April 24, 2008
Starting at 18:00 CET (23.04.2008) someone started a distributed denial of service attack against my blog. The UDP flood attack was carried out, as my investigation showed, by hacked servers and not by zombie Windows clients. At the time of writing the attack is still underway but has gotten weaker after the first 24h.
The traffic accounting reports so far >750 GB of incoming traffic, but in reality it will be even higher, as not every packet was counted at the beginning of the attack because it consumed large amounts of network resources. The data center my server is located at removed the route for the subnetwork from the border gateways, so the operation of the whole data center was not affected. After, I guess, some network admins detected that some of their machines were being misused for a DDoS and shut them down, the traffic went down. After this happened the subnetwork was reactivated, and the blog is online again.
But why should someone attack my little blog in the first place? I haven't posted in the last 14 days. The only idea I have is that the hacker I found on the server of a friend and wrote about wanted to get even. What counts for this theory is that it is carried out by hacked servers from and to random UDP ports – a feature the bot I found also has.
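As an added example (not code from the original post): the random-to-random UDP port pattern described above is what separates a flood source from an ordinary UDP service in traffic accounting, since DNS or NTP keep at least one side of the port pair fixed. The Python script below runs that heuristic over constructed NetFlow-style records (all addresses are RFC 5737 documentation IPs, the packet and port thresholds are assumptions for this example) and returns a per-source summary of the kind used to decide which admins to contact.

```python
"""Flag UDP flood sources in flow records by their random-port signature.

A flooding host sends a large volume of UDP to one victim from many different
source ports to many different destination ports. Legitimate UDP services
(DNS, NTP) keep at least one side of the port pair fixed, so counting distinct
ports on both sides separates the two. Thresholds are assumptions for this
example, not values from the original post.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def constructed_flows(victim="192.0.2.1"):
    """Constructed sample, not real traffic: two flooders, DNS, NTP and one TCP flow."""
    flows = []
    # Flooders: 300 flows each, source and destination ports both spread widely.
    # The multipliers are coprime to 64000, so every port in the sequence is distinct.
    for attacker, step in (("203.0.113.10", 7919), ("203.0.113.77", 104729)):
        for i in range(300):
            src_port = 1024 + (i * step) % 64000
            dst_port = 1024 + (i * step * 31) % 64000
            flows.append(Flow(attacker, src_port, victim, dst_port, "udp", 40, 40 * 1400))
    # DNS responses: fixed source port 53, varying ephemeral destination ports.
    for i in range(60):
        flows.append(Flow("198.51.100.53", 53, victim, 32768 + i * 97, "udp", 2, 300))
    # NTP: fixed 123 -> 123.
    for _ in range(20):
        flows.append(Flow("198.51.100.123", 123, victim, 123, "udp", 1, 90))
    # Unrelated TCP, must be ignored by the UDP heuristic.
    flows.append(Flow("198.51.100.9", 44321, victim, 80, "tcp", 500, 400000))
    return flows


def summarize_udp_sources(flows, victim):
    """Aggregate UDP flows towards the victim per source IP."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                   "src_ports": set(), "dst_ports": set()})
    for f in flows:
        if f.proto != "udp" or f.dst_ip != victim:
            continue
        entry = per_src[f.src_ip]
        entry["packets"] += f.packets
        entry["bytes"] += f.bytes
        entry["src_ports"].add(f.src_port)
        entry["dst_ports"].add(f.dst_port)
    return dict(per_src)


def flag_flood_sources(flows, victim, min_packets=1000, min_distinct_ports=50):
    """Return suspected flood sources, heaviest first.

    A source is flagged only when it exceeds the packet threshold AND spreads
    both its source and destination ports over at least min_distinct_ports
    values; a busy DNS resolver has many destination ports but a single source
    port and is therefore not flagged.
    """
    suspects = []
    for ip, e in summarize_udp_sources(flows, victim).items():
        if (e["packets"] >= min_packets
                and len(e["src_ports"]) >= min_distinct_ports
                and len(e["dst_ports"]) >= min_distinct_ports):
            suspects.append({"src_ip": ip, "packets": e["packets"], "bytes": e["bytes"],
                             "src_ports": len(e["src_ports"]),
                             "dst_ports": len(e["dst_ports"])})
    return sorted(suspects, key=lambda s: (-s["bytes"], s["src_ip"]))


def abuse_report_lines(suspects):
    """One line per source, ready to paste into a mail to the network's abuse contact."""
    return ["%s - %d UDP packets, %.1f MB, %d src ports -> %d dst ports"
            % (s["src_ip"], s["packets"], s["bytes"] / 1e6, s["src_ports"], s["dst_ports"])
            for s in suspects]


if __name__ == "__main__":
    for line in abuse_report_lines(flag_flood_sources(constructed_flows(), "192.0.2.1")):
        print(line)
```

On real data the flows would come from the router's NetFlow/sFlow export or from a packet capture on the victim host; the heuristic stays the same. Note that the first hours of a flood may be under-counted by the accounting system, as the post describes, so packet thresholds should be applied per interval rather than to a single total.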
I’ll investigate further and report in my blog about it.
Update: The following IPs are still attacking me after >30h … it seems to be time to try to contact the admins.
220.127.116.11 (Pakistan) - informed - not active anymore after 48h
18.104.22.168 (Korea) - informed - not active anymore after 48h
22.214.171.124 (USA) - informed - reacted within 12h
126.96.36.199 (Germany) - informed - reacted within 12h
188.8.131.52 (Hungary) - informed - still active after 3 days
184.108.40.206 (Spain) - informed - reacted within 24h
220.127.116.11 (Korea) - informed - still active after 3 days
Update 2: 3 days after the start of the attack it still continues, OK, only with a lonely 2 systems, whose admins don't seem to care about the attack and my mail. What's the reason for this? Did the hacker lose control over them? What does he gain with it – the site is online without any problems for the users. Does anyone have an idea?