MIA Status: Attack Log

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
<meta name="author" content="Basgen"/>
<title>MIA Status: Attack Log</title>
<link rel="stylesheet" type="text/css" href="/web/20071212133602cs_/http://www2.cddc.vt.edu/marxists/css/border-black.css"/>
</head>
<body>
<p class="title"><a href="index.htm" class="title">MIA</a>: Attack Log</p>
<blockquote>
<div class="border">
<h3>Attack Log</h3>
<hr/>
<p class="fst"><span class="term">January 10 - 13:</span> Sporadic reports come in from volunteers in Australia and Asia that the MIA is not accessible for a few hours, and then comes back.</p>
<h5>First attack</h5>
<p class="fst"><span class="term">January 15:</span> MIA detects a series of DoS (Denial of Service) SYN floods from various Chinese networks. Unlike the attacks of the previous few days, these are constant. These attacks cause our server to have a kernel panic and crash. As soon as the server reboots, the SYN floods [<a href="https://web.archive.org/web/20071212133602/http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0116">CVE-1999-0116</a>] cause another crash, and this continues constantly.</p>
<p>First, we write a crude script that blocks every SYN flood attempt, every minute. This is successful only for a short period, as the sheer number of Chinese IPs sending the SYN floods is too large to overcome. Next, we figure out that the SYN floods are exploiting a vulnerability in the Linux kernel (version 2.4.23), and we rebuild the Linux kernel to version 2.4.34, which overcomes these attacks. Meanwhile, the nature and origin of the attack, our previous history with the Chinese government (censorship, etc.), and the experience of others suggest that this may be politically motivated and directed by the Chinese government.</p>
<center>
<table cellpadding="5%" class="data">
<tr><td class="head" style="font-size: 10pt" colspan="2">1 hour sample of attacking IP origins</td></tr>
<tr><td>222.35.30.105</td><td>China Railway Telecom, Beijing</td></tr>
<tr><td>60.16.220.61</td><td>CNC Group, Liaoning Province Network, Liaoning</td></tr>
<tr><td>121.34.136.245</td><td>China Net, Guangdong Province Network, Guangzhou</td></tr>
<tr><td>222.240.83.89</td><td>China Net, Changsha Node Network</td></tr>
<tr><td>122.4.213.41</td><td>China Net, Shandong Province Network, Jinan</td></tr>
<tr><td>203.192.13.2</td><td>Xinhua News Agency</td></tr>
<tr><td>221.216.207.194</td><td>CNC Group, Beijing Province Network, Beijing</td></tr>
<tr><td>221.6.37.60</td><td>Nanjing Medical University, Nanjing Jiangsu Province Network, Nanjing</td></tr>
<tr><td>221.226.2.213</td><td>China Net, Jiangsu Province Network, Jiangsu</td></tr>
<tr><td>61.233.167.159</td><td>China Railway Telecom Center, unknown city</td></tr>
</table>
</center>
<p>At this point, however, our 4 year old server heaves under the strain. The string of constant reboots has taken its toll: the server reports a Machine Check Exception for a CPU context corruption, causing further crashes. This process further bludgeons the damaged server, and subsequent boots cause a failure in the RAID, forcing a rebuild of the array. During further crashes, one of the disks fails, making future rebuilds of the array quite hopeless.</p>
<p>Ironically, MIA had planned to purchase a new server in 2007, since our server was 4 years old and the end of its expected service life had nearly arrived. This attack forced this process to double in pace, but another disaster would soon strike.</p>
<p class="fst"><span class="term">January 16:</span> In order to buy a new server, we needed to speak to our hosting provider and ISP, <a href="https://web.archive.org/web/20071212133602/http://www.communitycolo.net/">CCCP</a>. We had been trying to contact CCCP for several months, to no avail, but after an urgent appeal we finally received a response: CCCP is shutting down on February 1st. This, at least, explained our difficulties in contacting them!</p>
<p>To recount events to date: first, we are attacked by China; second, our server hardware fails; third, our hosting provider is shutting down in two weeks.</p>
<p>Late in the day, after reviewing several options, we settle on the kind of server to buy to meet our needs.</p>
<p class="fst"><span class="term">January 17:</span> After a long search covering about 12 different options for colocation, we find one that suits our high bandwidth needs at a reasonable, low cost.</p>
<p class="fst"><span class="term">January 18:</span> After three days of debate, MIA votes 14 to 4 to post a notice indicating that the source of the attacks was likely the Chinese government.</p>
<p class="fst"><span class="term">January 20:</span> Marxists.org is redirected to our mirror servers. On the following day, a round robin DNS is set up between three MIA mirrors.</p>
<h5>Second attack</h5>
<p class="fst"><span class="term">January 21-24:</span> Mirror sites see a change in tactics: a cruder Denial of Service attack is launched, in which Chinese sources download material from the Chinese section en masse. The German mirror combats this by limiting the number of connections to the server. Nevertheless, server load remains extremely high.</p>
<hr/>
<p class="footer"><a href="index.htm">Marxists Internet Archive</a></p>
</div>
</blockquote>
</body>
</html>
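<p>The "crude script that blocks every SYN flood attempt, every minute" from the first attack is not on the page. The following is an added example, not the MIA's own script: it counts half-open (SYN_RECV) connections per peer from <code>ss</code> output, drops traffic from peers above a threshold, and shows the kernel-side SYN cookie setting that removes the need to race the flood; the host, threshold and the sample connection table are assumptions.</p>

```shell
#!/bin/sh
# Added example, not the MIA's own script. Assumes a Linux host with `ss`,
# iptables and sysctl; the half-open connection sample below is constructed.

# Constructed sample of `ss -Htn state syn-recv` output (IPv4 peers only):
# Recv-Q Send-Q Local:Port Peer:Port, no header because of -H.
SAMPLE_SYN_RECV='0 0 192.0.2.10:80 198.51.100.7:41022
0 0 192.0.2.10:80 198.51.100.7:41023
0 0 192.0.2.10:80 198.51.100.7:41024
0 0 192.0.2.10:80 198.51.100.7:41025
0 0 192.0.2.10:80 203.0.113.5:51000
0 0 192.0.2.10:80 203.0.113.5:51001
0 0 192.0.2.10:80 203.0.113.9:60000'

# Read ss-style rows on stdin, count half-open connections per peer address
# and print "count address" for every peer at or above threshold $1.
syn_offenders() {
  awk -v t="$1" '{
      peer = $4; sub(/:[0-9]+$/, "", peer)   # strip the port suffix
      n[peer]++
    }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Live mode (not exercised by the demo): run once a minute from cron and
# drop traffic from each offender. -C tests whether the rule already exists
# so the minutely run does not stack duplicate DROP rules. IPv6 peers would
# need ip6tables instead.
block_offenders() {
  ss -Htn state syn-recv | syn_offenders "${1:-50}" |
  while read -r count ip; do
    iptables -C INPUT -s "$ip" -j DROP 2>/dev/null ||
      iptables -I INPUT -s "$ip" -j DROP
    logger -t synblock "dropped $ip ($count half-open connections)"
  done
}

# Kernel-side mitigation: SYN cookies let the kernel answer a flood without
# filling the listen backlog, so per-address blocking becomes a backstop.
enable_syncookies() {
  sysctl -w net.ipv4.tcp_syncookies=1
  sysctl -w net.ipv4.tcp_max_syn_backlog=2048
}

# Offline demo on the constructed sample: a threshold of 3 flags one peer.
demo() {
  printf '%s\n' "$SAMPLE_SYN_RECV" | syn_offenders 3
}

demo
```

Per-address blocking by itself could not keep up with the number of sources the log describes, which is why the kernel change (here SYN cookies, on the page a kernel upgrade) is the mitigation that actually held.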