[–]magnora7[S] 32 insightful - 3 fun - (5 children)

Our connection counts log per hour looks like this:

7pm: 241,253 connections (normal traffic)

8pm: 227,166 connections

9pm: 3,918,069 connections

10pm: 11,287,220 connections

Seems like someone has a botnet at their disposal or something; there's no way one computer can generate so many requests, I don't think.

edit: 11pm: 6,990,516 connections

12am: 1,196,567 connections

So maybe getting back to normal...

edit2: I think it's done, we had a total of 23 million connection attempts in excess of normal (compared to 1 million normal connections over this same period). So they 23x'd our traffic for the duration of the attack, basically. But it wasn't evenly spread across time, so at the peak it was probably around 200x our normal traffic rate. D3rr and I learned a new spot to improve so our defenses only got better. Have a good night everyone!
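The excess-over-normal figure above is just per-hour connection counts compared against a quiet baseline. As an added example (not magnora7's or Saidit's code), the script below does that arithmetic over connection-log lines: it buckets lines by hour, takes the mean of the hours you designate as normal, flags any hour above a multiple of that baseline, and sums the excess. The log line format (`<ISO timestamp> <client ip>`), the sample lines, and the 5x threshold are assumptions; the hourly totals are the ones posted in the thread. Note that hourly buckets smooth out bursts inside an hour, so the peak multiple they yield is a lower bound on the true peak rate.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed sample of connection-log lines ("<ISO timestamp> <client ip>").
# These are made-up entries using RFC 5737 documentation addresses, not real logs.
SAMPLE_LOG = """\
2020-09-01T19:00:05 198.51.100.7
2020-09-01T19:12:40 198.51.100.8
2020-09-01T20:01:02 203.0.113.5
2020-09-01T21:00:00 203.0.113.9
2020-09-01T21:00:01 203.0.113.9
2020-09-01T21:00:01 203.0.113.9
2020-09-01T21:00:02 203.0.113.10
2020-09-01T21:00:02 203.0.113.11
2020-09-01T21:00:03 203.0.113.12
2020-09-01T21:00:03 203.0.113.13
2020-09-01T21:00:04 203.0.113.14
2020-09-01T21:00:04 203.0.113.15
2020-09-01T21:00:05 203.0.113.16
2020-09-01T21:00:05 203.0.113.17
"""

# The hourly totals posted in the thread, in chronological order.
THREAD_COUNTS: Dict[str, int] = {
    "7pm": 241253,
    "8pm": 227166,
    "9pm": 3918069,
    "10pm": 11287220,
    "11pm": 6990516,
    "12am": 1196567,
}


def hourly_counts(lines: Iterable[str]) -> "Counter[str]":
    """Count log lines per hour bucket keyed 'YYYY-MM-DD HH'.

    Buckets keep first-seen order, which is chronological for an
    append-only log.
    """
    counts: Counter = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue  # skip blank lines
        ts = line.split()[0]  # assumed format: timestamp first, then client ip
        dt = datetime.fromisoformat(ts)
        counts[dt.strftime("%Y-%m-%d %H")] += 1
    return counts


def analyse(counts: Dict[str, int], baseline_hours: List[str], threshold: int = 5) -> dict:
    """Flag hours whose count exceeds `threshold` x the mean of `baseline_hours`
    and total the connections above baseline in those hours."""
    baseline = sum(counts[h] for h in baseline_hours) // len(baseline_hours)
    flagged = [h for h in counts if counts[h] > threshold * baseline]
    excess = sum(counts[h] - baseline for h in flagged)
    peak_hour = max(counts, key=lambda h: counts[h])
    return {
        "baseline": baseline,
        "flagged": flagged,
        "excess": excess,
        "peak_hour": peak_hour,
        "peak_multiple": counts[peak_hour] / baseline,
    }


if __name__ == "__main__":
    print(analyse(hourly_counts(SAMPLE_LOG.splitlines()), ["2020-09-01 19", "2020-09-01 20"]))
    print(analyse(THREAD_COUNTS, ["7pm", "8pm"]))
```

Run against the thread's numbers with 7pm and 8pm as the baseline, the excess comes out to roughly 22.5 million, in line with the "23 million in excess of normal" figure above, and the peak hour is about 48x baseline.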

[–]wicklesnarf 12 insightful - 17 fun - (0 children)

I think about a million of those connection attempts were me. It just kept giving me endless bicycle captchas and wouldn't let me in. I thought maybe I was banished forever

[–]quipu 2 insightful - 1 fun - (1 child)

Check the IP ranges to see if they correlate to a known cloud provider or one of those P2P VPN services like Hola. If so you may be able to get someone banned for abuse.
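One way to do the correlation quipu suggests, as an added example that is not part of the original thread: map each offending IP onto a set of published provider ranges with Python's `ipaddress` module and group the hits per provider, which is the list you would attach to an abuse report. The provider names and CIDRs below are constructed placeholders (RFC 5737 / RFC 3849 documentation ranges), not real allocations; in practice you would load the ranges cloud providers publish. The sample IP list is also constructed.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed "provider -> CIDR blocks" table. Documentation ranges stand in
# for real provider allocations; replace with published range lists.
KNOWN_RANGES: Dict[str, List[str]] = {
    "example-cloud": ["192.0.2.0/24"],
    "example-vpn": ["198.51.100.0/25", "2001:db8::/32"],
}

# Constructed sample of source addresses seen during the surge.
SAMPLE_IPS = [
    "192.0.2.15", "192.0.2.200",
    "198.51.100.3", "198.51.100.77", "2001:db8::1",
    "203.0.113.9",      # not in any known range
    "not-an-ip",        # malformed entry, e.g. a mangled log line
]


def build_index(ranges: Dict[str, List[str]]) -> List[Tuple[str, ipaddress._BaseNetwork]]:
    """Parse CIDR strings once so lookups do not re-parse them per address."""
    return [(name, ipaddress.ip_network(cidr)) for name, cidrs in ranges.items() for cidr in cidrs]


def classify(ip: str, index) -> str:
    """Return the provider owning `ip`, 'unknown' if none matches, 'invalid' if unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    for name, net in index:
        # Skip networks of the other IP version; `in` would raise otherwise.
        if addr.version == net.version and addr in net:
            return name
    return "unknown"


def attribute_sources(ips: Iterable[str], index) -> "Counter[str]":
    """Count observed addresses per provider bucket."""
    return Counter(classify(ip, index) for ip in ips)


def group_by_provider(ips: Iterable[str], index) -> Dict[str, List[str]]:
    """Unique addresses per provider, sorted, ready for an abuse report."""
    groups = defaultdict(set)
    for ip in ips:
        groups[classify(ip, index)].add(ip)
    return {name: sorted(addrs) for name, addrs in groups.items()}


if __name__ == "__main__":
    idx = build_index(KNOWN_RANGES)
    print(attribute_sources(SAMPLE_IPS, idx))
    for provider, addrs in group_by_provider(SAMPLE_IPS, idx).items():
        print(provider, addrs)
```

The linear scan over networks is fine for a handful of providers; for millions of source addresses against thousands of prefixes you would collapse the ranges (`ipaddress.collapse_addresses`) and use a prefix tree instead.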

[–]magnora7[S] 2 insightful - 1 fun - (0 children)

Yeah, it's like 20 VPN services, or a really good VPN or something. The amount of IPs they have at their disposal is unreal.

[–]motionlessoracle 2 insightful - 1 fun - (1 child)

Just talking out loud, here.

Sometime around 10pm, traffic hit a maximum. This suggests that compromised devices were either being powered on or a huge batch of unblocked Tor exit nodes opened up (or something else I haven't thought of). The decay in traffic is probably Cloudflare identifying the attack IPs and clamping down on them, or else maybe those devices were slowly being powered down.

If the surge is because devices were being powered on, then that narrows the time range to the beginning of typical work hours or the beginning of typical leisure hours. Workplaces are usually (but not always) harder to compromise en masse, and many workplaces remain closed due to COVID, so my instinct is that this surge is powered by leisure activity. Since many of the people who can work from home are doing so, laptops and all, you wouldn't expect this kind of surge behavior if people were working all day at home on compromised laptops and then using the same laptops to switch to leisure activities. You'd expect a steady state. Routers and other IoT devices that are always on also wouldn't generate this pattern.

To me, this has the feel of compromised, internet connected devices that are not always on. Things like tablets and gaming consoles, or maybe point of sale terminals. Stuff with a physical on/off switch, or at least in a sleep state most of the day. The width of the surge is only about five hours long. That also suggests, to me, leisure devices more than workplace devices. It suggests a surge at end of workday and a taper when people go to bed.

Am I barking up the wrong tree?

[–]magnora7[S] 4 insightful - 1 fun - (0 children)

It wasn't Tor, we were monitoring Tor and traffic through Tor didn't increase. But they were using VPNs.

The traffic numbers are just the raw connection numbers, so there should be no smoothing or delay, but interesting ideas.

It does seem to take a while to "power up", which indicates to me it's a series of bots that they have to get started 1 by 1, and the fact it lasted almost exactly 4 hours indicates it's probably an hourly paid hire service. Like hire-a-DDoS. Otherwise they would just leave it on 24 hours a day, but they don't.

It's an odd situation, that's for sure. You have some good ideas in the right areas.