Yes, It REALLY is Friday the 13th!

[Admin]

As you probably noticed, we have had a huge amount of trouble today.

The host reports that RWD has been subject to a "distributed denial of service attack" coming from "many sources around the world." There seems to be some evidence of the problems emanating from Estonia, but we are checking further.

I *think* we are pretty stable now - but then, I thought so last week as well, so we shall see.

Apologies for the frustration and inconvenience suffered as a result of this garbage.

- Dan

[Chicagoguy]

It is interesting that RWD would be a target. Maybe that confers some new special
"status" on RWD ?   

[BC]

It is interesting that RWD would be a target. Maybe that confers some new special
"status" on RWD ?   

They say that the tallest tree in the forest is the one everyone wants to bring down.

[Gator]

Dan,

I am not familiar with the techniques that saboteurs use.  In simple terms, what happened?

[Admin]

Dan,

I am not familiar with the techniques that saboteurs use.  In simple terms, what happened?

Gator,

I am not real familiar with the techniques either. My understanding is, in this case, they utilized PC's from numerous locations that had been infected so that commands might be executed from all the infected PC's. Those PC's then mount a coordinated "attack" by sending huge amounts of traffic and/or sending commands to the target that require a lot of processing. When enough traffic/commands are sent, the target server crashes due to the weight of all the demand placed upon it.

Wikipedia has a better explanation, found here -- http://en.wikipedia.org/wiki/Denial-of-service_attack

- Dan

[diverboy70]

Glad you are up again!

I noticed that it was impossible to access the site earlier today!

Somebody here pissed of some IT-girl?

[Gator]

Diver, funny. 

Dan, somebody really does not like you to go to so much trouble.  Other than diver's example, a disgruntled agency bad mouthed on RWD pages?  A competitor?  Someone with no social life and too much time on their hands?

[Admin]

Diver, funny. 

Dan, somebody really does not like you to go to so much trouble.  Other than diver's example, a disgruntled agency bad mouthed on RWD pages?  A competitor?  Someone with no social life and too much time on their hands?

Gator,

There are really only a couple of possibilities.

I think it might be someone that is an odd combination of your latter two - "A competitor?  Someone with no social life and too much time on their hands?" - although there really is no serious competition to RWD. We are the biggest, most popular, most active, and highest integrity site of this sort on the net - by a very large margin.

In our history, we have NEVER sought to impugn other sites, nor to take any of our issues elsewhere.

As for the attacks, we are digging a bit deeper, and may be able to identify the source. If so, I am not sure it will be announced - depending on the actions we may pursue.

- Dan

[Admin]

Folks - we are now finding that several of our members have computers that were involved in the DDOS attack yesterday.

The attacks came from computers in the US, Norway, Australia, Germany, and a few others. Those RWD members that I have identified were a part of the attack, I do NOT believe intended to be involved. Their computers were compromised/infected - almost certainly through the malicious actions of others.

If you know of anyone having a problem accessing the site, it is possible their computers were used as part of the DDOS attack, and the hosting company made the decision to block their IP. Please have them send me an email to: icpilot_at_yahoo.com.

- Dan

[Ade]

Folks - we are now finding that several of our members have computers that were involved in the DDOS attack yesterday.

The attacks came from computers in the US, Norway, Australia, Germany, and a few others. Those RWD members that I have identified were a part of the attack, I do NOT believe intended to be involved. Their computers were compromised/infected - almost certainly through the malicious actions of others.

If you know of anyone having a problem accessing the site, it is possible their computers were used as part of the DDOS attack, and the hosting company made the decision to block their IP. Please have them send me an email to: icpilot_at_yahoo.com.

- Dan

Norway? Do you have many people coming in from there? As far as I can tell I've no malicious process running although it's possible that I wouldn't have noticed.

I think it's unlikely that you could track the true originating source. AFAIK it's even possible to purchase pre-seeded DDOS farms from people in Eastern Europe and the far East and probably elsewhere. Unfortunately it doesn't take a computer genius to set these DDOS attacks up either, just a script kiddie with too much spare time.

[Admin]

Norway? Do you have many people coming in from there? As far as I can tell I've no malicious process running although it's possible that I wouldn't have noticed.

I think it's unlikely that you could track the true originating source. AFAIK it's even possible to purchase pre-seeded DDOS farms from people in Eastern Europe and the far East and probably elsewhere. Unfortunately it doesn't take a computer genius to set these DDOS attacks up either, just a script kiddie with too much spare time.

SJ,

I replied to your PM.

As for the culprits - well, we shall see.

- Dan

[Sculpto]

Folks - we are now finding that several of our members have computers that were involved in the DDOS attack yesterday.

The attacks came from computers in the US, Norway, Australia, Germany, and a few others. Those RWD members that I have identified were a part of the attack, I do NOT believe intended to be involved. Their computers were compromised/infected - almost certainly through the malicious actions of others.

If you know of anyone having a problem accessing the site, it is possible their computers were used as part of the DDOS attack, and the hosting company made the decision to block their IP. Please have them send me an email to: icpilot_at_yahoo.com.

- Dan

Dan, My computer at work has not been able to get access to the forum for several weeks.  I had suspected I might be infected with something going back to the period right after my dispute with HRB.  Here is my evidence.  On three seperate occasions someone accessed my yahoo web mail account and sent out spam to everyone in my address book.  The spam led to a farse site that purported to be selling products froma chinese vendor for very cheap, but, a click on any link on the farse site downloaded bugs onto the users machine.  It was a real mess and a lot of people at first thought I was behind it.  I tried to have my password changed but got nothing but the runaround from yahoo.  I subsequently removed all addresses from my webmail account and there have been no further attacks that I could identify, except, for a few weeks I was being bombarded by what looked like mailer daemons that appeared to be coming from Russian webmail and other hosts.  I was told by a techie friend that those mailer daemons were in fact fakes.  I had thought perhaps my boss had blocked access to RWD because I was spending so much time here, but, now with what you are saying I doubt that.  The problem is, we are behind a firewall and the boss refuses to believe that any of our computers could be infected with worms or trojans and therefore will nto spend the money for any anti virus programs.  I am going to download a free prog next week and see if it turns anything up.  If you want to send me a pm perhaps we can determine if any of the DoS was coming from my machine.  If so I apologize.

And, for those who are not aware how DoS attacks work.. it goes somethign like this, but, there are variations.  The hacker creates a clandestine network of infected machines.  They can be linked via IRC subteranean networks and therefore escape detection.  High quality trojans typically are able to escape detection by norton and other commercial anti virus progs.  It is possible for a prolific hacker to have literally thousands of compromised machines on his clandestine network.  When the hacker wants to shut down a site like RWD he simply directs all of the machines on his network to send requests or pings or packets to the IP Addy he is attacking.  So much info is being directed at the host that it simply becomes overloaded and fails.  Nowadays the hackers probably use scripts to do this and they may no longer need to maintain the clandestine networks simply using worms with timers to launch a coordinated attack, or, sending an attack code simultaneaously to all machines he has managed to compromise.

I suspect if RWD is being attacked in this form it will be practically immpossible to determine the true source of the attack.  The reason is simple.. we have pissed someone off.. this isnt a script kiddie.  The economy is slowing down and agencies are more than likely feeling it.  Given the fact that many here are anti agency and there has been vitriol aimed at certain sites and agencies some scumbag loser who is seeing revenue drop because of the economy might be trying to blame us and is lashing out. 

I also want to mention that after a long lull without any random scam attempts I have recieved scam mail today.  Watch out guys.. someone may be out to get us.

And one last thing.. Dan.. if any of my outrage about scam agencies and sites has harmed RWD or attracted the scumbags who are doing this I sincerely apologize.  If htere is anything I can do to help please pm me and let me know. 

[Admin]

Dan, My computer at work has not been able to get access to the forum for several weeks.  I had suspected I might be infected with something going back to the period right after my dispute with HRB.  Here is my evidence.  On three seperate occasions someone accessed my yahoo web mail account and sent out spam to everyone in my address book.  The spam led to a farse site that purported to be selling products froma chinese vendor for very cheap, but, a click on any link on the farse site downloaded bugs onto the users machine.  It was a real mess and a lot of people at first thought I was behind it.  I tried to have my password changed but got nothing but the runaround from yahoo.  I subsequently removed all addresses from my webmail account and there have been no further attacks that I could identify, except, for a few weeks I was being bombarded by what looked like mailer daemons that appeared to be coming from Russian webmail and other hosts.  I was told by a techie friend that those mailer daemons were in fact fakes.  I had thought perhaps my boss had blocked access to RWD because I was spending so much time here, but, now with what you are saying I doubt that.  The problem is, we are behind a firewall and the boss refuses to believe that any of our computers could be infected with worms or trojans and therefore will nto spend the money for any anti virus programs.  I am going to download a free prog next week and see if it turns anything up.  If you want to send me a pm perhaps we can determine if any of the DoS was coming from my machine.  If so I apologize.

And, for those who are not aware how DoS attacks work.. it goes somethign like this, but, there are variations.  The hacker creates a clandestine network of infected machines.  They can be linked via IRC subteranean networks and therefore escape detection.  High quality trojans typically are able to escape detection by norton and other commercial anti virus progs.  It is possible for a prolific hacker to have literally thousands of compromised machines on his clandestine network.  When the hacker wants to shut down a site like RWD he simply directs all of the machines on his network to send requests or pings or packets to the IP Addy he is attacking.  So much info is being directed at the host that it simply becomes overloaded and fails.  Nowadays the hackers probably use scripts to do this and they may no longer need to maintain the clandestine networks simply using worms with timers to launch a coordinated attack, or, sending an attack code simultaneaously to all machines he has managed to compromise.

I suspect if RWD is being attacked in this form it will be practically immpossible to determine the true source of the attack.  The reason is simple.. we have pissed someone off.. this isnt a script kiddie.  The economy is slowing down and agencies are more than likely feeling it.  Given the fact that many here are anti agency and there has been vitriol aimed at certain sites and agencies some scumbag loser who is seeing revenue drop because of the economy might be trying to blame us and is lashing out. 

I also want to mention that after a long lull without any random scam attempts I have recieved scam mail today.  Watch out guys.. someone may be out to get us.

And one last thing.. Dan.. if any of my outrage about scam agencies and sites has harmed RWD or attracted the scumbags who are doing this I sincerely apologize.  If htere is anything I can do to help please pm me and let me know. 

At the moment, we have identified a modest number of servers involved in the DDOS attacks. Of those, only two are known to belong to RWD members, with one or two others being *possibly* linked to RWD members. The others have no apparent connection to RWD members.

We are narrowing things down. It may take some time yet.

- Dan

[Shadow]

Just to make clear that a real pro DDos attacker will use badly protected Linux servers which are online 24/7. Many webservers are setup rather poorly as people believe that Linux is less vulnerable. Especially small hosts where clients know the CEO such as are appearing in the FSU and South America are vulnerable as the owner thinks way too little about security and believes in solving problems locally only without checking if the traffic generated might be illegal.