[Imc-web] thwarted DoS

Zachary C. Miller zach at chambana.net
Mon Jul 4 23:48:06 CDT 2005


(Sarah, I'm Cc'ing you on this because our website just got hit by a
flood of traffic from an IP address that may have once been associated
with your computer. This is probably a coincidence or else just a
glitch with your computer or our website but I put a few questions for
you at the bottom of this email just to see what is up so I can unban
the IP address. Don't worry, I have absolutely NO suspicion that you
meant to do anything bad to the server and you probably weren't even
involved....you're just a clue. Let me know if this is confusing.)

We just got hit by a flood of hits from 12.223.133.242 that drove our
load average way up. The hits were to such articles as:

/newswire/display/62151/index.php
/newswire/display/58110/index.php
/newswire/display/52687/index.php
/newswire/display/59544/index.php
/newswire/display/49493/index.php

As well as numerous hits to our front page. 

12.223.133.242 is a local C-U area Insight cable modem user.

That IP address is temporarily banned while I sort out what happened.

It seems that MAYBE mysarah at insightbb.com subscribed to the cprb email
list earlier today from this IP address. That person is a known
community member and active participant in IMC groups and I don't
think she would purposely DoS our site. I can think of one of three
things that happened:

1) Since that is a dynamic address the person who had that IP address
at noon today and the person who had it for the DoS just now are two
different people.

2) The person who DoSed us randomly chose mysarah at insightbb.com as an
email address to stick into a subscription form as part of probing our
network.

3) The Denial of Service was due to a legitimate malfunction of
Sarah's computer (or perhaps a virus) rather than a directed targeted
attack. 

I think (3) is most likely. I'm Cc'ing this message to
mysarah at insightbb.com to see if she has any insight into what
happened.

Sarah, 

* Were you accessing the ucimc website around 11pm on July 4th? Did
you notice any malfunction with your web browser? Were you accessing a
whole bunch of IMC articles all at once?

* Did you sign up for the cprb mailing list around noon today? (if
so...cool! cprb definitely needs more folks involved!)

* Can you access the UCIMC website right now? If you can then it is
not your IP address that I blocked and (1) above is what happened.

Thanks for helping us get to the bottom of this! We know it absolutely
wasn't any bad intent on your part, either a glitch or a total
coincidence that the dynamic IP address was once held by your
computer. I'm just trying to get a feel for what happened.

-- 
Zachary C. Miller - @= - http://zach.chambana.net/
IMSA 1995 - UIUC 2000 - Just Another Leftist Muppet - Ya Basta!
 Social Justice, Community, Nonviolence, Decentralization, Feminism,
 Sustainability, Responsibility, Diversity, Democracy, Ecology
