Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 07-03-2003, 05:24 AM   #1
ThePornGuy
Confirmed User
 
Join Date: Mar 2003
Posts: 275
Silvercash updates

Any news?
Old 07-03-2003, 05:25 AM   #2
reynold
Too lazy to set a custom title
 
Join Date: Oct 2002
Location: Global Traveler
Posts: 51,271
No.
Old 07-03-2003, 05:27 AM   #3
Stallion
Confirmed User
 
Join Date: Jan 2001
Location: FL
Posts: 6,632
Getting pretty sad. 3+ days of constant downtimes.
Old 07-03-2003, 05:32 AM   #4
extreme
Confirmed User
 
Join Date: Oct 2002
Location: lalaland
Posts: 2,120
Could be really hard to fight off a big DDOS attack.
Old 07-03-2003, 05:32 AM   #5
ThePornGuy
Confirmed User
 
Join Date: Mar 2003
Posts: 275
Who are they being attacked by and why?
Old 07-03-2003, 06:04 AM   #6
lil2rich4u2
ICQ: 175171926
 
Join Date: Oct 2002
Location: New York, NY
Posts: 11,046
I have switched all my traffic to another sponsor, no time for this.

When they are back up for a while I will consider them again.
__________________
HEY!!

Unbeatable hosting! Customer service is top notch!

--> ISPrime <-- Do a search on any board, their reputation is rock solid .. for years!!
Old 07-03-2003, 06:16 AM   #7
web4x
Will everyone please review my newest site?
 
Join Date: May 2002
Posts: 841
Fuck they are down again. Seems like they can't fight the DOS attacks.

I redirected my traffic to another sponsor.
Old 07-03-2003, 06:19 AM   #8
ThePornGuy
Confirmed User
 
Join Date: Mar 2003
Posts: 275
I'd like to stick it out with them. It would be a major pain in the ass to switch but some info would be nice.
Old 07-03-2003, 06:50 AM   #9
sexxx
Confirmed User
 
Join Date: Aug 2001
Location: P
Posts: 101
LA Mike posted on the Silver board earlier today, they were attacked from hundreds of servers to their secure joinforms. They have bought and installed new firewalls yesterday.

It was up and running 7-8 hours ago, but it seems like they are attacked again today.......
Old 07-03-2003, 07:17 AM   #10
Rick Latona
The Best Ideas Start Here
 
Join Date: Dec 2002
Location: Atlanta
Posts: 6,037
I can tell you from my experience in the hosting business that these attacks are very difficult to defend. I wish them the best of luck.
__________________
Regards,

Rick Latona
http://latonas.com

Latona's - We Sell Money Making Web Properties
Note to buyers of websites and traffic: please check our inventory at http://latonas.com/websites-for-sale. If you would like to make an offer on something, just let me know.
Old 07-03-2003, 07:57 AM   #11
jimmyf
OU812
 
Join Date: Feb 2001
Location: California
Posts: 12,651
what the heck is going on all these attacks, GFY, AWI, SpamCop, SilverCash, and some in Europe. AWI is still down
__________________
Epic CashEpic Cash works for me
Solar Cash Paysite Plugin
Gallery of the day freesites,POTD,Gallery generator with free hosting
Old 07-03-2003, 08:01 AM   #12
DrGuile
Confirmed User
 
Join Date: Jan 2002
Posts: 2,025
Quote:
Originally posted by lil2rich4u2
I have switched all my traffic to another sponsor, no time for this.

When they are back up for a while I will consider them again.
Oh no! What will silvercash do without all those hits!

__________________
LiveBucks / Privatefeeds - Giving you money since 1999
Up to 50% Commission!
25% Webmaster Referal
Powered by Gamma
Old 07-03-2003, 08:01 AM   #13
El Pres
Confirmed User
 
Join Date: Aug 2002
Location: Alicante, Spain
Posts: 382
SpamCop's down.

Hmmmmm. where did I put that 8 million emails cd I bought for $19.99.
Old 07-03-2003, 08:04 AM   #14
jimmyf
OU812
 
Join Date: Feb 2001
Location: California
Posts: 12,651
Quote:
Originally posted by El Pres
SpamCop's down.

Hmmmmm. where did I put that 8 million emails cd I bought for $19.99.
nope they are not down now they were though off and on for a few days. At times running very SLOW. The last going on three days they were back to normal most of the time. I just save all spam with notepad and send later.
__________________
Epic CashEpic Cash works for me
Solar Cash Paysite Plugin
Gallery of the day freesites,POTD,Gallery generator with free hosting
Old 07-03-2003, 08:07 AM   #15
jimmyf
OU812
 
Join Date: Feb 2001
Location: California
Posts: 12,651
Quote:
Originally posted by sexxx
LA Mike posted on the Silver board earlier today, they were attacked from hundreds of servers to their secure joinforms. They have bought and installed new firewalls yesterday.

It was up and running 7-8 hours ago, but it seems like they are attacked again today.......
Looks like I can't get to their board even.

http://www.silvercash.com/affiliate/members/home/

The page cannot be displayed
The page you are looking for is currently unavailable.
The Web site might be experiencing technical difficulties,
or you may need to adjust your browser settings.
__________________
Epic CashEpic Cash works for me
Solar Cash Paysite Plugin
Gallery of the day freesites,POTD,Gallery generator with free hosting
Old 07-03-2003, 08:14 AM   #16
El Pres
Confirmed User
 
Join Date: Aug 2002
Location: Alicante, Spain
Posts: 382
Quote:
Originally posted by jimmyf
nope they are not down now they were though off and on for a few days. At times running very SLOW. The last going on three days they were back to normal most of the time. I just save all spam with notepad and send later.
I was joking.
Old 07-03-2003, 08:42 AM   #17
extreme
Confirmed User
 
Join Date: Oct 2002
Location: lalaland
Posts: 2,120
works now

edit: very slow though :].

Last edited by extreme; 07-03-2003 at 08:46 AM..
Old 07-03-2003, 08:46 AM   #18
basschick
Confirmed User
 
Join Date: Jan 2001
Location: el lay, ca usa
Posts: 2,540

still down for me
Old 07-03-2003, 10:06 AM   #19
LA Mike
Confirmed User
 
Join Date: Jul 2001
Location: Orange County, CA
Posts: 3,056
We are continually working on it guys. I don't know what else to say but sorry. We haven't slept in days and we have put up some of the best firewalls and routers and continue to battle.

I will keep you updated.
Old 07-03-2003, 10:49 AM   #20
rastakit
Confirmed User
 
Join Date: Nov 2002
Location: Father's office
Posts: 207
Perhaps this is the beginning of the DOS Hacker Olympics they keep talking about?

Good luck with this Mike...have you guys thought about dumping some of the domains onto a CDN for a bit? Might be able to deflect some of the load for a while and/or tell you more about the origin of the attack...sorry if that's repetitive info...

hope you guys are up soon...
__________________
The Pre-eminent Third-party "multiplier" in the Adult Space! (http://www.pornposse.com/members/join.htm)
Old 07-03-2003, 11:54 AM   #21
fantasyman
Let's do some business together
 
Join Date: Dec 2001
Posts: 973
Quote:
Originally posted by LAMike
We are continually working on it guys. I don't know what else to say but sorry. We haven't slept in days and we have put up some of the best firewalls and routers and continue to battle.

I will keep you updated.
Mike - if our techs can be of any assistance just lmk and we'll help you out if we can. Terrible how some folks want to mess with successful programs and be a nuisance......
Old 07-03-2003, 11:59 AM   #22
BradShaw
Confirmed User
 
Join Date: Oct 2001
Location: KB's trailer
Posts: 7,840
Best of luck Mike. Back in the day, we had constant attacks from the password community, taking shit down left and right. There is no easy answer. Our silvercash links are still up as always, this is just a slight bump in the road.
__________________
Sig too big

http://www.gofuckyourself.com/gfy_faqs.html

Want to use a large banner in your sig??? Contact Eric about getting on as an advertiser - eric AT adult.com
Old 07-03-2003, 12:00 PM   #23
smack
Push Porn Like Weight.
 
Join Date: Mar 2002
Location: Inside .NET
Posts: 10,652
Quote:
Originally posted by rastakit
Perhaps this is the beginning of the DOS Hacker Olympics they keep talking about?

Good luck with this Mike...have you guys thought about dumping some of the domains onto a CDN for a bit? Might be able to deflect some of the load for a while and/or tell you more about the origin of the attack...sorry if that's repetitive info...

hope you guys are up soon...
this has nothing to do with hackers. this is some stupid douchebag bag that thinks he is some great hacker, but all he can do is press start on his gay ass DOS attack program what the fuck logical purpose......like...grrrr....i dunno i just don't understand it. LAMike, good luck man.
__________________
Cry havoc and let slip the dogs of war.
Old 07-03-2003, 12:16 PM   #24
vending_machine
Confirmed User
 
Join Date: Jun 2002
Location: Seattle
Posts: 1,062
Quote:
Originally posted by LAMike
We are continually working on it guys. I don't know what else to say but sorry. We haven't slept in days and we have put up some of the best firewalls and routers and continue to battle.

I will keep you updated.
Often times with attacks like this, simple scripting and IP blocking (putting IPs up on lo0) is both cheaper and better than expensive firewalls.

That's been my experience in the past at least.
Old 07-03-2003, 12:20 PM   #25
Johnnyv
Registered User
 
Join Date: Sep 2002
Posts: 75
We are staying with you Mike.

Silvercash has been an honest and lucrative partner of ours for years, and it would take more than a little down time to get us to move anything anywhere else.

Johnny V.
Old 07-03-2003, 01:44 PM   #26
wdsguy
Ryde or Die
 
Join Date: Dec 2002
Location: California-Shanghai
Posts: 19,568
hey Mike is your upstream provider helping at all?
Old 07-03-2003, 04:39 PM   #27
docjohnson
Confirmed User
 
Join Date: Apr 2002
Posts: 173
Mike, are all of your paysites going down along with silvercash.com? I have PPC traffic I'm sending, and I'ma have to stop the campaigns if so.
__________________
Do you need SERIOUS SEO done for competitive keywords? See if one of my three plans will fit your needs today! You may qualify for my TOP10 Guarantee! Skype me @ mrclean78
Old 07-03-2003, 04:43 PM   #28
docjohnson
Confirmed User
 
Join Date: Apr 2002
Posts: 173
Nevermind, I answered my own question. I just checked and of the paysites are down as well....not good bro.
__________________
Do you need SERIOUS SEO done for competitive keywords? See if one of my three plans will fit your needs today! You may qualify for my TOP10 Guarantee! Skype me @ mrclean78
Old 07-03-2003, 04:47 PM   #29
Mr.Fiction
Confirmed User
 
Join Date: Feb 2002
Location: Free Speech Land
Posts: 9,484
Here is another thread about this issue, for those that haven't read it:
http://www.gofuckyourself.com/showth...hreadid=149406

Also, we plan to stick with Silvercash through the problems. Good luck guys.
Old 07-03-2003, 04:48 PM   #30
LA Mike
Confirmed User
 
Join Date: Jul 2001
Location: Orange County, CA
Posts: 3,056
Things should be normal soon... Keeping my fingers crossed. Some stuff going on that I think is going to end this thing soon.


Stay tuned
Old 07-03-2003, 04:51 PM   #31
WiredGuy
Pounding Googlebot
 
Join Date: Aug 2002
Location: Canada
Posts: 34,487
Quote:
Originally posted by Mr.Fiction
Also, we plan to stick with Silvercash through the problems. Good luck guys.
Same here, SC is a great company to work with and my traffic isn't leaving them.

WG
__________________
I play with Google.
Old 07-03-2003, 05:03 PM   #32
Madball
Confirmed User
 
Join Date: May 2002
Location: Oslo, Norway
Posts: 748
I know this may be inappropriate to ask, but can some of the guys here with experience protecting their programs outline some BASIC "must have" protection against these kind of attacks together with a price tag?

This sounds very scary and I hope Silvercash can resolve this issue as soon as possible.
Old 07-04-2003, 01:23 AM   #33
Terenzo
Confirmed User
 
Join Date: Jan 2002
Posts: 971
Quote:
Originally posted by LAMike
Things should be normal soon... Keeping my fingers crossed. Some stuff going on that I think is going to end this thing soon.


Stay tuned
please keep us informed here at gfy - i am still sending 7k hits a day to nowhere at the moment, i hope you guys will manage this.
Old 07-04-2003, 01:54 AM   #34
sexxx
Confirmed User
 
Join Date: Aug 2001
Location: P
Posts: 101
It has been running nicely for a couple of hours from europe.
The servers are very fast right now :-)
Old 07-04-2003, 02:29 AM   #35
XM
Confirmed User
 
Join Date: Jan 2001
Location: SVK
Posts: 406
only couple of hours. Down again.
XM
Old 07-04-2003, 03:20 AM   #36
Terenzo
Confirmed User
 
Join Date: Jan 2002
Posts: 971
do you know from what servers the attacks come from? why not take them down? should not be a problem. i normally fight back with 1000hits/sec but sometimes i have to turn up to 10k. if you are afraid of legal actions against you just publish a list of host where the attacks are coming from - i am sure many pissed affiliates will fight back.
Old 07-04-2003, 03:25 AM   #37
Petr
Confirmed User
 
Join Date: Mar 2002
Posts: 502
yeah, taking down thousands of computers, that makes sense
Old 07-04-2003, 03:32 AM   #38
SR
Confirmed User
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 2,239
Quote:
Originally posted by Terenzo
do you know from what servers the attacks come from? why not take them down? should not be a problem. i normally fight back with 1000hits/sec but sometimes i have to turn up to 10k. if you are afraid of legal actions against you just publish a list of host where the attacks are coming from - i am sure many pissed affiliates will fight back.
That's insane.

It's very hard to stop them.
A firewall doesn't help too much.
You need to block them before they come that far.

What I've heard is that a good traffic filter is the best solution.
There are some companies that are specialized in making systems to detect and stop heavy ddos attacks.
They cost a lot but will be worth it for things like this.
Your host should know about this or call a security expert.
Old 07-04-2003, 04:17 AM   #39
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
What SC is facing is known as a DDoS which means a Distributed
Denial of Service Attack. Anyone who thinks this is simple script
kiddies work is wrong.

I will try to outline in a simple way how a DDoS works and why it
is so hard to stop it.

First of all the attacker needs to hack 100's or 1000's of servers
in many different networks. Usually he picks servers that are
connected to large amounts of bandwidth. On each of the
machines he installs a server kind of program that listens to
commands from 1 central place and can launch any type of attack
on command. This can be simple webhits, or large packet streams
using multiple protocols, like ICMP, UDP or TCP/IP. For best effect
the attacker uses huge amounts of tiny packets as this causes
the maximum load possible on routers and servers.

Especially Cisco routers are known to have difficulties with HUGE
amounts of small non TCP packets. TCP/IP requires a handshake
protocol for communication whereas ICMP and UDP don't. So most
likely UDP or ICMP packet protocols are being used.

Once the attacker has a huge amount of these server type scripts
installed he can trigger all the nodes with 1 central script which will launch his attack simultaneously over all nodes. Since there are
so many nodes it's next to impossible to start blocking traffic with
a firewall. The nodes are all in different networks and use 10.000's of different IP's so it's virtually impossible to start
blocking IP's simply because there are too many. By blocking full
C-classes you will end up blocking half the internet so that's no
option either.

Using access-list filters on core routers is a bad idea because it
would create such a load that the routers will run out of memory
within seconds. Core routers switch gigabytes of traffic per
second so filtering it there is very bad idea. The router should
read each packet and compare it to a ruleset to see if it can be
forwarded or dropped.

The attack can be simple webpage hits, so it's very hard to
determine which packets are fraudulent and which not. With a
huge number of servers you can flood almost any server quite
easily.

The best way to handle DDoS attacks is with your upstream provider. Look at the traffic and write down from which core
networks the attacks are coming. Call those carriers and give
them the IP nets from which the attacks are coming. They can
either stop advertising those IP networks or contact RIPE/ARIN/SARIN to take action.

The solution in stopping the attack is not so much technical.
Understanding what's going on and determining where it comes
from and then getting up to the carrier that controls those IP nets
is where you can do something.

Mike I have a lot of experience with this stuff. I'm sure you have
really good people around you. In case you can use extra help
feel free to hit me up. As I tried to explain determining source nets
is the key to your problem.

DynaMite
UIN# 370820
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
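Added example (not part of the original thread): one way to do the "determine the source nets" step from post #39, ranking source networks by packet share and distinct hosts so the list can go to the upstream provider. The record format, thresholds and addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
from collections import defaultdict


def build_sample_records():
    """Constructed per-packet records: 'src_ip proto dst_port bytes'."""
    lines = []
    for host in range(1, 41):             # 40 sources sending tiny UDP packets
        lines += [f"198.51.100.{host} udp 443 60"] * 50
    for host in range(1, 26):             # 25 sources sending tiny ICMP packets
        lines += [f"203.0.113.{host} icmp 0 64"] * 30
    for host in (5, 9, 17, 30, 77):       # ordinary HTTPS clients
        lines += [f"192.0.2.{host} tcp 443 900"] * 3
    lines.append("not-an-ip udp 443 60")  # malformed record, must be skipped
    return lines


def rank_source_networks(records, prefix_len=24):
    """Group IPv4 sources into prefixes and rank the prefixes by packet count."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                 "hosts": set(), "protos": set()})
    total = 0
    for line in records:
        parts = line.split()
        if len(parts) != 4:
            continue
        src, proto, _port, size = parts
        try:
            addr = ipaddress.ip_address(src)
            nbytes = int(size)
        except ValueError:
            continue                       # unparsable source or size
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        entry = stats[str(net)]
        entry["packets"] += 1
        entry["bytes"] += nbytes
        entry["hosts"].add(src)
        entry["protos"].add(proto)
        total += 1
    ranked = [
        {
            "network": net,
            "packets": s["packets"],
            "hosts": len(s["hosts"]),
            "protos": sorted(s["protos"]),
            "avg_size": s["bytes"] / s["packets"],
            "share": s["packets"] / total,
        }
        for net, s in stats.items()
    ]
    ranked.sort(key=lambda r: r["packets"], reverse=True)
    return ranked


def suspect_networks(ranked, min_share=0.05, min_hosts=10):
    """Keep prefixes that carry a real share of traffic from many hosts."""
    return [r for r in ranked
            if r["share"] >= min_share and r["hosts"] >= min_hosts]


def format_report(suspects):
    """One line per prefix, ready to paste into a report to the carrier."""
    return [
        f"{r['network']}  hosts={r['hosts']}  packets={r['packets']}  "
        f"share={r['share']:.1%}  avg_size={r['avg_size']:.0f}B  "
        f"protos={','.join(r['protos'])}"
        for r in suspects
    ]


if __name__ == "__main__":
    ranked = rank_source_networks(build_sample_records())
    for line in format_report(suspect_networks(ranked)):
        print(line)
```

With spoofed sources the ranking only reflects the forged addresses, so it is meaningful when the traffic comes from real hosts, as this post assumes.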
Old 07-04-2003, 04:24 AM   #40
Shog
Registered User
 
Join Date: Jul 2003
Location: Rocklin, CA
Posts: 14
The attacks can vary, you can't have complete protection against this type of attack.

Distributed denial of service attacks, are very powerful, and much more widespread these days, because windows computers can now participate in them, which wasn't always the case.

Windows now has 'raw sockets' support which makes IP spoofing possible, so if a 2,000 windows botnet is all pumping garbage packets to a single server with fake source IPs, you pretty much are out of options for tracing, the only way of tracing is by tracking a single stream of data to the router they are coming from, 1 hop at a time, which is virtually impossible to get that kind of cooperation with every hop unless you're the FBI.

The attack a while back that went against ebay and yahoo was the same type of attack, using a unix variant, called trinoo, which is the same type of attack, except required rooted unix boxes to orchestrate since unix has had raw socket support forever, though required less servers because unix servers tend to be well connected.

The tools available to create these types of attacks nowadays are much easier to get into windows boxes than unix boxes.

http://grc.com/dos/grcdos.htm is a very good resource for info.

I have been receiving distributed denial of service attacks for about 9 months to a small site of my own off and on. After getting the server to be able to detect and cope with the volume of traffic to survive the hit, I still had an extreme volume of traffic coming into the server, which costs in bandwidth, so what I have done is set up round-robin DNS for my site, and when an attack comes in, block my own IP that is getting hit at the ISP, and legitimate traffic will flow to the other IPs. With a low DNS TTL this has been very effective. I also remove the attacked IP out of round-robin DNS when an attack is detected to minimize round-robin connect failures until the TTL's expire.

Routers at ISPs have a setting they can set that would prohibit a spoofed packet to leave the ISP, packets could only be spoofed within the subnets they are routing for, many many many ISPs don't have this 'egress filtering' turned on. If an attack could be traced back to a real IP, the victim can get ahold of a botnet client on an infected computer, disassemble it to find out what central resource it's connecting to, then go to the provider of that central resource and get it shut down. Many botnets are coded with hostnames hosted off free web based DNS services so the botnets can be administrated easier, giving the attacker the ability to move the bots to different IRC servers. Getting that central hostname out of a single attack bot will disable a botnet assuming they don't have an alternative way into the drone computers.

Josh
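Added example (not part of the original thread): a sketch of the round-robin DNS handling described in post #40, where an address under attack is withdrawn from the published record set and restored after a quiet period. The class, thresholds and addresses are hypothetical, and the per-address rate samples are assumed to come from wherever the traffic is still visible, such as the ISP's counters once the address is blocked there.

```python
from dataclasses import dataclass, field


@dataclass
class RoundRobinPool:
    addresses: list                 # every address the site can be served from
    ttl: int = 60                   # low record TTL (seconds), assumed value
    attack_pps: int = 5000          # packets/sec treated as an attack, assumed
    quiet_secs: int = 600           # calm time required before restoring
    withdrawn: dict = field(default_factory=dict)
    _cursor: int = 0

    def published(self):
        """Addresses currently handed out in DNS answers."""
        return [ip for ip in self.addresses if ip not in self.withdrawn]

    def answer(self):
        """Return the live record set, rotated one step per query."""
        live = self.published()
        if not live:
            return []
        self._cursor = (self._cursor + 1) % len(live)
        return live[self._cursor:] + live[:self._cursor]

    def observe(self, ip, pps, now):
        """Feed one rate sample; returns 'withdraw', 'restore', 'keep' or None."""
        if ip not in self.addresses:
            return None
        if pps >= self.attack_pps:
            if ip in self.withdrawn:
                self.withdrawn[ip]["last_hot"] = now   # attack still running
                return None
            if len(self.published()) <= 1:
                return "keep"       # never withdraw the last published address
            self.withdrawn[ip] = {"since": now, "last_hot": now}
            return "withdraw"       # pair this with the block request to the ISP
        state = self.withdrawn.get(ip)
        if state and now - state["last_hot"] >= self.quiet_secs:
            del self.withdrawn[ip]
            return "restore"
        return None

    def stale_until(self, ip):
        """Caching resolvers may still return a withdrawn address until then."""
        return self.withdrawn[ip]["since"] + self.ttl


if __name__ == "__main__":
    pool = RoundRobinPool(["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    print(pool.observe("192.0.2.11", 20000, now=0), pool.published())
    print("clients may still try it until t =", pool.stale_until("192.0.2.11"))
    print(pool.observe("192.0.2.11", 50, now=600), pool.published())
```

The gap between withdrawal and `stale_until` is the window of connect failures the low TTL is meant to keep short.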
Old 07-04-2003, 04:27 AM   #41
Mr.Fiction
Confirmed User
 
Join Date: Feb 2002
Location: Free Speech Land
Posts: 9,484
Quote:
Originally posted by Shog
The attacks can vary, you can't have complete protection against this type of attack.

Distributed denial of service attacks, are very powerful, and much more widespread these days, because windows computers can now participate in them, which wasn't always the case.

Windows now has 'raw sockets' support which makes IP spoofing possible, so if a 2,000 windows botnet is all pumping garbage packets to a single server with fake source IPs, you pretty much are out of options for tracing, the only way of tracing is by tracking a single stream of data to the router they are coming from, 1 hop at a time, which is virtually impossible to get that kind of cooperation with every hop unless you're the FBI.

The attack a while back that went against ebay and yahoo was the same type of attack, using a unix variant, called trinoo, which is the same type of attack, except required rooted unix boxes to orchestrate since unix has had raw socket support forever, though required less servers because unix servers tend to be well connected.

The tools available to create these types of attacks nowadays are much easier to get into windows boxes than unix boxes.

http://grc.com/dos/grcdos.htm is a very good resource for info.

I have been receiving distributed denial of service attacks for about 9 months to a small site of my own off and on. After getting the server to be able to detect and cope with the volume of traffic to survive the hit, I still had an extreme volume of traffic coming into the server, which costs in bandwidth, so what I have done is set up round-robin DNS for my site, and when an attack comes in, block my own IP that is getting hit at the ISP, and legitimate traffic will flow to the other IPs. With a low DNS TTL this has been very effective. I also remove the attacked IP out of round-robin DNS when an attack is detected to minimize round-robin connect failures until the TTL's expire.

Routers at ISPs have a setting they can set that would prohibit a spoofed packet to leave the ISP, packets could only be spoofed within the subnets they are routing for, many many many ISPs don't have this 'egress filtering' turned on. If an attack could be traced back to a real IP, the victim can get ahold of a botnet client on an infected computer, disassemble it to find out what central resource it's connecting to, then go to the provider of that central resource and get it shut down. Many botnets are coded with hostnames hosted off free web based DNS services so the botnets can be administrated easier, giving the attacker the ability to move the bots to different IRC servers. Getting that central hostname out of a single attack bot will disable a botnet assuming they don't have an alternative way into the drone computers.

Josh
Damn, that's a serious first post.
Old 07-04-2003, 04:36 AM   #42
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
Quote:
Originally posted by Mr.Fiction


Damn, that's a serious first post.
Yup it is and it's spot on. The egress filter is a good option if the
packets are really spoofed. If the attacker is in control of many
different servers then it gets harder as the packets are real
packets and are not being forged.

There are so many badly secured servers on the internet that it's
quite easy to root boxes and gain control while being completely
stealth. LRK, Adore Kernel Plugin, Known exploits make it easy to
install stuff on servers and be completely hidden. Many times the
administrators never notice that their box has been compromised.

They upload new versions of popular system programs like:
ls, netstat, ps, pstree, slocate, traceroute, w, who, cp, mv,
kill, killall, ping, etc, etc which won't list any connections/scripts
that are being used by the hacker. These modified system
programs have the exact same filesize and timestamp as the
original ones that were installed on the server so they are quite
hard to find.

DynaMite
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
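Added example (not part of the original thread): post #42 notes that replaced system programs keep the original file size and timestamp, so an audit has to compare content hashes against a known-good baseline. The file names and contents below are constructed stand-ins written to a temporary directory; on a real host the baseline would be stored off the machine and the audit run with trusted tools.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Size, mtime and SHA-256 of one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "sha256": digest.hexdigest()}


def snapshot(paths):
    """Baseline taken while the system is known to be clean."""
    return {p: fingerprint(p) for p in paths}


def audit(baseline, paths):
    """Compare current files with the baseline; returns {path: finding}."""
    findings = {}
    for p in paths:
        old = baseline.get(p)
        if old is None:
            findings[p] = "not in baseline"
            continue
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        new = fingerprint(p)
        meta_same = (new["size"], new["mtime"]) == (old["size"], old["mtime"])
        if new["sha256"] != old["sha256"]:
            findings[p] = ("content changed, size and mtime preserved"
                           if meta_same else "content changed")
        elif not meta_same:
            findings[p] = "metadata changed only"
    return findings


def demo():
    """Constructed case: one file swapped for same-length content, mtime reset."""
    with tempfile.TemporaryDirectory() as d:
        netstat = os.path.join(d, "netstat")   # stand-in, not a real binary
        ps = os.path.join(d, "ps")             # stand-in, left untouched
        with open(netstat, "wb") as fh:
            fh.write(b"ORIGINAL-BINARY-CONTENT")
        with open(ps, "wb") as fh:
            fh.write(b"UNTOUCHED")
        for p in (netstat, ps):
            os.utime(p, (1000000000, 1000000000))
        baseline = snapshot([netstat, ps])

        # Same byte length as before, timestamp put back to the original value.
        with open(netstat, "wb") as fh:
            fh.write(b"REPLACED-BINARY-CONTENT")
        os.utime(netstat, (1000000000, 1000000000))

        findings = audit(baseline, [netstat, ps])
        return {os.path.basename(k): v for k, v in findings.items()}


if __name__ == "__main__":
    print(demo())
```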
Old 07-04-2003, 04:57 AM   #43
Carrie
Confirmed User
 
Join Date: Apr 2002
Location: Virgin - nee
Posts: 3,162
Mike, I know you guys will spare no expense in getting this taken care of - might I suggest that you contact Steve Gibson and bring him on board as a consultant during this attack?
He commonly deals with DDOS attacks and pulls them apart and finds a way to stop or deflect them.
The closest associated emails I can find [email protected] and [email protected] and a phone number of 714-362-8800.
Also definitely take a look at the IPs that the attacks are coming from (you should be able to take apart the attacks and determine if they're spoofed and what the true addy is) and start contacting the owners of those IPs. IE, if any of these attacks are coming from servers on the Rackshack network, send a captured sample of the attack to [email protected] and these emails:
Patrick [email protected] Sen. Sys. Admin
Mario [email protected] Customer Service Manager
Greg [email protected] Support Team Manager
Robert [email protected] Rackshack CEO

and give them a call. Rackshack will be happy to investigate it on their end and start unplugging boxen (although I must say, if they notice any of their servers sending out abnormal amounts of packets like this, they'll unplug them on their own).


I'd like to add to the discussion that it doesn't take a genius or a serious cracker to do this. One patient person with the right script and a list of IPs from a cable provider (like RoadRunner or Cox) can rack up insecure windows boxes left and right. Then the boxes open a connection to an irc chat room where they wait for their marching orders.
Once the orders come in, the boxes all start sending traffic to the victim... and the owners of these computers on cable connections aren't even aware of it. Full-time "always on" connections with nice fat pipes and thousands of insecure boxen blindly following orders - ugh.
The guys can also employ true servers in the attack, and it's the same for that, just running a script that searches for insecure boxen and then goes in and buries itself to await orders.

I assume that this attack is from that Deepsy guy?