It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
Need help with Stock Market-related DOS Attack
page: 12
share:
This is probably the right forum for this post, but I'd rather it be somewhere where more techies might be reading because I'd like some help
tracing the source of a DOS attack on my web site yesterday. I'll try to tell the story without sounding like I'm trying to plug my web site and
investment service.
On Thursday night I initiated my 4 computer cores to run their 17 hour process as they do each night. This produces an accurate stock market "Pressure reading." The number that was spit out yesterday/Friday morning was extremely high. I warned some people at various places on the internet.
Then during the first 15 minutes of the trading day yesterday/Friday, there was a mini Flash Crash of sorts in the stock market. The media ignored it. My computer program nailed it.
Then, I guess because it disturbed some people who know that the danger DOES still exist of these Flash Crashes, my web site was attacked with thousands of requests for hours. It began at 5:47 pm Eastern time and had hits of about one every few seconds. Here's one of the thousands of web log lines... the last one of the day...
95.252.69.229 - - [31/Dec/2010:23:59:50 -0500] "GET /favicon.ico HTTP/1.1" 200 1334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 BTRS35926 Firefox/3.6.13 (.NET CLR 3.5.30729)"
...and the attack continued until midnight:53 Eastern time. All of the IP's were exactly the same. My trace puts it in Rome, Italy. But can anyone else do a better trace? Could that have just been a proxy server?
Here's the full attack if anyone needs it...
5:47 pm to Midnight
First 53 Minutes of New Years Day
I'm pretty sure this was a true attack. I've been running web sites for over 15 years and this has only happened one other time. That attack was similar, but was geared more towards burning up bandwidth that I used to have to pay for. The source of THAT attack started in England, and when the real crime-level of the attack kicked into gear (like once every few seconds), it came from China, Turkey and one other untraceable IP address.
Thanks in advance if anyone can give me answers. The funny thing is, this is exactly the reason why my subscription service does NOT use a "Login" at my web site. The info I send to subscribers goes out in an eMail every morning.
Edward Slayton
On Thursday night I initiated my 4 computer cores to run their 17 hour process as they do each night. This produces an accurate stock market "Pressure reading." The number that was spit out yesterday/Friday morning was extremely high. I warned some people at various places on the internet.
Then during the first 15 minutes of the trading day yesterday/Friday, there was a mini Flash Crash of sorts in the stock market. The media ignored it. My computer program nailed it.
Then, I guess because it disturbed some people who know that the danger DOES still exist of these Flash Crashes, my web site was attacked with thousands of requests for hours. It began at 5:47 pm Eastern time and had hits of about one every few seconds. Here's one of the thousands of web log lines... the last one of the day...
95.252.69.229 - - [31/Dec/2010:23:59:50 -0500] "GET /favicon.ico HTTP/1.1" 200 1334 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 BTRS35926 Firefox/3.6.13 (.NET CLR 3.5.30729)"
...and the attack continued until midnight:53 Eastern time. All of the IP's were exactly the same. My trace puts it in Rome, Italy. But can anyone else do a better trace? Could that have just been a proxy server?
Here's the full attack if anyone needs it...
5:47 pm to Midnight
First 53 Minutes of New Years Day
I'm pretty sure this was a true attack. I've been running web sites for over 15 years and this has only happened one other time. That attack was similar, but was geared more towards burning up bandwidth that I used to have to pay for. The source of THAT attack started in England, and when the real crime-level of the attack kicked into gear (like once every few seconds), it came from China, Turkey and one other untraceable IP address.
Thanks in advance if anyone can give me answers. The funny thing is, this is exactly the reason why my subscription service does NOT use a "Login" at my web site. The info I send to subscribers goes out in an eMail every morning.
Edward Slayton
Have you tried going to the police to see if they have a cyber crimes unit? With all the attacks coming from a single IP it helps heaps in tracing it.
The ISP's do keep logs of who has what IP address, however you usually need a court order to access these logs. The collaboration between nations on
cyber crime is improving, not exactly sure of the state of things due to so many complex local laws. Defiantly worth a try.
The engineers at my web hosting company, Network Solutions, are looking into it. It's actually still going on. I yanked the favicon.ico image so they
can't hit it any more. The favicon.ico image (at this web site) is the little tiny black and white image above near the ATS web address in your
browser that says "ATS." They typically use this image to attack because it doesn't burn bandwidth (might not be noticed), and is a quick request
to complete.... so many more requests can be made more frequently.
Edward Slayton
Edward Slayton
Sounds to me like someone is utilising the low orbital ion cannon (loic) programme against you.
One person will be directing the attack against you, whilst all the others are part of the hive mind.
Basically people will be running the loic in hive mind which will allow one primary user to control the hive mind to attack a certain destination.
You would have to trace the person controlling the hive mind, which would probably be next to impossible.
This is the same method being used in the current cyber war
One person will be directing the attack against you, whilst all the others are part of the hive mind.
Basically people will be running the loic in hive mind which will allow one primary user to control the hive mind to attack a certain destination.
You would have to trace the person controlling the hive mind, which would probably be next to impossible.
This is the same method being used in the current cyber war
I am interested to know what program takes 17hrs to run on 4 cores.
Not that I know how to do it, but there should be a way you can set up a timer - so that your web server can only take in a specific number of
requests during a specific period of time... again, I don't know how to do this myself, I'm just brainstorming some ideas to try and help out -
would something like this be a logical solution? How many connections need to be available per second / how many connections per second can your web
server handle?
www.cert.org...
learn-networking.com...
Hope this helps some
www.cert.org...
learn-networking.com...
Hope this helps some
Well this is odd. The techies at Network Solutions (or maybe law enforcement) have disabled my normal ability to delete my raw web log files. I
normally go through every now and then to delete them from my FTP account because I save copies of them on my home computer's hard drive. I've never
not had the ability to delete a raw web log file. It's acting as if (for example)... the same way as if you try to delete a .doc file from your My
Computer, if that file is opened and being used by Word Pad. But obviously there is no operating system at the FTP. Maybe the tech/law enforcement are
running a script within my web server that is tracking/tracing IP's, while at the same time comparing them in some way to the previous raw web log
files. Anyway...
Red_xi,
Usually several computers at one time will do the attack. I yanked the favicon.ico before I could figure out if any more computers began it. Since it DID continue beyond the time frame I mentioned above, maybe they sent out commands to other Spooks who would have had their computers doing it too. Hitting me with one request every 10 seconds isn't going to shut down a Network Solutions web site. (Like when I'm on the radio and plug my web site... they have other servers kick in during high traffic) But like I said above, things are out of my hands now, and for all I know, the attack could be continuing and NetSol or law enforcement is re-routing repeated requests for favicon.ico and maybe I'm not even seeing them in the log unless they are legitimate requests. I did put the favicon.ico back up.
Time2Think,
Yes, like I said above. There are programs that can run WITHIN a web site. My site is simple. I've always kept things simple. There isn't even a COOKIE at my web site, let alone some fancy script. ( .htm only)
Maybe NetSol or someone else is running a program like that... like I said above. I know when I had the last (and only other) DOS Attack in 2009, Network Solutions took it very seriously. They see it as Cyber Crime against their SERVERS, not just my web site.
Edward Slayton
Red_xi,
Usually several computers at one time will do the attack. I yanked the favicon.ico before I could figure out if any more computers began it. Since it DID continue beyond the time frame I mentioned above, maybe they sent out commands to other Spooks who would have had their computers doing it too. Hitting me with one request every 10 seconds isn't going to shut down a Network Solutions web site. (Like when I'm on the radio and plug my web site... they have other servers kick in during high traffic) But like I said above, things are out of my hands now, and for all I know, the attack could be continuing and NetSol or law enforcement is re-routing repeated requests for favicon.ico and maybe I'm not even seeing them in the log unless they are legitimate requests. I did put the favicon.ico back up.
Time2Think,
Yes, like I said above. There are programs that can run WITHIN a web site. My site is simple. I've always kept things simple. There isn't even a COOKIE at my web site, let alone some fancy script. ( .htm only)
Maybe NetSol or someone else is running a program like that... like I said above. I know when I had the last (and only other) DOS Attack in 2009, Network Solutions took it very seriously. They see it as Cyber Crime against their SERVERS, not just my web site.
Edward Slayton
new topics
-
Don't cry do Cryo instead
General Chit Chat: 4 hours ago -
Tariffs all around, Except for ...
Predictions & Prophecies: 6 hours ago -
Gen Flynn's Sister and her cohort blow the whistle on DHS/CBP involvement in child trafficking.
Whistle Blowers and Leaked Documents: 11 hours ago
top topics
-
Trump sues media outlets -- 10 Billion Dollar lawsuit
US Political Madness: 17 hours ago, 25 flags -
Bucks County commissioners vote to count illegal ballots in Pennsylvania recount
2024 Elections: 16 hours ago, 23 flags -
Fired fema employee speaks.
US Political Madness: 17 hours ago, 10 flags -
Gen Flynn's Sister and her cohort blow the whistle on DHS/CBP involvement in child trafficking.
Whistle Blowers and Leaked Documents: 11 hours ago, 8 flags -
Don't cry do Cryo instead
General Chit Chat: 4 hours ago, 4 flags -
Anybody else using Pomodoro time management technique?
General Chit Chat: 14 hours ago, 3 flags -
Tariffs all around, Except for ...
Predictions & Prophecies: 6 hours ago, 3 flags
active topics
-
Tariffs all around, Except for ...
Predictions & Prophecies • 11 • : Dalamax -
How can you defend yourself when the police will not tell you what you did?
Posse Comitatus • 84 • : bastion -
Oligarchy It Is Then
Short Stories • 14 • : UKTruth -
Don't cry do Cryo instead
General Chit Chat • 1 • : angelchemuel -
Mike Tyson returns 11-15-24
World Sports • 54 • : angelchemuel -
President-Elect DONALD TRUMP's 2nd-Term Administration Takes Shape.
Political Ideology • 205 • : WeMustCare -
On Nov. 5th 2024 - AMERICANS Prevented the Complete Destruction of America from Within.
2024 Elections • 155 • : WeMustCare -
The Trump effect 6 days after 2024 election
2024 Elections • 143 • : cherokeetroy -
Bucks County commissioners vote to count illegal ballots in Pennsylvania recount
2024 Elections • 21 • : Irishhaf -
60s-70s Psychedelia
Music • 54 • : gort69
2