
Details on the recent DDoS by struguri

So over the past couple of days, Weasyl has been sustaining on-and-off DDoS attacks. The techniques being used were mitigated, though. In the aftermath of the DDoS (and now that I've got some down time at Further Confusion), I decided to take some time out to investigate the source of the attack.

Typically, attacks of this variety are carried out through botnets. Think of a thousand zombie computers all asking to open a connection to your system and never completing the handshake, leaving your server holding half-open connections. This is the classic type of DDoS attack, the "SYN flood." Nowadays, though, through an attack called DNS amplification, one doesn't necessarily need a botnet. All one has to do is find a bunch of misconfigured DNS servers (open resolvers that answer anyone), send each of them a steady stream of small queries with the victim's address forged as the source, and let those servers blast the utter-living fuck out of the victim with their answers.

DNS amplification can essentially be summarized as thousands and thousands of dickheads asking questions they give no fucks about the answer to, while giving your address as the place to send the reply. Not only are all these assholes asking questions they don't care about the answer to, they're also deliberately asking the ones with the longest possible answers. Imagine if, instead of asking "where's the bathroom?", all these pricks worded their question as "excuse me madam, while this domicile is quite lovely, frankly, I have a very strong desire to relieve my bladder of its burden; perhaps you can point me in the direction of the local facilities by which I can expunge this urine," and the answer, in full, got delivered to your front door every single time. Those are the two halves of the trick: a forged return address (the query carries the victim's IP as its source, so the open resolver sends its reply to the victim, not to the attacker) and a query type such as ANY whose response is many times the size of the query. The result is effectively a denial of service: the servers and the link in front of them are buried under answers nobody asked for, and you, the user, never get the one answer you actually want, which is the IP address behind the domain name. No one can access Weasyl via its expected domain name.
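To make the two halves of the trick concrete, here is an added example (not Weasyl's code, and not from the original post): a few minimal DNS wire-format helpers that build a small query, build the fat response a reflector would send back for it, compute the amplification factor, and then pick reflected responses out of a victim's inbound UDP/53 traffic. Every name, IP address and packet in it is constructed for the example; nothing touches the network.

```python
"""Added example (not Weasyl's code): minimal DNS wire-format helpers that
show why reflection through open resolvers amplifies, and how a victim can
pick reflected responses out of inbound UDP/53 traffic.  All names, IPs and
packets below are constructed; nothing touches the network."""
import struct
from collections import defaultdict

QTYPE_A, QTYPE_TXT, QTYPE_ANY, CLASS_IN = 1, 16, 255, 1


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels plus a zero-length root label."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int) -> bytes:
    """12-byte header (QR=0, RD=1) plus one question section, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)


def build_response(query: bytes, txt_records: list) -> bytes:
    """Echo the query's ID and question; add one TXT RR per string
    (flags 0x8180: QR=1, RD=1, RA=1, RCODE=0).  This stands in for the fat
    answer an open resolver hands back for an ANY query."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 0)
    answers = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt.encode()          # one <character-string>
        answers += (b"\xc0\x0c"                            # pointer to QNAME at offset 12
                    + struct.pack(">HHIH", QTYPE_TXT, CLASS_IN, 300, len(rdata))
                    + rdata)
    return header + question + answers


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", packet[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker had to send (UDP payload only)."""
    return len(response) / len(query)


def find_reflected(inbound, outstanding_ids):
    """inbound: (src_ip, udp_payload) pairs seen on UDP/53 at the victim.
    outstanding_ids: transaction IDs of queries the victim's own resolver sent.
    A *response* (QR=1) whose ID matches nothing we asked was reflected at us
    by someone spoofing our address; return {reflector_ip: [packets, bytes]}."""
    stats = defaultdict(lambda: [0, 0])
    for src, payload in inbound:
        if len(payload) < 12:
            continue                      # too short to be DNS; ignore
        hdr = parse_header(payload)
        if hdr["qr"] == 1 and hdr["id"] not in outstanding_ids:
            stats[src][0] += 1
            stats[src][1] += len(payload)
    return dict(stats)


if __name__ == "__main__":
    # Constructed: a 30-byte ANY query and a 2710-byte answer built from it.
    q = build_query("example.test", QTYPE_ANY, 0x1337)
    r = build_response(q, ["x" * 255] * 10)
    print(f"query {len(q)} B -> response {len(r)} B, x{amplification_factor(q, r):.1f}")

    # Constructed victim view: three reflectors (one hitting twice) plus one
    # legitimate answer to a query our resolver really sent (ID 0x0042).
    legit = build_response(build_query("weasyl.test", QTYPE_A, 0x0042), ["ok"])
    inbound = [("203.0.113.5", r), ("198.51.100.9", r), ("192.0.2.77", r),
               ("203.0.113.5", r), ("192.0.2.1", legit)]
    for ip, (n, nbytes) in sorted(find_reflected(inbound, {0x0042}).items()):
        print(f"{ip:<14} {n} unsolicited responses, {nbytes} bytes")
```

Two things the example leaves implicit: a real resolver only sends a UDP answer larger than 512 bytes if the query advertised EDNS0, so an attacker's spoofed query carries that option too, and the reflector addresses the victim logs (the `stats` keys here) are exactly the ones described in the post, which is why they say nothing about who sent the forged queries.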

Unfortunately, after doing reconnaissance on the addresses we were attacked from, we don't have any conclusions on who the attacker was. Because DNS amplification attacks bounce off misconfigured DNS servers, the addresses we see are the reflectors', not the attacker's. Even with control of those servers, their logs would only show queries arriving from our own address, since that is the forged source; finding the real origin means tracing the spoofed packets back through every network they crossed. That is the only way to get any further on the "who" behind it (which is, perhaps, the most interesting part), and frankly, it's impossible. The DNS servers came from all around the world: Taiwan, Brazil, the Netherlands, the United States and more. As a result, the DDoS attack on Weasyl was effectively anonymous, and not necessarily of the 4chan variety. Though if Anon thinks Weasyl is interesting enough to DDoS as some sort of test of wits, a tip of the hat to my fellow hackers! But try harder. Smurfing is lame. ;)

Summary: Weasyl was hit by a DNS amplification attack. Because of the nature of the attack (forged source addresses bounced off open resolvers), we unfortunately cannot conclusively say who initiated it.

Comments

  • Ah! I already thought it was one of those newer attacks that have to do with NTP, which work similarly :/

  • Given the timing of the DDoS, I have my suspicions regarding the parties responsible for it.

  • You know who it was. You know why too.

    • Well, there are inklings. My strongest suspicion as to who performed the attack, frankly, is some random Anons who thought it might be cute to try and start a war between the two furry sites because one of them is exploding in drama. Anon is a benevolent creature on the hunt for amusement, and what better way to fan the flames of furries than to make the Hatfields and McCoys fight each other for their own personal popcorn consumption. Based on the murmurs I've heard on the whats and whys of the various hacker-related attacks on furry sites, that's my current theory. But I have nothing conclusive just yet.

      Frankly, though, I'm extremely fascinated as to who could have truly done it. So I'm doing as much investigation as I can. There are records of an earlier attack that I'm working on tracing right now.

      • If it IS FA or they have direct links to FA, what will be done about it?

        • Well, nothing can be done, can it? There is no proof that can be directly linked to them, considering the way the DDoS was done. Legal action wouldn't work either, as proof would still be needed.

  • Damn, that is a shame that it can't be traced back :/ Was hoping to get a definite answer.

  • The timing indicates that it was clearly someone who is either a furry, or observes the furry fandom closely enough to know about recent events. I think it's really weird that someone would care enough to do this.

  • Butthurt furries, I call it now, or someone who thought it would be smart to start a war between the sites, BUT seeing as FA wasn't DDoSed... I'm gonna go with the first one.

  • Thanks for the explanation of how it works, as well! I had my own ideas but the layman's wording really helped me 'get it'. Great job handling the attack!