Another update from the mothership on the DDoS attack

Our (mostly) benevolent but unfortunately all-too-uncommunicative Seed Overlords have finally bestowed upon us another report regarding the ongoing DDoS attack. Believe me, I know many of you can't access ScienceBlogs and, most important of all to me, this blog, the better to read every word of Insolence, Respectful and otherwise, that pours from my keyboard. I can even see it reflected in my traffic over the last week or so.

Here is the latest on the explanation:

Let me apologize again for the problems that many of you and your readers are experiencing. The attack is ongoing, originating from Turkey and Qatar, and until it stops, Rackspace must block IP ranges in order for the site to be accessible to anyone. They are also unwilling to manually unblock hundreds upon hundreds of individual IPs. They have advised that we invest in a firewall and additional services from them, but we are still working out what these will cost and how effective they will be. I am not sure if I was correct in thinking that these attacks are not malicious, but I said so because we were told the attackers were trying to use our servers as an open proxy, with the request "GET http://www.kosmodiskmedikal.com/ HTTP/1.1." Upon reflection, I have no idea what that means.

Perhaps people more knowledgeable about this sort of thing can enlighten me as to what this means. I also apologize. It's very depressing to know that some of my most reliable and regular commenters are, in essence, locked out, at least from their home computers. Unfortunately, this allows some of the trolls to run more free than they have in the past. I can only hope that those who still have access are able to increase their efforts at troll control until this situation is resolved.


Essentially, it means that the attackers are trying to get your servers to act as a middle-man and forward their request on to kosmo disk medikal, whoever that is. The idea is that the proxy (apparently intended to be the ScienceBlogs servers) would then fetch the requested page from the other site and send it back. This sort of thing is often done to disguise traffic to prevent network filters catching it.

Since it's gone on this long though, I'd have to agree that it's probably malicious; surely anyone wanting a legitimate proxy would have realized that it isn't working by now.

By Redattack34 (not verified) on 15 Mar 2011 #permalink
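Added example (not part of the original post or its comments): a request line whose target is a full URL for someone else's host, like the one quoted in the email, is what a proxy request looks like, and it can be picked out of a web server access log. The sketch assumes Common Log Format; `OWN_HOSTS`, the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the hostnames this server legitimately answers for.
OWN_HOSTS = {"scienceblogs.com", "www.scienceblogs.com"}
# Common Log Format: client ident user [time] "request line" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) \S+')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Mar/2011:10:00:01 +0000] "GET http://www.kosmodiskmedikal.com/ HTTP/1.1" 404 209',
    '192.0.2.10 - - [15/Mar/2011:10:00:02 +0000] "GET http://www.kosmodiskmedikal.com/ HTTP/1.1" 404 209',
    '198.51.100.7 - - [15/Mar/2011:10:00:03 +0000] "GET /insolence/ HTTP/1.1" 200 51234',
    '203.0.113.5 - - [15/Mar/2011:10:00:04 +0000] "GET http://scienceblogs.com/insolence/ HTTP/1.1" 200 51234',
    '203.0.113.9 - - [15/Mar/2011:10:00:05 +0000] "GET http://www.kosmodiskmedikal.com/ HTTP/1.1" 200 1830',
]

def foreign_proxy_target(request_line, own_hosts=OWN_HOSTS):
    """Return the foreign host a request asks us to proxy to, or None."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method.upper() == "CONNECT":
        # CONNECT carries host:port and is always a tunnelling request.
        host = target.rsplit(":", 1)[0].lower()
    else:
        try:
            url = urlsplit(target)
        except ValueError:
            return None
        if url.scheme.lower() not in ("http", "https") or not url.hostname:
            return None  # ordinary "/path" request for this site
        host = url.hostname  # urlsplit already lower-cases the hostname
    return None if not host or host in own_hosts else host

def summarize(lines):
    """Count proxy attempts per (client, foreign host); collect those answered 2xx."""
    attempts, answered_2xx = Counter(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, request_line, status = m.groups()
        host = foreign_proxy_target(request_line)
        if host:
            attempts[(client, host)] += 1
            if status.startswith("2"):
                # May be the local default page rather than proxied content: verify.
                answered_2xx.add((client, host))
    return attempts, answered_2xx
```

A server that is not an open proxy should refuse these requests or serve its own site; any entry in the second result is worth checking by hand.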

Over at Pharyngula, some people are speculating that this may be an odd DDoS attack aimed at Kosmo Disk Medikal, using Seed/Science Blogs servers to overload Kosmo Disk Medikal. Even if they're right, knowing this may not help anything.

By Vicki, Chief A… (not verified) on 15 Mar 2011 #permalink

All I know about this stuff is that http/1.1 is the version of hypertext transfer protocol in most common use. Can't find out any details about the URL, though.

Currently in a cafe in my town, using their WLAN, so I can get online and see this blog.

"Rackspace must block IP ranges in order for the site to be accessible to anyone."

Still doesn't help me, though. Rackspace need to start unblocking individual IP addresses because eventually this thing could get so that nobody is able to see the blogs.

"I am not sure if I was correct in thinking that these attacks are not malicious"

Umm... this attack is not an accident, ergo it has to be malicious: it has had an effect of disrupting traffic to this site, and this is the only possible intention on the part of any person or persons launching an attack of this sort.

"The attack is ongoing, originating from Turkey and Qatar"

... in which case, maybe some communication with the authorities in those countries is needed in order to get them to sort out their citizens' behaviour. I live in a town with many Turkish people in it, and I can honestly say that most of the ones I know would be ashamed to have their country implicated in anything like this. I don't know any Qatari people, and am not sure that there are any in Finland at all.

By David N. Andre… (not verified) on 15 Mar 2011 #permalink

Basically, hackers are trying to make your servers look like that website, causing hundreds (or thousands) of queries to the server, jamming up traffic. It must be HUGE if a site as often-visited as scienceblogs.com is having traffic jams like that.

I recommend to your users to look into using TOR PROJECT browser to change their IP address without having to know heavy programming. (It's also how I managed to post to AoA right under their noses. But don't tell anyone.)

If folks use TOR, though, the web experience will be slow and some sites that depend on location to function will not work well. Also, it's not guaranteed that some TOR IP addresses won't be blocked.

My guess - and it really is just a guess - would be that somebody hard-coded your IP address into some piece of software. Why would they do that? Because that IP address previously belonged to someone else who was also hosted at Rackspace, and for whom "GET http://www.kosmodiskmedikal.com/ HTTP/1.1." would have been a perfectly reasonable kind of request. It wouldn't be the first time such a thing had happened, by any means.

You might want to try contacting Rackspace to find out who had that IP address before, so they can be contacted for a remedy. Alternatively, you could try having them move you to a less-afflicted address.

For me, the most irritating detail is that I'm able to access SB.com via anon-proxy, but not via my provider.
Oh, lost info: From Germany...

It makes no sense. If they wanted to test whether scienceblogs.com is an open proxy, a single request would do. There's no need to make it appear to be a DDoS attack.

It's definitely malicious; the only real question would be whether ScienceBlogs (or Rackspace, potentially) is the real target or just collateral damage. Probably the latter; I can't imagine why people in Turkey or Qatar would want to take out ScienceBlogs. (And if they were specifically after SB, you'd think the attack would be more distributed.)

By Calli Arcale (not verified) on 15 Mar 2011 #permalink

I didn't think that it was such a large problem until I looked at the comments on RI, Pharyngula and other science blogs pages. I have not had any trouble getting on to science blogs from any of the computers I have used, both home networks or public networks; even my work proxy appears to be working fine. Maybe it has something to do with being in Australia, but not knowing much about how this stuff actually works, my comments are probably meaningless.

By Skeptiverse (not verified) on 15 Mar 2011 #permalink

IIRC, can't this trick also be used to multiply the effects of a DDoS attack? The originating computer has only a small piece of data to send (the request), but the Rackspace servers then have a relatively bigger chunk of data to retrieve (the whole page).

Of course, it has been years since I have had a chance to really brush up on my programming et al. skills, in the pursuit of specialization. It is entirely likely I am wrong, and it still doesn't explain the choice of request.

Checked out KosmoDisk, looks like a product from Planet Woo for sure. Is it possible that this isn't retaliation for a possible bad review or some other kind of childish reaction on their part?

As for the open proxy argument, that wouldn't make a lot of sense unless you're seeing a LOT of different requests like that for different sites. Essentially that whole line is a web server request for a different site. For example, your browser would send a similar request for this page (GET http://scienceblogs.com/insolence/2011/03/another_update_from_the_mothe… HTTP 1.1). It could be that the DNS for www.kosmodiskmedikal.com is messed up and causing the problem, especially if there are several different web requests you're seeing. If a hosting site's DNS entry got mixed up with scienceblogs.com it could be the source of the problem.

Finally, I just have to say...do you not have an IT person on staff (or even on contract) to help with this stuff? It would probably be worth the cost if you don't...just sayin'.

"Finally, I just have to say...do you not have an IT person on staff (or even on contract) to help with this stuff? It would probably be worth the cost if you don't...just sayin'."

That is what the Seed Overlords are supposed to do...individual bloggers at science blogs should never have to worry about such stuff any more than I should have to worry about Google's IT when I post to Picasa.

I wonder how things are over at Scientopia...

I have noticed Turkish spam on SB in the past which appears to be for some sort of medicaments. Maybe they've automated their spamming with this result?
As far as Denial of Service is concerned, I'm being denied service by you! My home IP (in Cyprus) is blocked as are three proxies in the UK and one in the Netherlands. I can get thru via either a proxy in Canada or one in Germany. The ranges that are being blocked seem to be a bit random.

I can get in from work but not home, unless I use anonymouse.com or my MIFI. Someone on Pharyngula's Endless Thread suggested turning off the router for 5 minutes to reset the IP address. I might try that tonight.

Sorry to read about the troll infestation, Orac. I've been too busy at work to do much troll hunting. With not being able to access from home, my fangs and fur aren't as "sniny" as they should be.

Dawn

Mi Dawn

By triskelethecat (not verified) on 16 Mar 2011 #permalink

@ triskelethecat

Someone on Pharyngula's Endless Thread suggested turning off the router for 5 minutes to reset the IP address.

Depending on your setup, you might need to reboot your computer rather than restart your router.

By Matthew Cline (not verified) on 16 Mar 2011 #permalink

Hi, Matthew Cline. Well, to reboot the router I have to do a 3 step process - turn off the computer (and, I had actually rebooted the computer for some updates to install anyway), turn off the wireless modem, turn off the router. Wait 5 min. Turn back on in reverse order. Unfortunately, that didn't work either. I CAN access from work, at home I can either go in through anonymouse or use my MIFI. I just hope that they get this taken care of soon so I don't have to play games just to read Sciblogs!

By triskelethecat (not verified) on 17 Mar 2011 #permalink

I tried that turning off the router and modem (during a thunder storm), and it didn't work. At least it is back on for the library. Now I just need to remember to use the spell check on my very old laptop (it is seven years old, I stripped off lots of extra software... including FireFox so that it only takes a half hour to turn on).

Woooo! I can finally see you! *waves* Good to be back.

At Scientopia, we were affected by another DOS attack, aimed at Wordpress, a couple of weeks ago, and then by this latest attack last week (we're also using Rackspace as a host). That this one was aimed at ScienceBlogs did cause us some amusement.

Yeah, I've got access now, finally, for the first time in a week (almost exactly to the hour!). Whilst I'm still a bit sceptical of the DDoS claim, the general gist of what's being explained/claimed above does seem to explain (perhaps with a few reasonable-ish assumptions) most of the symptoms I saw.

And a big THANK YOU to Orac for passing on my IP address, even if it seems RackSpace was unwilling to unblock it.

Cool! I can see this now using the 3G modem!

By David N. Andre… (not verified) on 19 Mar 2011 #permalink

My dearest Lord Draconis, Grandest of Mavoons,

Darling one: while I realise that you are deeply immersed in anxious creche-to-hatchling watching or some other highly-predetermined Glaxonian tendency, could you kindly. inform. the _friggin'_ ladies on 3S/112 B ( for b#tch) to remedy our f#cking inter-shill comm-uni-ca-tion matrix so we may commence our professional activities?

It is exceedingly difficult to serve your magnificent Lordship to the utmost of our abilities when so incapacitated.

I don't want to hear who's responsible: FIX IT! just do it.

I remain your faithful and affectionate, though perturbed, servant, DW

Writing from Manchester (in the UK) this is the first time I've been able to access the site on my home computer since the problems began, although oddly I could access it from university (the university of Manchester) on Thursday. I don't know if this information helps anyone, but I thought I'd throw it out there anyway.

By anonymous (not verified) on 19 Mar 2011 #permalink