DataBase Errors

Please bear with us, we have been getting hit hard with (possible) DDoS attacks the last couple of days on & off and are still trying to block all the sources. Every time we seem to get it under control they switch to different IP ranges and start it again. It's very annoying, I agree, and we are working behind the scenes to try and eliminate this.

The first set of attacks appeared to be stemming from some of the Chinese software bot spammers that were banned in the last 3 / 4 days. It was as if their software turned on at 10pm & ran till 1am pelting the servers trying to regain access automatically over & over, sending hundreds of queries per second each.

Later, the incidents started happening at different times on & off with a few stable patches in between. So now we aren't sure if it's Chinese bot software, a targeted malicious attack, or maybe something else.

Hopefully we'll be able to get all this resolved soon.

Sorry for the inconvenience and thanks for understanding.

Eric Lyon
 
18
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
2
•••
Well they must be after your database so you could ask users to change their passwords in case they have the same ones on their registrar accounts. And also secure the database if it is not already.
 
0
•••
Well they must be after your database so you could ask users to change their passwords in case they have the same ones on their registrar accounts. And also secure the database if it is not already.

It's not that kind of attack at all. It's a botnet attack from spam bots trying to crash our servers.

Note: At NO TIME has ANYONE'S personal information been compromised!!!!
 
2
•••
Well they must be after your database so you could ask users to change their passwords in case they have the same ones on their registrar accounts. And also secure the database if it is not already.

The type of attack you are referring to is a SQL injection, where a hacker exploits an unsecure database in order to harvest information. This attack could also be used to bring down a particular web site by destroying data and tables, but since members have access at times and others don't and the database is completely intact, I do not believe it is that method.

What NamePros is experiencing is a DoS attack, or Denial of Service. What generally happens is a hacker uses a trojan to generate a gruesome amount of requests from average household computers without the owners knowing. Generally, it is successful as the server is unable to process the large packet size and rate and will eventually time out or hang.

DoS attacks have been used against many reputable Fortune 500 companies, to include Google. There is no one way to prevent it with completely denoting access to the average joe.

In this case, which is generally common with forums, a spam bot is submitting hundreds of requests to create accounts and posts over and over and is simply not able to make it past the human validation.

To mitigate this issue, I recommend instating a load balancer with a dedicated SQL server. Increase the number of maximum connections in correlation with the processor, and use .htaccess and iptables to block the current known block of IPs. Install and update network tools such as APF and DoS Deflate as previously mentioned. DoS Deflate will automatically detect DoS attacks and deflect them at the system level by adding them into iptables and not allowing the processor to accept requests. Also make sure the Linux kernel is up to date. A hardware firewall or NAT would be extremely helpful as well.

I also suggest blocking NamePros from the particular country of origin for a short time, as the requests will return back empty and eventually stop. I understand that this may create issues but it is for the betterment of the community and would only be a short time. A member could access NP from an established VPN or proxy during this time.

Use this command in the kernel to find ip ranges with abnormal connections

#netstat -anp|grep tcp|awk '{print $5}'| cut -d : -f1|sort|uniq -c|sort -n

To address the issue that was brought up regarding passwords, I'm pretty sure that vBulletin uses bcrypt (blowfish encrypt) with a salt and a time deflect. For those that don't know bcrypt, it is one of the strongest commercial grade encryption methods, as it prevents the use of rainbow tables by using a salt and is time generated (key is generated at a certain rate in the salt, which prevents brute force). It's way more secure than md5, mcrypt, and the standard MySQL encrypting function.

That being said, unless NamePros stores the passwords in plain text, which I highly doubt, under the worst circumstances our passwords are secure, even if using an older method.

Still, one should always take precaution, regularly change passwords, and never link multiple accounts to one email address.

Ray

Source: 5+ YR server and website administration.
 
Last edited:
4
•••
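An added example, not part of the post above or of any NamePros tooling: a per-address connection count in the spirit of the netstat one-liner, restricted to ESTABLISHED and SYN_RECV sockets and stripping only the trailing port so IPv6 peers are not truncated at the first colon. The function names, the threshold and the sample input (documentation address ranges) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Count TCP connections per remote address and list the addresses at or
# above a threshold. Input is `netstat -ant` output on stdin.
# Live use (assumed threshold): netstat -ant | heavy_hitters 50

# Constructed sample in Linux `netstat -ant` layout; not data from the thread.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.7:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.4:40000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.4:40001      TIME_WAIT
tcp6       0      0 2001:db8::10:80         2001:db8::bad:52000     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::bad:52001     ESTABLISHED
EOF
}

# heavy_hitters THRESHOLD
# Prints "count address" lines, highest count first.
heavy_hitters() {
  awk -v min="$1" '
    # Skip headers, listening sockets and sockets already closing:
    # only open or half-open connections hold server resources.
    $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_RECV") {
      addr = $5
      sub(/:[0-9]+$/, "", addr)   # drop the trailing :port only
      count[addr]++
    }
    END {
      for (a in count)
        if (count[a] >= min) print count[a], a
    }
  ' | sort -k1,1nr -k2,2
}

sample_netstat | heavy_hitters 2
# 3 203.0.113.7
# 2 2001:db8::bad
```

The output is a review list for an administrator; addresses behind shared NAT or a proxy can legitimately exceed a low threshold, so check before adding them to iptables.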
just sue DNF for the attacks lol

cheers

liquid

disclaimer: in no way did i assume that DNF started those attacks, i just tried to be funny!!!!!!!!!!
 
1
•••
Well, most of the time these DDoS attacks are followed by the SQLi attacks, so I just thought that a password change does not cost anyone anything, right? Although there might be a very minute possibility of getting hacked, but then again, the domains are the only assets for many of us, so why not take the extra precautions :)
 
0
•••
Any way you could serve a cached / static version of the site ? Agreed people cannot post, but something that will keep us engaged ...
Especially I miss the GoDaddy coupons... I end up getting it from Google cache and it's sometimes a day or 2 old..
 
2
•••
Any way you could serve a cached / static version of the site ? Agreed people cannot post, but something that will keep us engaged ...
Especially I miss the GoDaddy coupons... I end up getting it from Google cache and it's sometimes a day or 2 old..

Great idea! I forgot to mention. Eric, does NP make use of server or HTTP caching? Maybe once an hour the cache is regenerated. It would save bandwidth, reduce process and overall make it a smoother experience. Users wouldn't notice, as once they login or register it would turn to dynamic content again.

WordPress as well as many commercial sites use this method.
 
2
•••
Thanks for the added suggestions everyone. So far it's looking like things are a little more under control for now (Knocks on wood).

Adding a cache might also hinder normal usage times unless there was an instant redirect only when an error occurs that sends people to a fully cached version. Not sure about this one, but it's something to keep in mind and research further. We should hopefully have a more permanent solution in place soon.
 
2
•••
I thought my multiple attempts to enter Namepros via dial-up connection caused all this situation, but good to know it's not me :)

Good luck to the NP staff and may the force be with you!
 
3
•••
That being said, unless NamePros stores the passwords in plain text, which I highly doubt, under the worst circumstances our passwords are secure, even if using an older method.

Still, one should always take precaution, regularly change passwords, and never link multiple accounts to one email address.

Ray

Source: 5+ YR server and website administration.

Can you help people like me understand how our passwords are "secure" when in fact they are sent unencrypted to NP during login?

I'm not busting on you - you seem to have some good admin experience (5+ years). But when I re-read your post I scratch my head and I am left to wonder why other people use https for logins...you know, they say it's so that passwords are encrypted while in transit to the NP server.

:)

---------- Post added at 11:05 AM ---------- Previous post was at 11:00 AM ----------

Great idea! I forgot to mention. Eric, does NP make use of server or HTTP caching? Maybe once an hour the cache is regenerated. It would save bandwidth, reduce process and overall make it a smoother experience. Users wouldn't notice, as once they login or register it would turn to dynamic content again.

WordPress as well as many commercial sites use this method.

But I don't want to be bidding on a name where I'm working off of old information, even if it's from just one hour ago. If there is a current price....I deserve to see it if anyone expects me to put in a bid, but with caching it means I won't necessarily see what is current?

I like the idea though - perhaps applied differentially so that non-auction and non-sales threads are cached, whereas auction and sales threads are not cached?

:)
 
0
•••
Hollywood, I was referring to a SQL injection, and debunking the passwords from a database standpoint. I agree that NamePros should be using SSL given the nature of the marketplace. However, even SSL wouldn't prevent against other phishing and key logging attempts.

Our information will always be at risk, that's the choice we make when we use the web!
 
1
•••
Ok thanks Ray - I feel better now about spending $ for SSL certs for past projects. Virtually every one of my past clients balked at it, saying it was unnecessary.


Our information will always be at risk, that's the choice we make when we use the web!

Amen to that, those are words to the wise!
 
1
•••
Fail2Ban is a great tool that bans an IP after n unsuccessful login attempts.
 
2
•••
Is there a problem with sending private messages?
I get a blank page when I hit send.
 
0
•••
Ok thanks Ray - I feel better now about spending $ for SSL certs for past projects. Virtually every one of my past clients balked at it, saying it was unnecessary.

Do I sense sarcasm?

SSL CERTIFICATES ARE A MUST, they encrypt information when being passed from browser to server and mainly protect against packet sniffing. They are an added layer of protection on the server. An SSL tells a browser how to generate an encryption and a server how to process it, sort of like a SALT.

SSLs are also used to provide a psychological security as well, as most organizations have to go through verification methods to obtain one. (I'm talking about commercial grade, not the $20 ones). It provides the user with the warm set feeling that the person is who they say they are, and have implemented various levels of security and encryption on their end. (most commercial require this)

See http://www.networksolutions.com/SSL-certificates/how-ssl-works.jsp

There are always ways to bypass them, such as monitoring a client's computer. To test my theory download a key logger and visit an SSL site.. SSL keys can also be brute forced.

Also, if a hacker was able to gain access to a server, don't you think he would be able to disable the cert?

See http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ & http://www.techimo.com/forum/security-privacy-issues/116747-ssl-keyloggers.html


Nothing is ever secure!
 
Last edited:
0
•••
Is there a problem with sending private messages?
I get a blank page when I hit send.

PM's seem to be working fine, I just sent a few test PM's. However, if you were attempting to pm at the same time the database was erroring, this could have resulted in a blank page.
 
0
•••
Do I sense sarcasm?

Ray, if there was a sarcastic vibe in my earlier post, it was directed at my clients who said "we don't need that" while I maintained "Yes, you do".

There was no sarcasm intended to you, let me apologize if it may have sounded that way.

You had shared good info, but also within that post stated that passwords were "secure" in the current NP implementation. That statement appeared incorrect to me since you overlooked the client-server transit and the need for SSL.

But since you have more experience than me, I asked.

When you answered, I did feel better. And I tried to further the good information:

People should use SSL on their websites when they are maintaining personal customer data.

Even if the client says "I don't need it", it's the web developer or admin's responsibility to say "yes, you do". In my honest opinion.

:)

P.S. I have not experienced a DB conn error in the past two days, so I think we all should take our hats off and thank Eric for his efforts to mitigate this serious availability issue. Eric, you are the man! :kickass:

P.P.S. And just to share, I actually made a small domain purchase here at NP yesterday - something I have not done for over two years :) If the system were still failing, if Eric were not working on it, if fellow NP'ers were not helping out...then I would not have felt confident enough to buy a name here yesterday.
 
Last edited:
3
•••
Hollywood, I apologize for the accusation of sarcasm and if I came off strong. It was not my intention.
 
0
•••
Hollywood, I apologize for the accusation of sarcasm and if I came off strong. It was not my intention.

Thanks Ray, no worries here. May the force be with us...always %%-
 
0
•••