158.32


Guest


Having just checked through the board logs I notice that IP 194.176.158.32 has consumed 40% of our allocated monthly bandwidth in 3 days. This can only be the result of the use of malicious software.

We have no members registered from this IP and no one has ever made a post from it.

To protect us from further damage I have set things up that members have to log in to see the board. I hope this doesn't inconvenience anyone too much.

I have traced the IP to Bedfordshire County Council - I wonder what they have got against us? :lol:


This is very strange. It clearly appears to be a malicious attack on the forum. The fact that it is happening at the weekend suggests that it is not a student who is doing this. It also implies that the person responsible has a good understanding of how our forum software works. By using the ISP of Bedfordshire County Council he knows that we are unable to identify him. It also makes it very difficult to block the whole of the ISP from using our forum.

It would seem that this person is psychologically disturbed. It would appear that he is a teacher and has access to his children. I hope that if his identity is discovered, he is forced from the profession.

I hope Bedfordshire will be able to discover who this person is. They will not be happy to discover that a teacher using their ISP is involved in trying to bring down an educational forum.

The timing of this is very unfortunate. I have advertised several aspects of the forum in today’s Teaching History Online. As it has a circulation of 40,000, we could have expected a large number of visitors over the next couple of days.


I have registered a complaint with Bedfordshire CC and sent off our board log statistics for the month for them to investigate. This should ensure we find out who exactly is behind all this. Interestingly, the very first time we experienced a problem like this it was traced to a private fee-paying school in Bedford - could be a coincidence of course :lol:


Full details of the origin of this attack (the RIPE whois record for the address range) can be read below.



What I cannot understand is why this individual would pick on this forum. The LGF, for example, did not like us posting critical comments about George Bush and Tony Blair. Therefore, there was a kind of logic behind the desire to take our forum offline. If it is a student, what would be their motivation? It also depends on knowledge of how a forum works. Most websites would be unaffected by these tactics (unless it was organized that a large number of people used this software to target the website). It only makes sense to do this if you have a website that pays for a limited amount of bandwidth.


Here is the evidence of their activities on our site.

Top 30 of 6256 Total Sites

 #   Hits     %       Files    %       KBytes     %       Visits  %      Hostname
 1   109576   18.45%  82089    22.23%  10716514   54.42%  11      0.09%  194.176.158.32
 2   25669    4.32%   25450    6.89%   3528202    17.92%  77      0.61%  212.85.1.1
 3   25418    4.28%   25121    6.80%   3475210    17.65%  84      0.66%  212.85.1.101
 4   23506    3.96%   2650     0.72%   17448      0.09%   120     0.94%  12.221.38.138
 5   21085    3.55%   3833     1.04%   30119      0.15%   106     0.83%  82.34.88.127

As it has gone up considerably in 3 hours this morning I have banned them outright from our site as we are dangerously low on bandwidth. I will place an order for more now, but we may go down for a few hours whilst this is processed.

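The stats above show the pattern a site admin can alert on automatically: one host taking over half the month's bytes in only 11 visits, i.e. thousands of hits per visit, which is a crawler rather than a reader. The following is an added example, not part of the forum post or the forum software; it parses the "Top sites" rows in the format shown above (the five rows from the post are embedded as sample input) and flags hosts whose byte share and hits-per-visit ratio both exceed thresholds that are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Sample input: the five rows quoted in the post above (webalizer-style "Top sites" table).
SAMPLE_TOP_SITES = """\
1 109576 18.45% 82089 22.23% 10716514 54.42% 11 0.09% 194.176.158.32
2 25669 4.32% 25450 6.89% 3528202 17.92% 77 0.61% 212.85.1.1
3 25418 4.28% 25121 6.80% 3475210 17.65% 84 0.66% 212.85.1.101
4 23506 3.96% 2650 0.72% 17448 0.09% 120 0.94% 12.221.38.138
5 21085 3.55% 3833 1.04% 30119 0.15% 106 0.83% 82.34.88.127
"""

# rank hits hits% files files% kbytes kbytes% visits visits% hostname
ROW = re.compile(
    r"^\s*\d+\s+(\d+)\s+([\d.]+)%\s+(\d+)\s+[\d.]+%"
    r"\s+(\d+)\s+([\d.]+)%\s+(\d+)\s+[\d.]+%\s+(\S+)\s*$"
)


@dataclass
class HostStats:
    host: str
    hits: int
    files: int
    kbytes: int
    visits: int
    hits_pct: float
    kbytes_pct: float


def parse_top_sites(text):
    """Parse rows of the 'Top sites' table; lines that are not data rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        hits, hits_pct, files, kbytes, kbytes_pct, visits, host = m.groups()
        rows.append(HostStats(host, int(hits), int(files), int(kbytes), int(visits),
                              float(hits_pct), float(kbytes_pct)))
    return rows


def flag_bandwidth_hogs(rows, max_kbytes_pct=25.0, max_hits_per_visit=500):
    """Return (host, kbytes share, hits per visit) for hosts that look like an automated
    crawl: a large share of total bytes delivered in very few visits. Thresholds are
    illustrative assumptions, not values from the post."""
    flagged = []
    for r in rows:
        per_visit = r.hits / max(r.visits, 1)
        if r.kbytes_pct >= max_kbytes_pct and per_visit >= max_hits_per_visit:
            flagged.append((r.host, r.kbytes_pct, round(per_visit)))
    return flagged
```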

I have just been in contact with Bedfordshire County Council. They are convinced they will be able to trace the offender. It is slightly complicated because the IP is also used by Cambridgeshire schools.

The school involved has now been traced thanks to the perseverance of John. :)

Bedford and Cambridge will now be able to see us again!


I have now discovered that the attack came from a school using the East of England Broadband Network (E2BN). Unfortunately, this meant we had to block all schools in Bedfordshire, Cambridgeshire, Essex, Hertfordshire, Luton, Milton Keynes, Norfolk, Peterborough, Southend, Suffolk and Thurrock (maybe that was what they were after).

E2BN has tracked it down to a particular school (all will be revealed later). I have just spoken to the head and he is determined to discover the student or member of staff behind this attack.

I will report back when the offender is caught.


Similar problems were also discovered in August and traced back to the consortium which supplies the bandwidth connection for most London and Suffolk schools, Equinox Solutions (tel: 0870 300 4010).

The investigation into this problem continues. I have spoken to Mark from Equinox this morning, who has promised to get back to me asap. For now the Forum remains inaccessible to those schools.

It would appear within the realms of possibility that someone (possibly a teacher) is coordinating an attack using contacts within schools around the country.

It is also possible that the attacks are unconnected. However if the former is correct I may well be the first teacher in England to get value for money out of the GTC :)


Despite assurances from E2BN we have literally in the last few minutes had another massive visit from 194.176.158.32, pushing up bandwidth dramatically - see below.

194.176.158.32 Url: /index.php?showtopic=1158&view=getnewpost Http Code : 403

Date: Sep 28 21:11:23 Http Version: HTTP/1.1" Size in Bytes: -

Referer: - Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API Request

I believe the key words are the ones I have highlighted. I think this is an attempt to use a spider to view and download all the pages on the site - hence the dramatic effect on bandwidth.

See also the attached graphs for a visual representation of the effects of this one visit. I have had to block access for the whole region again.


Security Update

On the advice of IPB I have made some changes to the security settings for the forum. They are outlined below; please give feedback if they are causing you problems.

Basically, the forum sets various 'cookies' each time a person visits a site. This helps us keep track of who the person is, lets them come back to the forum without logging in again, etc. Generally, the 'bots' that attack sites cannot accept cookies, so what I have tried to do is set it up so that you cannot access the forum unless you can accept cookies. If you cannot, it will take you to a simple page which takes up next to no bandwidth saying your browser must accept cookies: www.some.org/some.html

If you have an old browser that doesn't accept cookies you may experience some problems.

I have got both broadband consortia involved, tracking specifically the times and dates of attacks - we should know very soon where they are coming from. I think the problem is that the proxy servers within individual schools are open to abuse from external users.

Given that the nature of the attack is always the same this is consistent with the notion that a single individual is deliberately coordinating these attacks. Why they should want to do this is beyond me :unsure:

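The cookie gate described in the security update works as a two-step bounce: a visitor without the cookie is sent a cookie and redirected back to the same page with a marker; a client that returns with the marker but without the cookie gets a tiny static notice instead of full forum pages, so a cookie-less crawler is served two cheap responses and nothing else. The following is an added example of that logic, not IPB's code or the forum's configuration; the cookie name, the `cookiecheck` marker, the HMAC-signed token (so the cookie value cannot be guessed) and the per-deployment `SECRET` are all assumptions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"replace-with-a-per-deployment-secret"  # assumption: loaded from config in practice
COOKIE = "forum_ok"     # assumed cookie name
PROBE = "cookiecheck"   # assumed query marker meaning "we already tried to set the cookie"
NOTICE = "<html><body>Your browser must accept cookies to use this forum.</body></html>"


def make_token():
    """Random nonce plus a truncated HMAC, so a bot cannot fabricate an acceptable value."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{nonce}.{mac}"


def token_valid(token):
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(mac, expected)


def gate(path, cookie_header):
    """Decide what to do with a request before any forum page is rendered.
    Returns (decision, headers, body) where decision is 'pass', 'redirect' or 'notice'."""
    jar = SimpleCookie(cookie_header or "")
    if COOKIE in jar and token_valid(jar[COOKIE].value):
        return "pass", {}, ""                       # cookie came back intact: a real browser
    url = urlsplit(path)
    query = parse_qs(url.query)
    if PROBE in query:
        # Second visit, still no cookie: serve the minimal notice, not a forum page.
        return "notice", {"Content-Type": "text/html"}, NOTICE
    # First contact: issue the cookie and bounce back to the same page with the marker.
    query[PROBE] = ["1"]
    target = url.path + "?" + urlencode(query, doseq=True)
    headers = {
        "Set-Cookie": f"{COOKIE}={make_token()}; Path=/; HttpOnly; SameSite=Lax",
        "Location": target,
    }
    return "redirect", headers, ""
```

Note that the request with the marker still costs one cheap response; the saving is that every subsequent page fetch by a cookie-less client stops at the notice rather than reaching the database-backed forum pages.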

Generally, the 'bots' that attack sites cannot accept cookies, so what I have tried to do is set it up so that you cannot access the forum unless you can accept cookies.

I set up my system to accept cookies, but they are zapped daily. I use Window Washer at boot-up to get rid of the masses of Web clutter that accumulates while browsing the Web.


Guest Andrew Moore

It's still some way off, but the development of the various regional grids into a national network for education has got Becta working hard on standards for authentication of users.

In my own LEA some of the schools use systems that conceal user IDs from our county network guru - but since he has to build the system that will authenticate them to the networks beyond, then this is something that will have to change.

This means, in effect, that no-one will be able to use a school network that connects to the wider grid - from which also it goes out to the public Internet - without being identified by the system, and identifiable as a real named individual in the case of a check on abuse.

If someone in an East Riding school were to attempt a denial of service, we could quickly trace the source and stop it. More to the point, such is the spread of malicious exploits, that as well as checking people at the front door, we now monitor continuously what is going on inside, and can spot most kinds of abuse. Where an individual is using a fat share of the bandwidth, we have spotted it (a network manager was downloading feature films) and stopped it.

In general, the people who run the broadband grid won't know precise details of what goes on at school level. This will lie with the individual LEA, or, sadly, in many cases (but not the East Riding's) with the commercial organization which manages their network. Most LEAs that I know still get a telco (BT, NTL etc.) to do this - in which case the LEA people will find it hard to know what is really going on. We rent the wires and optic fibre from BT and Kingston Communications - and also use a lot of our own microwave and wireless connections - but the management of the traffic for all public services (schools, emergency services, local government and so on) - our tech guys look after that, and know what's happening all of the time.

The grids are organizations that manage the partnerships, coordinate projects, represent the member LEAs to the DfES and so on - but they do not provide the technical management of the LEA networks.


  • 1 month later...

I dunno if this is at all related to this stuff, but I have found that idle browsing in the English forum is difficult... unless I log into a thread pdq I find myself brought back to this front area of the board.
