sla.ckers.org is undergoing a pretty significant GET request DoS. Here's the guy who's doing it:

212.54.217.180 - - [02/Mar/2008:13:52:43 +0000] "GET /forum/search.php?10,search=bubbles,page=2,match_type=AUTHOR,match_dates=0,match_forum=ALL HTTP/1.1" 200 26 618 "http://www.google.com/search?hl=en&safe=off&q=www.au-p2p.info%2F%3Fp%3D67&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:13:52:44 +0000] "GET /css/style.css HTTP/1.1" 200 13240 "http://sla.ckers.org/forum/search.php?10,search=bubbles,page=2,match_type=AUTHOR,match_dates=0,match_forum=ALL" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:13:52:48 +0000] "GET /images/slack.png HTTP/1.1" 200 23816 "http://sla.ckers.org/forum/search.php?10,search=bubbles,page=2,match_type=AUTHOR,match_dates=0,match_forum=ALL" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:13:52:53 +0000] "GET /favicon.ico HTTP/1.1" 200 894 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/2008 0201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:13:53:07 +0000] "GET /forum/read.php?13,6615,6670 HTTP/1.1" 200 18243 "http://sla.ckers.org/forum/search.php?10,search=bubbles,page=2,match_type=AUTHOR,match_dates=0,match_forum=ALL" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:13:53:34 +0000] "GET /forum/read.php?13,6615,6670 HTTP/1.1" 200 18243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:13:53:46 +0000] "GET /forum/ HTTP/1.1" 200 14076 "http://sla.ckers.org/forum/read.php?13,6615,6670" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:13:54:14 +0000] "GET /forum/read.php?13,6615,6670 HTTP/1.1" 200 18243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:13:54:23 +0000] "GET /forum/read.php?13,6615,6670 HTTP/1.1" 200 18243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:12:04:33 -0600] "GET /forum/read.php?13,6615,6670 HTTP/1.1" 200 18243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:12:05:36 -0600] "GET /forum/read.php?13,6615,6670 HTTP/1.1" 200 18243 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:12:05:47 -0600] "GET /css/style.css HTTP/1.1" 304 - "http://sla.ckers.org/forum/read.php?13,6615,6670" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
212.54.217.180 - - [02/Mar/2008:12:05:47 -0600] "GET /images/slack.png HTTP/1.1" 304 - "http://sla.ckers.org/forum/read.php?13,6615,6670" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"


Then starting at 13:58:07 +0000 we've gotten more than 320,000 requests immediately after this from the following IPs (they also keep coming in fairly sporadically):

144.134.163.156
165.21.154.10
165.21.154.11
165.21.154.12
165.21.154.13
165.21.154.14
165.21.154.15
165.21.154.16
165.21.154.17
165.21.154.8
165.21.154.9
219.66.208.28
219.66.76.243
24.60.102.49
63.231.142.59
64.53.248.201
66.8.173.89
69.120.99.98
69.158.0.5
69.158.11.242
69.158.11.66
69.158.12.178
69.158.12.208
69.158.14.176
69.158.14.196
69.158.14.47
69.158.14.77
69.158.14.9
69.158.15.105
69.158.15.178
69.158.17.54
69.158.18.132
69.158.18.197
69.158.18.34
69.158.19.241
69.158.19.35
69.158.2.16
69.158.2.172
69.158.20.127
69.158.20.176
69.158.22.253
69.158.23.191
69.158.23.74
69.158.24.248
69.158.25.151
69.158.4.240
69.158.5.141
69.158.6.138
69.158.6.57
69.158.8.220
69.158.9.211
70.73.132.242
71.108.217.79
72.209.205.105
76.116.12.10
76.68.22.174
76.68.23.191
76.68.28.164
77.194.139.117
77.194.139.162


The original attacker's IP (212.54.217.180) resolves to:

Non-authoritative answer:
180.217.54.212.in-addr.arpa name = ppp18-180.adsl.forthnet.gr

Abuse contact: abuse@forthnet.gr

If you notice some periodic slowness or odd site behavior, that's what's going on. We appear to have got it mostly handled at this point, but we are doing some work to keep the idiot at bay.

- RSnake
Gotta love it. http://ha.ckers.org

Ya, I would have noticed it earlier but I was sleeping on a lazy sunday afternoon...

I'll update fu.ckers later today

-id

I've never been DoSed, so was wondering if someone is attacking say on an Apache/Linux box what measures can be taken to prevent or mitigate the attack?

It really depends on your architecture. We didn't stop it with Apache, we stopped it with a firewall and some crazy custom rules. But it will depend completely on the form of the attack, so unfortunately the answer is "it depends".

- RSnake
Gotta love it. http://ha.ckers.org

as RSnake said...depends.

This DoS was resource based, so they were trying to maximize the number of httpd threads (though they are probably too stupid to realize what they were trying to do...) and have the server load deny service to other clients. We've optimized the server to handle a lot of threads at once, so that partially helped, but given enough attacking hosts it doesn't matter what you've done on the optimization side.

It's not the first DoS we've had, and of course people attack the server every day in other ways, so we've built some pretty cool defenses. But during moves and upgrades we had dropped some of them, so it was simply a matter of tweaking rules and reimplementing some defenses.

and updated: http://fu.ckers.org/fuckers.txt

-id

as a weak anti-DDoS, i used to aggregate source IP, and if a subnet (ie : 69.158/16) was sending way too much request, pf started to drop him, until the req/s came back to acceptable level. that's using a whole panzer armee for a single student, but it has proven efficient

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

yeah I could make it slightly more efficient by aggregating subnets, but the firewall wouldn't have trouble with 100x what it's doing right now, so I'm just leaving it.

I also rarely expire shit, so that's another thing I need to work on, if someone finds themselves blocked after sending legit traffic pm or email and I'll remove your address.

-id

So after doing some more analysis here's how this whole thing shakes out. 22% of our IP traffic on sla.ckers.org was robotic and had bad intentions. That's not good. After re-implementing the security we should have had anyway, we are down to around 1%. Much better.

In other news the attacker in this particular DDoS has been removed by his ISP:

Quote

Dear Sir/Madam,

We thank you, for the briefing and for your help. We located the user and have taken all the necessary actions, in order to rectify the situation and terminate the problem.
If you continue to accept annoying correspondence , please inform us again.

Sincerely,
----------------------------------------------
FORTHnet SA. Abuse Group
abuse@forthnet.gr
----------------------------------------------

Way to go FORTHnet! I figure it's in their best interest to knock off DDoSers anyway. The last thing they want is their own bandwidth being used for illegitimate purposes too!

And lastly, if you guys just want another interesting Anti-DDoS methodology check out UltraDNS. It's a tad overkill for us given our size, but it's pretty cool technology. If anyone wants to contact them here's their rep's info (posted with permission): Samer M. Bazlamit, Senior Account Executive, Office (571)-434-6617 Fax (703)-563-6065

- RSnake
Gotta love it. http://ha.ckers.org



Edited 2 time(s). Last edit at 03/04/2008 10:38AM by rsnake.

@rsnake : \o/ ultradns. Gotta love it.

kudos to FORTHnet. that's the way every ISP should manage abuse. go teach *that* to Proxad now.

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

@rsnake

Nice1 glad to see some ISP's doing things right.

On a side note, have you checked the forum search facility for SQL characters such as "_" these can create DOS issues on a large dataset. I'd suggest limiting search to registered users or maybe limiting the date range or only allowing single forum searches.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Gareth - yup, you're right. In this case he wasn't going after search, but just one page in particular, but you're still right. We'll look into it.

- RSnake
Gotta love it. http://ha.ckers.org

knowing the GET scheme the forum use, we could try to to display repeatedly a huuuuuge page to exhaust the bw. we could even try to bypass the cache by randomly adding, removing the number of displayed thread (if the cache is on HTML level, not object level of course)

hey, new contest ! bring a sla.ckers sandbox on its knees. that should harden the mainline a lot, and i am pretty sure we could find interesting protections scheme on the way :)

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

@Malkav

That's against the rules dude!

Oh sorry you said sandbox :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 03/04/2008 02:11PM by Gareth Heyes.

I wouldn't mind trying a resource dos on an isolated box, but it will generate a lot of traffic, and this server is still at a partner company's facility, so we're not going to do that right now. (we're moving it when I get back to TX)

Here's a graph of the last dos, you can see by the incoming (green) line where we shut it off. The outgoing traffic (blue) would be the real problem. Although the extra 500-600kb traffic isn't huge, the line isn't either, and they are running a business on it.



-id

i wasn't specific on ressource DoS, which we can obviously at best mitigate. but a legitimate request overflow will still grind a service to a halt (my uk coworkers discovered this when our new apps hosted on fat bunch of X4600-M2 started to punch request in their oracle db (which, of course, couldn't go down, 'cause it's AIX and oracle, and it's professional. linux can't consume all our resources, ha !) until the box raised white flag.

but what about a more generic free-for-all contest ? up a small server in a VM, regenerated every hour or so, with full logging of activity from outside ? maybe we'll find some creative stuff.

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

Sounds like fun to me :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

The attack continues... Cyberhacker665 is again DoSing us. This time it was 350 IPs instead of the 70 or so we had last time... 350 and counting. The site appears to be stable for the moment, but we are keeping a close eye on it.

- RSnake
Gotta love it. http://ha.ckers.org

Happy hunting.. and before you have him taken off-line, how bout posting his source IP here.. ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Yeah I noticed service was down early this morning (aus time) at about 10-11 :\ thought it was another DoS >_<

IMO, DoS him IRL, break his arms. That'll fix him.

rsnake Wrote:
-------------------------------------------------------
> The attack continues... Cyberhacker665 is again
> DoSing us. This time it was 350 IPs instead of
> the 70 or so we had last time... 350 and
> counting. The site appears to be stable for the
> moment, but we are keeping a close eye on it.


You know if he is using some Botnet, has hacked 350 webservers or just XSSed some large website and you get hit by their users?

yeah i'd love details on this one. if this is a botnet, i'd love to have a few samples of the IP concerned.

you know, C&C are sooooo versatile.

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

I don't have time to figure out which guy it was, but I've updated fu.ckers, we parsed a lot of bad activity though and now there are almost 12k blocked hosts. This guy was only coming from ~500 hosts I would guess.

I'm headed back to TX today, and I'll try and move the site sometime this weekend or early next week, at that point I can put in some more reliable protection.

http://fu.ckers.org/fuckers.txt

-id

Just a question for my edification. How are you blocking IPs and not removing access from large ISPs. For example: AOL (I know don't go there) sends everyone through a set of static proxies. To help balance the load on these servers, the user's IP can change from request to request, all transparent to the user. How are you preventing blocking of the entire AOL community? Other ISPs do the same.

-----------------------------------------------------------------------
(ú=(&#952;='',[µ=!(&#934;=!&#952;+{})+&#952;,&#920;=&#934;[ø=+!&#952;]+&#934;[+&#952;],&#297;=µ[ø],Ø=µ[º=ø+++ø],Ç=&#934;[º+ø],à=ú[&#934;[º+º]+&#934;[+&#952;]+Ç+&#297;]][Ø+Ç+&#920;])())[&#297;+à('&#149;êí')](Ç+à('Á«)'))

I honestly don't care if we block all of aol. If this were a commercial site and we had to support revenue through it we would have to use another solution.

-id

This isn't AOL, trust me. Believe it or not it's far easier than that. He's just using a messload of proxies to hit us to distribute the load. It's one of the dumbest attacks I've ever seen, but it's almost effective because of the sheer volume. Thankfully we're blocking it so it's not that big of a deal. Here are the IP addresses used so far in the last two attacks (it's more difficult to separate them out):

12.165.252.224
12.202.198.130
121.218.114.87
121.220.162.103
122.148.129.11
124.203.193.204
130.13.188.6
130.74.88.2
130.88.172.212
141.150.92.150
144.134.163.156
147.31.184.131
151.203.82.109
151.205.212.193
165.21.154.10
165.21.154.11
165.21.154.12
165.21.154.13
165.21.154.14
165.21.154.15
165.21.154.16
165.21.154.17
165.21.154.8
165.21.154.9
172.188.154.224
172.203.130.232
189.14.205.26
189.46.69.162
190.43.166.181
194.144.217.3
195.134.61.85
200.44.211.222
200.7.49.211
200.76.103.98
201.210.231.176
201.248.219.103
203.101.184.10
203.206.2.132
204.193.212.137
205.144.218.234
205.209.254.10
207.118.137.225
207.243.120.35
207.255.136.87
208.120.75.185
208.38.124.79
208.58.19.248
208.82.225.60
209.30.203.233
212.175.150.116
212.39.108.191
213.65.7.148
216.176.139.133
216.84.70.20
217.136.105.237
218.215.21.94
218.215.3.30
219.66.208.28
219.66.76.243
221.132.118.174
222.35.147.1
222.35.159.24
24.10.95.125
24.118.179.163
24.119.145.91
24.12.233.163
24.122.70.182
24.126.170.109
24.127.181.6
24.128.118.131
24.138.193.16
24.139.1.157
24.139.220.61
24.151.172.192
24.163.67.59
24.168.21.77
24.171.220.237
24.175.206.231
24.175.234.98
24.18.115.179
24.184.189.43
24.184.227.10
24.185.22.37
24.191.200.61
24.192.40.172
24.193.145.196
24.193.245.229
24.196.12.176
24.211.233.176
24.213.108.124
24.229.45.241
24.247.4.193
24.253.229.34
24.254.14.207
24.26.97.170
24.44.134.121
24.44.75.139
24.45.126.189
24.56.55.196
24.60.102.49
24.72.64.238
24.88.87.51
24.9.232.255
24.90.160.226
24.92.133.146
24.96.12.168
41.234.8.189
58.110.66.216
60.50.59.110
60.51.48.123
62.107.230.52
62.51.58.36
63.231.142.59
64.135.246.19
64.147.213.163
64.148.172.53
64.17.66.200
64.252.101.129
64.252.72.65
64.53.248.201
65.10.174.138
65.164.107.6
65.35.100.119
65.65.56.91
65.94.28.65
66.130.93.79
66.140.35.67
66.161.208.141
66.176.248.132
66.214.157.51
66.214.159.63
66.245.112.152
66.32.229.124
66.69.199.170
66.74.163.90
66.8.173.89
67.102.28.105
67.163.146.152
67.168.155.199
67.175.194.154
67.176.161.28
67.204.8.66
67.77.129.157
67.77.94.15
67.8.170.198
67.8.63.244
67.81.17.30
67.82.0.243
67.83.16.162
67.83.208.236
67.86.187.99
67.87.213.182
67.87.91.35
68.11.41.64
68.13.93.93
68.163.49.123
68.173.229.121
68.174.26.121
68.192.208.52
68.199.200.9
68.206.74.127
68.226.8.50
68.227.192.166
68.229.18.168
68.230.162.187
68.238.205.226
68.238.208.60
68.239.76.48
68.253.183.202
68.33.162.231
68.36.130.68
68.42.154.209
68.47.179.103
68.55.53.232
68.58.138.189
68.58.32.193
68.63.64.55
68.78.136.15
68.8.157.63
68.84.37.27
68.93.89.252
68.95.82.14
68.99.200.135
69.113.166.169
69.113.225.24
69.116.110.119
69.118.186.73
69.120.99.98
69.121.254.20
69.121.59.159
69.125.71.108
69.149.49.37
69.153.9.114
69.158.0.5
69.158.1.122
69.158.10.245
69.158.11.242
69.158.11.66
69.158.12.178
69.158.12.208
69.158.13.124
69.158.14.176
69.158.14.196
69.158.14.47
69.158.14.77
69.158.14.9
69.158.15.105
69.158.15.178
69.158.16.253
69.158.17.54
69.158.18.132
69.158.18.197
69.158.18.34
69.158.18.60
69.158.19.241
69.158.19.35
69.158.2.16
69.158.2.172
69.158.20.127
69.158.20.176
69.158.22.175
69.158.22.253
69.158.22.74
69.158.23.147
69.158.23.191
69.158.23.74
69.158.24.248
69.158.25.124
69.158.25.151
69.158.25.98
69.158.4.240
69.158.4.84
69.158.5.141
69.158.6.138
69.158.6.57
69.158.8.220
69.158.9.194
69.158.9.211
69.158.9.57
69.181.50.228
69.202.88.143
69.205.238.45
69.207.179.244
69.208.88.184
69.213.242.155
69.226.42.123
69.231.135.34
69.231.206.19
69.233.255.88
69.238.89.98
69.47.47.142
69.73.33.177
70.0.201.209
70.110.152.163
70.124.0.95
70.139.150.206
70.142.154.129
70.146.232.217
70.154.132.183
70.16.173.32
70.162.222.37
70.164.34.21
70.169.114.170
70.173.5.68
70.173.72.185
70.185.225.64
70.190.135.130
70.20.193.46
70.20.212.46
70.238.70.44
70.242.117.251
70.243.66.14
70.244.21.189
70.248.254.175
70.251.147.111
70.252.135.66
70.255.3.154
70.54.94.60
70.56.61.231
70.73.132.242
70.82.198.178
71.1.148.147
71.100.183.5
71.102.72.59
71.108.100.211
71.108.217.79
71.114.30.150
71.115.216.2
71.125.82.234
71.126.186.147
71.127.21.13
71.163.3.192
71.166.132.29
71.171.14.197
71.171.32.103
71.183.135.97
71.185.152.246
71.190.233.51
71.190.24.113
71.190.24.210
71.190.25.77
71.192.126.86
71.194.187.45
71.195.189.219
71.199.129.206
71.210.141.249
71.237.101.23
71.239.151.175
71.247.108.58
71.255.79.185
71.37.243.117
71.56.133.249
71.60.27.107
71.66.116.134
71.67.113.59
71.7.247.168
71.83.221.33
71.87.184.44
72.128.59.233
72.154.115.186
72.161.159.131
72.187.68.89
72.189.203.39
72.198.205.91
72.207.103.147
72.209.205.105
72.225.193.203
72.64.31.63
72.64.32.145
72.64.60.234
72.67.88.7
72.68.123.185
72.68.123.227
72.68.147.143
72.68.56.201
72.71.2.159
72.78.236.241
72.80.242.41
72.82.166.185
72.90.178.86
72.92.81.229
72.94.245.248
74.12.44.13
74.12.52.251
74.129.64.181
74.129.64.185
74.138.149.187
74.140.232.164
74.163.176.92
74.163.177.37
74.163.178.50
74.163.179.63
74.163.190.16
74.166.226.164
74.170.240.69
74.181.42.215
74.186.63.90
74.192.204.87
74.194.148.168
74.196.68.204
74.218.214.234
74.226.135.51
74.33.31.187
74.56.106.159
74.57.124.109
74.59.82.134
74.78.82.159
75.11.191.238
75.12.168.228
75.120.91.125
75.14.31.168
75.14.5.231
75.152.22.26
75.161.101.30
75.161.103.95
75.161.104.72
75.161.105.110
75.161.106.142
75.161.110.32
75.161.110.6
75.161.116.108
75.161.117.65
75.161.117.95
75.161.119.239
75.161.119.68
75.161.122.81
75.161.123.157
75.161.99.10
75.161.99.151
75.166.132.115
75.166.227.168
75.173.11.16
75.173.13.13
75.173.15.77
75.173.9.191
75.180.49.231
75.19.179.53
75.190.141.212
75.214.185.24
75.34.62.81
75.38.81.11
75.38.91.122
75.42.83.121
75.61.245.178
75.63.12.214
75.64.115.170
75.84.85.52
75.87.106.110
75.92.210.150
76.1.1.30
76.106.75.47
76.106.85.102
76.114.1.141
76.114.244.127
76.116.12.10
76.117.141.51
76.160.224.148
76.168.218.114
76.171.6.252
76.173.164.123
76.174.18.49
76.175.191.189
76.181.200.54
76.188.12.195
76.189.190.158
76.192.138.163
76.2.67.230
76.200.112.185
76.201.2.198
76.202.0.55
76.205.24.86
76.205.56.105
76.208.34.238
76.22.187.254
76.223.80.149
76.229.93.229
76.230.109.20
76.235.194.68
76.236.71.133
76.243.214.236
76.244.157.110
76.247.133.230
76.252.211.8
76.5.26.127
76.66.6.185
76.68.152.156
76.68.155.158
76.68.22.174
76.68.23.191
76.68.28.144
76.68.28.164
76.87.170.9
77.194.139.117
77.194.139.162
77.239.65.59
77.46.190.115
77.69.162.49
77.99.184.151
79.77.252.189
80.195.136.43
80.2.44.184
81.105.0.3
81.106.188.217
81.109.251.8
81.249.231.252
82.0.189.69
82.12.119.67
82.22.192.234
82.230.231.192
82.252.224.141
82.35.150.166
82.40.62.13
82.64.73.60
82.84.255.116
82.9.245.182
83.130.31.185
84.135.184.86
85.107.15.213
85.165.209.122
85.181.73.10
85.74.159.48
85.74.182.7
86.0.115.215
86.139.127.210
86.142.11.186
86.147.30.154
86.148.147.102
86.153.100.119
86.160.195.63
86.22.123.77
86.27.8.12
86.31.104.210
87.15.101.12
87.19.193.84
88.169.47.72
89.1.19.185
89.181.69.167
89.181.87.156
89.216.204.29
90.199.28.52
90.207.163.197
91.187.109.66
92.12.171.180
92.80.147.46
96.227.165.146
96.239.38.34
96.24.153.77
96.24.224.167
97.84.152.235
98.164.91.14
98.194.135.233
98.197.237.59
98.198.26.239
98.20.171.166
98.200.3.45
98.204.86.47
98.213.133.93
98.214.11.125
98.214.63.139
98.220.103.216
98.226.247.169
99.130.219.102
99.141.121.145
99.141.65.175
99.160.59.73
99.164.37.181
99.226.145.194
99.226.207.113
99.228.171.98
99.228.206.83
99.234.228.201
99.235.32.80
99.237.0.139
99.237.198.102
99.237.249.170
99.247.8.95

- RSnake
Gotta love it. http://ha.ckers.org

Oh, and FYI, it appears to have stopped as of an hour and a half ago. I'm fully expecting it to start again though, as I have no reason to believe he thinks he's beaten. I have no reason to think he's capable of simple cognitive skills at this point.

- RSnake
Gotta love it. http://ha.ckers.org

Thanks for the answers. I figured they would be close to what you wrote, but thought I should ask anyway just in case you were exercising some ancient form of firewall ninjitsu. Keep up the good work.

whats with:

Out of memory (Needed 2236960 bytes): create temporary table
phorum_search_f5bdb67ba6b6deaf0afa21cda5023d71 (key (forum_id, status, datestamp))
ENGINE=HEAP select phorum_messages.message_id, phorum_messages.datestamp, status,
forum_id from phorum_messages inner join
phorum_search_auth_0ee41c59c908a34fa25a54295f2004e3 using (message_id) where
status=2 and forum_id in (1,13,21,10,17,15,7,16,14,4,3,12,6,8,9,5,2,11,0)

and


create temporary table phorum_search_c7cc521a3214ffe9ca8f7e89b2c1a345 (key (forum_id, status, datestamp)) ENGINE=HEAP select phorum_messages.message_id, phorum_messages.datestamp, status, forum_id from phorum_messages inner join phorum_search_auth_dfaef7c9fe9f872169ae2cda0afe76af using (message_id) where status=2 and forum_id in (1,13,21,10,17,15,7,16,14,4,3,12,6,8,9,5,2,11,0) and datestamp>=1177937019

all search queries are craping out today...



Edited 1 time(s). Last edit at 04/29/2008 07:46AM by rohanpinto.

yup, I see it too: http://sla.ckers.org/forum/search.php?13,search=yahoo,page=1,match_type=ALL,match_dates=365,match_forum=ALL

-tx @ lowtech-labs.org

fixed it, sorry been busy all day.

-id