I tried to read the wiki article and my head hurts.
All I got is that someone set up computers to keep sending requests to the SDMB and it crashed or something?
So, the SDMB server is set up to send various kinds of responses to various kinds of request. The simplest is what’s called a “ping” request, to which the response is “pong”: Basically, it’s just checking to see if the server is there, and how long it takes to respond. But of course, there are many other kinds of responses possible: For instance, you can send a request “Give me thread number 24601”, and the response is the HTML file which codes for that thread. Or, as appears to have been the case with this attack, the request can be “Log in user XXXXX with password YYYYY”, to which the response is either “Welcome, XXXXX”, or “Username/password incorrect”.
But of course, there’s only so much traffic any server can handle. Try to make it do too much, and it gets bogged down and crashes. So if you really don’t like some particular site, you can bring it down just by sending a whole bunch of requests really quickly. This is a denial of service attack (DoS).
There is, of course, a difficulty here: If you’re sending enough requests to bog down the target server, then you’re probably also bogging down whatever computer you’re using to send the requests. So the usual tactic is what’s called a distributed denial of service attack (DDoS): First you get thousands of PCs that you’ve turned into zombies under your control (how you do this varies, but it usually involves finding victims who are gullible enough not to use good security). Then, you put denial of service programs on all of your zombies, and tell them all to attack the site you don’t like. Now, each attacking computer is only handling a manageable amount of traffic, but the target server is handling all of it, and poof.
Yes, it’s usually a distributed denial of service attack - groups have massive armies of PCs scattered around the Internet that take commands from some central location. These PCs were infected with malware previously and the owners are not aware. In a DDOS attack, many many PCs all send connection requests to the same site, so the real users can’t get in.
It’s like sending ten million robots to the mom & pop shop down the street - the real customers can’t get in.
Chronos’ excellent reply notwithstanding, we don’t know at this time what the problem was.
This was a specialized kind of DDoS attack.
Normally, the goal is to prevent any legitimate traffic from getting to the site. So, the attackers recruit lots of computers to all send traffic to the victim, overwhelming their network link. Sometimes they use bugs and other tricks to achieve an additional amplification factor.
In this case, the attacker apparently harvested the member names from the forum and continuously attempted to log in with those names. Since the passwords were invalid, they quickly hit the incorrect login limit. No one could log in, since the attacker would try again before the normal 15-minute limit expired.
One weird aspect is that the source IP addresses were apparently in the 10.x.x.x range, which is reserved for internal networks. It seems like the forum software should have realized that these couldn’t be legitimate logins and denied them.
While your explanation is reasonable, and the likely cause, do you have any firm evidence of it, or are you just speculating from knowledge and experience?
Everyone was getting a message that they had too many failed login attempts on the first try. So that’s an indication that user names were taken from content and logins were repeatedly attempted.
And what would be the point of doing that to this kind of board - sport?
Thank you all. That is much clearer than the wiki article.
I think only a current or former Doper would bother to do it. It could be random, but there are much bigger targets for thrill attacks.
I’m not an administrator so I don’t have any direct evidence, but as TriPolar said, everyone got messages about having too many login attempts. Some people also got emails about too many logins from an address in the 10.x.x.x range.
Since the site didn’t actually go down, it seems this wasn’t a traffic-based attack. What I’m curious about now is whether the attack was just meant to harm the site, or if the intent was to harvest passwords. Although each login only has so many allowed tries, there are so many users that the attacker could almost certainly glean dozens or hundreds of legitimate passwords. Of course these passwords would just be tied to their board username, but some people are known to use the same username/password combo at their bank, etc. In some cases these could be tied to an email address, too.
I haven’t yet seen a request for everyone to change their password, so I think the latter scenario is less likely, but I really couldn’t say for sure.
Ed Zotti recommends it in the thread in ATMB.
A test, before an attack on something more thrilling?
It could be totally random, but it’s not a particularly busy site. Not a lot of reason to pick it as a test for something else. And we do have disgruntled former and maybe current Dopers. One guy was suspended yesterday. But maybe not so much a Doper as someone who read something here and was extremely insulted by it. I don’t look at this area of computer security much; it is a simple kind of attack, and there is nothing to stop people from directing one at random IP addresses and network names, but what I have heard of are almost always deliberate targeting, often to expose security holes to exploit and not just to deny service.
Ahh, I see the message now. But he also says:
This could mean a lot of things, but I personally would only say that if I could verify from the logs that the login requests all used the same dummy password (only intending to trigger the login counter), and didn’t try to cover a range of passwords.
Regardless, changing your password is hardly ever a bad idea.
I wouldn’t be surprised if it was an ex-Doper. Slightly different situation, but an ex-coworker of mine launched a DDoS attack against the company that fired him (not who I work for). That little stunt earned him a felony.
Ah, yes 10.* is internal ONLY. No ISP routes it to another ISP…
That says that straightdope.com exists behind a proxy, and the software is unable to work off ip addresses to block it.
What Marley did … I strongly suspect he blocked that 10.* address (range…)
on the web server … It has to be blocked at the proxy or firewall…
DDoS? The intention may be to steal accounts or steal passwords, but the result is that no one could log in since all the accounts were locked… The trick is that IP address blocking fails because it’s distributed.
For the same reason, many bulletin board systems don’t allow the use of the screen name for login… prevents the blackhat getting a list of valid usernames to disable…
This doesn’t appear to have been the case. I got the same message no matter what username I tried to log in with. I tried “Mickey Mouse”, “ABCDEFG”, etc. and got the exact same response as with my own actual username. I only received an email from the SDMB that someone tried to log in to my specific account after I did so myself too many times, but I was already receiving that error message with my or any other username from the first try.
The error message was triggered because every login request to the SDMB server appears to have been coming from the same IP address, 10.24.35.2. It was a block on any login attempts coming from that IP address regardless of the username. That address is an internal-network-only address, probably used by some router or proxy on the network at the place that hosts the SDMB.
A Google search indicates this scenario has played out on many other vBulletin systems, and in at least several cases it happened because their web host tried to do some kind of load balancing internally and caused all requests to the boards to come from a lone, internal IP address instead of the actual client’s address.
I would assume TPTB here have some reasons we don’t know that indicate to them it was a DDoS attack, but from the outside it looks a lot more like the host who serves the SDMB just made some internal change to a proxy or load balancing system and accidentally caused all requests to the SDMB to come from the same internal IP address.
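To make the two explanations in this thread concrete (the per-address failed-login limit with a 15-minute window described earlier, and the proxy or load balancer collapsing every visitor onto one internal address such as 10.24.35.2), here is an added example of a login limiter; it is not the SDMB’s or vBulletin’s code. The failure threshold, the client addresses and the trusted-proxy list are constructed assumptions; the 15-minute window and the 10.24.35.2 address come from the thread.

```python
import ipaddress
from collections import defaultdict

MAX_FAILURES = 5                  # lock after this many failures (assumed threshold)
LOCKOUT_SECONDS = 15 * 60         # the 15-minute window mentioned in the thread
TRUSTED_PROXIES = {"10.24.35.2"}  # the internal proxy address from the thread


class LoginLimiter:
    """Counts failed logins per source address and refuses attempts while locked."""

    def __init__(self):
        self.failures = defaultdict(list)  # address -> timestamps of recent failures

    def client_key(self, remote_addr, forwarded_for=None):
        """Pick the address to limit on. X-Forwarded-For is honoured only when the
        direct peer is a trusted proxy; otherwise any client could forge the header."""
        if remote_addr in TRUSTED_PROXIES and forwarded_for:
            candidate = forwarded_for.split(",")[0].strip()  # leftmost = original client
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # malformed header: fall back to the proxy's own address
        return remote_addr

    def is_locked(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < LOCKOUT_SECONDS]
        return len(self.failures[key]) >= MAX_FAILURES

    def attempt(self, remote_addr, forwarded_for, password_ok, now):
        key = self.client_key(remote_addr, forwarded_for)
        if self.is_locked(key, now):
            return "too many failed login attempts"
        if password_ok:
            return "welcome"
        self.failures[key].append(now)
        return "username/password incorrect"


def simulate(proxy_forwards_client_ip):
    """Constructed scenario: one client fails MAX_FAILURES times behind the proxy,
    then an unrelated client logs in with the right password. Returns that result."""
    lim = LoginLimiter()
    xff_bad = "203.0.113.7" if proxy_forwards_client_ip else None
    xff_good = "198.51.100.9" if proxy_forwards_client_ip else None
    for t in range(MAX_FAILURES):
        lim.attempt("10.24.35.2", xff_bad, password_ok=False, now=t)
    # Without the forwarded client address every visitor shares one key and is locked out
    return lim.attempt("10.24.35.2", xff_good, password_ok=True, now=10)
```

With `simulate(False)` the innocent second client sees the "too many failed login attempts" message on its first try, exactly the symptom reported in this thread; with `simulate(True)` the limiter keys on the real client address and the login succeeds.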
Interesting info. Of course vBulletin screwing up was high on everyone’s list until the DoS attack reports were made. As you likely know, every time a computer breaks it’s because of hacking and not because anyone made a mistake.
Yeah, that is interesting. I’d been taking the reports of a DDoS at face value, but this sounds more plausible. There are still some unexplained bits - why were people able to create sock accounts? But in general, I consider incompetence more likely than malice…
Another thing that really doesn’t support DDoS being the cause is that the site was responding normally other than refusing logins. The error messages were coming up quickly and pages here and at the main site were loading fast and snappy. I could browse the boards normally except for not being logged in.
Under a DDoS attack the first and really only symptom to the outside world is that pages take forever to load if they load at all.