
A school-kid DDoS and whether to be afraid of it

The modern Internet offers four hundred relatively honest ways to make money. Unfortunately, not all greedy characters limit themselves to those. Fortunately, only a few of them are qualified enough to cause serious harm. Nevertheless, to unprepared people their actions can be quite destructive. Under the cut you will find a sentimental story with threats, blackmail, a perfidious attack and a traditional cinematic happy ending.

One of our customers runs an online store selling computer equipment. On the morning of Friday, November 25th, he received a threatening letter:

Hello!

You need to pay $200 (equivalent in Ukrainian hryvnia - 1600 UAH). You need to go to a terminal (you can find them in any supermarket) and choose WebMoney payment. We draw your attention to the fact that it is necessary not to transfer funds to the cashier directly, but to buy vouchers (WM cards) for the required amount. In the terminal, choose WebMoney payment and buy vouchers, then on the receipt there will be the numbers and voucher codes that you must send in a letter. Please note that not all terminals allow you to buy WM vouchers, but most do. Payment must be made within 24 hours. Otherwise, your site will be hit by a powerful DDoS attack, due to which your site will no longer be available for a long time, up to several weeks or even more. The attack will not stop.
- spelling and punctuation preserved.
The attackers did not bother to send a separate letter to each victim, so the addresses of several unrelated online stores were listed in the recipient field.

His natural reaction was a not entirely polite refusal. Considering the incident settled, he safely forgot about it... until the evening.

In the evening, at 17:09, a DDoS attack began: small, but enough to cause interruptions in the operation of the site. Within a quarter of an hour, your humble servant was informed that something was going on.

A quick glance at the Apache logs immediately revealed a pattern in the intruders' actions:

 XXXX - - [25/Nov/2011:17:19:17 +0200] "GET //user-agreement.html HTTP/1.1" 200 32283 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
 YYYY - - [25/Nov/2011:17:19:18 +0200] "GET //user-agreement.html HTTP/1.1" 200 32283 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"
 ZZZZ - - [25/Nov/2011:17:19:17 +0200] "GET //user-agreement.html HTTP/1.1" 200 32283 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"

I think those familiar with web server administration already know what comes next. But I will take it upon myself to continue, in case the ready-made recipe comes in handy for someone.

It is immediately evident that although the attack was carried out from several IP addresses, the requested URL and the browser User-Agent were the same in all of them. Naturally, this data will be used to get rid of the pests. Since we want to shield ordinary users from our little conflict as much as possible, we will key only on the User-Agent, as it is copied from a rather old version of Opera.

To flatter the attackers' pride, a stub file out-of-order.html was created in the site root with simple content:

 <h1>Our site is temporarily unavailable</h1> 

And five lines are added to .htaccess:

 RewriteEngine On
 RewriteBase /
 # Match the exact User-Agent string seen in the flood, anchored at both ends
 RewriteCond %{HTTP_USER_AGENT} ^Opera/9.80\s\(Windows\sNT\s5\.1\;\sU\;\sru\)\sPresto/2\.6\.30\sVersion/10\.63$
 RewriteRule ^(.*)$ out-of-order.html

After that, a small static file was served in response to every request carrying that User-Agent. Since then, the attack has ceased to have any noticeable impact on the server.
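As an added example (not code from the original post), the two steps above in Python: find the same-URL, same-User-Agent pattern spread over many source IPs in a combined-format Apache log, then produce the escaped, anchored RewriteCond pattern for it. The log lines are constructed, with RFC 5737 documentation addresses standing in for the anonymised XXXX/YYYY/ZZZZ.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the layout of the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
FLOOD_UA = "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.6.30 Version/10.63"

# Constructed sample: the flood pattern from the post (documentation IPs stand in
# for the anonymised XXXX/YYYY/ZZZZ) mixed with two ordinary shopper requests.
SAMPLE_LOG = "\n".join([
    f'192.0.2.1 - - [25/Nov/2011:17:19:17 +0200] "GET //user-agreement.html HTTP/1.1" 200 32283 "-" "{FLOOD_UA}"',
    f'192.0.2.2 - - [25/Nov/2011:17:19:18 +0200] "GET //user-agreement.html HTTP/1.1" 200 32283 "-" "{FLOOD_UA}"',
    f'192.0.2.3 - - [25/Nov/2011:17:19:17 +0200] "GET //user-agreement.html HTTP/1.1" 200 32283 "-" "{FLOOD_UA}"',
    f'192.0.2.1 - - [25/Nov/2011:17:19:19 +0200] "GET //user-agreement.html HTTP/1.1" 200 32283 "-" "{FLOOD_UA}"',
    '198.51.100.7 - - [25/Nov/2011:17:19:20 +0200] "GET /catalog/laptops HTTP/1.1" 200 18120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/8.0"',
    '198.51.100.9 - - [25/Nov/2011:17:19:21 +0200] "GET /cart HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/8.0"',
])

def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def find_flood_signatures(entries, min_hits=3, min_ips=2):
    """Group requests by (path, User-Agent) and keep the groups hammered from
    several source IPs: the same-URL, same-UA pattern described in the post."""
    groups = defaultdict(lambda: {"hits": 0, "ips": set()})
    for e in entries:
        g = groups[(e["path"], e["ua"])]
        g["hits"] += 1
        g["ips"].add(e["ip"])
    found = [(path, ua, g["hits"], len(g["ips"])) for (path, ua), g in groups.items()
             if g["hits"] >= min_hits and len(g["ips"]) >= min_ips]
    return sorted(found, key=lambda t: -t[2])

def ua_to_rewritecond(ua):
    """Build an anchored regex for RewriteCond %{HTTP_USER_AGENT}, escaping
    metacharacters and writing spaces as \\s the way the post's .htaccess does."""
    return "^" + re.escape(ua).replace("\\ ", "\\s") + "$"

if __name__ == "__main__":
    for path, ua, hits, ips in find_flood_signatures(parse(SAMPLE_LOG)):
        print(f"{hits} hits from {ips} IPs: {path} / {ua}")
        print("RewriteCond %{HTTP_USER_AGENT} " + ua_to_rewritecond(ua))
```

A genuine visitor running exactly that Opera build would also land on the stub page, so check a flagged group's referers and request timing before turning it into a RewriteCond.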

But our struggle is not over yet! One of the attacker's IP addresses was picked and its provider identified using whois. The administrator who answered the call kindly agreed to check whether an attack was in fact coming from that address. Having confirmed it, he called the subscriber and informed him of the outrage taking place. According to the administrator, the subscriber denied his guilt in every possible way, but promised to change the password on his Wi-Fi, "which the villains had probably cracked." A couple of minutes later the attack stopped not only from this IP but from all the others, including ones in other cities. (We remember, of course, that the subscriber had nothing to do with it!)

In high spirits, we sent the protection recipe to everyone who had received the threatening letter, and went home content.

Source: https://habr.com/ru/post/133418/
