HAZI.ro - new unclaimed DDoS attacks | Is your provider here too?

FlorinMarian Member, Host Rep

Good evening!
Because there was a lot of silence, someone thought to restart the DDoS attacks on our website and again, there was no dispute with anyone before the start of this attack, so we have no idea who is attacking and why, but it is irrelevant.
What I want to share with you (both my clients and potential clients) is the fact that we will not be beaten and moreover last Monday my research topic was approved for my bachelor's degree at the Faculty of Computer Science where I study in the last year and refers exactly to protection methods against Layer4 and Layer7 attacks, the most common attack methods today.
Until I come with news on the research side, I leave below the list of IP addresses that were blocked because they are with 100% accuracy sources of attacks. The list is created by analyzing the access log, but overnight we also had CloudFlare and although it did not assure us that the website runs without problems, it blocked no less than 700 million requests in only 8 hours.
https://pastebin.com/nbkNu4Xf

Comments

  • yoursunny Member, IPv6 Advocate

    1 push-up per IP address.
    You'll be safe from DDoS, guaranteed.

    Thanked by 2ralf greentea
  • Pull the plug off. For a week or few. Tell clients that this is for their own good. You will save electricity too.

  • Weren't you protected by diamwall?

    Thanked by 1Blazingfast_IO
  • Not_Oles Moderator, Patron Provider

    @FlorinMarian @dosai

    Yeah, Hi Florin! What's happening with @MiguelM and diamwall.com?

    https://lowendtalk.com/profile/MiguelM says: "Last Active July 18"

  • FlorinMarian Member, Host Rep

    @Not_Oles said:
    @FlorinMarian @dosai

    Yeah, Hi Florin! What's happening with @MiguelM and diamwall.com?

    https://lowendtalk.com/profile/MiguelM says: "Last Active July 18"

    Hello!
    I had a discussion with Miguel today and he told me that the project has evolved, now they have a dashboard through which clients can add their own domains and pay their bills.
    Unfortunately, I can't afford to be their client because at the moment the project is in the BETA phase, the CDN for a personal website costs 20 euros per month and in the case of a small business the price is 200 euros per month. I received a 50% discount on the condition that I promote them in certain predetermined ways, but I refused because the price is much higher than what I am willing to offer.
    I want to thank him anyway, he saved my skin a few months ago without a doubt.

    Thanked by 2Not_Oles greentea
  • @dosai said:
    Weren't you protected by diamwall?

    Gen 12 bots entered the game

  • yoursunny Member, IPv6 Advocate

    Mentally strong people deploy enough capacity to serve all requests, regardless of whether they come from human or bots.

    We have 4U server with 8 PCIe x16 slots.
    Each slot fits a ConnectX-5 dual-port 100 Gbps Ethernet adapter.
    That's 1.6 Tbps network capacity per server.

    Thanked by 1Blazingfast_IO
  • @yoursunny said:
    Mentally strong people deploy enough capacity to serve all requests, regardless of whether they come from human or bots.

    We have 4U server with 8 PCIe x16 slots.
    Each slot fits a ConnectX-5 dual-port 100 Gbps Ethernet adapter.
    That's 1.6 Tbps network capacity per server.

    Sounds more like “walletly thick” people

    Thanked by 1tjn
  • @jmaxwell said:

    @yoursunny said:
    Mentally strong people deploy enough capacity to serve all requests, regardless of whether they come from human or bots.

    We have 4U server with 8 PCIe x16 slots.
    Each slot fits a ConnectX-5 dual-port 100 Gbps Ethernet adapter.
    That's 1.6 Tbps network capacity per server.

    Sounds more like “walletly thick” people

    The same people shop at balenciaga. They all brag.

  • my research topic was approved for my bachelor's degree at the Faculty of Computer Science where I study in the last year and refers exactly to protection methods against Layer4 and Layer7 attacks, the most common attack methods today.

    Maybe one of those faculty thought “oh this guy owns a hosting company let’s see if he has implemented those ‘protection methods’ himself “

  • risharde Patron Provider, Veteran

    @FlorinMarian said:

    @Not_Oles said:
    @FlorinMarian @dosai

    Yeah, Hi Florin! What's happening with @MiguelM and diamwall.com?

    https://lowendtalk.com/profile/MiguelM says: "Last Active July 18"

    Hello!
    I had a discussion with Miguel today and he told me that the project has evolved, now they have a dashboard through which clients can add their own domains and pay their bills.
    Unfortunately, I can't afford to be their client because at the moment the project is in the BETA phase, the CDN for a personal website costs 20 euros per month and in the case of a small business the price is 200 euros per month. I received a 50% discount on the condition that I promote them in certain predetermined ways, but I refused because the price is much higher than what I am willing to offer.
    I want to thank him anyway, he saved my skin a few months ago without a doubt.

    Forgive me for the question, this is not intended to shame you so please LET members do not use this for creating unnecessary drama. Is it that the cost of diamwall after discount is 100 EUR per month (50 percent of 200 EUR)? Or is the price more than this? Just wanted to make sure because the assumption can be easily made that 1. Diamwall is able to block the attack and 2. It's 100 EUR per month which is a lot but not out of the reach of many providers for the level of protection if it will stop the attacks.

    If this is the case, how drastic would your prices increase to make use of this option? If not drastic then there is your short term answer.

  • Advin Member, Patron Provider
    edited October 2022

    I'm not up to date on this, so forgive me if I'm wrong, but can't you just use Cloudflare and run a captcha all rule? Or is this targeting your subnets?

    Thanked by 1tjn
  • @Advin said:
    I'm not up to date on this, so forgive me if I'm wrong, but can't you just use Cloudflare and run a captcha all rule? Or is this targeting your subnets?

    Not really, it is very easy to bypass that.

  • @FlorinMarian It is Tiny, he is attacking you because you terminated his VPS. Just apologize to him and the attacks will end.

  • stefeman Member
    edited October 2022

    @FlorinMarian Why not copy kiwi farms with L7 protection? https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS

    Seems to work for them lol.

    Thanked by 1FlorinMarian
  • @Advin said:
    I'm not up to date on this, so forgive me if I'm wrong, but can't you just use Cloudflare and run a captcha all rule? Or is this targeting your subnets?

    In the last DDoS wave series, Florin tried CF and probably all those within budget but the attacks still continued and then someone called Diamwall appeared explaining that the attacks are coming from some Gen 3 (or 4? can’t remember) bots which mimic human activity pattern closely thus traditional mitigation methods are ineffective. He claimed his own DDoS mitigation service can prevent such attacks and Florin was given a free trial or something which was found effective.

    Thanked by 1FlorinMarian
  • @jmaxwell said: Florin tried CF

    Properly configured CF is unbeatable compared to rivals. Rough guide to basic CF security implementation:

    1. Go with PRO plan;
    2. Do not deploy MX on the same server;
    3. Enable WAF, tune it on strict;
    4. Allow only CF IPs reach the server;
    5. Change server IP (different subnet) after enabling CF;
    6. Once again, adapt WAF ruleset;
    7. Rate limit;

    These are only basic steps. Highly doubt that clueless admin™ done even 3 of those steps.

    Once you lack in knowledge, you must hire specialists or go with managed services, which costs a lot.
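Added example, not part of the thread: an origin-side sketch of steps 4 and 7 from the list above, showing why the visitor address in `CF-Connecting-IP` can only be trusted when the TCP peer is a Cloudflare edge, and rate limiting on that address afterwards. The function and class names are hypothetical, and the ranges are a partial snapshot of Cloudflare's published IPv4 list used as demo data.

```python
import ipaddress
from collections import defaultdict, deque

# Partial snapshot of Cloudflare's published IPv4 ranges, used here as demo
# data; load the current list from https://www.cloudflare.com/ips-v4 in practice.
CF_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]


def real_client(peer, headers, nets=CF_NETS):
    """Return the visitor IP if the TCP peer is a Cloudflare edge, else None.

    CF-Connecting-IP is only trustworthy when the connection itself came from
    Cloudflare; from any other peer the header is attacker-controlled.
    """
    addr = ipaddress.ip_address(peer)
    if not any(addr in net for net in nets):
        return None  # direct hit on the origin: drop (step 4)
    claimed = headers.get("CF-Connecting-IP", "")
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return None  # missing or malformed header


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds per client (step 7)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget requests that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle(peer, headers, limiter, now):
    """Decide what the origin does with one request: 'drop', 'limit' or 'serve'."""
    client = real_client(peer, headers)
    if client is None:
        return "drop"
    return "serve" if limiter.allow(client, now) else "limit"
```

In production the peer check belongs in the firewall or web server so that non-Cloudflare packets never reach the application; the Python version only makes the trust decision explicit.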

  • @LTniger said:

    @jmaxwell said: Florin tried CF

    Properly configured CF is unbeatable compared to rivals. Rough guide to basic CF security implementation:

    1. Go with PRO plan;
    2. Do not deploy MX on the same server;
    3. Enable WAF, tune it on strict;
    4. Allow only CF IPs reach the server;
    5. Change server IP (different subnet) after enabling CF;
    6. Once again, adapt WAF ruleset;
    7. Rate limit;

    These are only basic steps. Highly doubt that clueless admin™ done even 3 of those steps.

    Once you lack in knowledge, you must hire specialists or go with managed services, which costs a lot.

    I only did 2, 4 & 5 and layer 7 attacks stopped soon after, also had to ensure image uploads via editor are proxied through a proxy server so potential bad actors can't get your server IP. Maybe if I get hit by those "new gen bots" I will upgrade to pro & utilise WAF.

  • yoursunny Member, IPv6 Advocate

    @jmaxwell said:

    @yoursunny said:
    Mentally strong people deploy enough capacity to serve all requests, regardless of whether they come from human or bots.

    We have 4U server with 8 PCIe x16 slots.
    Each slot fits a ConnectX-5 dual-port 100 Gbps Ethernet adapter.
    That's 1.6 Tbps network capacity per server.

    Sounds more like “walletly thick” people

    The ConnectX-5 is $1200 each.
    They can last many years.

    @LTniger said:
    The same people shop at balenciaga. They all brag.

    I checked Balenciaga.
    They sell hoodies for $1150 each.
    I can get the same from Target for $30 each.

    I often play in the mud and that ruins hoodies over time.
    Thus, I only get the cheapest ones.

  • borowsky Member
    edited October 2022

    @LTniger said:
    Once you lack in knowledge, you must hire specialists or go with managed services, which costs a lot.

    Depends on how much time and effort you are willing to spend (and how critical the issues are).
    By trying to resolve issues on your own you are automatically getting more and more knowledge.
    It's not like an explosion but a slow learning curve.
    Getting attacked and trying to mitigate those issues are good starting points (not necessarily when you are a host provider).

  • ❯  nslookup www.diamwall.com
    Server:         127.0.2.2
    Address:        127.0.2.2#53
    
    Non-authoritative answer:
    www.diamwall.com        canonical name = proxy.diamwall.com.
    Name:   proxy.diamwall.com
    Address: 167.114.13.215
    
    NetRange:       167.114.13.212 - 167.114.13.215
    CIDR:           167.114.13.212/30
    NetName:        OVH-CUST-224599973
    NetHandle:      NET-167-114-13-212-1
    Parent:         OVH-ARIN-8 (NET-167-114-0-0-1)
    NetType:        Reassigned
    OriginAS:       AS16276
    Customer:       LDA, DiamWall (C08779046)
    RegDate:        2022-07-28
    Updated:        2022-07-28
    Ref:            https://rdap.arin.net/registry/ip/167.114.13.212
    
    

    Why are they using OVH services directly without their own firewall? Do they really support IPv6? If you choose diamwall, why don't you just use OVH's Anti-DDoS and WAF service? :)

  • @FlorinMarian said:
    Unfortunately, I can't afford to be their client because at the moment the project is in the BETA phase, the CDN for a personal website costs 20 euros per month and in the case of a small business the price is 200 euros per month. I received a 50% discount on the condition that I promote them in certain predetermined ways, but I refused because the price is much higher than what I am willing to offer.
    I want to thank him anyway, he saved my skin a few months ago without a doubt.

    I can't remember the discussion too well, but have some recollection there was speculation at that time that he might also have been behind the attack in order to promote his service. If that was true, it wouldn't be an amazing coincidence if the attacks started up again not long after you cancel the service.

    Thanked by 2Blazingfast_IO adly
  • What does your bachelor's have to do with DDoS and how is that relevant at all?

    And, "research topic"? Do you mean normal classwork?

    Or you meant to write Master's / Ph.D.?

  • @yoursunny said:

    @jmaxwell said:

    @yoursunny said:
    Mentally strong people deploy enough capacity to serve all requests, regardless of whether they come from human or bots.

    We have 4U server with 8 PCIe x16 slots.
    Each slot fits a ConnectX-5 dual-port 100 Gbps Ethernet adapter.
    That's 1.6 Tbps network capacity per server.

    Sounds more like “walletly thick” people

    The ConnectX-5 is $1200 each.
    They can last many years.

    @LTniger said:
    The same people shop at balenciaga. They all brag.

    I checked Balenciaga.
    They sell hoodies for $1150 each.
    I can get the same from Target for $30 each.

    I often play in the mud and that ruins hoodies over time.
    Thus, I only get the cheapest ones.

    I just saw your video about the mud. What the actual f was that. So creepy but cool. Grown ass man with clothes goes to the mud and submerges. Complete silence. That's how you fight ddos

    Thanked by 1yoursunny
  • @LTniger said:

    @yoursunny said:

    @jmaxwell said:

    @yoursunny said:
    Mentally strong people deploy enough capacity to serve all requests, regardless of whether they come from human or bots.

    We have 4U server with 8 PCIe x16 slots.
    Each slot fits a ConnectX-5 dual-port 100 Gbps Ethernet adapter.
    That's 1.6 Tbps network capacity per server.

    Sounds more like “walletly thick” people

    The ConnectX-5 is $1200 each.
    They can last many years.

    @LTniger said:
    The same people shop at balenciaga. They all brag.

    I checked Balenciaga.
    They sell hoodies for $1150 each.
    I can get the same from Target for $30 each.

    I often play in the mud and that ruins hoodies over time.
    Thus, I only get the cheapest ones.

    I just saw your video about the mud. What the actual f was that. So creepy but cool. Grown ass man with clothes goes to the mud and submerges. Complete silence. That's how you fight ddos

    he's actually getting probiotics and improving his immunity system.

    maybe that's helping him do more push ups.

    Thanked by 1yoursunny
  • @cybertech said:

    @LTniger said:

    @yoursunny said:

    @jmaxwell said:

    @yoursunny said:
    Mentally strong people deploy enough capacity to serve all requests, regardless of whether they come from human or bots.

    We have 4U server with 8 PCIe x16 slots.
    Each slot fits a ConnectX-5 dual-port 100 Gbps Ethernet adapter.
    That's 1.6 Tbps network capacity per server.

    Sounds more like “walletly thick” people

    The ConnectX-5 is $1200 each.
    They can last many years.

    @LTniger said:
    The same people shop at balenciaga. They all brag.

    I checked Balenciaga.
    They sell hoodies for $1150 each.
    I can get the same from Target for $30 each.

    I often play in the mud and that ruins hoodies over time.
    Thus, I only get the cheapest ones.

    I just saw your video about the mud. What the actual f was that. So creepy but cool. Grown ass man with clothes goes to the mud and submerges. Complete silence. That's how you fight ddos

    he's actually getting probiotics and improving his immunity system.

    maybe that's helping him do more push ups.

    @yourmuddy

  • @yoursunny said:

    @jmaxwell said:

    @yoursunny said:
    Mentally strong people deploy enough capacity to serve all requests, regardless of whether they come from human or bots.

    We have 4U server with 8 PCIe x16 slots.
    Each slot fits a ConnectX-5 dual-port 100 Gbps Ethernet adapter.
    That's 1.6 Tbps network capacity per server.

    Sounds more like “walletly thick” people

    The ConnectX-5 is $1200 each.
    They can last many years.

    @LTniger said:
    The same people shop at balenciaga. They all brag.

    I checked Balenciaga.
    They sell hoodies for $1150 each.
    I can get the same from Target for $30 each.

    I often play in the mud and that ruins hoodies over time.
    Thus, I only get the cheapest ones.

    Mentally strong people enter mud butt naked and goes in all the way.

    Thanked by 1yoursunny
  • Void Member
    edited October 2022

    And stay there

  • jtk Member

    @FlorinMarian said:
    Until I come with news on the research side, I leave below the list of IP addresses that were blocked because they are with 100% accuracy sources of attacks.

    Would be interesting to know some stats on rate/contribution of some of those addresses. Many of them are Tor nodes. Also, what if any similarities in the request details that were part of the attack.
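Added example, not part of the thread: one way to produce the per-address statistics asked about above from a web server access log, giving each source's request count, share of total traffic and peak requests per second, plus the request traits most sources have in common. The log lines are constructed (documentation IP ranges, made-up user agents) and the function names are hypothetical; the format assumed is the nginx/Apache "combined" layout.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in "combined" log format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2022:21:00:01 +0300] "GET /?s=r1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed-bot)"
203.0.113.5 - - [12/Oct/2022:21:00:01 +0300] "GET /?s=r2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed-bot)"
198.51.100.23 - - [12/Oct/2022:21:00:01 +0300] "GET /?s=r3 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed-bot)"
203.0.113.5 - - [12/Oct/2022:21:00:01 +0300] "GET /?s=r4 HTTP/1.1" 503 0 "-" "Mozilla/5.0 (constructed-bot)"
198.51.100.23 - - [12/Oct/2022:21:00:01 +0300] "GET /?s=r5 HTTP/1.1" 503 0 "-" "Mozilla/5.0 (constructed-bot)"
192.0.2.10 - - [12/Oct/2022:21:00:02 +0300] "GET /vps HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (constructed-browser)"
203.0.113.5 - - [12/Oct/2022:21:00:02 +0300] "GET /?s=r6 HTTP/1.1" 503 0 "-" "Mozilla/5.0 (constructed-bot)"
198.51.100.23 - - [12/Oct/2022:21:00:03 +0300] "GET /?s=r7 HTTP/1.1" 503 0 "-" "Mozilla/5.0 (constructed-bot)"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def source_stats(log_text):
    """Per-IP request count, share of all requests and peak requests in one second."""
    per_ip = Counter()
    per_ip_sec = defaultdict(Counter)  # ip -> {second: requests in that second}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing mid-incident
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]] += 1
        per_ip_sec[m["ip"]][ts] += 1
    total = sum(per_ip.values())
    return {ip: {"requests": n, "share": n / total,
                 "peak_rps": max(per_ip_sec[ip].values())}
            for ip, n in per_ip.most_common()}  # heaviest sources first


def shared_traits(log_text, top=1):
    """Most common (method, path without query string, user agent) combinations."""
    traits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            # Randomised query strings are stripped so cache-busting requests group together.
            traits[(m["method"], m["path"].split("?")[0], m["ua"])] += 1
    return traits.most_common(top)
```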

  • jackb Member, Host Rep
    edited October 2022

    @Rosebelle said:
    What does your bachelor's have to do with DDoS and how is that relevant at all?

    And, "research topic"? Do you mean normal classwork?

    Or you meant to write Master's / Ph.D.?

    I don't know how it works where he is in Romania, but in the UK you do an undergraduate dissertation where you research a topic independently and write 8-15k words about it.

    This can be on existing work (usually unlike a PhD) - or novel work as would be done on a PhD, but obviously a PhD's expectations are higher.

    Thanked by 2Stryp yoursunny