The Firing Line Forums

Old May 28, 2007, 09:40 AM   #76
geojap
Member
 
Join Date: June 13, 2002
Location: Austin, TX
Posts: 45
I'm not sure how they have their router at THR set up, but if it's a UNIX or Linux box, you just have to add some sanity rules and it will stop DOS attacks. I'm already an IT developer but I'm going to take a class in IT security forensics soon to learn about this sort of thing.

Quote:
Are any of you computer savvy enough to tell the rest of us what the problem might be?
A Denial of Service attack overloads the hardware with thousands of times more requests (and workload) than normal. All the bogus requests will either deny resources to legitimate users' requests of the server, or else it will crash the hardware. It looks like this attack has crashed many of the servers that run the network at the data center that THR uses.

Quote:
Find the person(s) responsible, and press charges. Is that possible in this case?
Unless you are an extremely skilled server admin who has correctly configured your server and network, then the answer is no. You have to set up your network/server correctly to even be able to track what happened. You have to configure the network topology correctly, and log everything, and not many sysadmins are that good.

To explain a little more, two things happened here. Some server somewhere in Chicago got compromised. Meaning that a hacker broke in and put a zombie program on the server in Chicago to launch a DOS attack. The sys admin in Chicago did not do his job and made a situation that allowed this to happen. His server had poor security that allowed it to be hacked. That was mistake number one.

Mistake number two happened at the data center where THR's server is housed. They were the recipient of a DOS attack and did not have an adequate response to handle it. The firewall should have recognized immediately that a DOS attack was occurring and at the very least shut down the firewall if it was going to crash their network. A more intelligent approach would have been to recognize and filter DOS traffic from that source IP range, which still lets in most or all legitimate traffic to THR's server. The data center that THR uses isn't prepared to respond to DOS attacks, it seems. So two mistakes were made here that allowed this to happen.

I hope that helps.
geojap is offline  
Old May 28, 2007, 09:57 AM   #77
dasmi
Senior Member
 
Join Date: January 18, 2005
Posts: 882
Sigh. I don't mind THR being down so much, but I'm having APS withdrawals.
__________________
If we look at the black record of mass murder, exploitation, and tyranny levied on society by governments over the ages, we need not be loath to abandon the Leviathan State and ... try freedom.
--Murray Rothbard, For a New Liberty
dasmi is offline  
Old May 28, 2007, 10:13 AM   #78
RNB65
Senior Member
 
Join Date: October 17, 2006
Location: Richmond, VA
Posts: 167
Quote:
I'm not sure how they have their router at THR set up, but if it's a UNIX or Linux box, you just have to add some sanity rules and it will stop DOS attacks.
I don't know how many of Derek's earlier comments you've read, but one of his comments was that the ISP that THR's host facility uses is basically incompetent. They are either unable or unwilling to deal with a DOS attack. When Derek notifies them that THR is under attack, they just turn off the network link to THR and turn it back on when the attack is over.
RNB65 is offline  
Old May 28, 2007, 11:03 AM   #79
Oleg Volk
Staff Alumnus
 
Join Date: December 6, 1999
Location: Nashville, TN
Posts: 7,022
THR is in the process of finding a host that we can afford and that also has the ability to handle such attacks. It turned out to be a hard search.
__________________
Oleg "peacemonger" Volk
blog.olevolk.net
Oleg Volk is offline  
Old May 28, 2007, 11:12 AM   #80
GoRon
Member
 
Join Date: May 18, 2004
Location: Chicagoland
Posts: 54
Quote:
THR is in the process of finding a host that we can afford and that also has ability to handle such attacks. It turned out to be a hard search.
Without a doubt I speak for many when I say thanks for the time, work and money put into THR/APS.

How successful was the fund raiser that we had a while back? Is it something that might need to be revisited?

I know an email address was given for Derek if anyone wanted to chip in, I have to think another fund drive would have better results.

Ron
__________________
The High Road

Armed Polite Society
GoRon is offline  
Old May 28, 2007, 11:41 AM   #81
Mot45acp
Junior Member
 
Join Date: May 23, 2007
Location: Tx
Posts: 0
I am another one who came over due to the outages. I see that another member has posted Derek's donation stations. For those who haven't, please see that THR is in need of help. Even a few dollars will help.

I may be taking this a lil bit personal, but, I cut my teeth on THR.
Thanks
Mot
Mot45acp is offline  
Old May 28, 2007, 12:18 PM   #82
tyme
Staff
 
Join Date: October 13, 2001
Posts: 3,355
Quote:
Originally Posted by geojap
I'm not sure how they have their router at THR set up, but if it's a UNIX or Linux box, you just have to add some sanity rules and it will stop DOS attacks.
If only it were that easy.
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner)
“Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum)
“It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
tyme is offline  
Old May 28, 2007, 12:26 PM   #83
foob
Member
 
Join Date: July 22, 2006
Posts: 99
Quote:
Originally Posted by geojap
I'm not sure how they have their router at THR set up, but if it's a UNIX or Linux box, you just have to add some sanity rules and it will stop DOS attacks.
That doesn't work here.

1. The attack still takes up bandwidth, so either the THR router/firewall is overwhelmed or legitimate packets get dropped by the ISP because bandwidth is maxed out.

2. THR is still paying for all the bandwidth used by the attack. So shutting down the site is preferred.
foob is offline  
Old May 28, 2007, 01:14 PM   #84
kd7nqb
Junior Member
 
Join Date: May 28, 2007
Posts: 5
Well with THR down, I came over here. Hello all.
kd7nqb is offline  
Old May 28, 2007, 01:16 PM   #85
Working Man
Member
 
Join Date: May 28, 2007
Location: DFW, Tx
Posts: 17
Quote:
I'm a long-time member of THR, but I just joined The Firing Line a few days ago since I can never get on THR anymore it seems...
Me too (today). I thought I had joined before but my name was not registered.

This is nutz. I hope they get things fixed soon. Good to know what's going on at least.
Working Man is offline  
Old May 28, 2007, 01:21 PM   #86
Werewolf13
Junior Member
 
Join Date: May 25, 2004
Posts: 12
I am totally amazed from what I've read here that there seems to be no recourse but take it.

Can't find those responsible and prosecute.
Can't stop the DOS attacks.
Can't filter the attacks reducing their impact.

One would think that with all the expertise in internet technology out there that some way of making DOS attacks no threat would have been devised by now.

If it's so easy and almost risk free why aren't the a'holes doing this attacking banks or big businesses that rely on the internet and collecting protection money?

The mafia ran the same scheme for years only face to face. This DOS thing seems to be almost risk free from what the local guys who seem to know what they're talking about say.

Why screw with THR?
Werewolf13 is offline  
Old May 28, 2007, 01:57 PM   #87
Seancass
Member
 
Join Date: April 3, 2006
Location: Purdue
Posts: 75
guys, i'm not going to make it, the site has been down for what seems like days. TFL is good, but i need my high road. i've got nervous convulsions, cold sweats, the urge to go fondle my own guns, or to even surf the net looking for gunp0rn. i'm glad you guys are here to keep me from losing it.
__________________
Ess Kay Ess
Seancass is offline  
Old May 28, 2007, 01:58 PM   #88
Cosmoline
Senior Member
 
Join Date: March 11, 2000
Posts: 1,080
Quote:
THR is in the process of finding a host that we can afford and that also has ability to handle such attacks. It turned out to be a hard search.
Is it a matter of money?
__________________
"Know that the pistol has no value, we practically don't use it. We need grenades, rifles, machine guns, and explosives."
Mordechai Anielewicz, April 23, 1943
Cosmoline is offline  
Old May 28, 2007, 02:41 PM   #89
ArfinGreebly
Member
 
Join Date: November 3, 2006
Location: North Idaho
Posts: 48
Money?

I daresay there are several of us (and I would be one) who would be willing to make a dollar commitment monthly to see THR up and running reliably.

A few bucks from a hundred of us (or two) would, I'm sure, go a long way.

Of course, there are hosts out there that charge 5-digit sums for the kind of reliability we'd really like.

It seems to me, however, that isolating the offending servers should not be that difficult. It doesn't matter that they're zombies, the provider at that level should be able to simply kill packets from those boxes before they ever get to the backbone. It might require blue envelope treatment, but the compromised boxes (if they're centralized) should be subject to summary isolation. If the zombies are spread out, then it's harder.
__________________
"Truth is a dangerous thing: once found, you must never turn your back on it." -- gh@c2

"Look at it this way. If America frightens you, feel free to live somewhere else. There are plenty of other countries that don't suffer from excessive liberty. America is where the Liberty is. Liberty is not certified safe." -- gh@c2
ArfinGreebly is offline  
Old May 28, 2007, 03:01 PM   #90
tydephan
Senior Member
 
Join Date: August 14, 2006
Location: Huntsville, AL
Posts: 437
Oleg,

How about the host that TFL uses?

We haven't seen them drop off the map but maybe once (that I'm aware of.)

I've sent Derek some coin. I'm sure there are many more members that are willing to do the same. Just point us in a direction.
tydephan is offline  
Old May 28, 2007, 04:14 PM   #91
tyme
Staff
 
Join Date: October 13, 2001
Posts: 3,355
Arfin, if the attack's coming from the same place it was last time, the colo in question is notorious for not handling abuse issues.
__________________
“The egg hatched...” “...the egg hatched... and a hundred baby spiders came out...” (blade runner)
“Who are you?” “A friend. I'm here to prevent you from making a mistake.” “You have no idea what I'm doing here, friend.” “In specific terms, no, but I swore an oath to protect the world...” (continuum)
“It's a goal you won't understand until later. Your job is to make sure he doesn't achieve the goal.” (bsg)
tyme is offline  
Old May 28, 2007, 04:31 PM   #92
ArfinGreebly
Member
 
Join Date: November 3, 2006
Location: North Idaho
Posts: 48
colo abuse response

Perhaps a blue envelope would wake them up.
__________________
"Truth is a dangerous thing: once found, you must never turn your back on it." -- gh@c2

"Look at it this way. If America frightens you, feel free to live somewhere else. There are plenty of other countries that don't suffer from excessive liberty. America is where the Liberty is. Liberty is not certified safe." -- gh@c2
ArfinGreebly is offline  
Old May 28, 2007, 04:39 PM   #93
RNB65
Senior Member
 
Join Date: October 17, 2006
Location: Richmond, VA
Posts: 167
Quote:
One would think that with all the expertise in internet technology out there that some way of making DOS attacks no threat would have been devised by now.
The problem is that the basic protocols upon which the Internet is built are flawed and very vulnerable to abuse. A little Internet history --

What we know now as the Internet began as a government research project back in the 1960's when the Advanced Research Projects Agency (ARPA) was given the task of developing a decentralized, packet switched computer network which could survive efforts at sabotage. Major universities were eventually invited to participate in developing the new network and eventually the universities took the lead as ARPA eventually moved on to other things. Most of the communications protocols that underlie the Internet were developed in an academic setting with no real thought given to security or preventing rogue behavior. The original developers just saw the experimental network as an academic project that universities used to talk to each other. No one ever imagined that the 'net would ever become a commercial entity. Eventually, the rest of the world discovered the Internet and it became one of the biggest success stories in the history of modern technology. But, unfortunately, we're still hamstrung with the short-sighted thinking of the early developers who failed to build proper security controls into the basic protocols. And changing those protocols at this point in the game to remedy some of those old problems is very, very difficult.

The reason that DOS attacks are so hard to stop is because it's very difficult to tell where the packets are coming from. The source addresses on IP packets can be easily forged (one of the weaknesses in the IP protocols) and when the packet arrives at your router, there's no way to tell where it came from if the source address is fake. If you try to filter the packets based on source address, the attacker just changes the source address in the packets and they go right past your filter rules.

There is no easy way to stop a determined DOS attack without spending BIG $$$.
RNB65 is offline  
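An added example, not part of any poster's reply: the difference between filtering a flood that comes from one source range (post #76) and one whose source addresses are forged (post #93), measured on constructed per-source packet counts. The sample data and all function names are assumptions made for illustration, and the sketch looks only at what a source-prefix rule would drop, not at the upstream bandwidth the flood still consumes.

```python
import ipaddress
from collections import Counter

# Constructed flow summaries: (source IP, packet count). Not real traffic.
# 198.51.100.0/24 and 203.0.113.0/24 are reserved documentation ranges.
LEGIT = [(f"203.0.113.{i}", 3) for i in range(1, 41)]            # 120 packets
# Case A: flood from real hosts in one data-center range.
ONE_RANGE = LEGIT + [(f"198.51.100.{i}", 900) for i in range(1, 21)]
# Case B: same 18,000 flood packets, forged sources spread over 1,000 /24s.
FORGED = LEGIT + [(f"{20 + i % 100}.{i // 100}.{i * 37 % 256}.7", 18)
                  for i in range(1000)]


def packets_by_prefix(flows, prefixlen=24):
    """Sum packet counts per source prefix."""
    totals = Counter()
    for src, packets in flows:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        totals[str(net)] += packets
    return totals


def top_prefix_share(flows):
    """Return (prefix, share of all packets) for the busiest source prefix."""
    totals = packets_by_prefix(flows)
    prefix, packets = totals.most_common(1)[0]
    return prefix, packets / sum(totals.values())


def residual_after_blocking(flows, n_rules):
    """Packets still arriving after blocking the n busiest source prefixes."""
    totals = packets_by_prefix(flows)
    blocked = sum(count for _, count in totals.most_common(n_rules))
    return sum(totals.values()) - blocked


def source_filter_helps(flows, threshold=0.5):
    """True when one prefix carries at least `threshold` of the traffic."""
    return top_prefix_share(flows)[1] >= threshold


if __name__ == "__main__":
    for name, flows in (("one range", ONE_RANGE), ("forged", FORGED)):
        prefix, share = top_prefix_share(flows)
        print(f"{name}: top prefix {prefix} carries {share:.1%}; "
              f"left after 1 rule: {residual_after_blocking(flows, 1)}")
```

In the forged case the busiest prefix is the legitimate one, so a "block the top talker" rule drops real users and leaves the whole flood in place.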
Old May 28, 2007, 04:42 PM   #94
RNB65
Senior Member
 
Join Date: October 17, 2006
Location: Richmond, VA
Posts: 167
Quote:
Perhaps a blue envelope would wake them up.
There's at least a couple of us who have suggested to Derek and Oleg that they contact the FBI to see if they'll help put an end to these attacks. The FBI does take internet attacks seriously. But since THR is a noncommercial site, I'm not sure if the FBI will be willing to help. But it can't hurt to ask.
RNB65 is offline  
Old May 28, 2007, 05:52 PM   #95
Avenger29
Member
 
Join Date: May 28, 2007
Posts: 50
But, but- I thought Al Gore invented the internet
At least, that is who I blame for THR going down.

Seriously, this has got to stop. I can't live w/o my THR fix!

But, TFL will substitute for now...
Avenger29 is offline  
Old May 28, 2007, 06:03 PM   #96
thrgunsmith
Senior Member
 
Join Date: May 28, 2007
Location: Reno, Nevada
Posts: 196
we should all take a look at various left/rino forums

to see if someone is bragging about it.

I have encountered hackers before when starting up internet groups
to protest illegal immigration, I believe it was supporters of "southern poverty law center" that attacked me.
I had to shut down my groups because I am neither savvy enough and don't have the time.
thrgunsmith is offline  
Old May 28, 2007, 06:09 PM   #97
Plink
Member
 
Join Date: May 28, 2007
Location: W. Texas
Posts: 83
The THR outages brought me here too. Well, I've been a lurker at TFL for years, but never signed up. 'Bout time I participate here anyway.
Plink is offline  
Old May 28, 2007, 07:32 PM   #98
Mike U.
Senior Member
 
Join Date: April 2, 2007
Location: In Oz, next door to the Lollipop Guild's HQ
Posts: 404
I really think THR was attacked as payback for all the left wing polls we swept after the VT tragedy. If you'll recall, we really made Second Amendment freedom ring in those polls. Remember where at least one liberal news agency made their anti-gun poll completely disappear after they didn't get the results they wanted? I firmly believe we ruined a lot of their polls, making them look like their lefty-leaning readers suddenly had an epiphany concerning Second Amendment Rights.

I believe a hacker was brought in by someone from one of those agencies for a little payback. Either with the approval of the front office or an angry individual bringing in a cyber-hitman.

I keep loosening my tin foil hat, but, I can't shake this feeling that this is the case. Maybe I need another layer of foil?


Also, you all just signing up will really enjoy this forum.
These folks are every bit as "High Road" as the folks over at the home forum.
It's a great place to talk guns.

Last edited by Mike U.; May 28, 2007 at 07:37 PM. Reason: adding a thought
Mike U. is offline  
Old May 28, 2007, 07:57 PM   #99
txgho1911
Member
 
Join Date: September 26, 2005
Posts: 45
Not only to enjoy this board. This is what THR was modeled after originally.

I do not think this is a professional hit on THR. If it is still out of one DC in Chicago then it may only be an individual that has some support role in that DC. After all they have not shut us down for 2 whole weeks solid. Someone hired for this nasty could use resources from all over the internet through different sets of compromised systems.
So far this has mostly been over weekends.
__________________
socialnewswatchDOTcom instead of Drudge
txgho1911 is offline  
Old May 28, 2007, 08:08 PM   #100
lawnrevenge
Junior Member
 
Join Date: May 28, 2007
Location: PRK
Posts: 1
I needed my gun forum fix-hopefully THR will be up again, but now I have an alternative.
lawnrevenge is offline  