[Imc-tech] imc tech notes 7-31-02

Paul Riismandel p-riism at uiuc.edu
Thu Aug 1 15:01:51 CDT 2002


imc tech 7-31-02

present: brian, mike l., dan l., paul r.

Big item -- attack on our website still ongoing.

Dan has some logs from the Active webcast database. Between 10:30 AM and
12:08 PM (less than two hours) today the same article was posted 70 times.
Mike says that the same guy seems to have done this on other IMCs, Jerusalem
in particular.  The webserver logs show this came from five different IPs.
Zach blocked the first IP he was using; Dan has blocked the subsequent 4.
It appears to slow him down for about an hour or more, but it doesn't stop
him.  Records show that the blocks have actually blocked attempts to post
data to our website.

Dan also has a log of when blocked IPs have tried to use our site within any
given minute.  In some cases our spammer tried to hit our site as many as 12
to 19 times in just one minute.
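As an added example (not from the meeting or the IMC's own tooling), here is a small Python script that does what Dan's per-minute log does: it parses constructed webserver access-log lines, counts POST attempts to the posting endpoint per source IP per minute (blocked 403 attempts included), and flags IPs that exceed a burst threshold. The log lines, the /publish.php path and the threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of webserver access-log lines (Apache common log format).
# IPs, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jul/2002:10:30:01 -0500] "POST /publish.php HTTP/1.0" 200 512
10.0.0.5 - - [31/Jul/2002:10:30:07 -0500] "POST /publish.php HTTP/1.0" 200 512
10.0.0.5 - - [31/Jul/2002:10:30:12 -0500] "POST /publish.php HTTP/1.0" 200 512
10.0.0.5 - - [31/Jul/2002:10:30:19 -0500] "POST /publish.php HTTP/1.0" 200 512
10.0.0.5 - - [31/Jul/2002:10:30:25 -0500] "POST /publish.php HTTP/1.0" 200 512
192.0.2.44 - - [31/Jul/2002:10:30:30 -0500] "GET /newswire HTTP/1.0" 200 8192
192.0.2.44 - - [31/Jul/2002:10:31:02 -0500] "POST /publish.php HTTP/1.0" 200 512
10.0.0.5 - - [31/Jul/2002:10:31:40 -0500] "POST /publish.php HTTP/1.0" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Yield (ip, minute, method, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield (m["ip"], ts.strftime("%Y-%m-%d %H:%M"),
               m["method"], m["path"], int(m["status"]))

def posts_per_minute(text, post_path="/publish.php"):
    """Count POST attempts to the posting endpoint, keyed by (ip, minute).
    Blocked attempts (403) are counted too, so a blocked IP that keeps
    hammering the site still shows up, as in Dan's log."""
    counts = Counter()
    for ip, minute, method, path, _status in parse_log(text):
        if method == "POST" and path == post_path:
            counts[(ip, minute)] += 1
    return counts

def flag_bursts(counts, threshold=5):
    """Return IPs that sent at least `threshold` posts in any single minute."""
    return sorted({ip for (ip, _minute), n in counts.items() if n >= threshold})

if __name__ == "__main__":
    per_minute = posts_per_minute(SAMPLE_LOG)
    print(flag_bursts(per_minute))  # ['10.0.0.5']
```

Against a real log, a threshold well below the 12 to 19 attempts per minute seen here still leaves normal posting untouched, since a person does not submit the same form several times in one minute.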

Brian hypothesizes that he's probably written a script to post.  Dan has
found websites listing open web proxies, so it's likely he'll just move to
the next one.

A web proxy forwards web traffic.  Dan says that we cannot find out where
the forwarded traffic originated, though we could find out from the sysadmin
operating the proxy.  Given that some of the proxies we're blocking were a
school system in NJ and someone's personal machine on a cable modem, these
system owners likely don't even realize that they're operating an open
proxy.

Paul asks if Dan would be willing to e-mail some of the sysadmins whose
systems are being exploited. Dan says in some cases this is useless, since
some are huge Asian ISPs. But contacting the school might be useful.

Dan says there is one technique that will filter out most machines/proxies
that are exploited or used for nefarious purposes, but it may also block
some small amount of legitimate traffic.  It is a method that the U of I
uses to protect its student/staff e-mail/web cluster.  It won't block
traffic coming from ISPs and machines configured by a competent sysadmin.

Paul thinks that this decision is bigger than Tech alone, since it could
result in blocking some legitimate traffic, and so we should send a
recommendation to Steering.  Dan will check our logs to see approximately
how much legitimate traffic we might potentially block.  Pending that
information, there is consensus that we use this blocking technique,
provided it doesn't block too much legitimate traffic.

This block would stay in place until we get new IMC software Dada up and
running (two weeks or so), or until we see that blocked IPs aren't barraging
us with hits.

Another idea is to make all posts auto-hidden, so that Tech has to unhide
the good ones. This would make it easier on us, since we're chasing this guy
to keep the newswire usable in the face of 70+ posts in a couple of hours.

Consensus that we go ahead and do autohide right now, since we otherwise
only get 6 stories a day and the time any one legitimate story will remain
hidden will be relatively short.  Dan will put it into autohide mode this
evening, and Paul and Mike will monitor the hidden stories to move
legitimate ones to the Newswire. Paul and Mike will move to the Newswire any
story that can't be quickly confirmed as our spammer, regardless of content.

We will do this until we move to Dada or we stop receiving this spam for a
week.

Paul thinks it's obvious that this spammer is not interested in shutting
down our site -- with his ability to hide his IP one would think he'd be
able to hack or do a DoS attack.  It seems more obvious that he's simply
fucking with us and trying to piss us off.

Though we can't quite figure out how this guy is posting so many times so
quickly, because it's gone on at other sites our belief is that he's
probably exploiting a weakness in our website software, Active, and so we
think that changing website software should fix the problem, and allow us to
stop blocking and logging.

Tech will revisit this next week.
Adjourned 6:49