Respectful Insolence

Our (mostly) benevolent but unfortunately all-too-uncommunicative Seed Overlords have finally bestowed upon us another report regarding the ongoing DDoS attack. Believe me, I know many of you can’t access ScienceBlogs and, most important of all to me, this blog, the better to read every word of Insolence, Respectful and otherwise, that pours from my keyboard. I can even see it reflected in my traffic over the last week or so.

Here is the latest on the explanation:

Let me apologize again for the problems that many of you and your readers are experiencing. The attack is ongoing, originating from Turkey and Qatar, and until it stops, Rackspace must block IP ranges in order for the site to be accessible to anyone. They are also unwilling to manually unblock hundreds upon hundreds of individual IPs. They have advised that we invest in a firewall and additional services from them, but we are still working out what these will cost and how effective they will be. I am not sure if I was correct in thinking that these attacks are not malicious, but I said so because we were told the attackers were trying to use our servers as an open proxy, with the request “GET http://www.kosmodiskmedikal.com/ HTTP/1.1.” Upon reflection, I have no idea what that means.

Perhaps people more knowledgeable about this sort of thing can enlighten me as to what this means. I also apologize. It’s very depressing to know that some of my most reliable and regular commenters are, in essence, locked out, at least from their home computers. Unfortunately, this allows some of the trolls to run more free than they have in the past. I can only hope that those who still have access are able to increase their efforts at troll control until this situation is resolved.

Comments

  1. #1 Redattack34
    March 15, 2011

    Essentially, it means that the attackers are trying to get your servers to act as a middle-man and forward their request on to kosmo disk medikal, whoever that is. The idea is that the proxy (apparently intended to be the ScienceBlogs servers) would then fetch the requested page from the other site and send it back. This sort of thing is often done to disguise traffic to prevent network filters catching it.

    Since it’s gone on this long though, I’d have to agree that it’s probably malicious; surely anyone wanting a legitimate proxy would have realized that it isn’t working by now.

  2. #2 Vicki, Chief Assistant to the Assistant Chief
    March 15, 2011

    Over at Pharyngula, some people are speculating that this may be an odd DDoS attack aimed at Kosmo Disk Medikal, using Seed/Science Blogs servers to overload Kosmo Disk Medikal. Even if they’re right, knowing this may not help anything.

  3. #3 David N. Andrews M. Ed., C. P. S. E.
    March 15, 2011

    All I know about this stuff is that http/1.1 is the version of hypertext transfer protocol in most common use. Can’t find out any details about the URL, though.

    Currently in a cafe in my town, using their WLAN, so I can get online and see this blog.

    “Rackspace must block IP ranges in order for the site to be accessible to anyone.”

    Still doesn’t help me, though. Rackspace need to start unblocking individual IP addresses because eventually this thing could get so that nobody is able to see the blogs.

    “I am not sure if I was correct in thinking that these attacks are not malicious”

    Umm… this attack is not an accident, ergo it has to be malicious: it has had an effect of disrupting traffic to this site, and this is the only possible intention on the part of any person or persons launching an attack of this sort.

    “The attack is ongoing, originating from Turkey and Qatar”

    … in which case, maybe some communication with the authorities in those countries is needed in order to get them to sort out their citizens’ behaviour. I live in a town with many Turkish people in it, and I can honestly say that most of the ones I know would be ashamed to have their country implicated in anything like this. I don’t know any Qatari people, and am not sure that there are any in Finland at all.

  4. #4 René Najera
    March 15, 2011

    Basically, hackers are trying to make your servers look like that website, causing hundreds (or thousands) of queries to the server, jamming up traffic. It must be HUGE if a site as often-visited as scienceblogs.com is having traffic jams like that.

    I recommend to your users to look into using TOR PROJECT browser to change their IP address without having to know heavy programming. (It’s also how I managed to post to AoA right under their noses. But don’t tell anyone.)

    If folks use TOR, though, the web experience will be slow and some sites that depend on location to function will not work well. Also, it’s not guaranteed that some TOR IP addresses won’t be blocked.

  5. #5 Jeff Darcy
    March 15, 2011

    My guess – and it really is just a guess – would be that somebody hard-coded your IP address into some piece of software. Why would they do that? Because that IP address previously belonged to someone else who was also hosted at Rackspace, and for whom “GET http://www.kosmodiskmedikal.com/ HTTP/1.1.” would have been a perfectly reasonable kind of request. It wouldn’t be the first time such a thing had happened, by any means.

    You might want to try contacting Rackspace to find out who had that IP address before, so they can be contacted for a remedy. Alternatively, you could try having them move you to a less-afflicted address.

  6. #6 rolak
    March 15, 2011

    The most irritating detail for me is that I’m able to access SB.com via anon-proxy, but not via my provider.
    Oh, lost info: From Germany…

  7. #7 Joseph
    March 15, 2011

    It makes no sense. If they wanted to test whether scienceblogs.com is an open proxy, a single request would do. There’s no need to make it appear to be a DDoS attack.

  8. #8 Calli Arcale
    March 15, 2011

    It’s definitely malicious; the only real question would be whether ScienceBlogs (or Rackspace, potentially) is the real target or just collateral damage. Probably the latter; I can’t imagine why people in Turkey or Qatar would want to take out ScienceBlogs. (And if they were specifically after SB, you’d think the attack would be more distributed.)

  9. #9 Skeptiverse
    March 15, 2011

    I didn’t think that it was such a large problem until I looked at the comments on RI, Pharyngula and other science blogs pages. I have not had any trouble getting on to science blogs from any of the computers I have used, both home networks or public networks; even my work proxy appears to be working fine. Maybe it has something to do with being in Australia, but not knowing much about how this stuff actually works, my comments are probably meaningless.

  10. #10 DaveH
    March 15, 2011

    IIRC, can’t this trick also be used to multiply the effects of a DDoS attack? The originating computer has only a small piece of data to send (the request), but the Rackspace servers then have a relatively bigger chunk of data to retrieve (the whole page).

    Of course, it has been years since I have had a chance to really brush up on my programming et al. skills, in the pursuit of specialization. It is entirely likely I am wrong, and it still doesn’t explain the choice of request.

  11. #11 Adam
    March 15, 2011

    Checked out KosmoDisk, looks like a product from Planet Woo for sure. Is it possible that this isn’t retaliation for a possible bad review or some other kind of childish reaction on their part?

    As for the open proxy argument, that wouldn’t make a lot of sense unless you’re seeing a LOT of different requests like that for different sites. Essentially that whole line is a web server request for a different site. For example, your browser would send a similar request for this page (GET http://scienceblogs.com/insolence/2011/03/another_update_from_the_mothership_on_th.php HTTP 1.1). It could be that the DNS for http://www.kosmodiskmedikal.com is messed up and causing the problem, especially if there are several different web requests you’re seeing. If a hosting site’s DNS entry got mixed up with scienceblogs.com it could be the source of the problem.

    Finally, I just have to say…do you not have an IT person on staff (or even on contract) to help with this stuff? It would probably be worth the cost if you don’t…just sayin’.
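
    Comments #1 and #11 above describe what that request line is: an absolute-URI request, the form a browser sends to a proxy, naming a host the server does not serve. The script below is an added example, not code from this post, Seed or Rackspace, that pulls such requests out of a combined-format access log and counts them per client and per named host; as #7 notes, a single such request is a probe, while hundreds of them for the same host is a flood worth escalating to the host. The hostnames in OUR_HOSTS and every log line are constructed for the example.

```python
"""Flag proxy-style (absolute-URI and CONNECT) requests in a web access log.

Added example with constructed data: OUR_HOSTS and SAMPLE_LOG are assumptions
made for the demonstration, not records from any real server.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostnames this server legitimately answers for (assumed for the example).
OUR_HOSTS = {"scienceblogs.com", "www.scienceblogs.com"}

# Apache/nginx "combined" log line: client IP, timestamp, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2011:10:01:02 +0000] "GET http://www.kosmodiskmedikal.com/ HTTP/1.1" 404 312
203.0.113.7 - - [15/Mar/2011:10:01:02 +0000] "GET http://www.kosmodiskmedikal.com/ HTTP/1.1" 404 312
198.51.100.9 - - [15/Mar/2011:10:01:03 +0000] "GET http://www.kosmodiskmedikal.com/ HTTP/1.1" 404 312
192.0.2.44 - - [15/Mar/2011:10:01:04 +0000] "GET /insolence/2011/03/another_update.php HTTP/1.1" 200 48211
192.0.2.45 - - [15/Mar/2011:10:01:05 +0000] "GET http://scienceblogs.com/insolence/ HTTP/1.1" 200 48211
192.0.2.46 - - [15/Mar/2011:10:01:06 +0000] "CONNECT mail.example.net:443 HTTP/1.1" 400 0
"""


def classify_request(request_line):
    """Return (form, host) for an HTTP/1.1 request line.

    form is one of 'origin' (normal "/path"), 'absolute' (full URL, the proxy
    form), 'authority' (CONNECT host:port), 'asterisk' or 'malformed'.
    host is the named target for 'absolute' and 'authority', else None.
    """
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "malformed", None
    method, target, _version = parts
    if method == "CONNECT":
        return "authority", target.rsplit(":", 1)[0]
    if target == "*":
        return "asterisk", None
    if target.startswith("/"):
        return "origin", None
    if "://" in target:
        return "absolute", urlsplit(target).hostname
    return "malformed", None


def is_proxy_attempt(request_line, our_hosts=OUR_HOSTS):
    """True when the client asked this server to reach some other host."""
    form, host = classify_request(request_line)
    if form == "absolute":
        # HTTP/1.1 allows absolute form for our own host; only foreign hosts count.
        return host not in our_hosts
    return form == "authority"


def summarize(log_text, our_hosts=OUR_HOSTS):
    """Count proxy attempts per client IP and per foreign host named."""
    by_ip, by_host, total = Counter(), Counter(), 0
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        total += 1
        request = match.group("request")
        if is_proxy_attempt(request, our_hosts):
            by_ip[match.group("ip")] += 1
            by_host[classify_request(request)[1]] += 1
    return {
        "total": total,
        "proxy_attempts": sum(by_ip.values()),
        "by_ip": dict(by_ip),
        "by_host": dict(by_host),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['proxy_attempts']} of {report['total']} requests were proxy-style")
    for host, n in report["by_host"].items():
        print(f"  {n:>4}  {host}")
```

    A server that is not configured as a proxy answers these with a 400 or 404 (the Host does not match anything it serves), so the fetch-and-forward amplification described in #10 does not happen; the cost is only the connection handling, which is why the volume rather than the content of the requests is what matters. The by_ip and by_host tallies are the two numbers to hand to the hosting provider when asking for a range block or a move to a different address.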

  12. #12 Scote
    March 16, 2011

    “Finally, I just have to say…do you not have an IT person on staff (or even on contract) to help with this stuff? It would probably be worth the cost if you don’t…just sayin’.”

    That is what the Seed Overlords are supposed to do…individual bloggers at science blogs should never have to worry about such stuff any more than I should have to worry about Google’s IT when I post to Picasa.

    I wonder how things are over at Scientopia…

  13. #13 Clam
    March 16, 2011

    I have noticed Turkish spam on SB in the past which appears to be for some sort of medicaments. Maybe they’ve automated their spamming with this result?
    As far as Denial of Service is concerned, I’m being denied service by you! My home IP (in Cyprus) is blocked as are three proxies in the UK and one in the Netherlands. I can get thru via either a proxy in Canada or one in Germany. The ranges that are being blocked seem to be a bit random.

  14. #14 triskelethecat
    March 16, 2011

    I can get in from work but not home, unless I use anonymouse.com or my MIFI. Someone on Pharyngula’s Endless Thread suggested turning off the router for 5 minutes to reset the IP address. I might try that tonight.

    Sorry to read about the troll infestation, Orac. I’ve been too busy at work to do much troll hunting. With not being able to access from home, my fangs and fur aren’t as “sniny” as they should be.

    Dawn

    Mi Dawn

  15. #15 Matthew Cline
    March 16, 2011

    @ triskelethecat

    Someone on Pharyngula’s Endless Thread suggested turning off the router for 5 minutes to reset the IP address.

    Depending on your setup, you might need to reboot your computer rather than restart your router.

  16. #16 triskelethecat
    March 17, 2011

    Hi, Matthew Cline. Well, to reboot the router I have to do a 3 step process – turn off the computer (and, I had actually rebooted the computer for some updates to install anyway), turn off the wireless modem, turn off the router. Wait 5 min. Turn back on in reverse order. Unfortunately, that didn’t work either. I CAN access from work, at home I can either go in through anonymouse or use my MIFI. I just hope that they get this taken care of soon so I don’t have to play games just to read Sciblogs!

  17. #17 Chris
    March 17, 2011

    I tried that turning off the router and modem (during a thunderstorm), and it didn’t work. At least it is back on for the library. Now I just need to remember to use the spell check on my very old laptop (it is seven years old, I stripped off lots of extra software… including Firefox so that it only takes a half hour to turn on).

  18. #18 Bob O'H
    March 18, 2011

    Woooo! I can finally see you! *waves* Good to be back.

    At Scientopia, we were affected by another DOS attack, aimed at WordPress, a couple of weeks ago, and then by this latest attack last week (we’re also using Rackspace as a host). That this one was aimed at ScienceBlogs did cause us some amusement.

  19. #19 blf
    March 18, 2011

    Yeah, I’ve got access now, finally, for the first time in a week (almost exactly to the hour!). Whilst I’m still a bit sceptical of the DDoS claim, the general gist of what’s being explained/claimed above does seem to explain (perhaps with a few reasonable-ish assumptions) most of the symptoms I saw.

    And a big THANK YOU to Orac for passing on my IP address, even if it seems RackSpace was unwilling to unblock it.

  20. #20 David N. Andrews M. Ed., C. P. S. E.
    March 19, 2011

    Cool! I can see this now using the 3G modem!

  21. #21 DW
    March 19, 2011

    My dearest Lord Draconis, Grandest of Mavoons,

    Darling one: while I realise that you are deeply immersed in anxious creche-to-hatchling watching or some other highly-predetermined Glaxonian tendency, could you kindly. inform. the _friggin’_ ladies on 3S/112 B ( for b#tch) to remedy our f#cking inter-shill comm-uni-ca-tion matrix so we may commence our professional activities?

    It is exceedingly difficult to serve your magnificent Lordship to the utmost of our abilities when so incapacitated.

    I don’t want to hear who’s responsible: FIX IT! just do it.

    I remain your faithful and affectionate, though perturbed, servant, DW

  22. #22 anonymous
    March 19, 2011

    Writing from Manchester (in the UK) this is the first time I’ve been able to access the site on my home computer since the problems began, although oddly I could access it from university (the university of Manchester) on Thursday. I don’t know if this information helps anyone, but I thought I’d throw it out there anyway.
