New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Massive Layer7 attack, more than 33 hours
This discussion has been closed.
Comments
No. It was
make IRC great again propagandaLooks like Tinyweasel never will be arrested.
he generates extra traffic for LET... which means more JBucks
Plot twist: the DoS was just LET users checking if the site loaded.
But did you tell his mom?
New abuse list.
Before last IP checked manually and..is from @Francisco
https://pastebin.com/b6naz8v0
You mean this is still happening!? Quite surprised that all the solutions didn't work as well
But he also was DDoSing LET, so maybe he now DDoSing @FlorinMarian because he removed his VPS (the same way as @Francisco ).
site's back up! ha!
Unreachable for me.
Website up and running.
Secured by https://diamwall.com future security provider for all OSI levels.
Neither yours or Diamwall websites are working for me No VPN, normal residential connection.
Also their website is hosted on OVH RBX from what I see on DNS records/IP info.
That's why I've mentioned "future provider", they are not open for public yet.
Same here
I tried from Mobile phone and Network (Telefonica Germany)
Edit
Now hazi works. Diam not
I get the same message on diamwall but I can access hazi's website, was on a page checking my browser before connecting though.
Can you try again? Fixed 1 minute ago
Your site is fine, I can connect, just getting the denied page on diamwall.com
"Neither YOURS".
Right now your website is partly working, lots of errors
It will be interesting how it will work out with them, they are using OVH.
Fixed.
inb4 attacker starts using ovh ip
Hello,
The issue is now fixed.
In order to make you understand "It will be interesting how it will work out with them, they are using OVH", I'll write a report about the attack and the current mitigation.
In case of any issues, let me know!
Best Regards!
Recently SYS servers getting a 10Gbit Downlink.
Which kinda makes this attack not longer practically.
Plus, Game AntiDDoS goes by VAC + Rack, according to OVH.
No idea what specific one he uses tho.
Hey guys,
Due to the proportions that this thread is taking, due to this issue caused by DDoS, as CTO of diamwall (Company is not opened yet, still in beta) I've decided to give my own opinion related to this issue.
First, it's important to be aware that no one claimed this attack, either no one contacted Florin to blackmail, which always gives the looking that is probably another company or other kind of competitor with the achievement of 'stealing? Or making hazi.ro with a 'bad-looking'
Before explaining what is going on, you need to understand the bots' generation and what is their current emulation, being them:
Gen 1: Simple Crawlers With Basic Action
-> These bots have fairly easy structures and they can run simple automatic patterns. They don’t have any understanding of the web’s basic contents like Cookies and Sessions and they are not difficult to detect and block. A simple script that calls the web content or an API with the GET/ POST method could be referred to as a first-generation bot.
Example: Self-Home Scripts
Detection: Absence of Cookie
Gen 2: Simple Requests, Basic Actions
-> Their structure is like the bots from the first generation but slightly more developed. They are not capable of rendering or running javascript codes and a stack of them is not like a complete browser. To distinguish and block the bots from the second generation, javascript tests, such as setting cookies, are sufficient. Tools like Scrapy are an example of second-generation bots.
Example: Tools like Scrapy
Detection: Absence of JavaScript
Gen 3: Looks Like Browsers, Start of Low and Slow Attack
-> These kinds are comparatively more challenging to prevent against. They are bots developed in PhantomJS and Selenium frameworks, that can perform the demands step by step and execute challenges that are used to tackle the bots from the first and second generations. However, they have a slower run-time compared to the first and second-generation bots. Recognizing and blocking the third-generation bots could be achieved by executing challenging tests like Captcha.
Example: Frameworks such PhantomJS, Selenium
Detection: Challenge tests and fingerprint
Gen 4: Bots Mimic Human Behaviour Such as Non-Linear Mouse Movements
-> These bots can mimic the actions of a genuine browser. Examples of this generation of bots are Headless browsers (such as headless Chromium), and confronting them using complex techniques based on artificial intelligence would be effective.
Example: Headless browsers, such as Chromium Headless
Detection: Smart challenges or AI-Based Solutions
So now, that we do understand bot generations, for everyone who is not aware, since I saw tons of comments claiming that Cloudflare is effective with "right configurations", that's not true, Cloudflare is still struggling to fight Gen3, which means, you'll not block Gen3/Gen4 on Cloudflare without proceeding to block requests based on known patterns or IP-Reputation, which would, of course, generate false positives.
Hazi attack is Gen4 bots, which are capable to bypass most Javascript challenges and Captchas, that's why path.net simple testcookie couldn't avoid those bots.
Also, you need to understand that Gen4 bots fully mimic a genuine browser which means a Deep Packet Inspection couldn't do the job for mitigation.
Deep Packet Inspection is enough to fully mitigate Gen1 and Gen2, and even drop 80% of packets of Gen3, but DPI can't do anything against Gen4, there are indeed other ways to detect Gen4 that of course, I can't reveal here.
Mitigation systems need to understand that just because their customers don't get attacked by Gen4 Generation doesn't mean it doesn't exist, most of Gen4 are seen in illegal-money-grabbing communities, such as DDoS-For-Hire, or Private Server Gaming (such as Metin2), that's why you don't see it much around.
Most providers and mitigation services are not aware of these threads, since today I didn't see anyone capable of mitigating Gen4, it can seem like a disaster, but right now we still don't see big companies or big websites under a Gen4 attack, that's also since it doesn't generate much req/s as Gen1,2,3, so most of the Individuals or bad-optimized websites are a target for them.
For everyone here,
This attack is being launched by a BotNet using Gen4, DDoS-For-Hire service likes to call this method "Browser Emulator", the attack is pretty big, our Proxy is getting about 300.000 req/s, mixed with Gen3, Gen2, and malformed attacks seem like Gen3 and Gen2 are trying to Eat the CPU while Gen4 is trying to bypass any existent protection.
Some Gen4 logs -> https://imgur.com/a/WZOazID
Understand something, Diamwall protection fully detects 4Gen generation, but instead of dropping the traffic we redirect them to a captcha (not ReCaptcha or HCaptcha), we prefer our captcha with our verifications.
Humans, shouldn't see a captcha, of course since we are on BETA there are still some false positives.
For people receiving equal attacks,
Don't try to mitigate the attack yourself you need a mitigation infrastructure 'helping' you, this attacks can't get mitigated alone, they are CPU-Exhaustive due to the number of SOCKETS that Gen3 is opening over TLS, and due to the Gen4 bypassing the protection without you even noticing it.
If this is the same attack, our systems flagged all the IPs and inserted them into our Database, I can share them with you so you avoid the same attack, you can simply drop these IPs (this might not do the job that you expect, such as stopping an attack).
IP List: https://static.diamwall.com/cdn-cgi/report/hazi/ips.txt
IP Results:
As we don't want to wait until tomorrow let's leave the result of 11k IPs: https://imgur.com/a/r3vCexh
-> Replying to last comments: This is not about the company, we are currently on OVH running our BETA, that's why we don't have our BGP yet.
-> Using OVH or using any other company doesn't matter much here (The mitigation infrastructure matters to be able to mitigate L4 attacks).
-> In our case, we are running a big OVH Machine for our BETA and is working as expected.
I'll not write more, I don't want a bible here, for companies or individuals being attacked, never pay to attackers, and remember: You don't have to fight this alone, there are people here and mitigation services ready to help you.
I hope everything can be fine with hazi from now on.
Best Regards,
Miguel Miranda
Ok time out.
Sorry, I mean no disrespect here sir but who are you again, and how are you affiliated with HAZI?
EDIT: Nevermind - Just read the comments in this thread and noticed that you're now "protecting" HAZI, as mentioned by Florin 👌
I never thought I'd see TR here 🤣
Indeed CF protection is a joke.
Montgomery County MD, Ride On Bus WiFi, public IP 166.151.247.68
He is Ch3p. But also his past are not completly "clean"
You probably are helping them but for which time? We also know you in the past that you have been DDoSed after being kicked out from Metin2 Servers...
Hi Miguel!
Want to do an Interview for Low End Box?
For example, here is Florin's interview: https://lowendbox.com/blog/anonymity-is-okay-at-hazi-ro-interview-with-florinmarian/
Everyone is curious! Even @DP! 🙂
Friendly greetings!
Tom
Hello,
Yes, that's sure, I don't have a clean past in the metin2 community, either I did "good things" in the past.
Right now I'm also working with most of Metin2 Servers providing security, I don't let any server be attacked even if that means providing free services.
As evident, someone so related to DDoS Mitigation, had to be in the DDoS World, right now I'm trying to do the best I can in order to mitigate DDoS Attacks (or any other malicious attack) and also provide other security services.
If in the past years you were attacked by me or got any issues with me, I'm sorry for that, remember that I was only a kid, and like everyone else, I did grow up and followed what 'I Love'.
I hope you understand!
Best Regards!