Need help with Stock Market-related DOS Attack


posted on Jan, 1 2011 @ 03:19 PM
This is probably the right forum for this post, but I'd rather it be somewhere where more techies might be reading because I'd like some help tracing the source of a DOS attack on my web site yesterday. I'll try to tell the story without sounding like I'm trying to plug my web site and investment service.

On Thursday night I initiated my 4 computer cores to run their 17 hour process as they do each night. This produces an accurate stock market "Pressure reading." The number that was spit out yesterday/Friday morning was extremely high. I warned some people at various places on the internet.

Then during the first 15 minutes of the trading day yesterday/Friday, there was a mini Flash Crash of sorts in the stock market. The media ignored it. My computer program nailed it.

Then, I guess because it disturbed some people who know that the danger DOES still exist of these Flash Crashes, my web site was attacked with thousands of requests for hours. It began at 5:47 pm Eastern time and had hits of about one every few seconds. Here's one of the thousands of web log lines... the last one of the day...

95.252.69.229 - - [31/Dec/2010:23:59:50 -0500] "GET /favicon.ico HTTP/1.1" 200 1334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 BTRS35926 Firefox/3.6.13 (.NET CLR 3.5.30729)"


...and the attack continued until midnight:53 Eastern time. All of the IP's were exactly the same. My trace puts it in Rome, Italy. But can anyone else do a better trace? Could that have just been a proxy server?

Here's the full attack if anyone needs it...

5:47 pm to Midnight
First 53 Minutes of New Years Day

I'm pretty sure this was a true attack. I've been running web sites for over 15 years and this has only happened one other time. That attack was similar, but was geared more towards burning up bandwidth that I used to have to pay for. The source of THAT attack started in England, and when the real crime-level of the attack kicked into gear (like once every few seconds), it came from China, Turkey and one other untraceable IP address.

Thanks in advance if anyone can give me answers. The funny thing is, this is exactly the reason why my subscription service does NOT use a "Login" at my web site. The info I send to subscribers goes out in an eMail every morning.

Edward Slayton
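A way to summarise a raw access log like the one quoted above, as an added example that is not part of the original post: it parses the combined log format, groups requests by client IP, and flags any address that hits one resource at a short, sustained interval. The thresholds, the addresses 198.51.100.23 and 203.0.113.7, and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/NCSA "combined" format, the layout of the log line quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skip it rather than guess
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def summarize(lines):
    """Per client IP: hit count, mean gap between hits, most-requested path."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    out = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        top_path, top_hits = Counter(r["path"] for r in recs).most_common(1)[0]
        out[ip] = {"hits": len(recs),
                   "mean_gap_s": span / (len(recs) - 1) if len(recs) > 1 else None,
                   "top_path": top_path, "top_share": top_hits / len(recs)}
    return out

def flood_suspects(summary, min_hits=100, max_gap_s=10.0, min_share=0.9):
    """IPs that hammer one resource at a short, sustained interval."""
    return sorted(ip for ip, s in summary.items()
                  if s["hits"] >= min_hits and s["top_share"] >= min_share
                  and s["mean_gap_s"] is not None and s["mean_gap_s"] <= max_gap_s)

def sample_log():
    """Constructed sample: 200 favicon hits 3 s apart plus two ordinary page views."""
    fmt = '{ip} - - [{ts} -0500] "GET {path} HTTP/1.1" 200 1334 "-" "Mozilla/5.0"'
    t0 = datetime(2010, 12, 31, 17, 47, 0)
    stamp = lambda i: (t0 + timedelta(seconds=3 * i)).strftime("%d/%b/%Y:%H:%M:%S")
    lines = [fmt.format(ip="198.51.100.23", path="/favicon.ico", ts=stamp(i)) for i in range(200)]
    lines += [fmt.format(ip="203.0.113.7", path=p, ts=stamp(5)) for p in ("/", "/about.htm")]
    return lines

if __name__ == "__main__":
    print("flood suspects:", flood_suspects(summarize(sample_log())))
```

The same summary also exposes the number of distinct sources, which separates a single-address flood from a distributed one before anyone attempts a trace.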




posted on Jan, 1 2011 @ 08:39 PM
Have you tried going to the police to see if they have a cyber crimes unit? With all the attacks coming from a single IP it helps heaps in tracing it. The ISPs do keep logs of who has what IP address, however you usually need a court order to access these logs. The collaboration between nations on cyber crime is improving, not exactly sure of the state of things due to so many complex local laws. Definitely worth a try.



posted on Jan, 2 2011 @ 12:15 AM
The engineers at my web hosting company, Network Solutions, are looking into it. It's actually still going on. I yanked the favicon.ico image so they can't hit it any more. The favicon.ico image (at this web site) is the little tiny black and white image above near the ATS web address in your browser that says "ATS." They typically use this image to attack because it doesn't burn bandwidth (might not be noticed), and is a quick request to complete.... so many more requests can be made more frequently.

Edward Slayton



posted on Jan, 3 2011 @ 12:30 PM
Sounds to me like someone is utilising the low orbital ion cannon (loic) programme against you.

One person will be directing the attack against you, whilst all the others are part of the hive mind.

Basically people will be running the loic in hive mind which will allow one primary user to control the hive mind to attack a certain destination.

You would have to trace the person controlling the hive mind, which would probably be next to impossible.

This is the same method being used in the current cyber war



posted on Jan, 5 2011 @ 03:58 PM
I am interested to know what program takes 17hrs to run on 4 cores.



posted on Jan, 5 2011 @ 08:42 PM
Not that I know how to do it, but there should be a way you can set up a timer - so that your web server can only take in a specific number of requests during a specific period of time... again, I don't know how to do this myself, I'm just brainstorming some ideas to try and help out - would something like this be a logical solution? How many connections need to be available per second / how many connections per second can your web server handle?

www.cert.org...

learn-networking.com...

Hope this helps some
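The request budget suggested in the post above, sketched as an added example that is not part of the original thread: a per-client sliding-window limiter, replayed against traffic shaped like the slow flood described earlier (one request every few seconds). The class name, the limits, and the sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window_s` seconds."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.seen = defaultdict(deque)  # client -> timestamps of admitted requests

    def allow(self, client, now):
        q = self.seen[client]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop requests that have left the window
        if len(q) >= self.limit:
            return False  # over budget: the server would refuse or drop this one
        q.append(now)
        return True

def replay(limiter, events):
    """Feed (client, time_s) pairs through the limiter; count rejections per client."""
    rejected = defaultdict(int)
    for client, t in sorted(events, key=lambda e: e[1]):
        if not limiter.allow(client, t):
            rejected[client] += 1
    return dict(rejected)

def sample_events():
    """Constructed traffic: one client every 3 s for an hour, plus one normal visitor."""
    flood = [("198.51.100.23", 3 * i) for i in range(1200)]
    visitor = [("203.0.113.7", t) for t in (10, 11, 12, 900, 901)]
    return flood + visitor

if __name__ == "__main__":
    # A per-second cap never fires on a slow flood; a longer window does.
    print("2 per 1 s   :", replay(SlidingWindowLimiter(2, 1), sample_events()))
    print("60 per 600 s:", replay(SlidingWindowLimiter(60, 600), sample_events()))
```

A cap sized in requests per second lets this pattern through untouched, so the window has to be long enough to cover the flood's own interval.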



posted on Jan, 6 2011 @ 12:46 AM
Well this is odd. The techies at Network Solutions (or maybe law enforcement) have disabled my normal ability to delete my raw web log files. I normally go through every now and then to delete them from my FTP account because I save copies of them on my home computer's hard drive. I've never not had the ability to delete a raw web log file. It's acting as if (for example)... the same way as if you try to delete a .doc file from your My Computer, if that file is opened and being used by Word Pad. But obviously there is no operating system at the FTP. Maybe the tech/law enforcement are running a script within my web server that is tracking/tracing IP's, while at the same time comparing them in some way to the previous raw web log files. Anyway...

Red_xi,

Usually several computers at one time will do the attack. I yanked the favicon.ico before I could figure out if any more computers began it. Since it DID continue beyond the time frame I mentioned above, maybe they sent out commands to other Spooks who would have had their computers doing it too. Hitting me with one request every 10 seconds isn't going to shut down a Network Solutions web site. (Like when I'm on the radio and plug my web site... they have other servers kick in during high traffic) But like I said above, things are out of my hands now, and for all I know, the attack could be continuing and NetSol or law enforcement is re-routing repeated requests for favicon.ico and maybe I'm not even seeing them in the log unless they are legitimate requests. I did put the favicon.ico back up.


Time2Think,

Yes, like I said above. There are programs that can run WITHIN a web site. My site is simple. I've always kept things simple. There isn't even a COOKIE at my web site, let alone some fancy script. ( .htm only)

Maybe NetSol or someone else is running a program like that... like I said above. I know when I had the last (and only other) DOS Attack in 2009, Network Solutions took it very seriously. They see it as Cyber Crime against their SERVERS, not just my web site.

Edward Slayton


