Blog for hpHosts, and whatever else I feel like writing about ....

Monday 1 June 2009

it-mate.co.uk/Avant Browser servers down

Just an FYI folks, both of the Avant Browser servers are currently down, and I can't get hold of Anderson (there's a number for him in China, but costs a bleedin fortune to call over there, so only gonna do that if I absolutely have to).

I've been on the phone to HopOne, who provide the dedicated servers for Avant, and they're going to reboot the main avantbrowser.com server as it is showing as unreachable. However, they can't do anything about the forum.avantbrowser.com server, which also houses the it-mate.co.uk sites, without Anderson's approval, so they're going to send him an e-mail with a reboot request.

If I've not heard from Anderson by 21:00 GMT, I'll give him a call.

I'll update this post when I know more.

Affected servers

209.160.32.64
66.235.180.132

Affected sites

it-mate.co.uk
support.it-mate.co.uk
guestbook.it-mate.co.uk
surl.co.uk
avantbrowser.com
avantforce.com
forum.avantbrowser.com
forum.avantbrowser.cn
wiki.avantbrowser.com
blog.avantforce.com
orcabrowser.com

Apologies for any inconvenience.

/edit 02-06-2009 02:45

I am happy to report, all servers are now back online.

Initial investigations show the downtime was caused by an HTTP flooding attack against the Avant Browser website. Talking to Anderson revealed that an attacker from China, incidentally the same country as Anderson, was flooding the server and had contacted Anderson via QQ (apparently the same as WLM), informing him he would not stop the attack until Anderson had paid him the amount asked for. Anderson informed me the attacker only asked for $300, which is the smallest amount I've ever heard of being demanded by an attacker.

At the present time, I don't have very much information on the attacker himself (I'll be getting more within the next day or two). However, analysis did show one thing in common: the user agent for all of the IPs he had attacking the servers was identical:

Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0;+MyIE+3.01)Cache-Control:+no-store,+must-revalidate

Unfortunately for our attacker, this made it extremely simple to identify and filter out the flooding, both at the server level and, once we'd given this information to the hosting company, at the hosting company level as well. No doubt this won't stop him for long, as the UA is obviously faked anyway and can quite easily be changed, but we've also taken the step of adding extra security and filtering to the servers themselves, and have blacklisted the IP ranges of those identified.
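The triage step described above (every attacking address sent one identical user-agent string, which made the flood trivial to pick out of the logs and block) can be scripted. The following is an added example, not code from this post or from the it-mate/Avant servers: it parses constructed Apache combined-format log lines, finds any user-agent that both dominates the request volume and arrives from several distinct client addresses, lists the source IPs, and emits an Apache 2.2-style deny rule for that exact user-agent. The log format, the TEST-NET sample addresses, the thresholds and the Apache directives are assumptions; the user-agent string itself is the one quoted in the post.

```python
"""Flag HTTP-flood sources that share one user-agent string.

Added example, not code from the hpHosts post: it reproduces the
triage step the post describes (every attacking IP sent the same UA)
over constructed Apache combined-format log lines.
"""
import re
from collections import Counter, defaultdict

# Assumption: the web server writes Apache "combined" format logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The user-agent quoted in the post, as it appeared in the logs.
FLOOD_UA = ("Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0;+MyIE+3.01)"
            "Cache-Control:+no-store,+must-revalidate")


def _line(ip, ua, path="/", second=0):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [01/Jun/2009:20:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')


# Constructed sample log: four flood sources (TEST-NET addresses) each
# sending 30 requests with the shared UA, plus three normal visitors.
FLOOD_SOURCES = ["192.0.2.11", "192.0.2.12", "198.51.100.7", "203.0.113.9"]
SAMPLE_LOG = "\n".join(
    [_line(ip, FLOOD_UA, second=s) for ip in FLOOD_SOURCES for s in range(30)]
    + [_line("192.0.2.200", "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0", "/forum/"),
       _line("192.0.2.201", "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0", "/wiki/"),
       _line("192.0.2.202", "Opera/9.64 (Windows NT 5.1)", "/")]
)


def parse_log(text):
    """Return one dict per parseable line; unparseable lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            records.append(m.groupdict())
    return records


def ua_profile(records):
    """Map each user-agent to (request count, set of distinct client IPs)."""
    hits = Counter()
    ips = defaultdict(set)
    for r in records:
        hits[r["ua"]] += 1
        ips[r["ua"]].add(r["ip"])
    return {ua: (hits[ua], ips[ua]) for ua in hits}


def find_flood_uas(records, min_share=0.5, min_ips=3):
    """User-agents that dominate traffic AND arrive from many addresses.

    A single busy client can legitimately produce a large share of
    requests; the distinct-IP threshold is what separates a coordinated
    flood from that case.
    """
    total = len(records)
    if total == 0:
        return []
    return [ua for ua, (count, ips) in ua_profile(records).items()
            if count / total >= min_share and len(ips) >= min_ips]


def sources_for_ua(records, ua):
    """Sorted distinct client IPs that sent the given user-agent."""
    return sorted({r["ip"] for r in records if r["ua"] == ua})


def apache_block_rule(ua):
    """Apache 2.2-style deny rule for an exact user-agent match.

    Assumption: Apache with mod_setenvif and mod_access loaded; adapt the
    directives for other servers.
    """
    return (f'SetEnvIf User-Agent "^{re.escape(ua)}$" flood_ua\n'
            'Order Allow,Deny\nAllow from all\nDeny from env=flood_ua')


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ua in find_flood_uas(recs):
        print("flood UA:", ua)
        print("sources:", ", ".join(sources_for_ua(recs, ua)))
        print(apache_block_rule(ua))
```

The share threshold alone would also flag a single heavy but legitimate client (a crawler, a monitoring probe), which is why the rule requires several distinct addresses too; and, as the post notes, a faked user-agent is trivial for the attacker to change, so the output is a first-pass filter to buy time, not a permanent block list.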

The IPs we identified were:

110.6.68.226        Resolution failed
113.87.123.207        Resolution failed
115.102.107.75        Resolution failed
115.102.122.215        Resolution failed
115.102.122.77        Resolution failed
115.102.122.90        Resolution failed
115.51.103.131        Resolution failed
116.113.100.67        Resolution failed
116.117.201.243        Resolution failed
116.30.237.161        Resolution failed
116.7.4.225        Resolution failed
117.136.9.73        Resolution failed
117.22.80.38        Resolution failed
117.69.217.29        29.217.69.117.broad.dynamic.hf.ah.cndata.com
117.8.79.197        Resolution failed
118.78.120.206        Resolution failed
118.78.223.5        Resolution failed
120.0.155.178        Resolution failed
120.142.44.79        Resolution failed
120.7.38.192        Resolution failed
121.201.3.40        Resolution failed
121.229.56.191        Resolution failed
121.230.57.93        Resolution failed
121.34.58.29        Resolution failed
121.42.198.75        Resolution failed
121.8.98.33        Resolution failed
123.118.0.99        Resolution failed
123.12.152.111        Resolution failed
123.14.196.156        Resolution failed
123.152.70.90        Resolution failed
123.17.171.186        Resolution failed
123.18.193.155        Resolution failed
123.19.91.81        Resolution failed
123.234.191.156        Resolution failed
124.131.162.37        Resolution failed
124.164.250.79        Resolution failed
124.64.10.233        Resolution failed
125.110.186.249        Resolution failed
125.121.223.38        Resolution failed
125.75.93.59        59.93.125.75.gs.dynamic.163data.com.cn
194.8.74.11        Resolution failed
210.21.81.133        Resolution failed
211.137.63.183        Resolution failed
211.81.53.58        Resolution failed
218.108.18.108        Resolution failed
218.66.14.152        Resolution failed
218.75.74.50        Resolution failed
218.85.120.61        Resolution failed
218.93.245.56        56.245.93.218.broad.sq.js.dynamic.163data.com.cn
219.140.230.36        Resolution failed
219.147.36.226        Resolution failed
220.165.71.195        195.71.165.220.broad.lj.yn.dynamic.163data.com.cn
220.181.61.220        Resolution failed
220.181.61.230        Resolution failed
221.213.45.244        Resolution failed
221.218.170.104        Resolution failed
221.220.224.242        Resolution failed
221.225.178.197        Resolution failed
221.3.101.143        Resolution failed
222.244.230.111        Resolution failed
58.215.65.183        Resolution failed
58.241.173.233        Resolution failed
58.249.40.255        Resolution failed
58.252.182.163        Resolution failed
58.255.128.187        Resolution failed
58.42.152.174        Resolution failed
58.55.96.159        Resolution failed
60.209.10.192        Resolution failed
60.233.156.208        Resolution failed
61.167.105.6        Resolution failed
76.161.2.106        static-76-161-2-106.dsl.cavtel.net
76.66.22.251        bas2-toronto48-1279399675.dsl.bell.ca


I'll post more in due course.
