What's going on with athas.org

#1

flip

Jul 17, 2003 17:10:07
Some of you have probably noticed that athas.org is inaccessible.

My server admin had to take the site off the net.

Sometime around 9:30 Eastern, somebody started requesting the DS3 pdf, then closed the connection. Since HTTP is a really stupid protocol, it continued to try and send the file. This happened a couple of times a second, more or less non-stop. In all, a pretty brutal Denial of Service attack that basically brought the server to its knees.

Jay had to take the site offline, because there are other (paying) sites on that server which were suffering as well.

We're looking into blocking off the source of the attacks, and (hopefully) we'll be back up and running sometime this evening. After hearing Jay's description of what happened this morning, there is absolutely no doubt in my mind that this was a targeted attack, and we will be looking into this further.

Sorry about this fellas, but we're working on it ...
#2

player1

Jul 17, 2003 17:25:35
Any mirror links for DS conversion?
#3

jon_oracle_of_athas

Jul 17, 2003 18:02:52
Bastards. No official mirror up, no, but you can send me an e-mail, and I'll see what I can do. athas[at]online.no
#4

star_gazer_02

Jul 17, 2003 20:51:24
Chris... what was happening a couple of times a second? the PDF was trying to be sent? Or was it an interrupted request that was happening a couple of times a second? Makes a big difference, IMO.

The first is most likely an accident. I get my connection interrupted all the time, I'm on dialup and can't *70 call waiting into oblivion.

The second is a crime.
#5

flip

Jul 17, 2003 23:26:31
Well, I'm not looking at the logs myself, and I only know through talking with the server admin.

However, from the description I got, it's NOT an interrupted download.

Spider connects to the web server, says "GET $pdf_file" and then BREAKS THE CONNECTION. HTTP, being a dumb protocol, keeps trying to send the file, even though there's nobody listening. An instant later, new connection, same IP. Issues a GET and breaks the connection.

Lather, Rinse, Repeat.

And that was happening for most of the day.

Now, that's either an attack, or the dumbest download manager ever coded. I'm willing to bet that a legitimate user would have given up upon noticing that the download wasn't going ANYWHERE. Instead, they brought the server to its knees, and lopped off the poor fellow's head.

And, yes, Roger, I know the rules on this. Keep in mind what sort of things I read to amuse myself. I do intend on doing something about this ... and, seeing as there are paying customers on the server, in the e-commerce business, there are even real live damages involved.
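The pattern flip describes above (one IP, repeated GETs for the same large file, each dropped before the transfer completes) can be told apart from star_gazer_02's accidental dial-up case by its rate. The following is an added example, not part of the thread and not the admin's tooling: it scans Common Log Format lines, assuming the byte field records what was actually sent before the client went away; the path, file size, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3} (?P<sent>\d+|-)')

def parse(line):
    """Return (ip, path, time, bytes_sent) for a GET line, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["path"], ts, 0 if m["sent"] == "-" else int(m["sent"])

def find_abort_floods(lines, full_sizes, window_s=10, threshold=10):
    """Flag (ip, path) pairs with >= threshold truncated GETs inside window_s seconds."""
    recent, flagged = defaultdict(deque), set()
    window = timedelta(seconds=window_s)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path, ts, sent = rec
        full = full_sizes.get(path)
        if full is None or sent >= full:
            continue  # not a tracked file, or the transfer completed
        q = recent[(ip, path)]
        q.append(ts)
        while ts - q[0] > window:  # drop aborts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add((ip, path))
    return flagged

def sample_log():
    """Constructed log lines; path, sizes and addresses are hypothetical."""
    req = '"GET /files/ds3.pdf HTTP/1.0" 200'
    # One client aborting two requests a second for ten seconds.
    lines = [f'203.0.113.7 - - [17/Jul/2003:09:30:{i // 2:02d} -0400] {req} 4096'
             for i in range(20)]
    # A dial-up user whose download was cut off twice, 14 minutes apart.
    lines.append(f'198.51.100.20 - - [17/Jul/2003:09:31:00 -0400] {req} 150000')
    lines.append(f'198.51.100.20 - - [17/Jul/2003:09:45:00 -0400] {req} 900000')
    # A completed download of the full (assumed 5,000,000-byte) file.
    lines.append(f'192.0.2.5 - - [17/Jul/2003:09:46:00 -0400] {req} 5000000')
    return lines

if __name__ == "__main__":
    print(find_abort_floods(sample_log(), {"/files/ds3.pdf": 5_000_000}))
```

Only the client sending truncated requests at a sustained rate is flagged; the two interrupted dial-up attempts and the completed download are not.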
#6

xlorepdarkhelm_dup

Jul 18, 2003 11:11:55
There's a couple dozen different methods that could have been done to stop the attack, if that's all it was, and keep the server running fine. Funny that they chose the one method which I could think of that results in athas.org being shut down (and it's not even the easiest/simplest/best method).
#7

flip

Jul 18, 2003 12:46:50
Originally posted by xlorepdarkhelm
There's a couple dozen different methods that could have been done to stop the attack, if that's all it was, and keep the server running fine. Funny that they chose the one method which I could think of that results in athas.org being shut down (and it's not even the easiest/simplest/best method).

It was the panic method. The admin has a day job, and didn't really have the ability to take the time to fully evaluate what was going on at the time ...

Meaning that he really wasn't sure if it was a DDoS or just a garden variety DoS ... and there's really not many ways to combat a DDoS ...

At the moment, the admin is taking the opportunity to move the site to another server (Had been planning on doing this in the near future anyway ...)
#8

zombiegleemax

Jul 22, 2003 1:51:24
Any news as to when the site will come back online? As of right now it's down.