The Techno-Peasant is Puzzled: What is a Denial of Service attack, please?

I don’t know if anyone else noticed this (I do a lot of proofreading and editing), but the “you’ve used up your login attempts” message that everyone was getting during the outage was formatted differently from the regular, legitimate “you’ve used up, etc.” message. I got the real one today when I accidentally entered my password wrong.

The bogus message had bolded text in it. The legitimate message does not.

Which suggests that the login attempts did not trigger the legitimate warning message, but one composed by the hackers.

That’s certainly true for the typical DoS attack, but it doesn’t have to be true. Traffic floods just happen to be the easiest and most common way to achieve a DoS. Repeated bad logins also deny service to the users, but wouldn’t necessarily make the site impossible to contact. There are lots of ways to interfere with the operation of a service.

As I said I assume there is good evidence that indicates it was a DDoS that we just don’t know about - but not in a way, at least I don’t think, that someone tried to log us all in repeatedly using our actual login names. It appears we were all being routed to the SDMB under the same IP address, and that is what triggered the login refusals.

The error message we got is just kind of misleading and poorly worded. I think it was really saying that too many login attempts had come from the IP address 10.24.35.2, and to wait 15 minutes, and it had nothing to do with the actual username attempted.
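The shared-address lockout described in the posts above, as an added example that is not part of the original thread or the board's own software: a failed-login throttle keyed on the connecting address locks out everyone once all traffic arrives via one proxy, while keying on the forwarded client address (trusted only when the peer is the proxy) does not. The threshold of 5, the client addresses, and the assumption that 10.24.35.2 is the site's proxy are illustrative.

```python
import ipaddress
from collections import defaultdict

MAX_FAILS = 5        # assumed threshold; the thread does not state the real one
WINDOW = 15 * 60     # seconds; the 15-minute wait from the error message
# Assumption: 10.24.35.2 (the address in the message) is the site's own proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.24.35.2/32")]

def is_trusted(addr):
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff, trust_proxy):
    """Pick the address to throttle on for one request."""
    # Only believe X-Forwarded-For when the TCP peer is our own proxy;
    # anyone connecting directly could forge the header.
    if not trust_proxy or not is_trusted(peer):
        return peer
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):      # rightmost entries were added closest to us
        try:
            if not is_trusted(hop):
                return hop          # first hop that is not one of our proxies
        except ValueError:
            break                   # malformed header: fall back to the peer
    return peer

class LoginThrottle:
    def __init__(self, trust_proxy):
        self.trust_proxy = trust_proxy
        self.fails = defaultdict(list)   # throttle key -> failure timestamps

    def record_failure(self, peer, xff, now):
        self.fails[client_ip(peer, xff, self.trust_proxy)].append(now)

    def allowed(self, peer, xff, now):
        key = client_ip(peer, xff, self.trust_proxy)
        self.fails[key] = [t for t in self.fails[key] if now - t < WINDOW]
        return len(self.fails[key]) < MAX_FAILS

def simulate(trust_proxy):
    """Constructed scenario: one client fails 5 logins, then another user tries."""
    throttle = LoginThrottle(trust_proxy)
    for second in range(MAX_FAILS):
        throttle.record_failure("10.24.35.2", "203.0.113.7", now=second)
    return throttle.allowed("10.24.35.2", "198.51.100.20", now=60)

if __name__ == "__main__":
    print("keyed on peer address, other user allowed:", simulate(False))
    print("keyed on forwarded client, other user allowed:", simulate(True))
```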

Eh. Once I got back in, I went to the user control panel and edited my password.

Except that the entire board was down. There was a span of time there where any attempt to do anything on the board, even read the forum list, just timed out. It was only after that resolved itself that I was able to even attempt to log in.

Maybe everybody was getting that too-many-fails message, even all the mods and admins and even Ed. What happens if nobody, not even TPTB, can log in? Then how do they fix that? Time to dig up the old back-up tapes?

An unresponsive site would also be consistent with an issue with the load balancing or internal routing. A screwup in that does sound like a plausible scenario.

Annoyingly the board won’t keep me logged in at the moment making it rather painful to use.

Not everyone was getting the failed-login messages: A few folks were managing to post, using their established accounts, while the rest of us were shut out. I believe, though, that all of the mods and admins were among the shut-outs. If true, this lends some credence to the deliberate-attack hypothesis: An accident would presumably shut out accounts at random, while an attacker would certainly make sure that the board leadership was among those shut out.

I’m not sure what the proportion was of people who were able to stay on, though, nor if there were any other patterns such as in amount of activity (moderators tend to be from the more active segment of users). So even if all of the mods were shut out, it’s unclear just how strong evidence that was.

Who (other than new sock accounts) managed to post? I don’t recall any such posts, or at least they didn’t show on the main page as new posts after about (IIRC) 8:36PM Thursday Chicago time.

Unless you are talking about the pre-main-outage time frame. It looks like the board was flaky; up and down for a few hours before it went down totally.

Giles made a few increasingly plaintive and lonely posts. It seemed like he was the only one still logged on for a few hours.

- My guess
- I’m not really certain.
- Nobody currently knows who is responsible
- Knows for sure, at least,
- Lots of guesses.
- Everyone has ideas.
- Rule out some, plenty more pop up.

I thought that maybe there was a sooper-sekrit Australian ISP that the bad guys hadn’t managed to block.

Possible causes for Prince’s death currently include:

And then, once Ed and Engineer_Comp_geek realised that Giles was inside, they sent him a PM with the secret code to turn off the SDMB shields.

After Giles heroically managed to fight his way to the internal controls, enter the secret code, and turn off the shields, Asimovian, Ivory Tower Denizen and RickJay led the assault and defeated the DDoS Storm Troopers.

Once inside, acting on instructions from Admiral Colibri, they re-installed the proper hologramic codes, and the SDMB was restored to action!

At least, I think that’s a better explanation for what happened than all that technical computer stuff you guys are talking about. :)

It’s all speculation anyway, we don’t have all the details to diagnose this. Root cause analyses are generally a waste of time anyway because the admin that screwed things up won’t admit to what they did.

Some points:

-Locking all the accounts is a denial of service attack - it’s just a different one than what is usually meant by a DDoS (which is the flood of traffic scenario).

-Surely if they changed to a proxy and the board system saw only the proxy address - some administrator would have noticed fairly soon? I assume “same IP address” is one flag that a person is creating multiple sock puppets would trigger. If everyone is the same address… either the software automagically blocks everyone not long after the switch to proxy (hmmm) falsely identifying them as the same person wearing multiple guises, or the mods did not notice. (Does the error look different if your userid has been blocked than if your password count is exceeded?)

-Oddly, both my computers “forgot” my login over the last days and I’ve had to re-enter my credentials. I had initially blamed this on Windows 10 updates, I was not aware of a DDoS; Windows 10 browsing is messed up, so I am rarely surprised when odd things happen. I think my W10 install was deleting cookies each night with browsing history, or something “secure” like that until I told it to stop.

That only works if such a function exists and is enabled. vB has many functions that can be turned on or off by admins. Some useful ones might have been turned off due to unwanted side effects.

vB has several “flood detector” functions but it’s been a while since I admined a vB board, and I don’t know if this one is included.

Another example might explain Denial of Service attacks.
They happened even before PC’s. On landline telephones.

I remember an incident in the 1970’s with a high school team that felt they had been treated unfairly by a business – they had everyone on the team & their friends dial that business’s phone during a specific hour. The flood of phone calls promptly overwhelmed the incoming lines on the switchboard, and began rolling over to other incoming phone lines, to other employees & salesmen. Soon every phone line was busy with a student ranting to an employee about the unfair conduct of their company, and any customer trying to call in got a busy signal.

That was an older technology ‘denial of phone service’ to that company. The newer version is similar, using many PC’s to overwhelm a server so it’s too busy to answer legitimate requests for web pages.

As a former sysadmin, I think you might have nailed it. It is trivial to get internet info on SDMB’s web host, IP address, et al. The 10.x.x.x block sort of points to that.
Thanks to all that got the SDMB back up. I was going through some serious withdrawals there.

I can’t read this thread’s title without thinking it’s about some sort of Ren Faire version of Techno Viking