OzBargain under DDoS attack (Oct 2013)

scotty on 21/10/2013 - 10:05
Last edited 22/10/2013 - 15:42

You probably found the OzBargain is inaccessible or incredibly slow this morning. We have actually been under distributed-denial-of-service attack last night (20 Oct) and this morning. It lasted about 1.5 hours last night, and it has been 1.5 hours since the attack came back this morning and no sign of stopping so far.

It's traffic based DDoS with both UDP and ICMP flood. Basically our connection to the Internet is jammed by those illegitimate packets so the real users are not able to use OzBargain.

I have contacted our hosting provider (Crucial Cloud Hosting) as there's no much we can do on our end. All those packets are dropped on our own firewall, but they should have been dropped much further upstream.

I will update this post throughout the day. Other updates will be on our Facebook and Twitter pages.

22 Oct 3:25PM. DDoS has now been stopped at the upstream. Almost 2 hours of downtime.

22 Oct 1:35PM. DDoS is now back. Same mechanism (UDP flood) but on a different port so didn't get blocked on the upstream router. Hosting company contacted again to have mitigation in place.

21 Oct 10:20AM. Looks like the UDP flood has been subsided. Slowed down rate allowed me to take a bit of look at the pattern and it appears they are using remote hosts' chargen port (UDP 19) to bounce those packets to us.

21 Oct 10:14AM. From our hosting provider:

It appears we have identified a DDOS attack on your service. We are in the process of contacting our upstream providers to address this issue.

Finger crossed.

21 Oct 08:35AM. DDoS came back this morning. Exactly the same pattern. Hosting company notified.

20 Oct 10:05PM. First round of DDoS attack. UDP and ICMP flood from botnet so source IP is from all over the world. Our in-bound connection was completely congested and was not able to serve normal traffic. Hosting company notified at 10:13PM, and attack died down at around 11:35PM.

Site Discussion

Comments

  • Scrooge McDuck on 21/10/2013 - 10:09
    +20

    Came into the forums to report the slow service. Found the answer waiting for me.

    +1

  • The Quote Train on 21/10/2013 - 10:18
    +13

    Came into the forums to report the slow service. Noticed the new 'New' icons.

  • _Bruce_ on 21/10/2013 - 10:21
    +2

    Very sorry you have to endure this because some kid is bored.

    • scotty on 21/10/2013 - 10:26
      +16

      You mean it's not by an evil masked villain plotting his sinister plan in some secret cave somewhere? Damn kids these days.

      • one man clan on 21/10/2013 - 11:05
        +46

        Most probably Harvey Norman amateurs

        • scotty on 22/10/2013 - 14:51
          +4

          Amateurs who are jealous of us Professionals?! I should have thought of that!

      • Scrooge McDuck on 22/10/2013 - 14:46
        +10

        Once you find the perpetrator, you could get revenge by posting a Freebie deal for something like a surfboard, Whopper or lens cup except link it to the perp's website.

        It's a guaranteed free DDoS attack.

  • anawth on 21/10/2013 - 10:52
    +28

    Probably from a certain surfboard selling company haha

    • [Deactivated] on 21/10/2013 - 22:58

      I actually lol'd at this one.

      Or it could be revenge for the $5 cups…

  • MasterNoob on 21/10/2013 - 11:07
    +12

    Gerry Harvey is responsible!

    • nismo on 22/10/2013 - 19:26

      Considering the unusually good HN deals that have been on here the last few days, it wouldn't make sense for him/them to be the culprit.

      Wait. Or were you just making a general statement about Gerry's personality?

    • [Deactivated] on 23/10/2013 - 09:22
      +1

      You know, it probably IS Harvey Norman employees… Because when I go there, the sales guys in the computer section are gathered around one computer on the Internet, and ignoring customers.

  • bossmode on 21/10/2013 - 11:15
    +1

    Has this got anything to do with the new revamped stamps I've been seeing on the site?

    • foobar on 21/10/2013 - 11:37
      +23

      Almost certainly, any time a site anywhere updates icons it inevitably results in an automatic denial of service attack.

      • bossmode on 21/10/2013 - 19:40
        +1

        Just thought the site was updated / transferred to a new server in response to the DDoS attacks, and that was reflected in the new icons. Regardless it's clear how limited my knowledge of website maintenance is in the above post.

    • Astro551 on 21/10/2013 - 13:27

      and did we get an influx of rep deals over the night? or is that just because the icons are more obvious :L

  • Food on 21/10/2013 - 22:30
    +1

    Love the new icons Ozb. staff! Good job!

  • tanksinatra on 21/10/2013 - 23:09

    Srsly though, what could anyone hope to gain by taking OzBargain offline?

    • scotty on 21/10/2013 - 23:59

      Kids these days do things for lulz, at the expense of many others…

    • The Quote Train on 22/10/2013 - 15:51
      +2

      Some men just want to see the world burn.

  • ChickenAdobo on 22/10/2013 - 00:10
    -2

    Maybe some kids are angry at the hivemind nature of this ozbargain community. Something I observe for quite awhile. And before anyone here accuse me of acting those DDoS attacks. I didn't do it.

  • MarkB4 on 22/10/2013 - 03:14

    If it wasn't for youthful rebellion we would be stuck in the low tech feudal past. DDOS in OZB must surely have been beginners experience …

  • andyken on 22/10/2013 - 11:12

    just wondering scotty, why not use cloudfare?

    • scotty on 22/10/2013 - 12:06

      It does nothing when someone found out your IP address, which is quite trivial for websites sending out emails. Yes there are ways around it doing email delivery without revealing the source IP but would require a bit of work.

      CloudFlare also adds another layer of reverse proxy to our stack, which means extra things to take care of for development.

      Finally, I have used CloudFlare before, for a different project in the past that gets way more DDoS than OzBargain (I believe it's our first one here). They were not that useful. Maybe because that was ~2 years ago and I had the free option :)

      • andyken on 22/10/2013 - 16:00

        Yes, Now CloudFlare improve a lot, especially for DDos attack imo

  • Speckled Jim on 22/10/2013 - 11:44

    N00b question here…

    If OzB is revised to exclude guests viewing the site (an unpopular move, I'm sure) could these attacks be prevented?

    • scotty on 22/10/2013 - 12:07
      +3

      I don't think excluding guests would make a valid DDoS mitigation strategy :)

    • _Bruce_ on 22/10/2013 - 12:15
      +3

      No. The only way to prevent this is to not be on the internet.

  • m0nkeycheese on 22/10/2013 - 12:58
    +1

    I reckon its this guy

    https://www.facebook.com/photo.php?fbid=10152028467694131&se…

    • 01011010 on 22/10/2013 - 13:13

      surely if he can't get stickers correct then he can't DDoS a server.

  • scotty on 22/10/2013 - 14:27

    DDoS is back. UDP flood on a different port.

  • freakitude on 23/10/2013 - 00:41
    +6

    never should have posted those free udemy hacking courses.

  • onlyletters on 23/10/2013 - 08:28

    scotty, who did you upset?

  • Ozfan on 23/10/2013 - 09:08

    Is this 'new' icon thing is a tick to safe (source)ip list of members or guests?

  • Shwayne on 23/10/2013 - 10:03
    +2

    Who wants to bet it's Ruslan Kogan?

  • Gnostikos on 25/10/2013 - 00:01

    Site still seems really slow as of the 24th Oct, 9PM AWST/12PM AEST.

  • neil on 25/10/2013 - 00:27

    Yeah looks like another DDOS. Currently experiencing 34 x average inbound traffic.

  • scotty on 25/10/2013 - 07:39

    The attack died down after 1:30am. They just don't want to stop, do they?

  • gudetama on 27/10/2013 - 23:51

    Site is quite slow as at 27/10, 11:45pm… is it another DDOS?

    • neil on 27/10/2013 - 23:59

      It's fast here.

      Looking at the traffic graphs, inbound is currently 277k compared to 60MB when the DDOS was occuring.

    • happychild100 on 28/10/2013 - 01:28

      Had the same slowness too, even still a bit now. Sites didn't load at all or just very slowly so thought the same thing :/

Login or Join to leave a comment
Login Join