Moar Cooties


  • Discourse touched me in a no-no place

    @topspin said in Moar Cooties:

    I don't know at what point exactly the handshake happens. So I'm not sure if you can make a GET request with a spoofed IP if that gets through

    In the classic model, you can't because the server doesn't accept the content of the TCP stream until the socket is properly established (which is after the TCP setup handshake completes). That's why opening a socket takes a bit before you can send anything on it. But I wouldn't be surprised if web stacks have been tweaked to the point where they assume that traffic is going to be valid (all just pipelining trickery) and allow it through in order to cut the cost of connections, but making this sort of attack a lot more possible.

    HTTPS (as with any SSL/TLS stream) cannot pass ordinary data — including HTTP request headers — along in either direction until the cryptographic handshake completes. That's a critical security feature. (The requested host does get sent early in some operation modes, but that's all. The HTTP request path doesn't unless you're doing tunnelling with CONNECT…)


  • BINNED

    @boomzilla said in Moar Cooties:

    @HardwareGeek said in Moar Cooties:

    @loopback0 said in Moar Cooties:

    @boomzilla

    route: 95.85.70.0/24
    descr: QualityNetwork OU
    origin: AS57172

    "Quality" Cooties.

    Postal code appears to be in Prague, east-central area.
    According to cleantalk.org, some specific addresses in the /24 are known to have spam activity on 200+ websites.

    Also:
    person: QUALITY NETWORK CORP
    address: Office 14, Trinity House, Victoria, Mahe, Seychelles. SC-12

    Saw that address a lot.

    Cool! Now @Polygeekery has useful targeting info 🔥



  • @topspin I would assume IP spoofing is only possible within an intranet these days if IPv6 is not enabled. There are measures developed to counteract this. Say, you can enable RPF on routers to verify upstream routers really have access to those IP addresses.



  • Hey, the website works again!


  • Fake News

    @M_Adams said in Moar Cooties:

    Cool! Now @Polygeekery has useful targeting info 🔥

    It's a damn long flight though...



  • But why does the site still take like 1-2 seconds to respond? Is that what nodebb does to forum software?


  • Considered Harmful

    @_P_ It's always done that. Nobody believes me.



  • @topspin said in Moar Cooties:

    @boomzilla said in Moar Cooties:

    @lolwhat I wonder if the Chicoms noticed a post about HK around here somewhere.

    I assume they'd just blackhole the whole site, right? The only thing they care about is not letting any information get into China.

    Nope, since that still leaves the sites accessible to anyone on VPN. In China, that's everyone. (Well, everyone that needs external access.)

    Instead, they DDoS via expats (and VPN users), by including malicious resource-references (image tags pointing to WTDWTF, for example) on sites owned by the Chinese government, like Baidu (Chinese search engine - and they all use it too). When the expats then open Baidu, which is the home page on most of their phones, they also unwittingly take part in the DDoS network.

    Worse, the IP blocks sound to me like end-points to cheap VPNs. Such as the Chinese would use. So, @boomzilla just effectively blocked the Chinese from this site. Except Hong Kong, since they were probably not behind the Great Firewall anyway.



  • @boomzilla said in Moar Cooties:

    @acrow said in Moar Cooties:

    @boomzilla Could still be regulars browsing through Tor. Does the log say whether they were logged-in to an account?

    I suppose a few of those could be. It seems highly unlikely. The charts show that the surge is from guests. Would your apparent IP (i.e., the Tor exit point) jump around when browsing using Tor?

    Tor exit nodes don't jump around like that. Tor proxies TCP, so normal HTTP connection management would happen, as well as the fact that it's computationally expensive to establish a circuit (four different computers are involved) so circuits are generally only regenerated if the user explicitly asks for them to be.

    Also, the Tor project has this nice little tool: https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=158.69.225.103&port=443

    (There aren't nearly as many addresses on that list as were attacking today.)
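A defender-side triage of the kind discussed in this post, as an added example that is not from the thread or the site's software: it parses constructed access-log lines and a constructed sample in the shape of the TorBulkExitList output, groups sources by /24, counts guest versus logged-in requests, and reports how many hits came from listed Tor exits. The log lines, timestamps, usernames and exit addresses are all constructed; only the 95.85.70.0/24 prefix and the topic URL come from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of a TorBulkExitList.py response:
# comment lines begin with '#', followed by one exit address per line.
TOR_EXIT_LIST = """\
# This is a list of all Tor exit nodes that can contact 158.69.225.103 on port 443
# (constructed sample, not a real download)
198.51.100.7
198.51.100.9
203.0.113.44
"""

# Constructed access-log lines in combined log format: client IP, ident,
# authenticated user ('-' for a guest), timestamp, request line, status, size.
ACCESS_LOG = """\
95.85.70.12 - - [05/Oct/2019:10:00:01 +0000] "GET /topic/25362/so-about-that-postgresql-thing HTTP/1.1" 200 5120
95.85.70.88 - - [05/Oct/2019:10:00:01 +0000] "GET /topic/12345/moar-cooties HTTP/1.1" 200 4096
95.85.70.13 - - [05/Oct/2019:10:00:02 +0000] "GET /topic/100/old-thread HTTP/1.1" 200 3000
95.85.70.200 - - [05/Oct/2019:10:00:02 +0000] "GET /topic/25362/so-about-that-postgresql-thing HTTP/1.1" 200 5120
198.51.100.7 - - [05/Oct/2019:10:00:03 +0000] "GET /topic/12345/moar-cooties HTTP/1.1" 200 4096
203.0.113.44 - acrow [05/Oct/2019:10:00:03 +0000] "GET /topic/12345/moar-cooties HTTP/1.1" 200 4096
192.0.2.5 - boomzilla [05/Oct/2019:10:00:04 +0000] "GET /admin HTTP/1.1" 200 1024
not a log line at all
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')


def parse_exit_list(text):
    """Return the set of valid exit-node addresses, ignoring comments and junk."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # a malformed line must not poison the whole list
    return exits


def parse_access_log(text):
    """Yield (ip, user, path) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        yield ip, m.group(3), m.group(5)


def triage(log_text, exit_text):
    """Aggregate a surge: guests vs. logged-in, dominant /24s, Tor-exit hits."""
    exits = parse_exit_list(exit_text)
    per_prefix, paths = Counter(), Counter()
    guests = tor_hits = total = 0
    for ip, user, path in parse_access_log(log_text):
        total += 1
        guests += user == "-"
        tor_hits += str(ip) in exits
        prefix = 24 if ip.version == 4 else 48  # group v6 by /48 instead
        per_prefix[str(ipaddress.ip_network((ip, prefix), strict=False))] += 1
        paths[path] += 1
    return {"total": total, "guests": guests, "tor_exit_requests": tor_hits,
            "top_prefixes": per_prefix.most_common(3),
            "top_paths": paths.most_common(3)}
```

Run against a real log, the "tor_exit_requests" count is the number the post is getting at: if it is far below the request total, Tor does not explain the surge.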



  • By the way, I'm still getting intermittently slow page loads on WTDWTF. Other U.S.:ian pages work fine.



  • @ben_lubar said in Moar Cooties:

    @boomzilla said in Moar Cooties:

    @acrow said in Moar Cooties:

    @boomzilla Could still be regulars browsing through Tor. Does the log say whether they were logged-in to an account?

    I suppose a few of those could be. It seems highly unlikely. The charts show that the surge is from guests. Would your apparent IP (i.e., the Tor exit point) jump around when browsing using Tor?

    Tor exit nodes don't jump around like that. Tor proxies TCP, so normal HTTP connection management would happen, as well as the fact that it's computationally expensive to establish a circuit (four different computers are involved) so circuits are generally only regenerated if the user explicitly asks for them to be.

    Also, the Tor project has this nice little tool: https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=158.69.225.103&port=443

    (There aren't nearly as many addresses on that list as were attacking today.)

    You wouldn't happen to also have a list of known VPN exit points, would you? Would validate my theory on Chinese VPNs.


  • ♿ (Parody)

    @pie_flavor said in Moar Cooties:

    @_P_ It's always done that. Nobody believes me.

    That's what happens when your reality doesn't match everyone else's.



  • @acrow said in Moar Cooties:

    You wouldn't happen to also have a list of known VPN exit points, would you? Would validate my theory on Chinese VPNs.

    I think since the 1st of April, Chinese residents can only use Chinese government approved VPNs for accessing external sites (still subject to the Great Firewall) unless with written approval by their telecom department (say, an enterprise may apply for approval to use a VPN to connect with their other offices).



  • @cheong said in Moar Cooties:

    @acrow said in Moar Cooties:

    You wouldn't happen to also have a list of known VPN exit points, would you? Would validate my theory on Chinese VPNs.

    I think since the 1st of this month, Chinese residents can only use Chinese government approved VPNs for accessing external sites (still subject to the Great Firewall) unless with written approval by their telecom department (say, an enterprise may apply for approval to use a VPN to connect with their other offices).

    All right. So, do you happen to know where those approved VPNs come out?

    Also, kinda defeats the whole idea of VPN, doesn't it?


  • ♿ (Parody)

    @acrow said in Moar Cooties:

    Also, kinda defeats the whole idea of VPN, doesn't it?

    I believe that is the point.



  • @boomzilla said in Moar Cooties:

    @acrow said in Moar Cooties:

    Also, kinda defeats the whole idea of VPN, doesn't it?

    I believe that is the point.

    Just a really roundabout way of doing it, is all. A bit like offering a free speed-up plug-in that adds a useless toolbar but does nothing. Or handing a literal card that says "Carry this around, and you're safe" to a man that tried to buy a gun (and paid for it already).

    Only a politician could think up something like that. "You wanted a VPN? Well, here's a software that says VPN on it."


  • BINNED

    @acrow Why, it's a perfectly reasonable approach to ban VPNs while keeping the outward appearance of not banning VPNs.
    So now not only does everything go through their Big Firewall, anybody who tries to circumvent it is committing a felony.

    Filed under: from the department of lawful evil


  • ♿ (Parody)

    @acrow said in Moar Cooties:

    @boomzilla said in Moar Cooties:

    @acrow said in Moar Cooties:

    Also, kinda defeats the whole idea of VPN, doesn't it?

    I believe that is the point.

    Just a really roundabout way of doing it, is all. A bit like offering a free speed-up plug-in that adds a useless toolbar but does nothing. Or handing a literal card that says "Carry this around, and you're safe" to a man that tried to buy a gun (and paid for it already).

    Only a politician could think up something like that. "You wanted a VPN? Well, here's a software that says VPN on it."

    As the tin says, your network is virtually private now.



  • @topspin Anyone circumventing it was already committing a felony. The only reason it wasn't strictly enforced was that tech people still needed access to western tech. Case in point, Apple SDK.

    Also, the Chinese government already flogs a browser, payment app, chat app, etc.. Installing any one of these kinda guarantees full web activity history availability to all government agencies. So why bother with an obvious trap?



  • @cheong Can you test or ask someone to test whether WTDWTF is still reachable through the official Chinese VPN? And if it's not, then what's the HTTP response?



  • @acrow said in Moar Cooties:

    All right. So, do you happen to know where those approved VPNs come out?

    I don't know their IP address, I just know they have a law that they can only use government approved VPNs, or apply for a permit to set up your own if you're a multinational organization and declare the VPN will only be used for anything forbidden by the law. My company has a need to set up VPNs to factories in China.

    Also, kinda defeats the whole idea of VPN, doesn't it?

    AFAIK, the only requirement is to use a China-based DNS server, and block all other DNS queries. These VPN providers are not required (at least they said so in a public announcement) to censor / monitor usage of their users.



  • @acrow said in Moar Cooties:

    @cheong Can you test or ask someone to test whether WTDWTF is still reachable through the official Chinese VPN? And if it's not, then what's the HTTP response?

    Emmm... we don't have a need to. Hong Kong can access the internet freely (at least before our CEO uses the Emergency law to restrict it), and our colleagues in China can access it by pointing the DNS to our domain server (which, of course, uses Hong Kong DNS to resolve domain names) or even set up to use our default gateway as their default gateway.



  • @cheong said in Moar Cooties:

    @acrow said in Moar Cooties:

    @cheong Can you test or ask someone to test whether WTDWTF is still reachable through the official Chinese VPN? And if it's not, then what's the HTTP response?

    Emmm... we don't have a need to. Hong Kong can access the internet freely (at least before our CEO uses the Emergency law to restrict it), and our colleagues in China can access it by pointing the DNS to our domain server (which, of course, uses Hong Kong DNS to resolve domain names) or even set up to use our default gateway as their default gateway.

    :whoosh:

    I just wanted to test if the earlier traffic had possibly come from China via VPN. If WTDWTF would return HTTP 403 when browsed through the official VPN, then that'd prove it.


  • ♿ (Parody)

    @acrow Everything I see says that you're only allowed to use a government approved VPN. I can't easily find any references to which VPNs have been approved, though.



  • @acrow said in Moar Cooties:

    I just wanted to test if the earlier traffic had possibly come from China via VPN. If WTDWTF would return HTTP 403 when browsed through the official VPN, then that'd prove it.

    In fact I've tried searching for the approved VPN provider list on the MIIT website for a while and cannot find it.

    All I know is any VPN providers on the Apple Store (China region) or Huawei Store are approved ones.



  • @boomzilla @cheong Just knowing the specific VPN software(s) doesn't yield much, since it'd only work in the same way if used from within China.
    Of course, this is speculation. But it would make sense to do that, if they want to keep up appearances.


  • ♿ (Parody)

    @acrow I figured it would be the first step in figuring out the end points, if that's even possible.

    In any case, I suspect that either someone had compromised these ISPs' infrastructure or (more likely) had paid for the DDoS service. But I admit to not being up on how this works these days.



  • @boomzilla said in Moar Cooties:

    I suspect that either someone had compromised these ISPs' infrastructure

    If you mean infecting the custom firmware in OEM modems, then I do think that's still the way to make a quick botnet, yes. There's a reason why I put mine in bridge-mode before ever connecting them to the cable.

    But crappy modems with enough in common to infect en masse are a finite resource, so there's competition. And regional custom firmwares are, well, so varied probably that it'd make sense to buy from local crooks.

    Then again, most modems are Made in China, so if you want to go full conspiracy theory...


  • ♿ (Parody)

    @acrow said in Moar Cooties:

    @boomzilla said in Moar Cooties:

    I suspect that either someone had compromised these ISPs' infrastructure

    If you mean infecting the custom firmware in OEM modems, then I do think that's still the way to make a quick botnet, yes.

    No, I meant getting hooks into someone's data center or whatever the ISP uses to assign IP addresses, at which point you're not spoofing an IP address per se, but you're playing around with where those go, maybe.



  • @boomzilla said in Moar Cooties:

    @acrow said in Moar Cooties:

    @boomzilla said in Moar Cooties:

    I suspect that either someone had compromised these ISPs' infrastructure

    If you mean infecting the custom firmware in OEM modems, then I do think that's still the way to make a quick botnet, yes.

    No, I meant getting hooks into someone's data center or whatever the ISP uses to assign IP addresses, at which point you're not spoofing an IP address per se, but you're playing around with where those go, maybe.

    OK. But can you explain for what purpose? You said yourself that the DDoS traffic was basically valid HTTP GET queries, to valid pages, right? Why would someone bother to break into an ISP, just to have their own server(s) handle the traffic anyway? Did I miss some crucial detail?

    At the same time, there are ample programmable DDoS bots that don't have a disk to log onto, so there'd be no trace to backtrack. And you can use the same botnet to attack multiple targets, since it's not exactly bandwidth-limited.

    Not that I'm an expert, but you got me lost. Sorry.


  • ♿ (Parody)

    @acrow As I have said, I'm just talking out my ass as I wonder what was going on. I have as much knowledge about this modem firmware stuff as anything else we've been discussing.

    I don't know what you mean by "no trace to backtrack," or the bit about "handling the traffic." I don't know what those other botnets do, but this was an attack that didn't rely on overloading the network, but the database.


  • Considered Harmful

    @boomzilla said in Moar Cooties:

    don't know what those other botnets do, but this was an attack that didn't rely on overloading the network, but the database.

    I insist we use scare quotes when calling NoSQL a "database."


  • ♿ (Parody)

    @error said in Moar Cooties:

    @boomzilla said in Moar Cooties:

    don't know what those other botnets do, but this was an attack that didn't rely on overloading the network, but the database.

    I insist we use scare quotes when calling NoSQL a "database."

    That's a funny way to spell Postgre.


  • Considered Harmful

    @boomzilla said in Moar Cooties:

    @error said in Moar Cooties:

    @boomzilla said in Moar Cooties:

    don't know what those other botnets do, but this was an attack that didn't rely on overloading the network, but the database.

    I insist we use scare quotes when calling NoSQL a "database."

    That's a funny way to spell Postgre.

    Really? Then how the fuck did the API end up like a statebag?



  • @boomzilla said in Moar Cooties:

    As I have said, I'm just talking out my ass as I wonder what was going on. I have as much knowledge about this modem firmware stuff as anything else we've been discussing.

    Oh. OK.

    don't know what you mean by "no trace to backtrack,"

    If you poke an ISP's setup, that should leave a log. And how you changed it could tell volumes about who poked it. Whereas a crappy modem does not log anything, since it doesn't really have a disk to log to. And this attacker wants at least plausible deniability.

    or the bit about "handling the traffic." I don't know what those other botnets do, but this was an attack that didn't rely on overloading the network, but the database.

    A slightly smarter DDoS than average, yes. But you're missing a detail here: if the cause of the DDoS was the discussion on Hong Kong, then we're not the only ones to be attacked. If the source, let's assume it was hacked modems, were to saturate their WAN link, then they'd get rebooted by the user and/or shut down by the ISP. So you'd want to load the botnet's participants as little as possible, so they can keep pestering a whole bunch of sites.

    Plus, this site is a low-priority target. And among other sites of similar size (in userbase), one of few with the technical competence to recognize and block the attack.

    Does this make sense?


  • Discourse touched me in a no-no place

    @boomzilla said in Moar Cooties:

    That's a funny way to spell Postgre.

    That's a funny way to spell Postgres.


  • ♿ (Parody)

    @error said in Moar Cooties:

    @boomzilla said in Moar Cooties:

    @error said in Moar Cooties:

    @boomzilla said in Moar Cooties:

    don't know what those other botnets do, but this was an attack that didn't rely on overloading the network, but the database.

    I insist we use scare quotes when calling NoSQL a "database."

    That's a funny way to spell Postgre.

    Really? Then how the fuck did the API end up like a statebag?

    https://what.thedailywtf.com/topic/25362/so-about-that-postgresql-thing


  • ♿ (Parody)

    @acrow said in Moar Cooties:

    A slightly smarter DDoS than average, yes. But you're missing a detail here: if the cause of the DDoS was the discussion on Hong Kong, then we're not the only ones to be attacked. If the source, let's assume it was hacked modems, were to saturate their WAN link, then they'd get rebooted by the user and/or shut down by the ISP. So you'd want to load the botnet's participants as little as possible, so they can keep pestering a whole bunch of sites.

    This whole modem thing just doesn't sound much like what we saw, though. To me. 🤷🏻♂


  • Considered Harmful

    All this time I assumed that the inconsistent data model was a side-effect of poor discipline and having no schema in the persistence layer. But no, there's a proper RDBMS back there, which seems even worse, because it means that someone designed it that way.



  • @error said in Moar Cooties:

    All this time I assumed that the inconsistent data model was a side-effect of poor discipline and having no schema in the persistence layer. But no, there's a proper RDBMS back there, which seems even worse, because it means that someone designed it that way.

    It was noSQL. The current thing is a bug-for-bug-compatible port by Lubar into a real RDBMS, with the hope of eventually cleaning it up to something sane.


  • Considered Harmful

    @Benjamin-Hall said in Moar Cooties:

    @error said in Moar Cooties:

    All this time I assumed that the inconsistent data model was a side-effect of poor discipline and having no schema in the persistence layer. But no, there's a proper RDBMS back there, which seems even worse, because it means that someone designed it that way.

    It was noSQL. The current thing is a bug-for-bug-compatible port by Lubar into a real RDBMS, with the hope of eventually cleaning it up to something sane.

    OK that makes sense. 99% of :wtf:s at WTFCorp can only be understood with a history lesson.



  • @error said in Moar Cooties:

    @Benjamin-Hall said in Moar Cooties:

    @error said in Moar Cooties:

    All this time I assumed that the inconsistent data model was a side-effect of poor discipline and having no schema in the persistence layer. But no, there's a proper RDBMS back there, which seems even worse, because it means that someone designed it that way.

    It was noSQL. The current thing is a bug-for-bug-compatible port by Lubar into a real RDBMS, with the hope of eventually cleaning it up to something sane.

    99% of :wtf:s at ~~WTFCorp~~ everywhere can only be understood with a history lesson.

    FTFY



  • @boomzilla said in Moar Cooties:

    @acrow said in Moar Cooties:

    A slightly smarter DDoS than average, yes. But you're missing a detail here: if the cause of the DDoS was the discussion on Hong Kong, then we're not the only ones to be attacked. If the source, let's assume it was hacked modems, were to saturate their WAN link, then they'd get rebooted by the user and/or shut down by the ISP. So you'd want to load the botnet's participants as little as possible, so they can keep pestering a whole bunch of sites.

    This whole modem thing just doesn't sound much like what we saw, though. To me. 🤷🏻♂

    How so? I'm sorry to keep pestering, but I'm curious.

    25k IP addresses in a few geographical locations sounds like specific ISPs, which conclusion you arrived at as well. Consumer modem/routers are basically Linux boxes. Load to each of them a list of known-good but randomly ordered URLs and bash-script them to wget each URL on the list, hoping to overload the database backend. Sounds like a plan to me.

    ...Say, what's the oldest forum thread that was requested by the DDoS? Might give a clue as to when the list was compiled.


  • ♿ (Parody)

    @acrow I dunno, my scenario just seems a lot more likely to me.



  • @boomzilla Just to clarify, this is the scenario where the attack is performed from one source that hides itself by subverting a couple of local ISPs to spoof the originating IP address?

    Well, technically it would work. But I'm still claiming that using consumer routers as HTTP proxies is more likely than hacking the ISP directly.


  • ♿ (Parody)

    @acrow said in Moar Cooties:

    @boomzilla Just to clarify, this is the scenario where the attack is performed from one source that hides itself by subverting a couple of local ISPs to spoof the originating IP address?

    That's one scenario. They might also have attacked the infrastructure of a datacenter.

    Well, technically it would work. But I'm still claiming that using consumer routers as HTTP proxies is more likely than hacking the ISP directly.

    I know.



  • @acrow said in Moar Cooties:

    @boomzilla @cheong Just knowing the specific VPN software(s) doesn't yield much, since it'd only work in the same way if used from within China.
    Of course, this is speculation. But it would make sense to do that, if they want to keep up appearances.

    The endpoints ought to be in the IP ranges of multiple countries.

    I think they would have endpoints in Japan at least, because most people who need VPN service are young people who want to play Japanese games, since lots of Japanese games are blocking the IP range of China.

    In some sense I think they don't really care about the encryption aspect of VPN services.



  • @cheong They will start to care soon. I hear the Chinese government will start deducting the "citizen points" score for playing too much. (Then again, young people may not care enough anyway.)



  • @acrow said in Moar Cooties:

    @cheong They will start to care soon. I hear the Chinese government will start deducting the "citizen points" score for playing too much. (Then again, young people may not care enough anyway.)

    That's something I have a problem understanding.

    In China there are game players who make their living by joining computer game contests, and there are also people who stream their game play to platforms such as Twitch to collect advertising revenue. If I happen to be making a living in these ways, am I working or playing when playing these games? Will my marks be deducted?


  • Notification Spam Recipient

    @cheong said in Moar Cooties:

    am I working or playing when playing these games

    Playfully working, obviously!

