AO Family,

Well it seems someone has finally decided that they need to go after us and attack our server. We had a flood of guests with spammed IP's that kept downloading the same posts over and over. Seems like it was perfectly timed to coincide with Splatt Attack.

All I can say is that if I catch you, you will not be going to jail, I most likely will though...

If AO catches you it could be even worse.....

We had to turn off guest logins and everyone now has to register.

AGD

Here is what it looked like from our end. This was after guest views were turned off. All the guests are just staring at nothing. Before we turned it off they were all downloading the same big thread with pics.

Guest Viewing Thread 05:24 PM bgm-66-24-200-172.stny.rr.com
Guest Viewing Attachment 05:23 PM c-67-168-75-143.client.comcast.net
Guest Viewing Thread 05:24 PM kin0389.n5.com.jm
Guest Viewing Thread 05:23 PM uhartford220053.hartford.edu
Guest Viewing Thread 05:24 PM BSN-77-18-236.dsl.siol.net
Guest Searching Forums 05:24 PM ns13.statefarm.com
Guest Viewing Thread 05:24 PM c-67-168-242-138.client.comcast.net
Guest Viewing Thread 05:23 PM a0h847tey2kh.bc.hsia.telus.net
Guest Viewing Thread 05:23 PM sdn-ar-005casfrMP230.dialsprint.net
Guest Viewing Thread 05:23 PM 82-39-17-13.cable.ubr03.gate.blueyonder.co.uk
Guest Viewing Attachment 05:25 PM cs6669206-164.austin.rr.com
Guest Viewing New Topics 05:23 PM ns26.statefarm.com
Guest Viewing Thread 05:23 PM adsl-208-190-133-205.dsl.eulstx.swbell.net
Guest Viewing Thread 05:23 PM pcp03527418pcs.pntiac01.mi.comcast.net
Guest Viewing Thread 05:24 PM blv-proxy-08.boeing.com
Guest Viewing Thread 05:24 PM ca-bldwnprk-cuda2-c6a-a-128.arcdca.adelphia.net
Guest Viewing Thread 05:25 PM cache-ntc-ac03.proxy.aol.com
Guest Viewing Forum General Discussion 05:23 PM host-65-121-132-129.jimclick.com
Guest Viewing Thread 05:25 PM a0h224iny49ok.bc.hsia.telus.net
Guest Viewing Attachment 05:23 PM d-199-247-44.bootp.Virginia.EDU
Guest Viewing Attachment 05:24 PM pcp04505243pcs.lewes01.de.comcast.net

AGD

That sucks, hopefully someone can catch the person/s who did this.

I have to say though, I did get a chuckle out of this line:

Originally posted by AGD
All I can say is that if I catch you, you will not be going to jail, I most likely will though...

Who the heck would want to do such a thing? :mad:

That's the problem with the internet. You don't know who you are dealing with. Isn't there a way to limit how many and how often guests can request information?

I take it this was a "denial of service" type of attack?

the strange thing is the wide range of IP addresses......all over the country. I guess some other owners group planned this event. At least tats all I can conclude

Yes it was a DOS attack. Good thing Delaware.net has such hot servers so we stayed up.

AGD

Originally posted by Kevmaster
the strange thing is the wide range of IP addresses......all over the country. I guess some other owners group planned this event. At least tats all I can conclude

...says the member of another owners group! Hmmmm! :eek: ;) :D

Wow Tom, I thought you were joking in the chatroom when you said we were under attack!

i was wondering why ao was so slow this weekend.. whoever did this will pay, and pay dearly... :mad: :mad:

GAH! so that is y i couldn't log on for my daily 10hrs of vitamin AO:D Hope this gets sorted out, i'm sorta pointin towards PBN's direction ;) i like having competition that doesn't have a chance like PBN

ps, i bet u i totally misread this thread :)

Jeez, can't believe someone would want to attack AO.

Good thing everything is still in working order.

gah! AO was attacked? *takes out shotgun* i weel be bock.

Spawn more Overlords.

u, take on all of them? i think not *CHA CHIK! goes the shotgun* yar, the sigpic says all!;)

I don't get what the big deal is? So, someone wanted to look at pics?

DOS attacks are generally difficult to defend against. I've always thought that limiting transactions was the best defense. In this case, if guests could be limited to some small number of transactions per minute it would still allow guest users but should defend against DOS attacks. Just my two cents worth from an internet non-expert. ;)

so that's why i couldn't post! i thought it was just my school's server slowing down since a lot of people were moving in today.

Nothing is more cowardly then attacking a person behind the back and anonymously.

You stinkin' pansies. You better hope Mr. Barret doesn't find your engine block!

are you still interested?

out of all the places to attack on the internet they chose a user forum. heck, if i was to hack it would be into the federal treasury and not get caught. that would be a hack to commend, but this action is really weak in computer geek-dom.

yar, tis tis, when i find out who does this, i'm gonna fly to their house and beat them with a rubber hose!:D

Originally posted by SHAZAM-AGD
are you still interested?

Of course, PM me and we'll work out the details.

Originally posted by AGD

Guest Viewing Thread 05:24 PM bgm-66-24-200-172.stny.rr.com
Guest Viewing Attachment 05:23 PM c-67-168-75-143.client.comcast.net
Guest Viewing Thread 05:24 PM kin0389.n5.com.jm
Guest Viewing Thread 05:23 PM uhartford220053.hartford.edu
Guest Viewing Thread 05:24 PM BSN-77-18-236.dsl.siol.net
Guest Searching Forums 05:24 PM ns13.statefarm.com
Guest Viewing Thread 05:24 PM c-67-168-242-138.client.comcast.net
Guest Viewing Thread 05:23 PM a0h847tey2kh.bc.hsia.telus.net
Guest Viewing Thread 05:23 PM sdn-ar-005casfrMP230.dialsprint.net
Guest Viewing Thread 05:23 PM 82-39-17-13.cable.ubr03.gate.blueyonder.co.uk
Guest Viewing Attachment 05:25 PM cs6669206-164.austin.rr.com
Guest Viewing New Topics 05:23 PM ns26.statefarm.com
Guest Viewing Thread 05:23 PM adsl-208-190-133-205.dsl.eulstx.swbell.net
Guest Viewing Thread 05:23 PM pcp03527418pcs.pntiac01.mi.comcast.net
Guest Viewing Thread 05:24 PM blv-proxy-08.boeing.com
Guest Viewing Thread 05:24 PM ca-bldwnprk-cuda2-c6a-a-128.arcdca.adelphia.net
Guest Viewing Thread 05:25 PM cache-ntc-ac03.proxy.aol.com
Guest Viewing Forum General Discussion 05:23 PM host-65-121-132-129.jimclick.com
Guest Viewing Thread 05:25 PM a0h224iny49ok.bc.hsia.telus.net
Guest Viewing Attachment 05:23 PM d-199-247-44.bootp.Virginia.EDU
Guest Viewing Attachment 05:24 PM pcp04505243pcs.lewes01.de.comcast.net

AGD

Can someone interpret this for me... Am I suppossed to look for a pattern or something? or are these the offender's ip?

More than likely, whoever it was should not be labeled as a hacker... script kiddie is more accurate. What was done was the Internet equivalent of throwing rocks at someone's window. It takes absolutely no skill to perform a basic DDOS... a sharp 8 year old can be taught how to do it. Heck, writing the tools from scratch is not entirely difficult either... just time consuming. It's too bad people don't spend their energies working on constructive things. Write some tools that are useful if you know how to... make some money or something.

i agree, its not like ur getting much out of this crap, ur just making a bunch of peeps ticked off:rolleyes:

Originally posted by Jack & Coke


Can someone interpret this for me... Am I suppossed to look for a pattern or something? or are these the offender's ip?

Jack, more than likely they are the source of a bunch of zombie machines with some form of trojan on them that allows outsiders to control their machines. Back in the day, you had to search for zombie machines to control and keep a list if you wanted to attack something. The new ones (well, not that new really) report to a central location... like to an IRC server and await orders.

There are other approaches as well, but this is popular.

You can thank all the computer dolts out there who allow their computers to be compromised.

This explains the AO problems this weekend. Kind of sucks, but no harm no foul. Why give the offender the satisfaction of thinking they got your attention.

Originally posted by ZAust
i was wondering why ao was so slow this weekend.. whoever did this will pay, and pay dearly... :mad: :mad:

I was wondering that too!

Sorry to be the antagonist, but hasn't AO "attacked" another well known PB Forum? Of course it wasn't a malicious attack, but it had the same net effect. I'm not sure if this was done by one person, but by the looks of things it was probably some group of people attacking AO in the same way AO attacked PBN.

Hate to say it, but what goes around comes around.

Originally posted by Miscue


Jack, more than likely they are the source of a bunch of zombie machines with some form of trojan on them that allows outsiders to control their machines. Back in the day, you had to search for zombie machines to control and keep a list if you wanted to attack something. The new ones (well, not that new really) report to a central location... like to an IRC server and await orders.

There are other approaches as well, but this is popular.

You can thank all the computer dolts out there who allow their computers to be compromised.

Miscue's pretty much correct. All those things you see there are different DNS's. You can resolve the DNS by reverse-looking up the IP address. Those are all individual computers--their users are probably trojaned and don't even know it. ;)

Originally posted by Jonneh
Spawn more Overlords.

hehe

Well somone had to say it, i salute you beaver.

I'm sorry.. but this is bs. Did we not crash someone else's server in some of those AO Chat Partys? Did we not invade forums and post for that purpose?

(If you had their permission.. that is one thing.. but.. Jeez.. calm down.. you act like your innocent)

:mad:

you can see on that list one was a school pc. either it was a trojan or they were using a massive proxy server list. alot of those ip's are not in the US but in the UK. the more proxy's they go threw before attacking the harder it is to back track them.

Originally posted by Beaver
Sorry to be the antagonist, but hasn't AO "attacked" another well known PB Forum? Of course it wasn't a malicious attack, but it had the same net effect. I'm not sure if this was done by one person, but by the looks of things it was probably some group of people attacking AO in the same way AO attacked PBN.

Hate to say it, but what goes around comes around.

No, this is different, AO made a full force organized post flood on pbn. This was just one script kiddie using a bunch of proxied zombie machines to take up bandwidth by viewing the same thread over and over.

Originally posted by Baron
you can see on that list one was a school pc. either it was a trojan or they were using a massive proxy server list. alot of those ip's are not in the US but in the UK. the more proxy's they go threw before attacking the harder it is to back track them.

I'm not sure what you mean by a lot from the UK... unless you're seeing something I don't. Also remember that there is going to be non-malicious traffic mixed in.

Another possibility is... we're completely wrong and it was an organized effort by a lot of people from perhaps some other forum... similar to the AO/PBN thing. :p

You guys are not getting this, it was not a 20 minute thing like we did to PBN, it has been going on for 4 days, 24 hours a day. Yes we attacked one other forum unannounced and stopped immediately once we learned what effect our masses had. Since then our other attacks have been prearranged and ok'd by the forums.

This is not the same thing.

AGD

What was the attack? So what if loads of people look at the forum. Why is that an "attack"?

AO attacked our forums once, but we invited them to. :D

And, yes, like Tom said, there's a difference between being on a site for a few minutes and continuously hitting a site 24 hours a day.

Chances are these were bots that were controlled by one person. Finding that person, however, will be the hard part.

And, I wouldnt equate them to hackers either. More like script kiddies. Hackers dont do stuff that they would consider trivial.

Originally posted by AGD
You guys are not getting this, it was not a 20 minute thing like we did to PBN, it has been going on for 4 days, 24 hours a day. Yes we attacked one other forum unannounced and stopped immediately once we learned what effect our masses had. Since then our other attacks have been prearranged and ok'd by the forums.

This is not the same thing.

AGD
LOL! thats pretty funny...but of course, whoever did this is getting the reaction he/she wants... :rolleyes:

Looks like our kiddies went over to PBN, they are crawling. Suddenly they are breaking attendance records too.

FYI this looks like a trojan attack where one person infects hundreds of unsuspecting innocent peoples computers with a virus. The virus program waits for commands from the script kiddie to do something like attack the forum. The computer owner never knows whats going on.

AGD

A DOS or Denial Of Service Attack is pretty much what Tom Explained.

A computer requests information from a website over and over again. The server gets bogged down and can process requests.

In addition to DOS there are Smurfs and different kinds of attacks.

Zombies or computers that are "owened" can be programed to do it remotely. SO you can have a network of servers attacking another system.

A computer is pretty dumb and it cant always think its being attacked in this way.

He gave a list of servers that are attacking. Some from universisties and some from AOL accounts. Typically they look for servers with alot of bandwidth like a university to use. The more bandwidth they have the more attacks they can make in a given amount of time.

So thats pretty much whats going on.

Someone that doesnt like AO is trying to shut down the forums because its a marketing tool for AGD and they dont like the fact that they sponsered SPplat II. They dont like the fact that pictures are up and people were enjoying themselves at Toms expense.

How can I protect my computer from this "trojan" type take over?

Should I buy a virus protection and firewall program like McAffe? (I almost bought it at Costco today...)

Or is the Windows XP firewall (internet security options) good enough?

thanks Miscue et al for explaining this stuff...

Well, routers/firewalls and anti-virus software should do it. Make sure you have all your Windows updates and stuff.

didn's AO's website get messed up a while back too:confused:

A really good way to protect your computer from a trojan virus, is to go in outlook express and turn off accept viruses which could be a virus.

You can get anti virus but really the best way I think to protect yourself is to not open email attachments.

Don't forget that viruses such as Lovsan/Blaster have shown that you don't have to open attachments or perform any voluntary action in order to catch a virus. Just being connected to the internet is enough to get infected if you don't have the patch for the RPC exploit. Luckily Blaster doesn't do anything particularly nasty in itself. The next one might.

I would recommend anti virus software to anyone with a PC and an internet connection.

I stumbled across this the other day and was horrified. I think its real POOPY for someone to do stuff like this. Makes me wonder if something like this was used?

http://www.design4online.com/blog/index.asp?page_type=viewFeature&feature_id=10

Don't Circumvent the Cuss Filters

Originally posted by Bolter
I stumbled across this the other day and was horrified. I think its real POOPY for someone to do stuff like this. Makes me wonder if something like this was used?

http://www.design4online.com/blog/index.asp?page_type=viewFeature&feature_id=10

I don't think so. If you read the text under the place to put the url 'the original file/site is not modified in any way.'

I think this is just a for fun script that doesn't do anything to anybody.

Hi folks - I just wanted to point that you may not have been under an attack. The thread about the hummer trying to jump a statue was linked in an offroad forum I frequent and I suspect it was probably linked in a lot of other places too. I've seen this happen before - something like this shoots around the Internet and all of a sudden you have 50 million people hitting your site to download the same topic. Just thought I'd mention it. I came back here today to see if there was an update on the story and found out the thread was gone and I had to register to get in.

Can somoene explain to me what exacl that means??

Originally posted by Bill Z
Hi folks - I just wanted to point that you may not have been under an attack. The thread about the hummer trying to jump a statue was linked in an offroad forum I frequent and I suspect it was probably linked in a lot of other places too. I've seen this happen before - something like this shoots around the Internet and all of a sudden you have 50 million people hitting your site to download the same topic. Just thought I'd mention it. I came back here today to see if there was an update on the story and found out the thread was gone and I had to register to get in.

that's true. i guess we'd need to know what thread was getting hit. kinda like getting slashdotted. hmmmmmm.

Our servers might catch SARS!! *GASP*!!1

It's Smart Parts.

Star good tips.

I think it should also be said that if your computer is sitting in the corner twidling its thumbs, turn the dam thing off.

I have a great frre online virus checker, pm me and I will send you the link after work tonight.

jb

I have a feeling it was exactly as, Bill Z said. That thread about the H2 trying to clear the statue was hilarious. It was linked all over the place. I myself received a link to it from IRC.

I logged back in to download the pictures but noticed that the thread was gone, and guests no longer had view access.

So I hope this puts your mind somewhat at ease. You weren't DOS'ed. You just happened to attract a huge crowd. :)

PS: If anyone has the pictures in their cache would you mind PM'ing me? That's a true classic.

I think TK and AO are pretty lucky. It could have been ninjas and we all know how deadly e-ninjas are.

I don't know if anyone thought this but this may have been orginazied. I don't much about servers or anything like that. But if a large forum community such as PBN got it going, it could have just been them pinging the same page over and over agianing. I don't know if that would have the same effect or not though but it is very possible and I could see were it would cause a distruibtion.

Seems though your answer is rite up there, were just that damn popular.

Easiest way to avoid the blaster worm was to have a firewall in place. You can get free software ones from www.zonelabs.com (you have to do a little looking but you can find the free one called zonealarm). Routers/NATs usually have firewalls built in as well.

zonealarm is good, but it has to be balanced between doing its job and annoying the crap out of you. People who commit these kind of acts need to know that they are often easier to solve than real crime, and that the punishment is the same. Just ask that fat white 18 year old who'll be doing time in a federal prison for the blaster worm.

"You best find somethin' to bite down on, boy. It's gonna be a loooong night."

I suggest turning features off in VB. You could also talk to the admins of genmay.com and check out their configs. Mr.2 is pretty helpful when he wants to be. They run their server off a 733MHz and handle thousands of page views a minute with no problem. I would also stop hosting pics and if not stopping at least take off hot linking. And limit the amount of size of pages so we aren't loading 40 replies a page. There are so many flaws in this board and if you fixed them it would load faster and things like this would be less of an issue.

-Tron

Originally posted by Tron


...I would also stop hosting pics...




Blasphemy!


Who let this guy in here!?? :mad: ;)


Originally posted by Tron


...at least take off hot linking...



Now, that makes more sense... :)

Per haps it was the williamshatner.com folks? Not as an attack, but I know I linked them to every Shatnerball thread.............

I came here to see the thread about the hummer, it was linked in a completely unrelated forum.

i think you will find you have a ****load more registrations just recently and that will be people creating accounts to see the hummer thread.

A dramatic increase in rego's for this forum will clearly show that it was the posting of links to the forum that caused the masses of traffic and not any type of attack on your server .. after all .. 'zombie' ddos machines can't exactly register an account by themselves.

p.s. i still haven't seen the hummer thread :P

anyone know of anywhere else where it may be duplicated?

someone just make a little free site and try that attack thing posted on the second or third page

From what the other guys have said, I was linked here from another forum trying to see the Hummer thread. Unfortunately it was already deleted and I created an account to find it. I am guessing that is what your problem was. Anyone know where I can get those pictures?

What Hummer thread?

DOS my arse... i saw and came back to see the Hummer thread.

oh well, it's gone. i registered to see it.

you guys were just slashdotted...

i caught the link from a friend who got it off of a BMW forum, who caught it off a an general auto forum, and i found it again on the forum i frequent often for other S2000 owners.

http://www.s2ki.com/forums/showthread.php?s=&threadid=146846

well if it's linked on that many forums and is being linked on irc then i guess it's confirmed. no attack. we just got slashdotted. haha.

What the hell is everyone talking about?!

Originally posted by WARPED1
What the hell is everyone talking about?!

:rolleyes: Read the thread and look at the link in the post two up from yours. All the answers are there.

I've read this thread since it's inception, and have asked numerous times "what attack?"
No one will answer me, so what if there were a ton of guest views.

i suggest not to to dowload any program from a website unless you knwo what to look for in teh files. most of the files on the net have trojans in them. so......why not just go by your stuff from best buy. i dunno if its just me or what but i rather be safe than sorry

that sux, i wasnt around this weekend to notice it, hope you nail the lil bastards

I dunno if somebody posted this, but it was most likely just a ping attack. I read that someone posted an 8-year old could do it, and yes, a 4 year old could. You just go into dos and ping an ip address and voila, as long as its not a government connection, you can get away scotch free. I learned this among other nifty tricks working at a computer store like a year ago, but never use it like a complete 455h013. I hope he gets caught, we should line em up and let him face the power of all the current X-MAGS! MUAHAHAHA. :D

people are asking alot about why someone would want to attack AO. It seems you all forgot about the little movement that started at the end on june when people on AO(including me) tryed to launch an attack on PBN. All it we wanted to do was resurect lots of old threads, but it still is a reason that they would attack AO.

so that's why my friends can't go to the thread i linked them to.

gosh darnit!

lets get one thing straight...is it PBN that did this? My friend is a mod there and i'm sure i can convince him with the help of you guys to screw things up there.

The latest thoughts on all this was that we had a particularly popular thread that ended up getting linked all over the net. Everyone linking here from another site automatically got guest status. The thing spread from one forum to another until we were over cooked. We no longer think it was a malicous attack just coincidence. We will allow guests again when the linking dies down.

AGD

awww... and the cult had their torches ready and everything.

For shame...

Originally posted by wobbles82
I dunno if somebody posted this, but it was most likely just a ping attack. I read that someone posted an 8-year old could do it, and yes, a 4 year old could. You just go into dos and ping an ip address and voila, as long as its not a government connection, you can get away scotch free. I learned this among other nifty tricks working at a computer store like a year ago, but never use it like a complete 455h013. I hope he gets caught, we should line em up and let him face the power of all the current X-MAGS! MUAHAHAHA. :D

Originally posted by Mag Master 04
that sux, i wasnt around this weekend to notice it, hope you nail the lil bastards

Originally posted by Big_Chops
i suggest not to to dowload any program from a website unless you knwo what to look for in teh files. most of the files on the net have trojans in them. so......why not just go by your stuff from best buy. i dunno if its just me or what but i rather be safe than sorry

Originally posted by Lopy-slopy
people are asking alot about why someone would want to attack AO. It seems you all forgot about the little movement that started at the end on june when people on AO(including me) tryed to launch an attack on PBN. All it we wanted to do was resurect lots of old threads, but it still is a reason that they would attack AO.

not to be intruding here -- but i visited this site again to turn of email notification for threads...

you dudes really need to read a thread before posting... it's rather silly all these responses when a perfectly good explanation exists above...

mod/admin dude -- you probably should edit/update your original post to contain the truth... all these knee jerk paranoid responses just look silly...

i'm actually a 'Cocker owner, but found this thread looking for the Hummer thread (as i said above).
sweet forum though all in all... i need to go look and see if the 'Cocker guys have a forum like this...

btw - don't bother to respond. laterism.

Originally posted by WARPED1
I've read this thread since it's inception, and have asked numerous times "what attack?"
No one will answer me, so what if there were a ton of guest views.

Warped, you might find this link interesting if you want to learn more about how DDOS attacks hit a web site. It's an extensive read though.

DDOS Attack (http://grc.com/dos/grcdos.htm)

Although by the sound of it there really wasn't an attack here, just something that appealled to a large number of people from all over the place.

So just where are these hummer/statue pictures? :D

will the person who started and linked all those threads get in trouble
i forget what the guy's AO s/n is

http://www.automags.org/forums/showthread.php?s=&threadid=100548&highlight=where+did+my+thread+go

here's the thread where soemthgin liek jbdgas is lookign for his original thread so that is the guy if any1 cares

He shouldn't get into trouble, all he did was start a popular thread! That's a good thing, not a bad thing :D

Slashdot and Fark take down sites on a daily basis when linked to hot articles. They don't mean to on purpose, its just they have thousands upon thousands of users and will 404 a server in minutes depending on the bandwith. The AO server basically passed the test and didn't go down. Thanks to AGD and Webby we have a great forum.

Originally posted by Nachos
awww... and the cult had their torches ready and everything.

For shame...

lol, so true

Originally posted by AGD
The latest thoughts on all this was that we had a particularly popular thread that ended up getting linked all over the net. Everyone linking here from another site automatically got guest status. The thing spread from one forum to another until we were over cooked. We no longer think it was a malicous attack just coincidence. We will allow guests again when the linking dies down.

AGD

Wow, all that chaos because of a Hummer??? I think I saw the thread when it was initially posted, is that the one where the lady said she wanted to jump over the statue because she saw it done on TV?

that's the one. :) apparently the utter stupidity of someone with money is an extremely popular topic.

Hey..maybe AGD will get a write up in Motor Trend or Autoweek..that would be SSSSWWWEEEEEEEEEEEEEETTTTTTT!!!!

wow how did i not see this thread until now?

Liar.

I bet it was the H2 thread. That was friggin great.

Forums open for guests again as ususal. We signed up 500 people in a week when we shut it down!!

Gotta love AO!!

AGD

Love AO, thats an understatement there. Its like an extended family that I wished I'd always had;) :D

For future things like this what you need to do is match your "Attackers" to your referer log. If they are infact malicious they will ether not have a referer... or .. that log will point back to the thread on whichever other forum that they are coming from.

So far as someone knocking AO over.... personaly I don't think they would use that method as most of the time its pretty ineficient.. it takes a boatload of work to get that many atackers up and running. Personaly I would... nevermind what I would do... ;) Then again ... most of those 15 year old script kiddys out there have pleanty of time... soo... <shrug>