DDoS Attack Last Night---Please Read

Steve Williams

Site Founder, Site Co-Owner, Administrator
An update as to the outage last night for about an hour on 2 separate occasions.......

Our WebMaster was able to trace the attack to 3 distinct IP addresses which showed spikes at the time of the attacks. Two of these IP addresses were from Arizona area and two others coming from Texas.

When I traced our data base the 2 out of California were not members of WBF. The IP address out of Texas is indeed being used by one of our well known members

Here is where I find the problems. We work diligently to keep spammers off the site as you can see with all the recent TEMU discount this is fraud posts.

Many members either use a VPN, or use Apple Relay, Microsoft, Amazon, as most large ISP providers provide this service where the user can hide his geographical area. We have countless members who have 30-40 registered IP addresses from all over the country and the EU. I understand the need for privacy but VPN servers and Proxy servers are not allowed on WBF as stipulated in our TOS for such reasons. We understand that a significant number of our members use a VPN and we never enforce that rule but we do with Proxy Servers.

The member out of Texas was called by me to understand if he was on the site last night and at the time of the attack he was out for dinner with his parents. He told me that he always uses Apple Relay and uses whatever IP address he is assigned. I know this member very well and have talked to him many times and I know that he was not the perpetrator but rather someone else who took this IP address and used it in the assault last night on the site.

I suggested that he change his passwords and search out different IP addresses for his own security.

The bottom line is this created enormous work for me, Julian and our Webhost last night as we have lately become a target as we are so noticeable by spammers. I attribute this to our Google Analytics which over the past 4-6 weeks show WBF as the number one audio site on the internet. We are very proud of this achievement and strive to maintain our ranking which we could not do without all of you members who are part of this community. For this we thank you immensely.

The takeaway is that in this present day and age nothing is foolproof on the internet. I know that most users of the forum are using means to hide their geophysical location. I would suggest that if you do and you use the SAME IP address all the time that you go back and change this periodically to protect yourselves from becoming a victim.

The downside of using these services such as Apple Relay is that from time to time we get messages from well known members asking why they have been banned. When we do a search at our end it is not a ban direct from our mods but rather because a new member (spammer) who tries to register and his IP address is rejected and banned by the SpamGuard provided by our XenForo Platform. Such instances have happened twice in the past month which the member can easily fix by using a different IP address. The toxic IP addresses are registered on www.stopforumspam.com

In summary this took many hours of work, aggravation and hair pulling until the site could be restored. Thank you all again for understanding and helping to make WBF the best high end audio forum on the internet. We couldn't do it without all of you here.
 
Thank you, Steve, Julian and the webhost for all the hard work, and congratulations on the status of WBF!
 
Sorry to hear you had so much trouble!
 
Sorry to say but site still slow
 
We know. We’ve had enormous numbers on the site this morning. Presently there are 2500-3200 over the past several hours. I’m beginning to think we’ve outgrown the fancy server we bought last year and might need yet another bigger one
 
Like you I see a slowing and report it and shortly thereafter it is normal speed again.
 
I am not an IT person but how do you know who is a member and not someone ghosting members?
I don't use any VPN or Apple or anything I'm aware of. I've done things in the past and to me it was more expensive and more aggravations.
I can't say the site is slow or fast but I can say auto correct and posting from one of my phones is odd at times.
I am happy for you guys having so many members, that's great.
 
Steve, I am not an IT expert much less an IT Security expert. I know just enough to be dangerous.

There is a gentleman, Brian Krebs, who posts about security issues and has for years. His website is krebs on security [.] com. (Spread out, in case that helps with any of this.)

A few years back his server suffered what was at the time, and perhaps still is today, the largest DDoS attack ever. People - bad actors - were "swatting" him, and he wrote about it. (Google "swatting" if you don't know, but for brevity it's the false reporting of a potentially lethal situation at someone's home, attempting to deploy SWAT to the address, potentially having people killed by the SWAT team due to the confusion.) DDoS was an alternate method to shut him down.

I write that all to say: he consulted with CloudFlare to coordinate some anti-DDoS services. Your tech team / host may want to explore something like that too. They successfully had him back up and running quickly and safely, I think within a day.
 

Thanks for that. I am aware of swatting. As for the attack, I was impressed that our host had us up and running in a few hours. It seemed as I said earlier that 3 IP addresses showed a big spike in that time frame and although we cannot say for sure as to the origin, these 3 were out of Arizona and Texas. One of these IP addresses was also used by a member here who posts daily and he was out for dinner with his parents during the assault. These public IP addresses offered by Apple, Microsoft, Amazon, and Comcast are commonly involved with spam.
 
Well, the site has been down again for another hour as we had another major assault, this time arising out of Singapore, where we had to ban two entire blocks of IP addresses. As soon as I did the site was restored. This is really getting bothersome. To all reading, if you find the site begins to get slower and slower please post immediately in this thread so that we can open a ticket and look into it. Again I appreciate everyone's understanding and help in this matter.
 
Hi Steve, looks like the site is working fine now. It wasn’t till about 10 min ago. I was struggling to invoke it.
 
It is fine here as well, sujay. It was not totally down but would take 5-6 minutes to ping and load a page. Our web host gave me the two blocks of IP addresses that were hitting us tonight from Singapore. As soon as I banned both entire blocks the site instantly awakened. My webhost showed me the list of IP addresses and there were literally hundreds so I banned 2 entire blocks and site was instantly restored.
 
Maybe it is time to enforce the “no VPN or proxy server” rule. I don’t know if that was part of the attack but it can’t help the situation.
 
As mentioned in the post about Brian Krebs, Cloudflare would probably help. Seems they have algorithms that detect attacks and respond without human intervention.

See https://developers.cloudflare.com/ddos-protection/frequently-asked-questions/

I work in IT and my employer uses Cloudflare.

Blocking VPN clients is not going to be popular. Because VPNs are so popular……

Cloudflare was indeed recommended by our webhost last night. We are looking into it as we speak. Thank you for confirmation.
 
I can’t tell you the number of membership use VPN and Proxy servers. They are not allowed per TOS.

The big problem is Apple Relay and similar services provided by large ISPs which hide the user's geophysical location. Perfect example is a new member who joined today used Apple Relay and when he was vetted that IP address is used by 9 other bona fide WBF members.

We are going to incorporate Cloudflare to prevent the attacks but it is Apple Relay and similar services that bring the spammers.
 
Can you detect and not allow connections via Apple Relay?
 
We are going to incorporate Cloudflare to prevent the attacks but it is Apple Relay and similar services that bring the spammers

So what exactly is the attack? Looks like Cloudflare is one of the end providers for the Apple Relay service. Is this merely a case of your hosting solution not being able to handle excessive connections?
 
