Intel DDoSed my website with 11.1M requests

Last night at 5:30 PM and this morning at 10:45 AM, both in UTC+2, my website was hit by massive DDoS attacks from two Intel IP addresses.

The peaks were 3.8M and 11.1M requests per second, respectively.

146.152.233.45: ASN 4983 - INTEL-SC-AS
146.152.233.53: ASN 4983 - INTEL-SC-AS

I would say that it is crucial to consider the possibility that their network might have been compromised, or that an employee might be involved in unauthorized activities.

Screenshot from Cloudflare WAF is here: https://imgur.com/a/ddos-by-ip-from-intel-A1ISx7C

Has anyone else experienced this? Any advice or insights would be greatly appreciated!

37 points | by bennythink 43 days ago

8 comments

  • everfrustrated 43 days ago
    If you do a WHOIS on the AS number you should find an Abuse email address which is the best place to start. Generally abuse@company if you just want to guess.

    Intel do have a developer cloud through which they make servers available to people, so it's possible the traffic could be coming from something like that rather than Intel corporate. See https://www.youtube.com/watch?v=MWsEKDklEkc

    • bennythink 43 days ago
      Thanks for the tip, it's amazing to me that they have cloud services...
  • LinuxBender 43 days ago
    I see IPs from the same subnet in a couple of blocklists.

        blocklist_de.ipset:146.152.233.43
        blocklist_de_ssh.ipset:146.152.233.43
        firehol_level2.netset:146.152.233.43
    
    From this repo [1]

    That would suggest end-users have some way to control them, though usually for spam.

    Did you happen to by chance capture any of the individual packets in tcpdump verbose mode? e.g.

        tcpdump -p --dont-verify-checksums -i any -NNnnttvvv -B16384 -s0 -c 512 not port 22 -w /dev/shm/dos.cap
    
    Command decoded: not promiscuous, checksums are useless computation here, all interfaces, disable resolving names, ports, services, use epoch time, very verbose, 16k buffer despite CPU likely being our bottleneck, full packet, 512 packets, not port 22 ssh, save to a file in a ramdisk

    Did you reach out to the person listed here? [2] Try that phone number in a few hours. Be polite and just give them the facts so they don't get defensive. If they don't answer try email.

    [1] - https://github.com/firehol/blocklist-ipsets.git

    [2] - https://bgp.he.net/AS4983#_whois

    • bennythink 43 days ago
      Thanks, I emailed a few email addresses @intel.com because my oral English is so bad that I don't want to call. But you know, those kinds of emails usually fall on deaf ears.
  • everfrustrated 43 days ago
    You say website, so I'll presume this is http traffic.

    In which case putting in a simple hits/IP rate limiter with something like nginx is probably enough to defend against this for the future.

    https://nginx.org/en/docs/http/ngx_http_limit_req_module.htm...

    • bennythink 43 days ago
      That's exactly what I did, and I even put a managed challenge on the entire ASN using Cloudflare WAF.
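As an added example (not code from this thread or from nginx's own docs), here is a minimal per-IP rate limiter of the kind everfrustrated suggests, built on ngx_http_limit_req_module. The rate, burst, zone size, hostname and backend address are illustrative values, and the real-IP handling assumes the site sits behind Cloudflare, as the original post implies:

```nginx
# Added example (not from this thread): per-IP request rate limiting with
# ngx_http_limit_req_module. Rates, zone size, hostname and backend address
# are illustrative values, not recommendations for any specific site.

http {
    # Assumption: the origin sits behind Cloudflare. Without this, nginx sees
    # Cloudflare edge addresses and would rate-limit Cloudflare itself rather
    # than the real client. Trust CF-Connecting-IP only from Cloudflare's
    # published ranges (PLACEHOLDER below; fill in the current list).
    set_real_ip_from 203.0.113.0/24;   # PLACEHOLDER: replace with Cloudflare ranges
    real_ip_header   CF-Connecting-IP;

    # One 10 MB shared zone keyed on the (real) client address, room for
    # roughly 160 thousand addresses; steady-state allowance of 10 req/s per IP.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

    # Return 429 instead of the default 503 so limited clients are
    # distinguishable from a genuinely failing backend in the logs.
    limit_req_status 429;
    limit_req_log_level warn;

    # Set to "on" first to log what would be limited without enforcing it,
    # then switch it off once the thresholds look right for normal traffic.
    limit_req_dry_run off;

    server {
        listen 80;
        server_name example.com;   # placeholder hostname

        location / {
            # Allow short bursts of up to 20 extra requests; nodelay serves
            # the burst immediately instead of queueing it.
            limit_req zone=per_ip burst=20 nodelay;
            proxy_pass http://127.0.0.1:8080;   # placeholder backend
        }
    }
}
```

Two practical notes on this design. The zone key is `$binary_remote_addr`, so the limit applies per address; the two addresses in the thread, at millions of requests per second, would exhaust the 20-request burst within the first second and receive 429 for everything after that. The limiter still costs the origin a TCP accept and a request parse per hit, though, so at volumetric rates it protects the application rather than the bandwidth; keeping the traffic off the origin entirely is what an upstream filter such as the Cloudflare WAF rule the poster ended up using does.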
  • pxeger1 43 days ago
    It’s not really a DDoS if it’s two addresses. Just block them and move on.
  • midzer 43 days ago
    I had an attack on one of my websites from the AWS network, lasting ~6 hours and generating almost 100GB of traffic on an ultra-low-bandwidth site. Also several million requests.

    My hoster of the frontend suspended it afterwards. Backend hosting service banned those IPs temporarily.

    • bennythink 43 days ago
      Ohh, that's sad to hear about your story. However, AWS is selling EC2 and Elastic IPs; I don't remember Intel also providing hosting services.
  • bennythink 43 days ago
    Edited:

    It turns out Intel does have some developer cloud, so the attack may have come from a random bad guy on the internet rather than Intel itself. Thanks to everfrustrated!

  • nubinetwork 43 days ago
    I haven't seen anything from those IPs in the past 90 days.

    Any idea what they were looking for? Given other companies are hitting websites for AI training, I'd be curious if Intel is trying to do something similar?

    • bennythink 43 days ago
      Well, it's a long story. I exposed some dark thing about a cybercrime forum, and this is one of the retaliations; the other one is card testing/fraudulent payments.