Screenshots under DDoS attacks
INCIDENT 1: Screenshots went down from 10:00hr to 15:00hr on June 22 as a result of a Denial of Service (DoS) attempt from a zombie host parked at IP address 202.186.86.222 (Kuala Lumpur), which was hosted in connection with a cross-border gaming site.
INCIDENT 2: Soon after, Screenshots became the target of Distributed Denial of Service (DDoS) attacks that made this blog inaccessible from 19:30hr June 22 to 00:30hr June 23. The main launchpads of the DDoS attack were traced to two zombies in Russia, parked at IP addresses 89.169.181.137 (Yubileynyy, Moscow) and 89.163.36.11 (St Petersburg) respectively.
As with most DoS and DDoS attacks, the traffic was aimed at the one port a public web server cannot close, TCP port 80 (HTTP): the entry point that must stay open for legitimate readers is the same one the attackers flooded to the limit.
The attackers' method resembles the modus operandi of the SMS scammers who fake Mobile Originated (MO) requests to bill unsuspecting subscribers. Here, anonymous networks of compromised hosts were used to generate massive, simultaneous and unwarranted traffic against the Screenshots server in order to overload and ultimately crash it, denying bona fide readers access to this weblog.
ACTIONS TAKEN. When Incident 1 happened, Screenshots' web admin was alerted and immediately began remote monitoring of server activity and a physical inspection of the hardware at the data centre. As bait, and in anticipation of the DoS and DDoS attacks that might follow, the web admin publicly attributed the outage to a faulty network card, a red herring.
When Incident 2 happened, the zombies were identified and the web admin repelled the attacks systematically at the firewall level, blocking the offending sources.
There was no evidence of a damaging server intrusion, and all Screenshots databases remain intact.
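To show what identifying the zombies and repelling them at the firewall level looks like in practice, here is an added example; it is not the Screenshots web admin's code or tooling. It counts requests per source address inside a sliding 60-second window over Apache-style access log lines, flags any source that exceeds a threshold, and emits iptables rules that drop the flagged sources' traffic to port 80. The log format, the window, the threshold, the rule syntax and the sample log lines are all assumptions constructed for the example; the three flooding addresses are the ones named in the post.

```python
"""Top-talker detection over a web-server access log, emitting firewall rules.

Added example; not code from the Screenshots site or its web admin. Assumptions:
Apache "combined" log format, a 60-second sliding window, a threshold of 100
requests per window, and iptables rule syntax. The log lines are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Apache combined format; only the source address and timestamp are needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source IP, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return ip_address(m["ip"]), datetime.strptime(m["ts"], TS_FMT)


def top_talkers(lines, window=timedelta(seconds=60), threshold=100):
    """Map each source IP whose request count inside any `window` exceeds
    `threshold` to its peak count. Lines are expected in time order, as a
    live log is; each source keeps a deque of timestamps still in the window."""
    recent = defaultdict(deque)
    peak = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # malformed line: skip, never crash the monitor
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def firewall_rules(offenders, port=80):
    """iptables commands dropping each offender's traffic to the web port,
    worst offender first. Returned as strings for review, not executed."""
    ordered = sorted(offenders.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip, _ in ordered]


# ---- constructed sample log (not real traffic) -------------------------------
_MYT = timezone(timedelta(hours=8))


def _burst(ip, start, count, step_s):
    """`count` constructed GET lines from `ip`, one every `step_s` seconds."""
    return [f'{ip} - - [{(start + timedelta(seconds=i * step_s)).strftime(TS_FMT)}]'
            f' "GET / HTTP/1.1" 200 5120' for i in range(count)]


_T0 = datetime(2007, 6, 22, 10, 0, 0, tzinfo=_MYT)
SAMPLE_LOG = sorted(
    _burst("202.186.86.222", _T0, 600, 0.1)            # 10 req/s for a minute
    + _burst("89.163.36.11", _T0, 300, 0.2)            # 5 req/s
    + _burst("89.169.181.137", _T0, 300, 0.2)
    + _burst("192.0.2.10", _T0 + timedelta(seconds=30), 5, 10),  # a real reader
    key=lambda line: parse_line(line)[1],
)

if __name__ == "__main__":
    for rule in firewall_rules(top_talkers(SAMPLE_LOG)):
        print(rule)
```

Run as a script it prints one DROP rule per flagged source, worst first; review the list before applying it, since a misconfigured threshold would block real readers. Per-address blocking is only practical while the sources are few, as they were in these two incidents; a flood from thousands of zombies has to be rate-limited on the port itself (for example with iptables' connlimit match) or filtered upstream rather than enumerated address by address.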
MOTIVE. If the two rounds of cyber attacks were triggered by content and issues recently published in Screenshots, timing is of the essence.
In this case, one particular issue stood out like a sore thumb: the detailed exposé of SMS scams and of the ineffectiveness of MCMC in mitigating the scandal and protecting telco consumers, especially prepaid users, who are denied their monthly itemised billing, a practice MCMC has condoned for years, since 2004.
WHAT'S NEXT. We expect the rogues to switch to more evasive tactics to sustain the DDoS attacks on Screenshots in the days to come.
Digital trail of the DoS attack via the zombie parked at 202.186.86.222 (Kuala Lumpur, Malaysia). The hops below are the traceroute path towards the zombie, with locations from a geolocation lookup. Traceroute shows the forward path to the source, which need not mirror the path the attack packets took to reach the server; a hop shown as "Hidden" is one that did not answer.
1 ) 62.216.144.5 (United Kingdom)
2 ) 62.216.128.49 (New York, NY, USA)
3 ) 62.216.128.134 (United Kingdom)
4 ) 62.216.128.165 (United Kingdom)
5 ) 62.216.128.33 (United Kingdom)
6 ) 62.216.137.25 (Hong Kong, Hong Kong SAR)
7 ) 62.216.128.182 (Hong Kong, Hong Kong SAR)
8 ) 62.216.128.6 (United Kingdom)
9 ) 62.216.145.66 (United Kingdom)
10 ) 61.6.13.157 (Kuala Lumpur, Malaysia)
11 ) 61.6.162.10 (Kuala Lumpur, Malaysia)
12 ) 161.142.25.85 (Malaysia - imported inetnum object for MIMOS)
13 ) 61.6.162.10 (Kuala Lumpur, Malaysia)
14 ) Hidden
15 ) 202.186.86.222 (Kuala Lumpur, Malaysia)
Digital trail of the DDoS attacks via the zombie parked at 89.163.36.11 (St Petersburg, Russia). The following hops were tracerouted:
1 ) 130.117.2.106 (London, UK)
2 ) 130.117.1.62 (London, UK)
3 ) 195.66.226.90 (London, UK)
4 ) 217.106.0.162 (Russia)
5 ) 195.161.4.246 (Russia)
6 ) 195.131.253.53 (Russia)
7 ) Hidden
8 ) 89.163.36.11 (Saint Petersburg, Russia)
Digital trail of the DDoS attacks via the zombie parked at 89.169.181.137 (Yubileynyy, Moscow, Russia). The following hops were tracerouted:
1 ) 89.149.186.34 (Germany)
2 ) 213.200.72.38 (Germany)
3 ) 81.222.0.99 (Russia)
4 ) 81.222.0.113 (Russia)
5 ) 81.222.0.90 (Russia)
6 ) 83.217.192.135 (Russia)
7 ) 83.217.192.78 (Russia)
8 ) 89.169.181.137 (Yubileynyy, Moscow, Russia)
Comments
Looks like my prediction of their "snipers" and "ninjas" is true. Just hope they do not have real rempit hitmen to do their dirty job.
Again, who is "they"?
Posted by: Life Feel | June 23, 2007 01:29 PM
This DDOS is really a mild one, perhaps as a caution to what you are doing. And being smug, you gave them heads-up on how you dodged them. They most likely knew about that. And you know about them knowing it too. Cat and mouse story.
Let's hope this is an isolated case and not JO vs AJO.
Wonder if you can raise a police report for this.
Posted by: balow | June 23, 2007 03:23 PM
Hahaha, I read that and I thought, 'The Matrix has Screenshots!!'
But of course these DDOS attacks are quite easily traceable (for the web/net/IT savvy). It is very obvious that the 'scammers' are sending a message to you, Jeff, that you should back off.
But being the 'berani kerana benar' individual that you are, Walk On~!! :D :D
Posted by: FayeChan | June 24, 2007 12:02 AM
Actually I feel a little sorry for these scammers who spam and scam, hoping to get away with taking a few cents here and a few dollars there so that their turnover figures can improve by a few million RM a month. You see, over the last several years we let goons in Transmile, Megan Media and even Southern Bank, to an extent, get away with cooking their books. It all only translated into a few hundred millions, whereas these guys may not even have reached that, and we've got ghostbusters like JO busting their arses.
But one thing you can see: all these crooks are being reported on, and in some cases police reports have also been made. But I don't see the Police jumping to act. On the other hand, all you need is a UMNO goon making a protest and the whole government machinery moves.
Posted by: Observer | June 24, 2007 06:32 PM
Hi Jeff, if I don't recall wrongly, this is not the first time your server was under attack... With all this hands-on experience, your team could probably set up a local IT security task force consultancy firm soon, to mitigate, prevent and fortify against cyber attacks! :-)
JEFF OOI says: With you and Mel assisting us, of course! ;-)
Posted by: Brian Fong | June 25, 2007 10:06 AM