
DataBase Errors

Please bear with us, we have been getting hit hard with (possible) DDoS attacks the last couple of days on & off and are still trying to block all the sources. Every time we seem to get it under control they switch to different IP ranges and start it again. It's very annoying, I agree, and we are working behind the scenes to try and eliminate this.

The first set of attacks appeared to be stemming from some of the Chinese software bot spammers that were banned in the last 3 / 4 days. It was as if their software turned on at 10pm & ran till 1am pelting the servers trying to regain access automatically over & over, sending hundreds of queries per second each.

Later, the incidents started happening at different times on & off with a few stable patches in between. So now we aren't sure if it's Chinese bot software, a targeted malicious attack, or maybe something else.

Hopefully we'll be able to get all this resolved soon.

Sorry for the inconvenience and thanks for understanding.

Eric Lyon
 
18
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Well, most of the time these DDoS attacks are followed by SQLi attacks, so I just thought that a password change does not cost anyone anything, right? Although there might be only a very minute possibility of getting hacked, then again, the domains are the only assets for many of us, so why not take the extra precautions :)
 
0
•••
Any way you could serve a cached / static version of the site? Agreed people cannot post, but something that will keep us engaged ...
Especially I miss the GoDaddy coupons... I end up getting them from Google cache and it's sometimes a day or 2 old..
 
2
•••
Any way you could serve a cached / static version of the site? Agreed people cannot post, but something that will keep us engaged ...
Especially I miss the GoDaddy coupons... I end up getting them from Google cache and it's sometimes a day or 2 old..

Great idea! I forgot to mention. Eric, does NP make use of server or HTTP caching? Maybe once an hour the cache is regenerated. It would save bandwidth, reduce processing and overall make it a smoother experience. Users wouldn't notice, as once they log in or register it would turn to dynamic content again.

WordPress as well as many commercial sites use this method.
 
2
•••
Thanks for the added suggestions everyone. So far it's looking like things are a little more under control for now (Knocks on wood).

Adding a cache might also hinder normal usage times unless there was an instant redirect only when an error occurs that sends people to a fully cached version. Not sure about this one, but it's something to keep in mind and research further. We should hopefully have a more permanent solution in place soon.
 
2
•••
I thought my multiple attempts to enter Namepros via dial-up connection caused all this situation, but good to know it's not me :)

Good luck to the NP staff and may the force be with you!
 
3
•••
That being said, unless NamePros stores the passwords in plain text, which I highly doubt, under the worst circumstances our passwords are secure, even if using an older method.

Still, one should always take precautions, regularly change passwords, and never link multiple accounts to one email address.

Ray

Source: 5+ YR server and website administration.

Can you help people like me understand how our passwords are "secure" when in fact they are sent unencrypted to NP during login?

I'm not busting on you - you seem to have some good admin experience (5+ years). But when I re-read your post I scratch my head and I am left to wonder why other people use https for logins...you know, they say it's so that passwords are encrypted while in transit to the NP server.

:)

---------- Post added at 11:05 AM ---------- Previous post was at 11:00 AM ----------

Great idea! I forgot to mention. Eric, does NP make use of server or HTTP caching? Maybe once an hour the cache is regenerated. It would save bandwidth, reduce processing and overall make it a smoother experience. Users wouldn't notice, as once they log in or register it would turn to dynamic content again.

WordPress as well as many commercial sites use this method.

But I don't want to be bidding on a name where I'm working off of old information, even if it's from just one hour ago. If there is a current price....I deserve to see it if anyone expects me to put in a bid, but with caching it means I won't necessarily see what is current?

I like the idea though - perhaps applied differentially so that non-auction and non-sales threads are cached, whereas auction and sales threads are not cached?

:)
 
0
•••
Hollywood, I was referring to a SQL injection, and debunking the passwords from a database standpoint. I agree that NamePros should be using SSL given the nature of the marketplace. However, even SSL wouldn't prevent other phishing and key logging attempts.

Our information will always be at risk, that's the choice we make when we use the web!
 
1
•••
Ok thanks Ray - I feel better now about spending $ for SSL certs for past projects. Virtually every one of my past clients balked at it, saying it was unnecessary.


Our information will always be at risk, that's the choice we make when we use the web!

Amen to that, those are words to the wise!
 
1
•••
Fail2Ban is a great tool that bans IP after n unsuccessful login attempts.
 
2
•••
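Added example, not part of any post in this thread and not Fail2Ban's own code: a minimal Python sketch of the ban rule described above, counting failed logins per IP inside a sliding time window. The log format, the `/login.php` path and the 401-on-failure convention are assumptions; `maxretry` and `findtime` borrow the names of Fail2Ban's jail options.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: date, time, client IP, method, path, HTTP status.
SAMPLE_LOG = """\
2012-03-01 22:00:01 203.0.113.7 POST /login.php 401
2012-03-01 22:00:02 203.0.113.7 POST /login.php 401
2012-03-01 22:00:02 198.51.100.20 POST /login.php 401
2012-03-01 22:00:03 203.0.113.7 POST /login.php 401
2012-03-01 22:00:04 198.51.100.20 POST /login.php 200
2012-03-01 22:00:05 203.0.113.7 POST /login.php 401
2012-03-01 22:20:00 192.0.2.55 POST /login.php 401
2012-03-01 22:40:00 192.0.2.55 POST /login.php 401
2012-03-01 23:00:00 192.0.2.55 POST /login.php 401
""".splitlines()

def parse(line):
    """Return (timestamp, ip, is_failed_login), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    failed = parts[3:] == ["POST", "/login.php", "401"]  # assumed failure marker
    return ts, parts[2], failed

def find_bans(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Map each banned IP to the time of its maxretry-th failure within findtime."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    bans = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, failed = rec
        if not failed or ip in bans:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when}")
```

A per-IP rule like this stops repeated login hammering from one address, but a source that keeps switching IP ranges stays under the threshold on each address.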
Is there a problem with sending private messages?
I get a blank page when I hit send.
 
0
•••
Ok thanks Ray - I feel better now about spending $ for SSL certs for past projects. Virtually every one of my past clients balked at it, saying it was unnecessary.
Do I sense sarcasm?

SSL CERTIFICATES ARE A MUST, they encrypt information when being passed from browser to server and mainly protect against packet sniffing. They are an added layer of protection on the server. An SSL tells a browser how to generate an encryption and a server how to process it, sort of like a SALT.

SSLs are also used to provide a psychological security as well, as most organizations have to go through verification methods to obtain one. (I'm talking about commercial grade, not the $20 ones). It provides the user with the warm set feeling that the person is who they say they are, and have implemented various levels of security and encryption on their end. (most commercial require this)

See http://www.networksolutions.com/SSL-certificates/how-ssl-works.jsp

There are always ways to bypass them, such as monitoring a client's computer. To test my theory, download a key logger and visit an SSL site.. SSL keys can also be brute forced.

Also, if a hacker was able to gain access to a server, don't you think he would be able to disable the cert?

See http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ & http://www.techimo.com/forum/security-privacy-issues/116747-ssl-keyloggers.html


Nothing is ever secure!
 
0
•••
Is there a problem with sending private messages?
I get a blank page when I hit send.

PM's seem to be working fine, I just sent a few test PM's. However, if you were attempting to pm at the same time the database was erroring, this could have resulted in a blank page.
 
0
•••
Do I sense sarcasm?

Ray, if there was a sarcastic vibe in my earlier post, it was directed at my clients who said "we don't need that" while I maintained "Yes, you do".

There was no sarcasm intended to you, let me apologize if it may have sounded that way.

You had shared good info, but also within that post stated that passwords were "secure" in the current NP implementation. That statement appeared incorrect to me since you overlooked the client-server transit and the need for SSL.

But since you have more experience than me, I asked.

When you answered, I did feel better. And I tried to further the good information:

People should use SSL on their websites when they are maintaining personal customer data.

Even if the client says "I don't need it", it's the web developer's or admin's responsibility to say "yes, you do". In my honest opinion.

:)

P.S. I have not experienced a DB conn error in the past two days, so I think we all should take our hats off and thank Eric for his efforts to mitigate this serious availability issue. Eric, you are the man! :kickass:

P.P.S. And just to share, I actually made a small domain purchase here at NP yesterday - something I have not done for over two years :) If the system were still failing, if Eric were not working on it, if fellow NP'ers were not helping out...then I would not have felt confident enough to buy a name here yesterday.
 
3
•••
Hollywood, I apologize for the accusation of sarcasm and if I came off strong. It was not my intention.
 
0
•••
Hollywood, I apologize for the accusation of sarcasm and if I came off strong. It was not my intention.

Thanks Ray, no worries here. May the force be with us...always %%-
 
0
•••