irc == Ddos in the UK? - Page 2

Comments

  • TheHackBox Member
    edited April 2013

    It's not IRC... it's competition trying to take out competitors...

  • How transparent have DCs been with these providers?

    The Maidenhead facility seems to be pretty forthcoming about the attacks. Mind you repeated info copied over as I am an end customer. Nothing extremely useful. They have with one VPS company spent many hours on the phone and dealing with attacks. Way more than I'd do for a customer that paid much more.

    Problem with the two UK facilities from my perspective is they are bringing the bad traffic in house and not snubbing it with their upstream. So incurring transit use and costs. Once the threshold is crossed regarding profitability, well the VPS company seems to be told to get out or pay up for the transit.

    @24khost, I am wondering in addition to the IRC allowed, how many servers each of these companies had deployed in the UK? An estimate... Range... whatever. Easy to see a 1-3 dedicated customer with tons of IPs and bad traffic as an issue the facilities just want gone.

    Hate to say it, but in many ways the entire issue really casts negative light on the industry here, the customers and the viability of said Crazy Eddie pricing.

  • I want to know why other providers who are not LET members are not having as many problems.

    Maybe because other providers who are not LET members do not rely on LEB/LET's offers section to bring in a majority of their revenues like a few of the providers here do. If LEB/LET is someone's primary customer acquisition method then the attacker probably regards other providers as the enemy, and the posting of a competing offer is seen as an act of war (which may be why in many cases the attacks occurred shortly after an offer was posted). The attacker should be spending their time developing a viable business plan instead of DDoSing because a reliance on a 3rd party site (or two sites if you include WHT) to generate the lion's share of your revenues can only lead to...the...deadpool.

  • Also how many of these providers allow tor exit nodes? There is another question.

    It might not just be one issue but multiple issues.

  • @24khost you will have a very hard time finding an LEB VPS provider in the UK that doesn't allow IRC. I mean, for sure some exist, but most of them allow IRC.
    evorack allow irc, vooservers allow irc, allsimple allow irc, XenVZ allow irc (on request), minivps allow irc, edis allow irc, NECS allow irc...

  • @Spirit per minivps TOS I thought it said no irc.. Could be wrong.

    I was looking at LET providers.

  • Spirit Member
    edited April 2013

    @24khost said: @Spirit per minivps TOS I thought it said no irc.. Could be wrong.

    Wrong.

    We are happy to accept users wanting to run IRC based services on our systems unless they are used for malicious activity. We do ask that you keep a quiet policy while operating your services or community as we will terminate any account that receives abuse notifications or repeated DDos attacks.

    -

    @24khost said: I was looking at LET providers.

    ?

  • LukeT Member

    @Spirit said: evorack allow irc

    Actually they don't :/

    "IRC Servers, XDCC, and free web hosting services are strictly prohibited"

  • Spirit Member
    edited April 2013

    @LukeT of course they allow it.
    IRC server = IRCd, not IRC clients, bouncers, bots... things most of us on IRC use.

  • LukeT Member

    @Spirit hm, maybe I misread the TOS :|

  • Spirit Member
    edited April 2013

    @LukeT no, no - you read it correctly, I just didn't explain it well :) There's a bit of a difference between hosting IRC clients and hosting IRC servers. Most VPS providers don't have an issue with hosting IRC clients but some of them dislike IRC servers. (IRC usage is allowed but not IRC servers).

    An IRC client is a program that allows you to connect to an IRC server.

  • edited April 2013

    @W1V_Lee said: Yeah, let's make a target list ffs, seriously, not all providers think it's a good idea to Shout about it.

    'ffs'? It's really not hard to make a list of UK providers. It's hardly a target list. If someone has the capability to mount these attacks I am sure they are capable of searching through here and LEB for UK offers. There are most likely a number of providers who are just dealing with these attacks hence 'publicly'.

    DDOS is an issue that affects most providers. I think the issue here is that when success is seen in an attack it will continue to fulfil its purpose. Which is why I raised the question about the DCs involved and how they are helping providers handle these attacks.

  • AnthonySmith Member, Patron Provider

    If no one is going to say this I will, these attacks are obviously some child (mentality wise) host who has managed to spend some time gathering up a mass of open resolvers and knows how to run an amplification attack, the DCs are just doing an amateur job of dealing with it.

    Given that all the serious lengthy attacks have been on OpenVZ hosts who are in the UK and very vocal in here about them I honestly think you can narrow it down to around 5 suspects and no doubt they are taking part in these discussions deflecting attention.

    I would ask that everyone stops with the UK DDOS threads and communicates privately if at all or sets up some scripts as I have to do a full network capture of all traffic for 10 - 15 minutes once 5+ pings are dropped from the gateway.

    If you want to send me your pcap formatted captures afterwards for analysis I am happy to go through them but please stop making this whole thing so public it is only going to put a smile on the face of the responsible person and will not achieve anything that a few select PM's can do without all the drama.

    (paste from UGVPS thread but applies)
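
The trigger described in the comment above (a time-boxed full capture once 5 or more gateway pings are dropped), as an added example that is not part of the original post or any poster's own script. The gateway address, interface name, output directory and function names are assumptions; the ping summary parsing and the `-W` timeout assume Linux iputils.

```shell
#!/bin/sh
# Added example (not from the thread): capture traffic when gateway pings drop.
GATEWAY="${GATEWAY:-192.0.2.1}"   # assumption: placeholder gateway (TEST-NET-1)
IFACE="${IFACE:-eth0}"            # assumption: uplink interface name
OUTDIR="${OUTDIR:-/var/tmp/ddos-pcap}"
PROBES=10            # pings per check
LOSS_THRESHOLD=5     # "5+ pings are dropped"
CAPTURE_SECS=900     # upper end of the 10-15 minute window

# Read ping output on stdin, print the number of lost probes.
# Accepts "N packets transmitted, M received" and "... M packets received".
lost_from_summary() {
  counts=$(sed -n 's/^\([0-9][0-9]*\) packets transmitted, \([0-9][0-9]*\) \(packets \)\{0,1\}received.*/\1 \2/p' | head -n 1)
  [ -n "$counts" ] || return 1    # no summary line: caller decides
  set -- $counts
  echo $(( $1 - $2 ))
}

# Succeeds when the loss count reaches the threshold.
should_capture() {
  [ "$1" -ge "$LOSS_THRESHOLD" ]
}

# Full-packet capture to a timestamped pcap, stopped by timeout(1).
capture() {
  mkdir -p "$OUTDIR"
  out="$OUTDIR/$(date -u +%Y%m%dT%H%M%SZ).pcap"
  timeout "$CAPTURE_SECS" tcpdump -n -i "$IFACE" -s 0 -w "$out"
  echo "$out"
}

monitor() {
  while :; do
    # A ping run with no summary (e.g. network unreachable) counts as total loss.
    lost=$(ping -c "$PROBES" -W 1 "$GATEWAY" 2>/dev/null | lost_from_summary) || lost=$PROBES
    if should_capture "$lost"; then
      echo "$(date -u +%FT%TZ) lost=$lost/$PROBES, capturing" >&2
      capture || true   # timeout exits 124 when it stops tcpdump; expected
    fi
    sleep 5
  done
}

# Run as: sh gateway-watch.sh monitor   (needs root for tcpdump)
if [ "${1:-}" = "monitor" ]; then monitor; fi
```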

  • What is the problem with even discussing it? It's not like security through obscurity is going to do any good with this stuff.

    Scan for LEB UK hosts, match against patterns + downtime ??? = profit

  • AnthonySmith Member, Patron Provider

    @blergh_ said: What is the problem with even discussing it?

    @AnthonySmith said: making this whole thing so public it is only going to put a smile on the face of the responsible person

  • @AnthonySmith
    Well, it has obviously already failed..

  • Yeah the let's be quiet and pretend we don't exist method won't work. That is unless you stop selling and making offers on here.

    It would be curious to seek out other LEB style or near in pricing UK providers in the two facilities in question and see how they have fared recently and TOS on IRC.

    I doubt this is a script kiddie. My money is on it being a provider in the market or near to it. VPS offers $20 and under. Not necessarily LEB territory. Face it, plenty of LEB buyers otherwise would be buying the similar product at the slightly higher price absent the LEB style offerings.

  • AnthonySmith Member, Patron Provider

    Your choice, my opinion stands and it comes from a qualified position.

    @blergh_ indeed kids will be kids.

  • Lee Veteran

    I am not saying it should not be discussed but as @AnthonySmith has said and is quite correct, it's the most vocal ones on this site that are the worst affected, discuss all you like, all I am saying is let's not start pulling other providers into this for no reason, what purpose does highlighting those that are not affected or are just more sensible than others by dealing with it away from here.

  • @W1V_Lee said: let's not start pulling other providers into this for no reason

    I can't see any names being called out publicly yet...

    Only OpenVZ hosts are being attacked however as mentioned which is really odd.

  • jar Patron Provider, Top Host, Veteran

    @AnthonySmith said: Your choice, my opinion stands and it comes from a qualified position.

    I would agree that Anthony's assessment of the situation is as educated and clear as it can be in this situation. If he says the best move is A, unless you've got a real good idea and quite frankly I haven't seen a new one on either of the two threads here, I'd say do A.

    Honestly, this brainstorming going on here, it's all great but it's all been done on here and you can dig through old threads to find it. The only thing I think hasn't been done is comparing client details, and that's risky business. I suggest it be considered, but it should be done in person, not packaged up and passed around the internet.

  • Lee Veteran

    @jarland said: risky business

    Uhuh, too risky, I like many others would not be happy at my personal info being passed about to hosts that have no right to see that information.

  • jar Patron Provider, Top Host, Veteran

    @W1V_Lee said: Uhuh, too risky, I like many others would not be happy at my personal info being passed about to hosts that have no right to see that information.

    That's why I said in person, and elsewhere said with nondisclosure agreements. Possibly with an external and legally responsible party in the middle. If it's that serious, it should be treated seriously.

  • I don't think the issue is an end client.

    My understanding is while the original attacks were narrow and focused, in recent weeks the attacks are multiple in nature and covering broad IP ranges.

  • Lee Veteran

    @Zen said: Gtfo

    That is the only response you need to quote if it's Ecatel.

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @Zen said: Ecatel

    I've got a solution for that too. You need a fake passport, a very convincing disguise.

  • ^ this is why Ecatel has been blocked / probably still is by some transit providers.

    As dangerous as total bans can be, there needs to be liability and recourse. Block Ecatel.

    If I stole a vehicle and ran into people, I am liable.

    Now if monthly people go to the same place, steal vehicles and run them into people, well they are liable, but the place providing the stolen vehicles runs out of legitimate excuses real quick. Laws and reasoning would push them out of business in fairly quick order.

    The Wild West routine of the internet needs lassoed.

  • superpilesos Member
    edited April 2013

    Blocking ecatel will not make any difference. Do you think that all spoofed traffic is coming from ecatel ? Anyone serious is probably running their own network or just using a botnet. Blocking ecatel would just block SEXY BOOTER KUSH BOOTER #1 ON HF etc. for all of 24 hours until they find another host to abuse

  • jar Patron Provider, Top Host, Veteran

    @superpilesos said: Blocking ecatel will not make any difference. Do you think that all spoofed traffic is coming from ecatel ? Anyone serious is probably running their own network or just using a botnet. Blocking ecatel would just block SEXY BOOTER KUSH BOOTER #1 ON HF etc. for all of 24 hours until they find another host to abuse

    The real solution is to rethink entire aspects of how the internet operates. This is a bug, a flaw, in the largest distributed system in the world. That the problem is so large in nature is of no concern, that it needs to be dealt with is. How many people came together to work on the supposed Y2K bug? We need that again. Problem is that the ones capable of gaining such cooperation can afford DDOS protection, so not dealing with it is a great way to keep the little guys down and prevent competition from rising from the ground up.

    My 2c.

  • There are things being done to stop spoofing.
    When I got my network set up in Germany they filtered traffic to only my /22. If I get additional allocations I need to tell them of them.
    But if everyone does this (not going to happen), then what? There are still the traditional attacks of botnets, hacked servers, etc.
