It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
Need help with Stock Market-related DOS Attack
page: 12
share:
This is probably the right forum for this post, but I'd rather it be somewhere where more techies might be reading because I'd like some help
tracing the source of a DOS attack on my web site yesterday. I'll try to tell the story without sounding like I'm trying to plug my web site and
investment service.
On Thursday night I initiated my 4 computer cores to run their 17 hour process as they do each night. This produces an accurate stock market "Pressure reading." The number that was spit out yesterday/Friday morning was extremely high. I warned some people at various places on the internet.
Then during the first 15 minutes of the trading day yesterday/Friday, there was a mini Flash Crash of sorts in the stock market. The media ignored it. My computer program nailed it.
Then, I guess because it disturbed some people who know that the danger DOES still exist of these Flash Crashes, my web site was attacked with thousands of requests for hours. It began at 5:47 pm Eastern time and had hits of about one every few seconds. Here's one of the thousands of web log lines... the last one of the day...
95.252.69.229 - - [31/Dec/2010:23:59:50 -0500] "GET /favicon.ico HTTP/1.1" 200 1334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 BTRS35926 Firefox/3.6.13 (.NET CLR 3.5.30729)"
...and the attack continued until midnight:53 Eastern time. All of the IP's were exactly the same. My trace puts it in Rome, Italy. But can anyone else do a better trace? Could that have just been a proxy server?
Here's the full attack if anyone needs it...
5:47 pm to Midnight
First 53 Minutes of New Years Day
I'm pretty sure this was a true attack. I've been running web sites for over 15 years and this has only happened one other time. That attack was similar, but was geared more towards burning up bandwidth that I used to have to pay for. The source of THAT attack started in England, and when the real crime-level of the attack kicked into gear (like once every few seconds), it came from China, Turkey and one other untraceable IP address.
Thanks in advance if anyone can give me answers. The funny thing is, this is exactly the reason why my subscription service does NOT use a "Login" at my web site. The info I send to subscribers goes out in an eMail every morning.
Edward Slayton
On Thursday night I initiated my 4 computer cores to run their 17 hour process as they do each night. This produces an accurate stock market "Pressure reading." The number that was spit out yesterday/Friday morning was extremely high. I warned some people at various places on the internet.
Then during the first 15 minutes of the trading day yesterday/Friday, there was a mini Flash Crash of sorts in the stock market. The media ignored it. My computer program nailed it.
Then, I guess because it disturbed some people who know that the danger DOES still exist of these Flash Crashes, my web site was attacked with thousands of requests for hours. It began at 5:47 pm Eastern time and had hits of about one every few seconds. Here's one of the thousands of web log lines... the last one of the day...
95.252.69.229 - - [31/Dec/2010:23:59:50 -0500] "GET /favicon.ico HTTP/1.1" 200 1334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 BTRS35926 Firefox/3.6.13 (.NET CLR 3.5.30729)"
...and the attack continued until midnight:53 Eastern time. All of the IP's were exactly the same. My trace puts it in Rome, Italy. But can anyone else do a better trace? Could that have just been a proxy server?
Here's the full attack if anyone needs it...
5:47 pm to Midnight
First 53 Minutes of New Years Day
I'm pretty sure this was a true attack. I've been running web sites for over 15 years and this has only happened one other time. That attack was similar, but was geared more towards burning up bandwidth that I used to have to pay for. The source of THAT attack started in England, and when the real crime-level of the attack kicked into gear (like once every few seconds), it came from China, Turkey and one other untraceable IP address.
Thanks in advance if anyone can give me answers. The funny thing is, this is exactly the reason why my subscription service does NOT use a "Login" at my web site. The info I send to subscribers goes out in an eMail every morning.
Edward Slayton
Have you tried going to the police to see if they have a cyber crimes unit? With all the attacks coming from a single IP it helps heaps in tracing it.
The ISP's do keep logs of who has what IP address, however you usually need a court order to access these logs. The collaboration between nations on
cyber crime is improving, not exactly sure of the state of things due to so many complex local laws. Defiantly worth a try.
The engineers at my web hosting company, Network Solutions, are looking into it. It's actually still going on. I yanked the favicon.ico image so they
can't hit it any more. The favicon.ico image (at this web site) is the little tiny black and white image above near the ATS web address in your
browser that says "ATS." They typically use this image to attack because it doesn't burn bandwidth (might not be noticed), and is a quick request
to complete.... so many more requests can be made more frequently.
Edward Slayton
Edward Slayton
Sounds to me like someone is utilising the low orbital ion cannon (loic) programme against you.
One person will be directing the attack against you, whilst all the others are part of the hive mind.
Basically people will be running the loic in hive mind which will allow one primary user to control the hive mind to attack a certain destination.
You would have to trace the person controlling the hive mind, which would probably be next to impossible.
This is the same method being used in the current cyber war
One person will be directing the attack against you, whilst all the others are part of the hive mind.
Basically people will be running the loic in hive mind which will allow one primary user to control the hive mind to attack a certain destination.
You would have to trace the person controlling the hive mind, which would probably be next to impossible.
This is the same method being used in the current cyber war
I am interested to know what program takes 17hrs to run on 4 cores.
Not that I know how to do it, but there should be a way you can set up a timer - so that your web server can only take in a specific number of
requests during a specific period of time... again, I don't know how to do this myself, I'm just brainstorming some ideas to try and help out -
would something like this be a logical solution? How many connections need to be available per second / how many connections per second can your web
server handle?
www.cert.org...
learn-networking.com...
Hope this helps some
www.cert.org...
learn-networking.com...
Hope this helps some
Well this is odd. The techies at Network Solutions (or maybe law enforcement) have disabled my normal ability to delete my raw web log files. I
normally go through every now and then to delete them from my FTP account because I save copies of them on my home computer's hard drive. I've never
not had the ability to delete a raw web log file. It's acting as if (for example)... the same way as if you try to delete a .doc file from your My
Computer, if that file is opened and being used by Word Pad. But obviously there is no operating system at the FTP. Maybe the tech/law enforcement are
running a script within my web server that is tracking/tracing IP's, while at the same time comparing them in some way to the previous raw web log
files. Anyway...
Red_xi,
Usually several computers at one time will do the attack. I yanked the favicon.ico before I could figure out if any more computers began it. Since it DID continue beyond the time frame I mentioned above, maybe they sent out commands to other Spooks who would have had their computers doing it too. Hitting me with one request every 10 seconds isn't going to shut down a Network Solutions web site. (Like when I'm on the radio and plug my web site... they have other servers kick in during high traffic) But like I said above, things are out of my hands now, and for all I know, the attack could be continuing and NetSol or law enforcement is re-routing repeated requests for favicon.ico and maybe I'm not even seeing them in the log unless they are legitimate requests. I did put the favicon.ico back up.
Time2Think,
Yes, like I said above. There are programs that can run WITHIN a web site. My site is simple. I've always kept things simple. There isn't even a COOKIE at my web site, let alone some fancy script. ( .htm only)
Maybe NetSol or someone else is running a program like that... like I said above. I know when I had the last (and only other) DOS Attack in 2009, Network Solutions took it very seriously. They see it as Cyber Crime against their SERVERS, not just my web site.
Edward Slayton
Red_xi,
Usually several computers at one time will do the attack. I yanked the favicon.ico before I could figure out if any more computers began it. Since it DID continue beyond the time frame I mentioned above, maybe they sent out commands to other Spooks who would have had their computers doing it too. Hitting me with one request every 10 seconds isn't going to shut down a Network Solutions web site. (Like when I'm on the radio and plug my web site... they have other servers kick in during high traffic) But like I said above, things are out of my hands now, and for all I know, the attack could be continuing and NetSol or law enforcement is re-routing repeated requests for favicon.ico and maybe I'm not even seeing them in the log unless they are legitimate requests. I did put the favicon.ico back up.
Time2Think,
Yes, like I said above. There are programs that can run WITHIN a web site. My site is simple. I've always kept things simple. There isn't even a COOKIE at my web site, let alone some fancy script. ( .htm only)
Maybe NetSol or someone else is running a program like that... like I said above. I know when I had the last (and only other) DOS Attack in 2009, Network Solutions took it very seriously. They see it as Cyber Crime against their SERVERS, not just my web site.
Edward Slayton
new topics
-
Late Night with the Devil - a really good unusual modern horror film.
Movies: 57 minutes ago -
Cats Used as Live Bait to Train Ferocious Pitbulls in Illegal NYC Dogfighting
Social Issues and Civil Unrest: 2 hours ago -
The Good News According to Jesus - Episode 1
Religion, Faith, And Theology: 4 hours ago -
HORRIBLE !! Russian Soldier Drinking Own Urine To Survive In Battle
World War Three: 6 hours ago -
Bobiverse
Fantasy & Science Fiction: 9 hours ago -
Florida man's trip overseas ends in shock over $143,000 T-Mobile phone bill
Social Issues and Civil Unrest: 9 hours ago -
Former Labour minister Frank Field dies aged 81
People: 11 hours ago
top topics
-
Florida man's trip overseas ends in shock over $143,000 T-Mobile phone bill
Social Issues and Civil Unrest: 9 hours ago, 8 flags -
SETI chief says US has no evidence for alien technology. 'And we never have'
Aliens and UFOs: 13 hours ago, 7 flags -
Cats Used as Live Bait to Train Ferocious Pitbulls in Illegal NYC Dogfighting
Social Issues and Civil Unrest: 2 hours ago, 7 flags -
This is our Story
General Entertainment: 15 hours ago, 4 flags -
Former Labour minister Frank Field dies aged 81
People: 11 hours ago, 4 flags -
Bobiverse
Fantasy & Science Fiction: 9 hours ago, 3 flags -
HORRIBLE !! Russian Soldier Drinking Own Urine To Survive In Battle
World War Three: 6 hours ago, 2 flags -
Late Night with the Devil - a really good unusual modern horror film.
Movies: 57 minutes ago, 2 flags -
The Good News According to Jesus - Episode 1
Religion, Faith, And Theology: 4 hours ago, 0 flags
active topics
-
British TV Presenter Refuses To Use Guest's Preferred Pronouns
Education and Media • 140 • : Annee -
Florida man's trip overseas ends in shock over $143,000 T-Mobile phone bill
Social Issues and Civil Unrest • 16 • : grey580 -
HORRIBLE !! Russian Soldier Drinking Own Urine To Survive In Battle
World War Three • 22 • : RickyD -
President BIDEN Vows to Make Americans Pay More Federal Taxes in 2025 - Political Suicide.
2024 Elections • 92 • : SchrodingersRat -
SETI chief says US has no evidence for alien technology. 'And we never have'
Aliens and UFOs • 35 • : Consvoli -
Late Night with the Devil - a really good unusual modern horror film.
Movies • 1 • : DAVID64 -
Cats Used as Live Bait to Train Ferocious Pitbulls in Illegal NYC Dogfighting
Social Issues and Civil Unrest • 6 • : ColeYounger2 -
Ditching physical money
History • 18 • : annonentity -
Lawsuit Seeks to ‘Ban the Jab’ in Florida
Diseases and Pandemics • 32 • : SchrodingersRat -
"We're All Hamas" Heard at Columbia University Protests
Social Issues and Civil Unrest • 279 • : KrustyKrab
2