Re: [OT] website DoS attack - help!

["kinchyuk" <alex@xxxxxxxxxxxxx>]

--- In ukha_d@xxxxxxx, Andy Davies <dajdavies@...> wrote:
>
> Sounds kinda bogus to me - having a clustered system should prevent
them
> from supplying you with server logs (what's their stats tool
supposed to
> use, if they don't keep the data?)
>
> kinchyuk wrote:
> > Yep I have asked.. they've replied that as its a clustered system
they
> > can't provide logs - but I should use their own stats tool. Which
> > doesn't show anything :)
> >
> >
>

Well yes, that's what I thought. Here's the full sorry saga.. if you
ever think of using Servage read this first :) Top is newest, bottom
is the original ticket I opened.


Feb 19 - 22:46 GMT
Servage - Patricia
Hello Alex,

Thank you for updating this ticket. I understand your frustation about
this uncontrolled load/hits. We are unfortunately not able to say why
or from where it comes. We only have the same information as you have
in the statisitcs.

Regards,
Feb 19 - 20:00 GMT
Customer
Yes I appreciate it's on more than one server but sorry I think
you're missing the point.. there should not be anywhere near this
amount of traffic hitting the site. Absolutely no way on this earth is
that traffic figure 'normal'. As I said earlier I was hoping for your
assistance, but as you've closed the ticket looks like I'm not gonna
get it?!

I'm annoyed that this continued apparent high traffic is taking the
website (along with the handful of others) hosted on my Servage
account offline. Now that someone has figured out they can take the
website off air by swamping it with traffic (which it seems they are
doing, from the stats you have provided) then there's not much hope
for the site!
Feb 19 - 16:04 GMT
Servage - Patricia
Hello Alex,

Thank you for updating this ticket. Due to the clustered structure of
our systems there is no single log file for you to use as your site is
served by many servers. For statistic purposes we recommend using the
statistic system which is pre-installed in the control panel. We are
continue working to improve this system.

Thank you for your understanding,
Feb 19 - 13:45 GMT
Customer
Hi Patricia,

Thanks for the email. Yes it is '{website}' that is causing
suspensions to this account. However, it wasn't causing any issues
when it was hosted at Rackspace. It's one HTML web page, and one small
JPG. Nothing more. The problems only seem to have started since I
moved it to Servage.

The stats to me indicate that there is some malicious activity taking
place to cause these suspensions. I was hoping for your co-operation
to assist in this, but so far I'm not getting much help. I will be
speaking to The Metropolitan Police Service Computer Crime Unit
tomorrow as I now firmly believe that this is a malicious attack.
Feb 19 - 13:37 GMT
Servage - Patricia
Hello Alex,

Thank you for updating this ticket. I'm sorry to inform you that your
account has been suspended due to exceeding the daily limit with 20.95
GB transfer. Your accoutn will be unsuspended at GMT AM 01.00

We kindly ask you to remove the domain name "{website}" to avoid
future suspensions. It looks like the domain is causing the
suspensions.

We will appreciate your cooperation :o)
Feb 19 - 10:18 GMT
Customer
Yet again I've got an email from Steffan saying the account has been
suspended. Sunday's stats so far:

Today 122 648534 842467 18.31 GB

122 unique visitors (visitor sessions?), 648,534 page impressions and
18.31 GB transferred. Please can you help with this?
Feb 18 - 18:42 GMT
Customer
Hi Neil,

Thanks for the response. Hotlink protection is enabled on my account
as far as I know (just checked as well and it looks turned on). As
there's only one HTML one image file it seems rather suspicious that
the site has suddenly got a huge amount of traffic from such a low
number of unique visitors..
Feb 18 - 18:39 GMT
Servage - Neil
Hello Alex,

It seems that it is the issue of hotlinking rather then the denial of
service attack we have system developed that catch if any kind of
denial system attack will be done. It seems like a Bandwidth theft,
also known as "hotlinking" is the term used to describe the
practice
of an unauthorized party linking to content such as images and video
on another person's site for display on their own pages. This means
that every time the page loads on the site using hotlinking, the
legitimate owner of the content pays for the bandwidth.

You are able to prevent hot-linking from your web sites via the
control panel. To enable the "Hotlink Protection" please click on
the "Web Server" tab and via the menu on "Hotlink
Protection" tab -
here are you able to enable or disable the Hotlinking feature.

Hope this will helps you.

For any further assistance please feel free to contact us.

Have a nice weekend :-)
Feb 18 - 17:54 GMT
Customer
Hi again,

Just analysing those stats..

Sat: 282 unique, 652586 imps, 18.28 GB xfer. Equiv 2314 imps/unique
Fri: 500 unique, 81884 imps, 2.23 GB xfer. Equiv 163.768 imps/unique
Thu: 555 unique, 75033 imps, 2.04 GB xfer. Equiv 135.194 imps/unique
Wed: 264 unique, 472 imps, 9.17 MB xfer. Equiv 1.787 imps/unique

So it looks like on Thursday something happened.. 135, 163 impressions
per unique visitor to a single page that doesn't say anything is a
little high, and makes me think it's a denial of service attack. But
2,314 impressions per unique visitor today? I don't just think it's a
DoS, I'm absolutely certain.





Feb 18 - 17:48 GMT
Customer
Hi Steffan and team

I've just read your emails regarding high usage on my account, and to
be honest this is rather concerning. I have gone through the sites
that are hosted on this server, and indeed you are right - there is a
rather high load, in particular on www.{website}

The stats for the last few days indicate:

Uniques: Pageviews: Hits: Transfer:
Today 282 652586 848479 18.28 GB
Friday 500 81884 106595 2.23 GB
Thursday 555 75033 97730 2.04 GB
Wednesday 264 472 745 9.17 MB

Considering www.{website} is just a single html page and graphic, I'm
wondering whether someone has been attempting a denial of service
attack on this site. Unfortunately I don't have anything more than the
above stats, could you assist?

I am more than happy to help clear up this problem, and am very
worried about why such a large level of traffic has suddenly appeared.
Any more information you could provide would be beneficial.

Thanks,
Alex