I have just recovered from a DDOS/Brute force attack on my server from a botnet running on Amazon EC2 instances. (Technical)

Gromett (OP) | Joined Feb 27, 2011 | 14,975 | 78,134 | UK | Funster No 15,452 | MH: Self Build | Exp: Since 2005
Just checked the logs. They are now sending ICMP packets from every single IP they own... they are pinging my server to see if it is up :LOL::LOL::LOL:
 
Gromett (OP):
They have ceased all attacks on port 443 (https) and now just seem to be pinging my server from all their IP addresses.
They are cycling through the servers they own trying to find one that can get through I think.

I suspect they don't realise that Amazon publishes a full list of all their IP addresses and that I have blocked them using this list. Funny :)
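The block below is an added example (not the poster's own script) of the approach described in this post: taking a cloud provider's published address list and turning it into firewall rules. Amazon publishes its ranges as JSON at https://ip-ranges.amazonaws.com/ip-ranges.json; the `SAMPLE_JSON` here is a constructed excerpt in that file's layout (the real file lists thousands of prefixes) so the script runs offline. The `cloud-block` set name and the `ipset`/`iptables` invocation are this example's choices, not something the poster described.

```python
"""Build a firewall blocklist from a provider's published IP-range list.

Added example. SAMPLE_JSON is a constructed excerpt in the layout of
https://ip-ranges.amazonaws.com/ip-ranges.json (keys: prefixes[].ip_prefix,
ipv6_prefixes[].ipv6_prefix, region, service).
"""
import ipaddress
import json

SAMPLE_JSON = """
{
  "syncToken": "0000000000",
  "createDate": "2024-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-2", "service": "AMAZON"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "AMAZON"}
  ]
}
"""


def load_prefixes(json_text, services=None):
    """Return (ipv4_networks, ipv6_networks) from an ip-ranges style document.

    Overlapping entries (the same block listed under several services) are
    collapsed so the firewall gets one rule per distinct range. `services`
    optionally restricts the result to e.g. ["EC2"].
    """
    doc = json.loads(json_text)
    wanted = set(services) if services else None
    v4 = [ipaddress.ip_network(p["ip_prefix"])
          for p in doc.get("prefixes", [])
          if wanted is None or p["service"] in wanted]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"])
          for p in doc.get("ipv6_prefixes", [])
          if wanted is None or p["service"] in wanted]
    return (sorted(ipaddress.collapse_addresses(v4)),
            sorted(ipaddress.collapse_addresses(v6)))


def is_in_ranges(address, v4, v6):
    """True if the address falls inside any of the loaded ranges."""
    ip = ipaddress.ip_address(address)
    nets = v4 if ip.version == 4 else v6
    return any(ip in n for n in nets)


def ipset_commands(v4, v6, name="cloud-block"):
    """Emit ipset/iptables commands that drop inbound traffic from the ranges."""
    cmds = []
    for family, nets, suffix in (("inet", v4, "4"), ("inet6", v6, "6")):
        if not nets:
            continue
        setname = f"{name}-v{suffix}"
        cmds.append(f"ipset -exist create {setname} hash:net family {family}")
        for n in nets:
            cmds.append(f"ipset -exist add {setname} {n}")
        tool = "iptables" if family == "inet" else "ip6tables"
        cmds.append(f"{tool} -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    v4, v6 = load_prefixes(SAMPLE_JSON)
    print("\n".join(ipset_commands(v4, v6)))
```

Two caveats a practitioner would want: the published list changes, so the set has to be rebuilt from a fresh download rather than kept static, and blocking a whole provider also blocks that provider's legitimate customers, which is why the poster later had to lift the block once the attack stopped.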
 
Gromett (OP):
> What was the outcome?

Amazon were not clear on their procedures. They asked for a log file showing the frequency of the attack, so I gave them a one-second sample to show the intensity. I then gave them a list of IPs taking part in the attack.
They have only dealt with the IPs in the one-second sample.

Then they came back to me asking what DNS requests were being made and the timestamp of each one. This is even after I had told them I had firewalled their entire IP address range. I do not have that information.

The attackers have given up (for now) and I needed to release the firewall blocks, so I am just going to let this go. Amazon are frustrating in the extreme, to say the least.

If they had been clear up front, or provided a full, detailed description of what they required, I would have been able to give them all this up front. Oh well...

Attack over (for now) and things are back to the normal levels of attacks.

Gromett (OP):
PS: If it kicks off again, they are going to get a detailed report for each and EVERY IP individually, with full data.
If the attack reaches anything like the previous level they are going to get 8,000-odd individual reports. Shame this is necessary :(
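As an added example (not the poster's own tooling) of how the per-IP reports described in the last two posts can be produced: the script parses web-server access log lines in the common/combined format, and for each source address works out the request count, the time window, the peak requests-per-second figure the provider asked for, the status codes seen and the request lines. `SAMPLE_LOG` is constructed (documentation-range addresses), and the `min_requests` threshold is an arbitrary choice for the example.

```python
"""Per-IP abuse reports from an access log sample.

Added example. SAMPLE_LOG is constructed data in nginx/Apache combined
log format; the addresses are documentation ranges, not real attackers.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
203.0.113.77 - - [14/Mar/2024:10:15:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.77 - - [14/Mar/2024:10:15:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.77 - - [14/Mar/2024:10:15:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Mar/2024:10:15:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.77 - - [14/Mar/2024:10:15:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.77 - - [14/Mar/2024:10:15:03 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "Mozilla/5.0"
192.0.2.5 - - [14/Mar/2024:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not a log record and is skipped
"""

# client ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a record dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "request": m.group("req"),
            "status": int(m.group("status"))}


def summarize(lines):
    """Group parsed records by source IP and compute per-IP evidence."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    stats = {}
    for ip, recs in per_ip.items():
        # Log timestamps have one-second resolution, so counting identical
        # timestamps gives requests per second directly.
        per_second = Counter(r["ts"] for r in recs)
        peak_at, peak = per_second.most_common(1)[0]
        stats[ip] = {
            "requests": len(recs),
            "first": min(r["ts"] for r in recs),
            "last": max(r["ts"] for r in recs),
            "peak_per_second": peak,
            "peak_at": peak_at,
            "statuses": dict(Counter(r["status"] for r in recs)),
            "requests_seen": sorted({r["request"] for r in recs}),
        }
    return stats


def offenders(stats, min_requests):
    """IPs at or above the threshold, busiest first."""
    return sorted((ip for ip, s in stats.items() if s["requests"] >= min_requests),
                  key=lambda ip: -stats[ip]["requests"])


def render_report(ip, s):
    """One plain-text report per IP, suitable for sending to a provider."""
    fmt = "%Y-%m-%d %H:%M:%S %z"
    lines = [
        f"Abuse report for {ip}",
        f"Requests observed: {s['requests']}",
        f"Window: {s['first'].strftime(fmt)} to {s['last'].strftime(fmt)}",
        f"Peak rate: {s['peak_per_second']} req/s at {s['peak_at'].strftime(fmt)}",
        "HTTP status codes: " + ", ".join(f"{c}={n}" for c, n in sorted(s["statuses"].items())),
        "Request lines:",
    ] + [f"  {r}" for r in s["requests_seen"]]
    return "\n".join(lines)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip in offenders(stats, min_requests=3):
        print(render_report(ip, stats[ip]), end="\n\n")
```

Keeping the raw matching log lines alongside each report is worth doing too, since a provider's abuse desk usually wants the original records rather than a summary.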
 
Gromett (OP):
> It must be really frustrating for you after giving Amazon all the info. Still, a big up for the way you dealt with it and looking after your clients.

I just feel sorry for the next target. Because Amazon haven't dealt with this, someone else is now suffering, and it may be a small single one-man band who can't afford a server admin. A small business now may either get hacked or be put out of business by what is in effect a DDOS, if not technically a DDOS.
 
Member | Joined Oct 14, 2007 | 4,077 | 6,472 | Rochester | Funster No 619 | MH: Auto-Trail Mohawk | Exp: 17 fun filled years
My niece's husband has his own estate agency and paid £40,000 ransom to get his hacking attack sorted. It's a massive problem.
 
Gromett (OP):
> My niece's husband has his own estate agency and paid £40,000 ransom to get his hacking attack sorted. It's a massive problem.
Oh crap... :( That just encourages the hackers unfortunately. Until people stop paying them they will continue to do it. Sadly in the cases of small companies it may be the only choice :(

I have a custom backup system that works by pulling data from the system to be backed up.

Most people back up using either a network attached storage device, a USB device plugged in, or some software that backs up to the cloud.

The problem with those methods is the second the backup system gets connected to the infected system the backups get corrupted as well.

My method is that I have a totally independent server that runs absolutely no services and is totally firewalled from the internet.
This server connects (one way) to the computer to be backed up and pulls the data remotely. The computer being backed up has no way of connecting directly to the backup server.

This prevents crypto ransomware being installed on the computers. I also do a backup similar to how the Apple Mac does Time Machine. I am able to step back daily (for 7 days), weekly (for 5 weeks) and monthly (for 6 months) to see how and when the ransomware got installed.
I run this service for quite a few clients.

Fortunately it has never been needed in anger, as I keep servers quite secure. However, it has been used due to client error: "Oops, I deleted the wrong database, HELP!" type things.

Gromett (OP):
In case anyone is interested, this is what a true DDOS attack looks like and how amplification attacks take place.
One point missed by the article is that the amplification attack makes it look like the attack is coming from a different source, which means it is very hard to identify the attackers.
