Orbit Hangar Mods - Important Announcement

Vash

OHM Administrator
Joined
Mar 26, 2008
Messages
189
Reaction score
2
Points
0
Location
In a cave, of course.
Website
www.orbithangar.com
What's going on:
Some of you may have noticed lately that the Orbit Hangar Mods server has been going offline, is very slow, or just simply seems entirely unresponsive. After some extensive digging through log files, I've discovered that the site is under attack, and actually has been for quite some time. It's just that whoever's doing the attacking got a bit smarter in their tactics recently.

Unfortunately, the solution isn't as simple as banning one or two people as the attacks appear to be coming from a wide range of IP addresses. I have made a few changes on the server to slow down these attacks until I can (hopefully) come up with a better solution.

Changes that may affect the regular user:
For now, everyone is limited to making at most 3 simultaneous requests to the server. This essentially means that you can not download more than 2 files at once and still be able to browse the site while downloading. If you have 3 downloads going from the site simultaneously and try to access a page on the site, you will most likely receive a "Page can not be displayed" error.

As I said, hopefully this will only be short term and I can once again increase the number of simultaneous connections in the near future.

Other things to watch out for:
Back towards the beginning of the month, I noticed a very large number of requests for invalid pages on the site. Most of these were attempts to download files in a directory which did not exist. The nature of the requests appeared as if they were coming from a script which was trying to download random (possibly all) files on the site.

If you know of any scripts out there or anyone who is trying to use an automated program to download files from my site, please let me know! Programs such as this (especially when they are improperly written and cause masses of errors) are considered attacks on the server.

Thanks for your patience in this matter.
 

DaveS

Addon Developer
Donator
Beta Tester
Joined
Feb 4, 2008
Messages
9,435
Reaction score
689
Points
203
Any idea from where the attacks are originating? Both DanSteph and Tex recently banned a guy from the Philippines recently so he could be out on a revenge quest and for some reason has decided to target OH.
 

Tex

O-F Administrator
Administrator
Retired Staff
Tutorial Publisher
Joined
Oct 16, 2007
Messages
6,574
Reaction score
67
Points
123
Location
Houston
Website
youtube.com
:censored: hackers, get a life already and stop jacking with other people's stuff! :compbash:

This sucks Vash and I will help any way I can. My knowledge with server side operations and scripts is extremely limited. Since I've never run a dedicated server I really don't understand how all this works or how someone could attack the site in such a way, but if you suspect anyone in particular or need an ip address I'll be happy to provide it. I'm sure it's not anyone on this forum who would do something this ****ed up, but as Dave mentioned we did have to do a permanent ip ban on one user some time ago who has been attacking me since, though not this site. Shoot me a PM if you'd like to discuss it further.

I hope this guy gets busted for the scum he is. Let's show em how the Orbiter community fights back like Buzz did with the moon hoaxers!! :axehead:
 

Vash

OHM Administrator
Unfortunately, like I said, the attacks are coming from IP addresses at completely different locations and don't remain the same from day to day, so it's not a simple matter of finding out who's behind it and blocking them.

There were a couple of people who kept registering accounts on my site a while back and posting rude reviews. I removed their means of registering accounts on my site, so they could still be upset about that. Although I don't think anyone who was doing that or the people who were banned from this site could be directly responsible for this... they just didn't seem capable. The only other explanation that I can think of is if someone might have put out a request to have the site attacked.
 

V8Li

Member
Joined
Apr 9, 2008
Messages
200
Reaction score
0
Points
16
I can help too, I'm a web developer and know a thing or two about this stuff.

Limiting the simultaneous connections per IP might be the best solution though. It could be a script, like a web page built in a language like PHP since it has socket functions that can open files (like web pages) and refresh the requests from time to time to eat up resources. Such scripts are easy to build too. Or it just could be any program like news readers that refresh pages automatically and he simply has multiple windows opened and running. I hope you see my point.

My guess is that he is using multiple web pages (that run scripts) hosted on multiple Web servers (thus the multiple IP addresses) that simply request over and over the orbithangar pages at predefined (larger to not raise suspicions) intervals. So you could check out if those IPs are from Web servers to see what kind of attack it is.

If you have any other technical questions and don't want to make them public you may PM me and I'll do my best to help. I'll check out for any download scripts, but such a script is relatively doable too depending on how your website was built or on whether the files are stored in folders or in a database.

Again, unfortunately limiting the simultaneous connections per IP might be the best thing you can do.

I'll PM a link to a PHP script that downloads files at predefined intervals so that you can make an idea about how it works and how easy it is. I'll leave it up to you to post it here or not. Some of us might use it to learn useful things. Other jerks might use it in other ways. Either way guys, Vash might have done his best and we have to make some sacrifices. That's life.
 

Urwumpe

Not funny anymore
Addon Developer
Donator
Joined
Feb 6, 2008
Messages
37,626
Reaction score
2,344
Points
203
Location
Wolfsburg
Preferred Pronouns
Sire
I don't know how different the IPs really are (I recommend analysing them automatically, and find out how large the network is), but such a simple attack does not sound like a professional attack toolkit. I would expect more sophisticated stuff instead of just randomly attempting to download files.

A professional DDOS attack for one night costs not really much, but such a long period of time would be very expensive. Especially since such a long time means the bot network is exposed.

How high is the attack traffic? Can the traffic be generated by feeding an Onion router network?

And could you make the download script maybe a bit smarter, allowing only downloads with a correct referrer? This will not stop the attacks but can maybe buy you more breath.
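
One way to do the automatic IP analysis suggested in this post, as an added example that is not part of the original thread or the site's code. It assumes an Apache-style access log; the sample lines are constructed, and the function names `cluster_by_network` and `summarize` are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (assumed Apache common log layout,
# documentation-only address ranges). Not taken from the site's real logs.
SAMPLE_LOG = """\
198.51.100.7 - - [02/May/2008:04:10:01 +0000] "GET /files/x1.zip HTTP/1.0" 404 209
198.51.100.8 - - [02/May/2008:04:10:02 +0000] "GET /files/x2.zip HTTP/1.0" 404 209
198.51.100.9 - - [02/May/2008:04:10:02 +0000] "GET /files/x3.zip HTTP/1.0" 404 209
198.51.100.7 - - [02/May/2008:04:10:03 +0000] "GET /files/x4.zip HTTP/1.0" 404 209
203.0.113.5 - - [02/May/2008:04:11:40 +0000] "GET /files/x5.zip HTTP/1.0" 404 209
203.0.113.77 - - [02/May/2008:04:12:00 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.10 - - [02/May/2008:04:12:05 +0000] "GET /index.php HTTP/1.1" 200 5120
this line is truncated garbage and must be skipped
"""

# client address, two ignored fields, [timestamp], "request line", status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')


def cluster_by_network(log_text, v4_prefix=24, v6_prefix=48):
    """Group client addresses by enclosing network and count hits and 404s."""
    stats = defaultdict(lambda: {"ips": set(), "hits": 0, "not_found": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field was a hostname, not an address
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        entry = stats[net]
        entry["ips"].add(ip)
        entry["hits"] += 1
        entry["not_found"] += m.group(2) == "404"
    return stats


def summarize(stats):
    """Return (network, distinct_ips, hits, not_found) rows, busiest first."""
    rows = [(str(n), len(s["ips"]), s["hits"], s["not_found"])
            for n, s in stats.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for row in summarize(cluster_by_network(SAMPLE_LOG)):
        print("%-18s ips=%d hits=%d 404s=%d" % row)
```

Many distinct addresses collapsing into a handful of networks points at a few hosting providers or ISPs; hits spread thinly over hundreds of unrelated networks points at proxies or a botnet.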
 

V8Li

Member
And could you make the download script maybe a bit smarter, allowing only downloads with a correct referrer? This will not stop the attacks but can maybe buy you more breath.

Here's how a download remote script (PHP) can send a download header:

Code:
// Request headers built by hand; the request path and Host value are blank as in the original post.
$header  = "GET  HTTP/1.0\r\n";
$header .= "Host: \r\n";
$header .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6\r\n";
$header .= "Accept: */*\r\n";
$header .= "Accept-Language: en-us,en;q=0.5\r\n";
$header .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$header .= "Keep-Alive: 300\r\n";
$header .= "Connection: keep-alive\r\n";
// The Referer value is chosen by the client, so the server cannot trust it.
$header .= "Referer: http: // a-referer.ref\r\n\r\n";

As you can see, the last line adds the "Referer" to the header. Pretty much anything can be emulated. So there's not much he can do to improve the script of the website.

A bit off-topic: A guy was asking other programmers on a forum how he can hide his JavaScript from users accessing his website. The problem is that JavaScript is a client-side script and is loaded and interpreted by the web browser, so the first thing the browser does is save it to disk. A smart answer soon came: if you don't want to share it don't post it on the Internet. It's the same in our case: Vash wants to give us freedom and at the same time limit the attacker's options, which tend to be unlimited. Again, we should not complain about the fact that we can't browse orbithangar with multiple Web browsers or download multiple files at the same time. These are normal limitations used to avoid such attacks. We were lucky to be isolated of such events, but as a website or community grows, some idiot will be satisfied to drop the server, database or post messages like "hacked by the greates hacker" on the pages.
 

dansteph

Addon Developer
Beta Tester
Joined
Apr 30, 2008
Messages
788
Reaction score
64
Points
28
Website
orbiter.dansteph.com
It's really a pity, I will never understand people that attack a free community as Orbiter. It's even worse than for a lot of shareware website...

When I think that 4 years ago my forum was free to write without registering and that things degraded at the point where I had to close and secure everything.

When only a simple frustrated moron can have such power as doing DDOS attack I wonder if freedom and privacy will still mean something within 10 years. (will we still have the choice between a full secured internet without privacy or a "wild" internet where even script kiddies can destroy what they want ?)

One solution would be to allow only download from registered people ? (so you can block automatically one "user" that is doing a lot of simultaneous download) This would solve the multiple IP request.

Best

Dan
 

Urwumpe

Not funny anymore
Here's how a download remote script (PHP) can send a download header:

As you can see, the last line adds the "Referer" to the header. Pretty much anything can be emulated. So there's not much he can do to improve the script of the website.

I thought more about adding a random extra directory (as symbolic link in the web server) to the file path, which stays unknown to the attackers for a while. Vash could in theory write a maintenance script, which creates a new link every day at 4 AM, and deletes the older links in the process, so that the downloads can continue for a day before the path is invalid.

For example "www.orbithangar.com/Butterbrot/File.zip" and on the next day "www.orbithangar.com/Korolev/File.zip".

But a 30-60 minute ban to each IP which uses an invalid filename would already be helpful.

When only a simple frustrated moron can have such power as doing DDOS attack I wonder if freedom and privacy will still mean something within 10 years. (will we still have the choice between a full secured internet without privacy or a "wild" internet where even script kiddies can destroy what they want ?)

I think a fully secured Internet is impossible by the structure of it and all Internet II attempts will have the problem of working in the same environment as the Internet.

The main problem I see is, that the Internet is not capable of purging itself of criminal ISPs. Without such companies and service providers, the internet would be much more secure, but if you only apply financial ethics to the internet, you won't get rid of them.
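
The 30-60 minute ban for IPs requesting invalid filenames, suggested in this post, sketched as an added example that is not from the thread or the site's code. It generalises the suggestion slightly: a ban needs several 404s inside a short window so that one mistyped link does not lock out a regular visitor, and `threshold=1` gives the behaviour exactly as suggested. The class and function names are hypothetical and the events are constructed.

```python
from collections import deque


class NotFoundBanList:
    """Temporary per-IP ban triggered by repeated 404 responses."""

    def __init__(self, threshold=3, window=60, ban_seconds=30 * 60):
        self.threshold = threshold      # 404s needed to trigger a ban
        self.window = window            # seconds in which they must occur
        self.ban_seconds = ban_seconds  # ban length (30 minutes here)
        self._misses = {}               # ip -> deque of recent 404 timestamps
        self._banned_until = {}         # ip -> time at which the ban ends

    def is_banned(self, ip, now):
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                # ban has run out: forget it
            del self._banned_until[ip]
            return False
        return True

    def observe(self, ip, status, now):
        """Record one answered request; return True if it triggers a ban."""
        if status != 404:
            return False
        misses = self._misses.setdefault(ip, deque())
        misses.append(now)
        while now - misses[0] > self.window:  # drop 404s outside the window
            misses.popleft()
        if len(misses) < self.threshold:
            return False
        self._banned_until[ip] = now + self.ban_seconds
        del self._misses[ip]
        return True


def replay(events, **settings):
    """Replay (time, ip, status) events; return the action taken for each."""
    bans = NotFoundBanList(**settings)
    actions = []
    for now, ip, status in events:
        if bans.is_banned(ip, now):
            actions.append("rejected")  # refused before touching the disk
        elif bans.observe(ip, status, now):
            actions.append("banned")
        else:
            actions.append("served")
    return actions


# Constructed events: (seconds since start, client IP, HTTP status).
EVENTS = [
    (0, "198.51.100.7", 404), (5, "198.51.100.7", 404),
    (9, "192.0.2.10", 404),        # a single mistyped link
    (10, "198.51.100.7", 404),     # third 404 within 60 s
    (20, "198.51.100.7", 200), (1809, "198.51.100.7", 200),
    (1810, "198.51.100.7", 200),   # ban from t=10 ends at t=1810
    (2000, "192.0.2.10", 200),
]
```

Because the attack in this thread rotates source addresses from day to day, a short ban like this limits the cost of each address rather than identifying the attacker.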
 

James.Denholm

Addon ponderer
Joined
Feb 8, 2008
Messages
811
Reaction score
0
Points
0
Location
Victoria, Australia
It's sad someone would do this...

What Doug did on his site (you know, the guy who made/hosts the XR1 & 5) is make the links go to php scripts, and obviously these scripts downloaded the files. Ask him, I don't know much about the web. I'm more of a gamer nerd :p

Anyway, the only problem is that this will seriously annoy those with Download Managers... such as me. But I can do without... I think.

[Courageous music starts, with flapping American flag in background]

Whatever you do, we will back you 110%. What you've done, Vash, for the community, is truly inspirational. All without a single ad... You should be proud. Give 'em hell.

"We shall go on to the end, we shall fight in cyberspace,
we shall fight on the seas and oceans,
we shall fight with growing confidence and growing strength in the air, we shall defend our Community, whatever the cost may be,
we shall fight on the beaches,
we shall fight on the landing grounds,
we shall fight in the fields and in the streets,
we shall fight in the hills;
we shall never surrender, and even if, which I do not for a moment believe, this Community or a large part of it were subjugated and starving, then our other Flight Sim Buddies beyond the seas, armed and guarded by better php knowledge, would carry on the struggle, until, in God's good time, the New Forums and Hangar, with all its power and might, steps forth to the rescue and the liberation of the old."

[Music fades]

Winston Churchill, eat your heart out.
 

chudsosoft

New member
Joined
Apr 20, 2008
Messages
8
Reaction score
0
Points
0
It's not really that hard to assemble a zombie horde to run one of these attacks. It's probably some angst-ey teenager with little else to do.

Are all of the attacks in the form of page requests? You're not getting any other kinds of packets? You should talk to your web host and see if they're willing to take a look at the problem and maybe do a little traffic shaping at their end.
 

computerex

Addon Developer
Joined
Oct 16, 2007
Messages
1,282
Reaction score
17
Points
0
Location
Florida
Probably a botnet, or could be as simple as proxies.
 

Urwumpe

Not funny anymore
Probably a botnet, or could be as simple as proxies.


I would suspect more something of the latter, until I have more information. While making a bot is not really something hard, most AV software already notices botlike behaviour and catches it.
 

chudsosoft

New member
I would suspect more something of the latter, until I have more information. While making a bot is not really something hard, most AV software already notices botlike behaviour and catches it.

Yes, but that assumes that most people actually run AV software. It only takes a few compromised machines to take down a web site.
 

Urwumpe

Not funny anymore
Yes, but that assumes that most people actually run AV software. It only takes a few compromised machines to take down a web site.

Orbithangar is no simple website, it was quite robust in the past. And not running AV software is stupid enough. I don't know anybody among my friends, who still does it.
 

Whatu

Interplanetary Stowaway
Joined
Apr 21, 2008
Messages
202
Reaction score
0
Points
16
Location
Tenerife
Bad news...:( I never thought something like this could happen. Attacking orbithangar? but why?...
Anyways I just hope the problem can be solved so we can fully enjoy your exceptional website Vash.
 

Zatnikitelman

Addon Developer
Joined
Jan 13, 2008
Messages
2,302
Reaction score
6
Points
38
Location
Atlanta, GA, USA, North America
Vash, are these attacks occurring over a period of time less than 24 hours? Or is each attack occurring after a 24 hour period? The reason I'm asking is because someone could be attacking from someplace with a dynamic IP address that is reassigned after one day which in my experience is the usual amount of time for ISPs.
 

markl316

XR2 Ravenstar Commander
Addon Developer
Tutorial Publisher
Joined
Mar 30, 2008
Messages
450
Reaction score
1
Points
18
Maybe the guy has 8 different internet connections (and therefore 8 different IP addresses) and just cycles them.
 

mrspacely

New member
Joined
May 1, 2008
Messages
78
Reaction score
0
Points
0
Location
Near Area 51
amazing. why not attack american idol's website or something useful?? geez, orbiter of all things... probably someone who can figure out code, but can't figure out spaceflight and is intimidated by the wonderful minds that have gathered in the orbiter community! i wish there was something i could do to help..
 