Hello!

Not sure what happened but an automated script got stuck at 100% and the scripts started after pushed the CPU to 2,600% while hogging the database server to the point of damaging the session table.

Process killed, remaining script slowly terminating and session table repaired -- you may need to reconnect via https://www.lddb.com/forum.php to trigger a new forum session.

MySQL server restarted as well for safety.

Normal #of URl hits in a month is around 6M. We are at 34M now.
Someone/something decided to bring the website down by constantly hitting from various IPs or creating a complete backup off all URLs (which is stupid).

Julien

That would be Alibaba Cloud (Singapore) Private Limited...

Blocking the whole /12.

Last time I had to block ByteDance and AWS Singapore...

Julien

Webserver is still being hammer/DDOS'ed by thousands of IPs since Nov 27th.

I'm going to block MANY, MANY IP addresses for now.

Some might get caught in the cross-fire. Contact me directly if you can't connect anymore...

Julien

Still on-going.

Blocked more than 8K+ IPs so far.

It would seem that the hits come mainly from US/GB/IR/AU/NZ and mostly from Pixel/Android phones/tablets.

A new Android botnet used to generate massive traffic?

Julien

Guess since X and other sites blocked lots of spambots they are now looking for new hosts.
Or they are just phishing for new sites and found this one.

Finally managed to put a dynamic filter/ban ("apache-badbots") on the server:

Only by catching these weird user-agents (Samsung Galaxy 5, Google Pixel 2):

Linux; Android 5.0; SM-G900P
Linux; Android 8.0; Pixel 2

I'm catching TONS of hits:



1,635 IPs banned for 30 days after only a few minutes and it's not slowing down.
New ones are popping up whenever old ones are blocked.

Curious too see how high the count will go, but I expect more than 10K IPs.

Julien

15K+ IP banned now.

They seem to be using: https://github.com/OnionTM/OnionDDoS/blob/main/README.md

Having the script is one thing.

Having thousands of IP addresses compromised to piggyback is entirely different!

Julien

22K+ IPs banned.

Still not showing signs of slowing down.

Julien

I had to restart the blocking using ipset for iptables because iptables alone was too slow. Passed 25K entries, it was taking 3 seconds to add another one.

With IPSET, I already maxed out the 65,535 limit and had to split into 3 additional ipsets.

Currently blocking about 69,631 IPs, this is definitely a big botnet.

Julien

Given the locations of the IPs + origin subnet, I would say that a popular smarthphone App (in English) has been comprised, maybe via a poisoned library, and it is now operating as a botnet, hitting site/IP/port on request.

Why is LDDb.com a target? I have no idea.
And the flooding level is not enough to bring the server down either.

Usually these attacks are not free, someone pays to initiate.

So... why?

Julien

Found the 4 user-agents used by almost all hits:



Right now, blocking 216,194 IPs, and more keep coming every second.

Julien

I got feed up after 300K IPs (309,985) and just instructed Apache2 to fail on a 403 at the first PHP request.

Logs access rates are decreasing, no more bans, CPU decreasing.

I'll keep that up for now.

Julien

Normal hits rate is 6~7M, we reached 36M before the log parser gave up on Nov 27th.



It was taking more than 10 minutes to process the logs each 10 minutes... leading to a racing processes depleting the memory (half the SWAP had to be used), crashing the forum dabatase, and making each web request painfully slow.

It seems that something weird started in October as well (bandwidth consumed jumped from ~100GB to ~1TB).

The stats finally resumed from today (Dec 8th) as I can't back-process the GB of logs generated by the flooding from Nov 27.
We should be OK now, only saw 8 hits in the past 15 minutes!

Latest count was 379,927 IPs blocked.

Julien

I heard Ricardo went back to college for a computer science degree after giving up on Laserdiscs

So much passive-agressivity and no showing off ... I'd say it sounds more like forper!

Julien

Forper? Maybe Fortran or Basic or whatever for analog computing (Abacus?)

Nov 23 - Dec 8


=> 7,891,465 hits


=> 7,892,724 hits


=> 7,900,601 hits


=> 7,970,588 hits


Well balanced, clearly not random.

Julien

And permanently blocked Hong Kong Aberdeen Alibaba Cloud Llc who was also quickly harvesting all the forum.

Julien

It's been a month and the 320K+ blocked IPs are slowly getting removed from the ban lists.

So far the flooding has completely stopped but I will leave the hits detection in paranoid mode (2 hits = 30 days ban) for safety.

From troubleshooting with a blocked user in Germany, it might be related to the Q4 2023 alert pushed by Google to update every Chrome browsers worldwide.
Some plugin/extension might have turned rogue, making Chrome browsers part of a botnet.

We might hear more about it someday when the botnet will be dismantled.

Julien

Done. All botnet IPs have been unblocked now.

I still see a few hits but few come back for another attempt, and they get blocked right away if they do.

Julien