Recent "Internal Server Errors" Caused by Denial of Service Attack...

gretavo's picture
3950 38.99.44.104 57 min 32 sec
2277 64.1.215.164 32 min 17 sec

 

The big number on the left is the number of hits from the IP address listed that the site received in the last three days... for scale, the third biggest number of hits was only 130.

I suspect that these IP addresses have been spoofed, i.e. we are supposed to believe the attack is coming from them (both in the Washington DC area, hmmm!) as if we didn't know that real "web terrists"  cover their identity with the simple method of spoofing someone else's IP.  And choosing an IP to spoof that will make the person all paranoid and stuff.

To any site admins who notice internal server errors, check under Administer/Logs/Top Visitors to look for this kind of attack and block the offending IP address (at least makes the responsible parties have to work harder by spoofing a new unbanned IP each time we catch 'em!)

All in all I'd say we're being pretty effective if these methods are being used to try to silence us!

casseia's picture

Hey... good to know

I have noticed some internal server error messages in the last week AND I was looking at that log and noticed the "Top Visitors".  I'll keep an eye on it.

 

By the way, if you're a regular annoymouse who has a reason for not registering and your IP gets banned, be sure to let us know ASAP.  You can email me at ye olde Yahoo. 

dicktater's picture

Here's who you need to address:

The IPs resolve to PSI.NET, which I believe is a hosting provider that also caters to hosting resellers.  A lookup I performed found the IPs to be associated with

 CUILL.COM

 http://www.cuill.com 

From this page: 

http://www.cuill.com/twiceler/robot.html 

find the following regarding the IPs in question from your log:

Twiceler Info

Twiceler is an experimental robot. The user-agent is “twiceler”. It could take 24-48 hours for us to re-read your robots.txt file. If you need something blocked immediately, please let us know. We crawl from the following IP addresses:


If you have questions or concerns about Twiceler you can contact Jim (crawler(at)cuill.com). He's the guy who keeps track of Twiceler, when he's not busy with his horses.

Gretavo,

You may want to edit your robots.txt file to deny CUILL.COM's obnoxious robots from future scanning.

At least they are up front about what they are doing, though they must be having HAL9000-like problems with their robots.

Annoymouse's picture

Peer to Peer networks would

Peer to Peer networks would be harder for DoS to hit. Another reason why I was saying it should at least be invested. : / The DoS prolly came from zombie terminals that were compromised through spyware then coordinated from somewhere else. A Linux box I had in college was hacked by some script kiddie who implemented something along those lines. Luckily they didn't erase the root .history file. Definitely report this to the FBI.

dicktater's picture

Call the FBI?

Why call the FBI and have them waste valuable resources better spent tracking Americans, uh, I mean El CIAduh?  The domain I gave above, CUILL.COM, manages those IP addresses in question.  They have a page explaining that they are used for an experimental webbot, “twiceler”.

They offer to block “twiceler” from crawling a domain immediately.
Admittedly, I have no idea how quickly they will respond to such a request. But, there is another option.

 robotstxt.org

 get /robots.txt
http://www.robotstxt.org/

"This is the main source for information on the robots.txt Robots Exclusion Standard and other articles about writing well-behaved Web robots." 

Write a robots.txt file that tells “twiceler” to take a hike.  

Robots Exclusion, two ways:

The Robots Exclusion Protocol: A Web site administrator can indicate which parts of the site should not be visited by a robot, by providing a specially formatted file on their site, in http://.../robots.txt.

In a nutshell, when a Robot visits a Web site, say http://www.foobar.com/, it first checks for http://www.foobar.com/robots.txt. If it can find this document, it will analyse its contents for records like:
User-agent: *
Disallow: /

The Robots META tag: A Web author can indicate if a page may or may not be indexed, or analysed for links, through the use of a special HTML META tag.

For more, see: 

http://www.robotstxt.org/wc/exclusion.html

Done deal.
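Added example (not part of the thread or any poster's code): the triage discussed above, in Python. It counts hits per client in an access log, flags outliers as in the Top Visitors report, notes whether they claim to be a crawler, and checks that a robots.txt record excludes "twiceler" without shutting out other robots. The log lines, the combined log format, the crawler-token list and the 10x-median cutoff are assumptions; the two addresses and the "twiceler" user-agent name come from the posts.

```python
import re
from collections import Counter, defaultdict
from statistics import median
from urllib.robotparser import RobotFileParser

# Apache combined log format (assumed): capture client IP and User-Agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
CRAWLER_HINTS = ("twiceler", "bot", "crawler", "spider")  # assumed token list

def _lines(ip, agent, n):
    """Build n constructed combined-format log lines for one client."""
    fmt = '%s - - [01/Jan/2008:00:00:%02d +0000] "GET /node/%d HTTP/1.1" 200 512 "-" "%s"'
    return [fmt % (ip, i % 60, i, agent) for i in range(n)]

# Constructed sample: the two addresses from the post (hits scaled down about
# tenfold) plus ordinary visitors on documentation-range addresses.
BOT_UA = "Mozilla/5.0 (compatible; twiceler)"  # constructed UA string
SAMPLE_LOG = (_lines("38.99.44.104", BOT_UA, 395)
              + _lines("64.1.215.164", BOT_UA, 227)
              + _lines("192.0.2.10", "Mozilla/5.0 (X11; Linux)", 13)
              + _lines("192.0.2.11", "Mozilla/5.0 (Windows)", 9)
              + _lines("192.0.2.12", "Mozilla/5.0 (Macintosh)", 5))

def heavy_hitters(lines, factor=10):
    """Return {ip: (hits, claims_to_be_crawler)} for outlier clients."""
    hits, agents = Counter(), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # ignore lines that are not in the expected format
            hits[m.group(1)] += 1
            agents[m.group(1)].add(m.group(2).lower())
    if not hits: return {}
    cutoff = factor * median(hits.values())
    # User-Agent is client-supplied: a crawler token is a lead to verify
    # against the operator's published address list, not proof of identity.
    return {ip: (n, any(h in ua for ua in agents[ip] for h in CRAWLER_HINTS))
            for ip, n in hits.items() if n > cutoff}

# Exclude only twiceler; the empty Disallow leaves every other robot allowed.
ROBOTS_TXT = "User-agent: twiceler\nDisallow: /\n\nUser-agent: *\nDisallow:\n"

def allowed(robots_txt, agent, url="http://www.foobar.com/node/1"):
    """Evaluate a robots.txt body the way a compliant robot would."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)

if __name__ == "__main__":
    print(heavy_hitters(SAMPLE_LOG), allowed(ROBOTS_TXT, "twiceler"))
```

robots.txt only restrains robots that choose to honour it, so the IP block described in the original post remains the fallback for a client that keeps hammering the site after the file has been re-read.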