Denial of Service Attack
#1
Denial of Service Attack
Last night, an anonymous user joined the chatroom and told the members there (myself included) that he was attacking the server. This attack was easily thwarted by simply blocking his IP address, but he still managed to send nearly 7,000 requests to the server in the space of 10 minutes, knocking it offline for a short while.

I traced the IP to a church and school in Ohio, and sent an email to the operators of these organisations asking for an investigation. I suspect this was carried out by a student of the school, who thought it would be "cool" to take an "atheist" website offline.

Here is a copy of the email I sent.

Quote:To Whom It May Concern,

I am writing to you to let you know that last night at around 22:00 GMT, almost 7,000 requests were sent to our server in the space of about 10 minutes, all from the IP address 72.240.43.146, which I believe is used by various domain names owned by your organisation, including a school. At the same time, an anonymous user joined a public chatroom used by our organisation, and informed the members there (myself included) that they were attacking the server. They managed to take the server offline by overloading it with requests, but I was able to block the IP used (72.240.43.146) and the server quickly recovered.

Looking over the logs, it is clear that the attacker was running some form of malicious attack script, which tried various requests that were designed at either taking down the server or gaining access to the server itself. This type of attack is of course illegal, and though I do not wish to press any charges this time, I would be gracious if you could launch an investigation into this incident. As the IP is linked to a school, it may be that one of your students thought it would be "amusing" to try and take our server offline. I would not expect this kind of behaviour from an adult.

The server runs various websites, but the most prominent is AtheistForums.org, an organisation that promotes discussion between both believers and non-believers. I note that your organisation is linked to a church, and the school is religious in nature. Our organisation has no problems with the religious; indeed we readily accept religious members, and have both Christian and Muslim members of staff. AtheistForums.org is not an anti-religious organisation, nor is it a "pro-atheism" organisation; we have no specific agenda other than to create open dialogue between people of different beliefs.

Apart from AtheistForums.org, the server also runs numerous other websites, not related to religious discussion. These websites were also affected by the attack. I hope that you can shed light on this situation; as I said before, I do not wish to press any charges, as the attack was thwarted quite quickly and did not affect the server for long. That said, I would like the perpetrator to be found and reminded that this behaviour is illegal, and that attacking organisations whose beliefs you disagree with helps nobody, especially when our organisation is one which promotes discussion between people of different beliefs.

Kind regards,

Adrian Hayter

P.S. You may not be able to access our server, as the IP address 72.240.43.146 is still blocked, and will remain so until I can be assured that this event has been dealt with.
Reply
#2
RE: Denial of Service Attack
Hayter on call and on duty.
I am the Infantry. I am my country’s strength in war, her deterrent in peace. I am the heart of the fight… wherever, whenever. I carry America’s faith and honor against her enemies. I am the Queen of Battle. I am what my country expects me to be, the best trained Soldier in the world. In the race for victory, I am swift, determined, and courageous, armed with a fierce will to win. Never will I fail my country’s trust. Always I fight on…through the foe, to the objective, to triumph overall. If necessary, I will fight to my death. By my steadfast courage, I have won more than 200 years of freedom. I yield not to weakness, to hunger, to cowardice, to fatigue, to superior odds, For I am mentally tough, physically strong, and morally straight. I forsake not, my country, my mission, my comrades, my sacred duty. I am relentless. I am always there, now and forever. I AM THE INFANTRY! FOLLOW ME!
Reply
#3
RE: Denial of Service Attack
Response from their technical admin:

Quote:Dear Mr Hayter,

My name is Ken Smith and I am the technical person for Blessed Sacrament. I will certainly investigate this but I would guess this is either a bot that got installed on one of my computers, or the person doing the denial of service was spoofing our IP address. The school is just a K-8 and the students have limited resources, and they do not have access to the school at 10:00PM on a Sunday night. This was probably triggered by someone from outside. I will let you know of any results that I find,

Ken Smith

My reply:

Quote:Dear Ken,

Thanks for looking into this. As I mentioned, this was carried out at 10pm GMT, so the time in America would have been in the afternoon. I'm not sure of the exact timezone difference, but I hope that helps you in some way. If you require it, I can send you the log of all requests sent from the IP I specified.

Kind regards,

Adrian Hayter
Reply
#4
RE: Denial of Service Attack
Nice email Adrian. The guy doesn't sound too clued up, but I'll give him the benefit of the doubt for now.
Reply
#5
RE: Denial of Service Attack
The tech guy is a fucking idiot. I've whet my teeth on them a hundred times throughout my elementary to high school career. They usually understand little more than 'type static IP into Windows box and win!'

One tried to sic the disciplinarian committee on me once because I was 'sabotaging the network'. In reality, the fucker had loaded VNC onto all the workstations and interrupted (by accident?) several of my Starcraft games (in Digital Photography), eventually culminating with my sharp eyes noticing the mouse moving by itself. Without a second thought, I slightly unplugged the network cord, giving it the appearance it was in, but in reality had no physical connection.

I excused myself to answer the call of nature, and reflect on sending zeroes down a septic tube (since everyone knows how to send a one). Just when I got back and sat down, he bursts through the door, tromps over to my computer and begins shouting at me while rubbing his hands all over my workstation. The Digital Photo teacher, a meathead who coached Football and probably stuffed people like the Tech guy down the trash perhaps once upon a time, stares at him with a glazed look as the guy rambles off incoherent accusations.

At the climax of his tizzy, the Tech yanked the power on the workstation. Now, as you might not know, many schools employ a software named 'Deep Freeze' on their equipment. Deep Freeze wipes and restores a computer to a set state on reboot, losing all new data.

Well, by power cycling my machine, he lost all logs and screen caps of what I could be doing (I was navigating through the unsecured Windows Network). And he realized that.

And immediately left, without further words.

I proceeded to launch Starcraft once again, and play. Because while he knew something was happening, Starcraft is a DirectX game that seizes control of the framebuffer, preventing spy applications from seeing anything more than an empty black box.

Big Grin


Anywho, back on topic, the next time you talk to these people, don't mention AtheistForums and do threaten legal action. Only way to get their attention and since the server IP serves more than AtheistForums, has not those other websites unduly suffered? Then make their suffering, the 'bystander caught in the crossfire', be the basis of the potential 'legal claim' when you next contact them.

American conduct against schools is chiefly characterized by lawsuits. I suggest you adopt the customary poses and threats, regardless of your intention to truly enact legal action, in order to get the most efficient and fast response.

Slave to the Patriarchy no more
Reply
#6
RE: Denial of Service Attack
Hayter hating on hackers.

Triple H
[Image: triple_h_sledgehammer.jpg]
Reply
#7
RE: Denial of Service Attack
Further conversations:

Ken Smith Wrote:I do apologize, I am not used to getting international time. That would be in the afternoon. Though the students still do not have access at that time.

Yes, I would appreciate any information that you have,

Ken Smith

My response:

Adrian Hayter Wrote:Hey Ken,

Attached is the access log (filtered to just the requests sent by the IP in question). As you can see, the first request was sent at around 9:55pm, and the last (just before I blocked the IP) was sent at 10:05pm. There are 6,911 requests in total, the last 2,000 or so all go to the same location (search.php) so it appears that this was the main DOS attack, however previously the requests contained "strange" parameters, which look like they are from a script trying to gain access to privileged files on the server.

For example, on lines 950, 1046, 1132, and many others, the script tries to use directory traversal to get access to password files. Most other requests are for pages that don't exist, which makes me think that this particular script is just a generic one which tries a long list of vulnerable URLs and hopes for a hit.

Kind regards,

Adrian Hayter

If you want to have a look at the log, I have uploaded it (in 7zip format) to the server: http://atheistforums.org/dos-log.7z

Ken's response:

Ken Smith Wrote:Thanks for the documentation, and sorry about my confusion on time and identity.

Looking at your data I am wondering if the IP was spoofed from another location. The only thing that points me in that direction is all of the entries I looked at (I just browsed the list but looked at most of them) the user agent is listed as Windows NT 6.0. That refers to Windows Vista or Server 2008. We are not using either of those operating systems (who would still be using Vista). All of our computers are Windows XP with just a couple of Windows 7 laptops used only by teachers. I have not found anything yet, but I will be asking if there were people in the building last night. The IP that is on the list is used only by the school and not the church or parish operation. They have a separate system from the school.

Looking at the data, it does look like the person either used multiple computers, or a separate scripting system. The user agent is different in 25 of the entries, these are probably the ones where the person manually accessed your system, and they are reporting a different browser.

If you see any other suspicious activity coming from us, please let me know as soon as possible. I have set the system up to email me the logs daily so I can monitor them.

Ken Smith

My response:

Adrian Hayter Wrote:Hey Ken,

Thanks for keeping me updated. It could be that your IP was spoofed, but I'd be wary of using the User-Agent data as an accurate measure; User-Agents are quite easy to change, since they are optional headers and are usually set by the browser (or a script) when making an HTTP request. Given the relative difficulty of spoofing IP addresses, it is far more likely that the User-Agent was changed by the script, making it appear as if multiple computers were involved. The user who entered our chatroom did say they could take down our site using only one computer, which makes me think they were simply using a script to generate HTTP requests.

Most internet routers have some form of protection against IP spoofing as well, and the attack was using direct HTTP requests rather than other techniques such as ICMP flooding (where IP spoofing is much easier to do). Hopefully we'll get to the bottom of this!

I've set up a log to catch any further activity from the IP, but the ban is still in place so any further attacks shouldn't be able to affect the server again.

Kind regards,

Adrian Hayter
Reply
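Added example, not part of the original thread: the kind of access-log triage described in the post above (request burst from one IP, the most-requested path, directory-traversal probes by line number, and the spread of User-Agent strings). It assumes the Apache/nginx "combined" log format, which the thread does not confirm; the names `parse` and `summarise` are hypothetical and the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit
# Assumption: Apache/nginx "combined" log format (the thread does not name the server).
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Traversal markers, matched after decoding twice so %2e%2e%2f and %252e forms are caught.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|/etc/passwd', re.I)

def parse(lines):  # yields one record per well-formed line, with its 1-based line number
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if m:
            rec = {**m.groupdict(), "line": n}
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def summarise(lines, ip, window=timedelta(minutes=10)):  # profile one client IP
    hits = sorted((r for r in parse(lines) if r["ip"] == ip), key=lambda r: r["ts"])
    peak = start = 0
    for end, rec in enumerate(hits):  # sliding window over sorted timestamps
        while rec["ts"] - hits[start]["ts"] > window:
            start += 1
        peak = max(peak, end - start + 1)
    paths = Counter(urlsplit(r["url"]).path for r in hits)
    return {
        "total": len(hits),
        "peak_in_window": peak,
        "top_path": paths.most_common(1)[0] if hits else None,
        "traversal_lines": [r["line"] for r in hits
                            if TRAVERSAL_RE.search(unquote(unquote(r["url"])))],
        "user_agents": Counter(r["ua"] for r in hits),
    }

# Constructed sample using documentation IP ranges; not lines from the log in the thread.
V, O = "Mozilla/5.0 (Windows NT 6.0)", "Opera/9.80 (Windows NT 6.0)"
ROWS = [
    ("203.0.113.7", "21:55:01", "/index.php", 200, V),
    ("203.0.113.7", "21:55:02", "/admin/config.php.bak", 404, V),
    ("198.51.100.9", "21:55:03", "/index.php", 200, V),
    ("203.0.113.7", "21:56:10", "/view.php?file=../../../../etc/passwd", 404, V),
    ("203.0.113.7", "21:56:11", "/page.php?p=%2e%2e%2f%2e%2e%2fetc%2fpasswd", 404, V),
    ("203.0.113.7", "22:04:00", "/search.php?q=a", 200, O),
    ("203.0.113.7", "22:04:01", "/search.php?q=b", 200, V),
    ("203.0.113.7", "22:04:02", "/search.php?q=c", 200, V),
]
SAMPLE = [f'{ip} - - [30/Oct/2011:{t} +0000] "GET {url} HTTP/1.1" {st} 512 "-" "{ua}"'
          for ip, t, url, st, ua in ROWS]
print(summarise(SAMPLE, "203.0.113.7"))
```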
#8
RE: Denial of Service Attack
He did it.

Call me Sherlock.
Reply
#9
RE: Denial of Service Attack
Adrian, you'll have to threaten legal action next time. It's the only language these people speak.

I can promise you were the shoe on the other foot they wouldn't have hesitated to sue for damages.
Reply
#10
RE: Denial of Service Attack
(October 31, 2011 at 3:55 pm)5thHorseman Wrote: He did it.

Call me Sherlock.

Sherlock, my gut tells me it was Jebus. Working through him, of course.
42

Reply


