Happy new year everyone,
I'm back online to put out a fire. My inbox was full of alerts that the CPU on the server that runs the site was maxing out.
Well boys and girls, it turns out www.turnkeylinux.org has been under an escalating distributed denial of service attack that started about two weeks ago. To the best of my knowledge the site continued operating normally. We use a ton of caching. Did any of you notice a slowdown?
Lucky for us the "attack" was braindead simple so it was easy to figure out what was happening and block the offending IPs. 32 nodes from 4 Chinese /16 network blocks which I sincerely hope aren't home to any TurnKey fans:
220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
All using the same User Agent:
Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Supposedly identifies as Firefox but from the logs it's transparent it isn't behaving like a real browser. For example, a real browser gets CSS and image files. This just crawls all over the site and POSTs a zillion times the kind of predictable crap our spam filter blocks half-asleep.
What does that sound like? Ah yes, a poorly programmed, incredibly persistent spam bot network from hell. None of the spam attempts went through our countermeasures but it still took up a ton of CPU time.
Being naturally inquisitive I investigated the offending IPs and it turns out most of them are running a remotely exploitable version of SSH (SSH-2.0-OpenSSH_4.3). I'm half tempted to run metasploit to get into these systems and clean away the spambot software as a public service but that's illegal and I'm a bit busy besides.
Wouldn't it be neat though if we had a net equivalent of the Justice League to deal with the kind of lowlife scum who commandeer hapless machines to run very low quality spam software?
Note that I tried doing the right thing and looked up the abuse contact for the network that was attacking us (and presumably thousands/millions of other sites) on WHOIS:
person: Jinneng Wang address: 17/F, Postal Building No.120 Changjiang address: Middle Road, Hefei, Anhui, China country: CN phone: +86-551-2659073 fax-no: +86-551-2659287 e-mail: email@example.com nic-hdl: JW89-AP mnt-by: MAINT-NEW changed: firstname.lastname@example.org 19990818 source: APNIC
Then instead of sending off an angry e-mail into the void I actually picked up the phone, dialed the number, and listened to some funky Chinese elevator music until some guy (Mr. Jinneng Wang I presume?) who didn't speak English picked up and eventually hung up on me after an akward mutually incomprehensible exchange. Of course. How could it be any different?
I don't get it, what's the point of putting up an abuse contact in the WHOIS records if the person listed doesn't speak English? Just list the abuse contact in Mandarin and get it over with.
Sometimes I feel like a character in a Neal Stephenson novel.