Enemies in High Places?

Earlier today, for the period between twelve and five hours ago, this website and blog may have been difficult (or impossible) for you to access. I’ve been discussing it with my tech friend, and it appears that somebody with an address locating them at Oxford University (i.e. ending with ox.ac.uk) has been engaging in malicious activity against the site, at one time hitting the blog 1599 times over four hours until the server was unable to cope. They were not alone, but this particular user/system was the main offender.

Of course it’s nice to attract attention from that particular part of the world, but this isn’t quite the sort I’m after! Some upgrades have been made to the server so this is less likely to have the same effect in the future should similar actions be taken. The IP address in question has been blocked.

Whenever security measures are upgraded, some innocent parties are affected. If you know of anyone who is having difficulty accessing the site, please let me know (or ask them to let me know). Email me: peoples dot glenn at gmail dot com.


18 thoughts on “Enemies in High Places?”

  1. That’s truly freaky.

    I was wondering why I couldn’t get through, but never dreamed the cause was so malicious!

  2. Well I suppose it’s theoretically possible that for some reason everyone at Oxford suddenly decided that they just had to visit the site all at once… but they were all sharing one computer and… they were taking turns.

  3. This last decade DDOS (Dynamic Denial of Service) attacks have been on the rise and are usually directed against someone to extort money or because they made someone mad. The problem is some of the IPs used could just be zombies and the owners of them may not even know their computer is being used for such a thing. It could be someone in NZ who didn’t like Glenn activated a bot and it told the Oxford computer to pound on Glenn’s server. If the ISP has good filtering and has a good size server farm, they should be able to fend off most attacks.

  4. 1599 times over four hours is not a DDOS attack. Any simple server should be able to handle much more than that. I’ve noticed that ever since you moved to the new server this site’s performance has been flaky at best. I think the best starting place would be to look at your host. You are probably on a shared server with a shared database with many others. All it takes is for *someone else* on that server to be attacked or have a particularly busy day or get a virus and your site will stagger.

  5. @Anon; it was possibly a number of users, but the chances of someone hacking a server at Oxford.. remotish. I guess it could have been a user’s PC within their network. Will never really know, all we can know is who owns the IP range.

    @Damian: The 1599 times was 4 page loads every second (the same page). This was not the only IP responsible, just an example of one of those responsible (the most interesting one). The whole attack lasted 4 hours. This IP attacked for 6 mins and 45 secs, approx.

  6. Glenn, when I do a net trace on your site each page is making 85(!) requests totalling 716KB. About 50 of those requests are directly to your site. Each ‘page refresh’ constitutes about 50 requests to your server.

    I’m assuming you are in a shared environment. You’ve recently changed hosts. It appears that your new host is CleverInternet. CleverInternet run shared servers for all their base website plans (nothing wrong with that; I use shared servers all the time). From personal experience your site has been flaky ever since you changed.

    As much as you would like this to be some conspiracy it’s unlikely in my opinion.

    My advice is to optimise your site. Remove any broken scripts (Shadowbox) and extraneous gadgets. If you have Firefox, install the Firebug and Yslow plugins and run some performance tests.

    If this doesn’t help, ask your host about their server performance. They may be able to move you to a different server (like I say, each server is different). If problems continue to occur try a different host.

  7. “Seriously, who would have a shared database?”

    Filthy uncivilized barbaric unhygienic Internet dwellers! Disgusting LOL

  8. Geoff, my bad. Yes I should have made it clear that this one IP address was not the only one involved in that window of incredibly high activity.

  9. 1599 hits over a very short time from the same IP on the same page, whether it’s a DOS attack or not, is obviously suspect. Obviously.

    Whether a server should be able to take more hits than that in overall traffic or not is beside that point. No one IP address would have a legitimate reason for that many hits on one page in that sort of timeframe. That is intentional, and surely malicious.

    I would be following up the source of that attack. Perhaps let Oxford know what address it came from. They would not be happy about that happening.
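
The pattern the comments above argue about (one address requesting the same page roughly four times a second for 6 minutes 45 seconds) can be picked out of an access log with a per-address, per-page sliding window. This is an added example, not part of the original post or its comments; it assumes the server writes common/combined log format, and the function names, the 120-requests-per-60-seconds threshold and the sample addresses are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" \d{3} \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_bursts(lines, window_s=60, threshold=120):
    """Map (ip, path) -> peak requests seen in any window_s-second window,
    for pairs that reached threshold. Both limits are assumptions to tune."""
    recent = defaultdict(deque)   # per (ip, path): timestamps still in window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, path = m.groups()
        t = datetime.strptime(ts, TIME_FMT)
        q = recent[(ip, path)]
        q.append(t)
        while (t - q[0]).total_seconds() >= window_s:
            q.popleft()           # drop hits older than the window
        if len(q) >= threshold:
            peaks[(ip, path)] = max(peaks.get((ip, path), 0), len(q))
    return peaks

def sample_log():
    """Constructed log: one client repeats one page 1599 times in 6 min 45 s,
    another browses normally. Addresses are documentation ranges."""
    start = datetime(2010, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    hits = [(start + timedelta(seconds=i * 405 / 1599), "192.0.2.10", "/blog/")
            for i in range(1599)]
    hits += [(start + timedelta(seconds=45 * i), "198.51.100.7", p)
             for i, p in enumerate(["/", "/blog/", "/about/", "/blog/", "/contact/"])]
    return ['%s - - [%s] "GET %s HTTP/1.1" 200 5120' % (ip, t.strftime(TIME_FMT), path)
            for t, ip, path in sorted(hits)]

if __name__ == "__main__":
    for (ip, path), peak in find_bursts(sample_log()).items():
        print(f"{ip} {path}: peak {peak} requests/60s")
```

Keying the window on the address and the page together keeps an ordinary reader, whose requests are spread over several pages, out of the report even when the whole site is busy.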
