DDOS victims - an investigation

edit
This has gone from me trying to understand where these attacks are coming from, to open thinking solutioning (Lean Six Sigma problem solving for those in business). Which was not my intention, but still kind of interesting
end edit

I’ve seen a lot of people recently getting blocked for suddenly reaching the hits limit (myself included). I’m trying to gather some information to help all of us better understand what’s happened and see if we can take steps to avoid this happening in the future?

Anyone who’s willing to share, can you please let me know the following:

  • Are you using an InfinityFree domain or a custom domain (such as a .eu.org or .pp.ua)?
  • Is your domain protected with Cloudflare?
  • Did you share your site on the forum here?
  • Did you share your site elsewhere online?

I’m just trying to see if there are any common patterns. I’ll start with mine:

  • I was using a .pp.ua domain
  • My domain is protected with Cloudflare, but I had not activated any strict protection
  • I had shared my page about 12 hours before the attack
  • I had not shared my site elsewhere, other than with a couple of potential employers

Thanks
Dan

2 Likes

There have been signs before of someone targeting websites that were shared on this forum.

I suspect someone is angry with InfinityFree and taking revenge using logic like “I think InfinityFree is bad and everyone should think InfinityFree is bad, so I will attack people’s website hosted on InfinityFree and get them suspended, so they will blame InfinityFree and also think InfinityFree is bad”.

This is of course very twisted reasoning. No matter what harm we may have caused this person, it is no justification to cause harm to other people. We don’t want your website to go down, but they are attacking your website and forcing our hand. That doesn’t make us the bad guy; the only one to blame is the attacker.

If the attacker were to announce themselves and talk to us, then we could look for a mutually satisfactory solution. Or at the very least discuss what went wrong so we can try to improve. I’ll even take a bad review about our service in case they want to share their dissatisfaction with others and are not looking for discussion.

But alas, that never happens. They would rather keep hurting others, for no other reason than to feed their hunger for revenge as far as I can tell…


Asking for help shouldn’t require people to paint a target on their back, and I wish there was a way for people to get help that wouldn’t require them to show their website to these attackers. But I don’t see how that’s possible, while still enabling anyone to participate in topics.

8 Likes

  • My sites use a .rf.gd subdomain
  • My sites aren’t able to be registered by Cloudflare
  • I have shared my sites multiple times on this forum, but nowhere else.
eu.org is taking forever and pp.ua asks for things I don’t like giving away, so I don’t have custom domains.
Also, I don’t purchase custom domains.

Account Affected:
if0_37772173
IP: 185.27.134.226
Volume: vol11_3

Domains resting in peace:

1 Like

100% on side with you here. I’m asking about this mostly to learn, to see if anything I can suggest comes up. (hence I’ve put it in the informal topic)

But I’ve also been talking with the cyber security people at work who have given me a couple of thoughts. The ultimate solution to the forum issue would be to be able to set up a sandbox or temporary domain system, allowing users to set up a temporary domain to share on the forum. But that adds another step that might cause people trouble getting help :frowning: (Plus I can’t even begin to imagine the cost\work required)

I do feel like the attacks are at least semi-targeted, given that I got 2.8K hits in a few minutes, and then none as soon as my site went down. And I’m 1/2 expecting another spike tomorrow morning when my site is back up… I’m just hoping Cloudflare can block it this time (I’ve got “I’m under attack” active now)

3 Likes

I can pretty much guarantee you that 99% of people won’t go through the process of getting a temp domain to ask a question here on the forum.

Also, the temp domain would still have to point to IF servers (And would actually be worse if the user had a custom domain on Cloudflare or a similar service as protection would go down), and would still have to point to the users account so hits would still be counted (You can’t have this temp domain bypass the limits either, or that is just asking for someone to abuse the service).

Also, one of the most popular things people host here is WordPress, and WordPress does not support multiple domains (So getting a temp domain would just result in everyone who visits it getting redirected to the real domain, making the entire idea of a temp domain useless).


Additional note for anyone reading this and thinking it would be a good idea, you can link a custom domain to your account as a temp domain of sorts by adding it as a “Parked Domain” in the control panel (No, you cannot do this with a free subdomain).

4 Likes

I know. That’s not quite what I meant; I realise I didn’t explain myself very well.

At Experian, when we’re sharing demo environments with clients, we create a sandboxed domain automatically that has a limited life and hits (on outbound emails).

Like I said the administration to get something like that in place would be a nightmare.

And I don’t know if it would even be possible with Discourse or the backend system… This is more pie in the sky thinking aloud than anything

Ok I didn’t know that … That’s a pia limitation

3 Likes

I have an idea and a proposal, @Admin.


Summary

  1. We need to limit the scope of access for every link in the forum. Only those who can meet the requirements can access a specific link.
  2. We need to track the users who request information from others, once the scope of the access has been limited.

Visitors of the forum (aka “guests”) should not possess any ability to view any link inside the forum at all. They should be censored in public. The links will be “decrypted” somehow once the requirements are met.

Requirements (in the order of precedence)

  1. fully-registered account
  2. appropriate trust level
  3. moderator’s approval
  4. permissions from the author of the post or topic

The 4th requirement requires major changes to the forum to handle some sort of approval system (to be explained later). Users greater than T3 should have an ability to see the links without the censor, including @Admin.

Other requirements were brainstormed primarily due to the fact that hackers could create dummy accounts easily which could bypass the 1st requirement.

The system should automatically identify the links and censor them. In any case that a user accidentally leaks the link using techniques which bypasses the link detection algorithm, he/she should suffer the consequences of his/her own action. Admin and moderators shouldn’t help him/her in tracking which users had access to the links.


I. Changes to the System

The links are only available for users who requested it and have an approval from the author or the original poster. The author of the post or topic decides whether the request needs to be accepted or not. But before it happens, the request will be handled by moderators for further review.

Method 1. Implement “request sensitive information” button for every post and topic.
Method 2. Implement “request” button for every link.

Variants

For 1st method
A. Information selection from author (sender)

The one who requests information on a particular post or topic clicks the button. The requester needs to specify the reason in doing so.

Clicking the button triggers a request that is sent to the author/OP of the post/topic. The OP receives notification about the data request. The author can reject/deny the request.
The author has the authority – he can pick what information/data needs to be sent to the requester.

B. Information selection from requester

Similar to variant (A) except that the requester explicitly specifies the type of data needed. The only difference is that the requester can pick from the set of options.

For 2nd method

The requester clicks the button which sends an approval request to the OP. The OP receives the notification about the data request. He/she can approve or deny the request. Nothing is unusual.


Effectivity

Since each forum account is connected to an InfinityFree account, that means every access of any link is going to be monitored and tracked. Private messages should be disabled somehow to avoid any workaround and bypass attempts, except for higher tier users (greater than T4).


Limitations

The problem of this approach is that it requires complex changes. And I am not certain if it’s possible to implement the changes in a Discourse-powered forum at all. The solution only works if the link has not been leaked in other places yet. It requires stricter user validation measures to ensure that no one can bypass the approach using a dummy account.

3 Likes
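As an added illustration of the proposal above (this is example code written for this page, not anything from the forum or InfinityFree), here is a small model of the two pieces it asks for: a link detector that also catches URLs posted without a protocol, and a gate that shows the real links only to viewers at or above a trust level or to requesters the post's author has approved, while keeping a record of who asked. The T3 threshold, the `LinkGate` class and its method names are assumptions for the example; the later reply in this thread about link detection being hard applies to the regex too, which will happily treat `page.php` as a host.

```python
import re

# Matches both scheme-prefixed URLs and bare hostnames such as example.rf.gd/page.
# Posters often omit the protocol, so the scheme is optional.
URL_RE = re.compile(
    r"(?i)\b(?:https?://)?"           # optional scheme
    r"(?:[a-z0-9-]+\.)+[a-z]{2,}"     # host with at least one dot
    r"(?::\d{1,5})?"                  # optional port
    r"(?:/[^\s<>\"']*)?"              # optional path
)

TRUSTED_LEVEL = 3  # assumption: T3 and above see links uncensored


def find_links(text):
    """Return every link-looking token in a post body."""
    return [m.group(0) for m in URL_RE.finditer(text)]


class LinkGate:
    """Censor links in posts unless the viewer is trusted or author-approved."""

    def __init__(self):
        self.posts = {}        # post_id -> {"author": str, "text": str}
        self.approved = set()  # (post_id, requester) pairs the author accepted
        self.requests = []     # (post_id, requester, reason): audit trail of who asked

    def add_post(self, post_id, author, text):
        self.posts[post_id] = {"author": author, "text": text}

    def request_access(self, post_id, requester, reason):
        """Requester must state a reason; the request is recorded either way."""
        self.requests.append((post_id, requester, reason))

    def approve(self, post_id, approver, requester):
        """Only the post's author can grant a requester access to its links."""
        if self.posts[post_id]["author"] != approver:
            raise PermissionError("only the author can approve a request")
        self.approved.add((post_id, requester))

    def render(self, post_id, viewer, trust_level, placeholder="[link hidden]"):
        """Return the post text as this viewer should see it."""
        text = self.posts[post_id]["text"]
        if trust_level >= TRUSTED_LEVEL or (post_id, viewer) in self.approved:
            return text
        return URL_RE.sub(placeholder, text)


if __name__ == "__main__":
    gate = LinkGate()
    # Constructed sample post, not a real site
    gate.add_post(1, "dan", "My site is https://example.pp.ua/index.php and example.rf.gd, help!")
    print(gate.render(1, viewer="newbie", trust_level=0))
    gate.request_access(1, "newbie", "want to compare response headers")
    gate.approve(1, approver="dan", requester="newbie")
    print(gate.render(1, viewer="newbie", trust_level=0))
```

Guests (no account) would simply be rendered with the lowest trust level, so they never see a link; the audit trail in `requests` is what lets moderators answer "who asked for this site" after an attack.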

That sounds like something that would take months if not years to develop on your own (No way you are going to get the Discourse devs to do it for you).

And if you are set on attacking free hosting websites, there are probably hundreds of ways to get the domains used on the platform (I have come up with 5 easy ways to get a very long list of domains on free hosting in under 10 minutes in just the time it has taken me to type this post).

I’m sorry, but that would only stop the attacks on new domains for a few hours at least, would take months (if not years) to develop, and would create a bunch more annoyances for users, admins, and mods alike.

6 Likes

Isn’t it possible through the Discourse plugin API?

3 Likes

Javes, I wish you were on my team. My TL would love your thought process. (we have a culture that no idea is a bad idea, just not always viable)

You’ve got me wondering now. I’m going to take a look at the API.
It’s still only a limited scope though

I’ve just seen something on the service where I host my freelance website (I pay for a premium account there) where I can limit the number of hits on a page per hour\day\week\ever

Is that the sort of thing that might be implementable? Or is it the level of complexity that would require it to be a premium feature?

4 Likes

Maybe, but I would doubt that it would let you control the HTML of the post that is shown to specific users. And even if it did, you would have to build link detection (Not all valid URLs are detected as URLs automatically, especially since most people omit the protocol), a new moderator interface/options, extending the permissions system, pop-ups, etc…

I’m not saying it’s not possible (It probably is), I’m saying it would be nowhere near worth the time and frustration it would take to create.

That’s rate limiting, and it is possible. However, those requests are still being received by the server, and processing is still done on them (determining the owner, current hit number, is limit reached, return the error page), so an attack on a domain is still taking up a bunch of server resources and potentially causing longer-lasting issues the same way that returning the website's contents would. Depending on the contents of the website, it may take a bit longer for that “this is actually a big issue” threshold to be crossed, but a powerful attack would still have the same effects with or without a rate limit.

3 Likes
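To make the point in that reply concrete, here is an added example (not code from the forum or from the hosting platform) of a per-domain hit limiter with a sliding window. It tracks a `work_done` counter alongside the allowed/rejected decision, so replaying a burst like the 2.8K-hits-in-a-few-minutes figure mentioned earlier in the thread shows that a rejected request still runs the lookup and bookkeeping path; only the response body changes. The limit of 1000 hits per hour, the `HitLimiter` class and the burst shape are constructed for the example.

```python
from collections import defaultdict, deque


class HitLimiter:
    """Per-domain hit limit over a sliding window.

    Every request, allowed or rejected, goes through the same owner lookup
    and counter maintenance, which is what work_done records.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)      # domain -> timestamps inside the window
        self.work_done = defaultdict(int)   # domain -> requests processed (any outcome)

    def handle(self, domain, now):
        """Return an HTTP-style status for one request arriving at time `now`."""
        self.work_done[domain] += 1         # owner lookup, counter read: paid regardless
        window = self.hits[domain]
        while window and window[0] <= now - self.window:
            window.popleft()                # expire old hits
        if len(window) >= self.limit:
            return 429                      # "limit reached" page is still built and sent
        window.append(now)
        return 200


def simulate_burst(limiter, domain, requests, duration_seconds, start=0.0):
    """Replay a constructed burst spread evenly over the duration.

    Returns (allowed, rejected, processed) so the server-side cost of the
    rejected requests is visible next to the limit that stopped them.
    """
    allowed = rejected = 0
    for i in range(requests):
        now = start + i * duration_seconds / requests
        if limiter.handle(domain, now) == 200:
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected, limiter.work_done[domain]


if __name__ == "__main__":
    limiter = HitLimiter(limit=1000, window_seconds=3600)
    # Constructed burst: 2800 requests in three minutes against one domain
    print(simulate_burst(limiter, "example.rf.gd", requests=2800, duration_seconds=180))
```

The `processed` figure always equals the burst size; a limit changes what the attacker gets back, not how many requests the server has to look at, which is why the thread treats upstream filtering (Cloudflare in front of the origin) as the real mitigation.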

Ok that makes sense. It wasn’t something I’d really looked into so wasn’t sure how it worked.

1 Like

I know that DDoS can be a problem, especially with free accounts. The best choice is to upgrade to a paid plan or pay attention to where you share your links to your site. DDoS-as-a-service is cheap, starting as low as $20.

Cloudflare also provides DDoS protection, it’s free, and if you set it up correctly it actually works quite well. That is the recommended solution here; it just does not work on free subdomains, which is where this discussion was created I believe.

5 Likes

I don’t want to be the bad guy here, Cloudflare offers free hosting too.

Giving only high trust level people access to shared URLs removes the ability for newer users to participate in support topics, which may make it much harder to achieve a high trust level in the first place.

And considering that the attacks are not instant, it’s possible that the attacker is a forum member with a higher trust level already and is manually grabbing the URLs to be attacked.


Spitballing an idea here: how about being able to generate a “support info URL” from the client area? People could post that in the forum instead of their website URL. This info URL could then be:

  • Accessible for a limited time only.
  • Require client area login, and include logging of who accessed it.

This would make it impossible for the attacker to anonymously grab the website URLs.

And as a bonus: people don’t need to worry anymore about this forum showing up in search results when people search for their website.

And all of this can be done in the client area, without requiring any integration in Discourse.

The only question that remains is what information should be shared on it? Only a domain name, or other non-sensitive account information too (like usernames)?


It seems that the attacker has decided that I had a good point about hurting others… and decided to DDoS the forum instead. Hence the brief outage and “Under attack” mode now being enabled.

If you’re reading this, my offer to talk still stands. Just drop an email at [email protected] and we can discuss this.

7 Likes

This sounds like a working solution. Not everyone would use it but it would mitigate a lot the problems (hopefully)

If it’s something you need help with reach out :blush:

4 Likes

Somebody is DDoS’ing the platform. There is no way to stop it or control it. iFastNet doesn’t give a s*** once you’ve been attacked, and I don’t think @Admin can override iFastNet’s decisions.

We are just here for the ride, stuck in this scenario. We can’t get out, we’re stuck in it. I pray that this situation resolves itself, but so far it only got worse.

It’s not just us, our competitor-but-same-in-host aeonfree is being attacked too. Both their hosted sites and their forum.

:pray: :cry:

Unfortunately it is a risk of hosting all told.

If your site or service gets popular enough, people will attack it/your users.

We just have to do our best to get in with it

I know it feels like that. When I worked in customer service and complaints I’m sure I made more than my fair share of customers feel the same. And as a business, their care is limited to the bottom line ($$). But generally speaking the individuals want to help, but they are limited by the rules imposed on them

2 Likes

What about a support pin instead? I feel that is more familiar to users, then you can add a comment in the template like:

<!--   We recommend providing a support pin instead of your domain name to help protect your website. You can request a support pin from https://dash.../supportpin -->

<!-- Please enter your username, domain name, or support pin below -->

**Username, Domain, or Support Pin:**

Allowing the user to revoke/rotate the support pin would be nice as well (But still allow admins/mods to view the information with the old support pin if needed).

4 Likes
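The “support info URL” proposed earlier in the thread and the “support pin” variant just above share the same mechanics, so here is one added example covering both (written for this page; it is not InfinityFree client-area code). A short pin stands in for the domain name; resolving it requires a logged-in viewer and writes an access log entry on every attempt; pins expire; the owner can rotate a pin, which retires the old one; and admins or mods can still resolve retired or expired pins, as the post asks. The one-week lifetime, the `SupportPinService` class and the record fields are assumptions, and only a keyed hash of each pin is stored so a leaked table does not reveal live pins.

```python
import hashlib
import hmac
import secrets


class SupportPinService:
    """Issue, resolve and rotate short support pins that stand in for a domain."""

    TTL_SECONDS = 7 * 24 * 3600  # assumption: a pin is valid for one week

    def __init__(self, server_secret):
        self.secret = server_secret  # bytes; kept server-side only
        self.records = {}            # keyed hash of pin -> record dict
        self.access_log = []         # (now, viewer, pin, outcome) for every lookup

    def _key(self, pin):
        # Keyed hash rather than the pin itself: a DB leak does not expose live pins
        return hmac.new(self.secret, pin.encode(), hashlib.sha256).hexdigest()

    def issue(self, account, domain, now):
        """Create a new pin for an account/domain pair and return it."""
        pin = secrets.token_hex(4).upper()  # 8 hex chars, e.g. "3FA9C21B"
        self.records[self._key(pin)] = {
            "account": account,
            "domain": domain,
            "issued": now,
            "retired": False,
        }
        return pin

    def resolve(self, pin, viewer, now, is_admin=False):
        """Return {'account', 'domain'} or None. Always logs who tried."""
        def log(outcome):
            self.access_log.append((now, viewer, pin, outcome))

        if viewer is None:                      # anonymous visitor: never resolve
            log("denied-anonymous")
            return None
        rec = self.records.get(self._key(pin))
        if rec is None:
            log("unknown")
            return None
        expired = now - rec["issued"] > self.TTL_SECONDS
        if (rec["retired"] or expired) and not is_admin:
            log("retired" if rec["retired"] else "expired")
            return None
        log("ok")
        return {"account": rec["account"], "domain": rec["domain"]}

    def rotate(self, old_pin, account, now):
        """Owner retires the old pin and receives a fresh one for the same domain."""
        rec = self.records.get(self._key(old_pin))
        if rec is None or rec["account"] != account:
            raise PermissionError("pin does not belong to this account")
        rec["retired"] = True
        return self.issue(account, rec["domain"], now)


if __name__ == "__main__":
    svc = SupportPinService(b"constructed-server-secret")
    # Constructed account and domain, not real ones
    pin = svc.issue("if0_example", "example.rf.gd", now=1000)
    print(pin, svc.resolve(pin, viewer="moderator1", now=1000))
    print(svc.resolve(pin, viewer=None, now=1000))         # None, and logged
    new_pin = svc.rotate(pin, "if0_example", now=2000)
    print(svc.resolve(pin, viewer="moderator1", now=2000))  # retired -> None
    print(svc.resolve(pin, viewer="admin", now=2000, is_admin=True))
    print(svc.access_log)
```

Because every resolve attempt is logged with the viewer's account, an attacker cannot harvest domains from the forum anonymously, and after an incident the log answers who looked a pin up and when; the pin itself is safe to paste into a public support template.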