I have just recovered from a DDOS/Brute force attack on my server from a botnet running on Amazon EC2 instances. (Technical)

Gromett · Jan 26, 2022

Just checked the logs. They are now sending ICMP packets from every single IP they own... they are pinging my server to see if it is up

Gromett · Jan 26, 2022

They have ceased all attacks on port 443 (https) and now just seem to be pinging my server from all their IP addresses.
They are cycling through the servers they own trying to find one that can get through I think.

I suspect they don't realise that Amazon publishes a full list of all their IP addresses and that I have blocked them using this list. Funny

Realist · Jan 26, 2022

most probs someone tying out a new toy they had for Christmas.

Diabalo · Jan 28, 2022

What was the outcome?

Gromett · Jan 28, 2022

Diabalo said:
What was the outcome?

Amazon were not clear on their procedures. They asked for a log file showing the frequency of the attack. So I gave them a one second sample to show the intensity. I then gave them a list of IP's taking part in the attack.
They have only dealt with the IPs in the 1 second sample.

Then they came back to me asking for what DNS requests were being made and the time stamp of each one. This is even after I have told them I have firewall their entire IP address range. I do not have that information.

The attackers have given up (for now) and I needed to release the firewall blocks, so I am just going to let this go. Amazon are frustrating in the extreme to say the least.

If they were clear up front. Or provided a full description in detail of what they required I would have been able to give them all this up front. Oh well...

Attack over (for now) and things are back to the normal levels of attacks.

Gromett · Jan 28, 2022

PS: If it kicks off again. They are going to get a detailed report for each and EVERY IP individually with full data.
If the attack reaches anything like the previous level they are going to get 8,000 odd individual reports. Shame this is necessary

Diabalo · Jan 28, 2022

It must be really frustrating for you after giving Amazon all the info, Still a big up for the way you dealt with it and looking after your clients.

Gromett · Jan 28, 2022

Diabalo said:
It must be really frustrating for you after giving Amazon all the info, Still a big up for the way you dealt with it and looking after your clients.

I just feel sorry for the next target. Because Amazon haven't dealt with this, someone else is now suffering and it may be a small single one man band who can't afford a server admin. A small business now may either get hacked or put out of business by what is in effect a DDOS if not technically a DDOS.

Diabalo · Jan 28, 2022

My niece's husband has his own estate agency and paid £40,000 ransom to get his hacking attack sorted. It's a massive problem.

Gromett · Jan 28, 2022

Diabalo said:
My niece's husband has his own estate agency and paid £40,000 ransom to get his hacking attack sorted. It's a massive problem.

Oh crap...

That just encourages the hackers unfortunately. Until people stop paying them they will continue to do it. Sadly in the cases of small companies it may be the only choice

I have a custom backup system that works by pulling data from the system to be backed up.

Most people backup using either network attached storage device, a USB device plugged in or some software that backs up to the cloud.

The problem with those methods is the second the backup system gets connected to the infected system the backups get corrupted as well.

My method is I have a totally independent server that runs absolutely no services and is totally firewalled from the internet.
This server connects (one way) to the computer to be backed up and pulls the data remotely. The computer being backed up has no way of connecting directly to the backup server.

This prevents crypto ransomware being installed on the computers. I also do a backup similar to how the Apple Mac does the time machine. I am able to step back daily (for 7 days) weekly (for 5 weeks) and monthly for 6 months to see how and when the ransomware got installed.
I run this service for quite a few clients.

Fortunately it has never been needed in anger as I keep servers quite secure. However, it has been used due to client error. Ooops I deleted the wrong database HELP! type things.

Diabalo · Jan 28, 2022

Yep no choice or the businesses going pear shaped.

Gromett · Jan 28, 2022

Diabalo said:
Yep no choice or the businesses going pear shaped.

Gromett · Jan 29, 2022

In case anyone is interested. This is what a true DDOS attack looks like and how amplification attacks take place.
One point missed by the article is that the amplification attack makes it look like the attack is coming from a different source and means it is very hard to identify the attackers.

Microsoft fends off record-breaking 3.47Tbps DDoS attack

While a crude brute-force attack, DDoSes are growing ever more potent.

arstechnica.com

I have just recovered from a DDOS/Brute force attack on my server from a botnet running on Amazon EC2 instances. (Technical)

Gromett

Gromett

Realist

Diabalo

Gromett

^{_{Subscribers do not see these advertisements}}

Gromett

Diabalo

Gromett

Diabalo

Gromett

^{_{Subscribers do not see these advertisements}}

Diabalo

Gromett

Gromett

Microsoft fends off record-breaking 3.47Tbps DDoS attack

Latest journal entries

Belgium (previous)

Italy Sept 2023

West coast France, Dordogne and back