all 68 comments

[–]takeyourjoyjohn 21 insightful - 3 fun21 insightful - 2 fun22 insightful - 3 fun -  (14 children)

Why do you think this is happening? Do you believe saidit is gaining traction and there are outside forces trying to infiltrate?

[–]magnora7[S] 15 insightful - 3 fun15 insightful - 2 fun16 insightful - 3 fun -  (11 children)

Could be, honestly not totally sure. But someone definitely wants us to go down

[–]zyxzevn 8 insightful - 3 fun8 insightful - 2 fun9 insightful - 3 fun -  (9 children)

Are the IP addresses random? From a VPN?
We may need to investigate where it is coming from.

[–]magnora7[S] 9 insightful - 3 fun9 insightful - 2 fun10 insightful - 3 fun -  (8 children)

random, from many vpns. We have a few ideas, but nothing certain

[–]zyxzevn 8 insightful - 3 fun8 insightful - 2 fun9 insightful - 3 fun -  (7 children)

Thanks for info, and I get a bit creative.

It may be that some VPNs allow requests for blocking attacks.
Did you set up some honeypots?
If they try to break in, they may be more traceable.
It is a lot of work though, and you need a separate system for that.

I suspect that they are script kiddies, and probably don't run JavaScript. So it may be possible to have a small startup script that only loads the real page. This real page is always on a different "random" place, so people do not easily find it.

But if they do, and you can identify them, you can connect them to the worst website ever, that spams popups and downloads.
I think you can even serve the browser its own data, to congest itself.

[–]magnora7[S] 4 insightful - 3 fun4 insightful - 2 fun5 insightful - 3 fun -  (5 children)

Thanks for the ideas.

> If they try to break in, they may be more traceable.

Can you elaborate? What extra information could we gain from such a honeypot that we don't already have?

[–]zyxzevn 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (3 children)

I thought of this.
Black Hat EU 2013 - Honeypot That Can Bite: Reverse Penetration
https://www.youtube.com/watch?v=FgpWUYSi0S4

[–][deleted] 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (2 children)

"Reverse Penetration" I love the sound of that! =D

[–]yellow_algebra_31 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (1 child)

why?

[–][deleted] 2 insightful - 2 fun2 insightful - 1 fun3 insightful - 2 fun -  (0 children)

It speaks of revenge on evildoers.

[–]beermeem 1 insightful - 2 fun1 insightful - 1 fun2 insightful - 2 fun -  (0 children)

Really?

[–]beermeem 2 insightful - 2 fun2 insightful - 1 fun3 insightful - 2 fun -  (0 children)

Nah boi. This be big.

[–]chumbawamba 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

you know you're in front by the arrows in your back

[–]benesatto 14 insightful - 3 fun14 insightful - 2 fun15 insightful - 3 fun -  (1 child)

Ruqqus has also been under attack - I think Saidit and Ruqqus are the heirs apparent as Reddit users flee the dumpster fire that site has become.

I could be biased, I have a soft spot for up and coming so Ruqqus is my fav, but so glad you guys are here too, can't believe the differences in communities. So refreshing.

[–]bigmaynebruh 9 insightful - 3 fun9 insightful - 2 fun10 insightful - 3 fun -  (0 children)

Yeah there's definitely someone trying to take down the reddit alternatives.

[–]ManWithABanana 9 insightful - 3 fun9 insightful - 2 fun10 insightful - 3 fun -  (0 children)

Thanks for keeping us updated.

[–][deleted] 8 insightful - 5 fun8 insightful - 4 fun9 insightful - 5 fun -  (1 child)

Wohoo! /u/magnora7 saved our bacon with some epic scripting.

[–]magnora7[S] 5 insightful - 3 fun5 insightful - 2 fun6 insightful - 3 fun -  (0 children)

Thanks. Definitely a team effort tbh, you got the 429 filter tweaked so it's working very well!

[–]m68k 8 insightful - 3 fun8 insightful - 2 fun9 insightful - 3 fun -  (0 children)

I saw the "one more step" message. NPC's at full blast.

[–]Devidose 6 insightful - 6 fun6 insightful - 5 fun7 insightful - 6 fun -  (1 child)

750k blocked connection attempts

https://m.imgur.com/gallery/BgN3XcN

[–]magnora7[S] 4 insightful - 4 fun4 insightful - 3 fun5 insightful - 4 fun -  (0 children)

Haha. This but 10,000 times a second

[–]moblack 6 insightful - 3 fun6 insightful - 2 fun7 insightful - 3 fun -  (18 children)

How do you guys learn this? I'm trying to get into cybersecurity and will accept any help I can get.

[–]magnora7[S] 15 insightful - 4 fun15 insightful - 3 fun16 insightful - 4 fun -  (14 children)

I learned it by making a website that got popular enough to be attacked constantly, and I was basically forced to learn it, haha. But I do enjoy it, it's a lot like the cool computer stories I used to read about as a teenager, where you can see all this connecting activity happening to the server and you have to come up with tricks and tools to prevent each type of weakness in the system as the problems arise in real-time.

If you want to learn the basics, I suggest reading about Cloudflare, and all the hundreds of settings that can be set within that commonly-used firewall program. If you understand all the options within Cloudflare, you're very well on your way to having a good understanding of cybersecurity. Cloudflare sits in front of the server, and if we get a billion requests it can deal with that and only let the appropriate traffic through. The hard part is coming up with good rules for what is considered "appropriate traffic", which is often unique to every site.

[–][deleted] 6 insightful - 3 fun6 insightful - 2 fun7 insightful - 3 fun -  (1 child)

I don't know if it would be helpful or not, but I use a 4G connection and I noticed when these attacks were happening I was getting caught up in the Cloudflare blockages. I don't know much about all this cyber stuff, but if the info helps you stop them: it occurred to me they may have been using a similar connection, at least before the VPNs. The cell towers would be quite hard to track, I would imagine. Just figured I'd mention it in case the info was useful.

[–]magnora7[S] 4 insightful - 4 fun4 insightful - 3 fun5 insightful - 4 fun -  (0 children)

Thanks!

[–]Extract 6 insightful - 3 fun6 insightful - 2 fun7 insightful - 3 fun -  (11 children)

Oh, so you are merely using CF?

From what you wrote earlier, I thought you actually wrote your own (or used open source) FW, complete with efficient ML models to study the attacker's patterns and get better over time.

Since you are actually just using all those features provided by CF, I got a question - what will you do if CF decides to stop protecting your site? After all, they did drop 8chan (now 8kun) after enough pressure.

[–]magnora7[S] 6 insightful - 3 fun6 insightful - 2 fun7 insightful - 3 fun -  (10 children)

I did write my own scripts, it just interfaces with CF. If they stop we can change providers

[–]Extract 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (7 children)

Then I hope those scripts are modular enough to work with open source solutions.

Those DDOS attacks were just the beginning - when the hostile parties see they aren't working well enough, the next step will be to smear this site in various "journalistic" outlets, then pressure various 3rd parties (CF, Visa, PayPal, and the rest of the usual companies) to de-platform you while providing them the manufactured outrage as an excuse.

[–]magnora7[S] 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (0 children)

> Then I hope those scripts are modular enough to work with open source solutions.

I think they are, they can be easily adapted to other firewall services, especially if they use JSON-formatted APIs.

Yeah I know we're likely to face various troubles as we grow, I've watched what's happened to gab and voat and so on

[–]yellow_algebra_31 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (5 children)

they will try to go through the hosting provider and get it kicked off that way, like they did with gab

[–]Extract 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (4 children)

That is a pretty bad way, as there are actually countless international hosting providers outside the GCP/AWS/DO, and even more national ones.

He should be more wary of the actual danger.

[–]yellow_algebra_31 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (3 children)

hm. it seemed like gab had a lot of trouble with this though. are you sure it's not something to worry about and prepare against?

[–]Extract 2 insightful - 2 fun2 insightful - 1 fun3 insightful - 2 fun -  (2 children)

Of course it's something to prepare against.
I'm just saying, preparation should not be hard - if you don't believe me, you can easily find many storage providers in relatively "safe" countries, this being one example I found after a quick search.

[–]yellow_algebra_31 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (1 child)

Why did gab have a difficult time with it then? Was stuff like this not available a few years ago? I guess gab didn't go down for very long but it seemed like there was somewhat of a struggle and they were extremely grateful to find a company willing to host them when they did. I didn't follow all the details but that's what I remember.

[–]beermeem 2 insightful - 3 fun2 insightful - 2 fun3 insightful - 3 fun -  (1 child)

Change on Thursday

Don't ask me how I know

[–]magnora7[S] 2 insightful - 2 fun2 insightful - 1 fun3 insightful - 2 fun -  (0 children)

Why would we do that?

[–][deleted] 7 insightful - 3 fun7 insightful - 2 fun8 insightful - 3 fun -  (0 children)

Manage your own linux servers with something like PeerTube or NextCloud. Check out /r/selfhosted for more ideas.

[–][deleted] 6 insightful - 4 fun6 insightful - 3 fun7 insightful - 4 fun -  (0 children)

The hard way :)

[–]beermeem 1 insightful - 2 fun1 insightful - 1 fun2 insightful - 2 fun -  (0 children)

Go to Panama.

Not kidding.

[–]Wrang1er 6 insightful - 3 fun6 insightful - 2 fun7 insightful - 3 fun -  (1 child)

These attacks become records each time, it probably means that a lot of people are joining.

[–]magnora7[S] 4 insightful - 2 fun4 insightful - 1 fun5 insightful - 2 fun -  (0 children)

I think it's all one or two people running a botnet, it's not like thousands of actual people I'm pretty certain

[–]sproketboy 5 insightful - 4 fun5 insightful - 3 fun6 insightful - 4 fun -  (1 child)

Communist bandits

[–]magnora7[S] 4 insightful - 3 fun4 insightful - 2 fun5 insightful - 3 fun -  (0 children)

could be wumao

[–]Tarrock 4 insightful - 2 fun4 insightful - 1 fun5 insightful - 2 fun -  (5 children)

Is cloudflare or the server host engaged in order to find the people doing this?

[–]hydr0lyze 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (3 children)

From what it seems like, CF is only the bouncer at the bar. The bouncer doesn't run the bar, and SaidIt has its own server behind CF.

[–]magnora7[S] 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (2 children)

yeah that's a pretty good analogy. Except you need a really really strong bouncer because the attacks are so numerous, so there's only a few bouncers that are strong enough for the job, and CF is one of them

[–]hydr0lyze 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (1 child)

What about the special anti-DDOS script?

[–]magnora7[S] 2 insightful - 2 fun2 insightful - 1 fun3 insightful - 2 fun -  (0 children)

It lets me communicate with the bouncer very quickly and automatically about who is a problem and who isn't
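An added illustration, not part of the thread and not the site's actual script: one way a helper could turn rate-limit (429) hits in an access log into JSON block requests for an upstream firewall. The log format, threshold, window and function names are assumptions, and the JSON field names are modelled on an IP access rule body, so check your provider's API documentation before use.

```python
import ipaddress
import json
from collections import defaultdict, deque

# Constructed sample log, one request per line: "<epoch_seconds> <client_ip> <http_status>"
SAMPLE_LOG = """\
1000 203.0.113.5 429
1001 203.0.113.5 429
1002 198.51.100.7 200
1003 203.0.113.5 429
1004 203.0.113.5 429
1005 198.51.100.7 429
1030 198.51.100.7 200
1090 192.0.2.44 429
1095 not-an-ip 429
1200 192.0.2.44 429
"""

def offenders(log_text, threshold=3, window=60):
    """IPs with at least `threshold` 429 responses inside `window` seconds,
    listed in the order they first crossed the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 429s
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit() or parts[2] != "429":
            continue              # malformed line or not a rate-limit hit
        try:
            ip = str(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue              # never forward unvalidated text as an address
        ts, hits = int(parts[0]), recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop hits that fell out of the window
        if len(hits) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged

def block_rule(ip, note="repeated 429 responses"):
    """JSON body asking the firewall to block one IP (assumed field names)."""
    return json.dumps({"mode": "block",
                       "configuration": {"target": "ip", "value": ip},
                       "notes": note}, sort_keys=True)

if __name__ == "__main__":
    for addr in offenders(SAMPLE_LOG):
        print(block_rule(addr))
```

The sliding window matters for the false-positive problem raised elsewhere in the thread: a client that trips the limiter once, or twice far apart, is not flagged.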

[–][deleted] 2 insightful - 2 fun2 insightful - 1 fun3 insightful - 2 fun -  (0 children)

Both, as of recently.

[–]philosopher 3 insightful - 3 fun3 insightful - 2 fun4 insightful - 3 fun -  (2 children)

It's great that you're fighting off DDOS attacks like that.

But maybe you shouldn't mention success stories, to discourage the people who do these attacks. If they see the attacks have no effect, and they're not even mentioned, then perhaps they won't want to try again. If you make a triumphant post about how you beat them, then maybe that'll encourage them to try harder?

[–]magnora7[S] 4 insightful - 1 fun4 insightful - 0 fun5 insightful - 1 fun -  (1 child)

Well I said nothing about it and they did it 6 days in a row, but then I say something about it and the whole community is backing me up. So as long as we're defeating the attacks easily, I don't mind mentioning it.

[–]philosopher 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

Fair enough. Glad you're making it as expensive as possible for them to keep their attacks up.

[–]beermeem 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (0 children)

It be Soros.

[–]beermeem 2 insightful - 2 fun2 insightful - 1 fun3 insightful - 2 fun -  (2 children)

Is this site still BASED in Europe?

[–]magnora7[S] 5 insightful - 3 fun5 insightful - 2 fun6 insightful - 3 fun -  (1 child)

no

[–]beermeem 3 insightful - 3 fun3 insightful - 2 fun4 insightful - 3 fun -  (0 children)

thumbs up

[–]yellow_algebra_31 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (10 children)

/u/magnora7 /u/d3rr this account is impersonating OANN, I reported them but it's been several days and nothing's happened.

[–]magnora7[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (9 children)

he's banned now. Please send future reports in PMs

[–]yellow_algebra_31 2 insightful - 2 fun2 insightful - 1 fun3 insightful - 2 fun -  (8 children)

Oh. The report button doesn't work well for this kind of thing?

[–]magnora7[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (7 children)

Yes it does, but I meant the message you wrote about it could be written directly to me instead of publicly posted

[–]yellow_algebra_31 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (6 children)

Oh I see. Part of the reason I wanted to post it publicly was because of transparency, and, well, I just feel more comfortable with public interactions in general, usually. It seems safer.

[–]magnora7[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (5 children)

That's fair, but often it just stirs up more pointless drama by publicizing what bad actors are doing

[–]yellow_algebra_31 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (4 children)

I realized after I sent the message that the spam sub was probably the right place to send something like this

eta: the spam cleanup sub that is, forgot the exact name

[–]magnora7[S] 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (3 children)

[–]yellow_algebra_31 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (2 children)

yeah, that one. that would be a good place to send a message like this in the future?

[–]magnora7[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (1 child)

Yeah or just PM me is even better, less clutter for others, but if you want to post publicly that's the place to do it