Replies to This Discussion

Permalink Reply by Frank Judnich on December 8, 2012 at 6:47pm

I think there also may be a problem with www.atheist.org.

Permalink Reply by Matt Kovach on December 8, 2012 at 7:39pm

The technical team behind the project confirmed it was a DoS attack.  We had processes in place to manage the influx, including the temporary suspension of submissions when the email queue grew too large.  We are working to get the site back online as soon as we can.

Permalink Reply by Reg The Fronkey Farmer on December 8, 2012 at 8:04pm

I don’t know what email type you have but if you disable relay on the exchange server and send only from its own or specific IP addresses it might help. You could get your MX and A-records changed with you ISP – messy but could work quickly enough. Maybe first change your admin a/c passwords and the same on your firewalls. If you want to post any tech info on it I can take a look at it.

Permalink Reply by Matt Kovach on December 8, 2012 at 10:55pm

if you think you may be able to help Reg The Fronkey Farmer, please contact info@atheistalliance.org

Permalink Reply by Gallup's Mirror on December 9, 2012 at 12:00am

@Matt

You're running Apache on Linux, hopefully Debian or CentOS. The IP responds to pings. (Is it coming in on HTTP only?) It's likely a brute force SYN flood. There's a module for Apache called mod_evasive that may help. Google it. Make sure you get the latest version of mod-evasive for whatever Apache version you're running.

Most DDOS attacks come from 6000 agents or less. Keep blocking IPs and they'll run out of zombies sooner or later. If you block more than 50,000 or so and it's still coming at you, you may be dealing with a super botnet. If so, you're screwed and need to use an ISP that specializes in DDOS resistance.

gallup@eternal:~$ ping atheistcensus.com

PING atheistcensus.com (213.175.214.148) 56(84) bytes of data.
64 bytes from server.studioexcel.co.uk (213.175.214.148): icmp_req=1 ttl=50 time=91.3 ms
64 bytes from server.studioexcel.co.uk (213.175.214.148): icmp_req=2 ttl=50 time=93.0 ms
64 bytes from server.studioexcel.co.uk (213.175.214.148): icmp_req=3 ttl=50 time=91.9 ms
^Z
[1]+ Stopped ping atheistcensus.com

gallup@eternal:~$ telnet 213.175.214.148 80

Trying 213.175.214.148...
Connected to 213.175.214.148.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 09 Dec 2012 04:20:17 GMT
Server: Apache
Last-Modified: Sun, 11 Nov 2012 03:20:36 GMT
Accept-Ranges: bytes
Content-Length: 111
Connection: close
Content-Type: text/html

<html><head><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
Connection closed by foreign host.

Permalink Reply by Gallup's Mirror on December 9, 2012 at 4:20am

@Matt

I also see you're using cPanel & WHM. Here are installation instructions for mod_evasive on that. It should work.

Permalink Reply by Matt Kovach on December 9, 2012 at 10:09am

I'm completely lost on this info would you please contact info@atheistalliance.org  if you can help

Permalink Reply by archaeopteryx on December 9, 2012 at 3:16pm

My site is routed through http://www.cloudflare.com/ - I was a charter member, and they've taken good care of me for years (plus I got a free T-shirt!)