Hello, I am writing on behalf of Exherbo's "infrastructure" team. Yesterday our quote database (http://quotes.exherbo.org/) was under a very primitive attack which appears to have been launched from Gentoo controlled machines. The attack basically changed all of our quote rank values into negative ones. It started at 18:53 UTC and ended at 19:39 UTC. Using grep and some other commands to get the interesting information out of apache's access_log reveals the following: [ snip ] >>> 140.211.166.168: 18 168.166.211.140.in-addr.arpa domain name pointer osprey.gentoo.osuosl.org. ... >>> 140.211.166.183: 322 183.166.211.140.in-addr.arpa domain name pointer smtp.gentoo.org. ... >>> 64.127.104.142: 27 142.104.127.64.in-addr.arpa domain name pointer miranda.amd64.dev.gentoo.org. ... >>> 89.16.176.11: 338 11.176.16.89.in-addr.arpa domain name pointer albatross.gentoo.org. ... [ snip ] The first column is the IP of the request sender, the second column is the amount of requests in our access logs and the last column is the output of $(host "${IP}"). Other machines participated in this attack as well, but they are not under Gentoo's infrastructure teams control and therefore not interesting for this bug. Most of my research says that this attack was launched by 'astinus' (Alex Howells). I am going to contact the abuse contact for the networks on which these machines are located on and I must admit that I am very disappointed about this and I hope that you are going to take actions against such behaviour so that it wont happen again. Best regards, Alexander
It's also worth a note that astinus announced the attack on #gentoo-infra: 185551 * astinus has a funny idea 185656 < astinus> for i in $(seq 1 25); do wget -O /dev/null http://quotes.exherbo.org/?ratingminus\&id=$i; sleep 6; done 185855 < astinus> additional brownie points if you use -q with wget and CFengine it for a one-time run on 500+ machines 185913 < astinus> "Hey guys! All your quotes suck!" 185921 * astinus sighs
Do I really need to point out that writing something into #gentoo-infra and actually doing anything are two different things, never mind the question of whether his traffic logs and/or this complaint is genuine in any degree?? Judging by http://lolgentoo.blogspot.com it's highly liable a random amount of my conversation in #gentoo-infra leaked, and he's decided to take it upon himself to "Have a bit of fun"? ;) Last time I checked we had free speech, and I could threaten to break your legs in most countries. Not illegal, provided I don't actually start snapping bones. Anyway, nice to see eroyf is finding new and more ingenious ways to waste time. Perhaps as a side note Exherbo should "fix" their QDB so you can't skew it? Pretty much everything except Rash implements a 'Has this IP rated this quote in the last 24 hours?' rather than a "primitive" 5s flood prevention system. This will be my last response to this issue until at least Tuesday, I am off out with my other half for the weekend, and away (work related) all of Monday. Doubtless there will be more hilarious posts to read when I return, after all, if eroyf + co didn't generate "smelly stuff" by the metric tonne they'd still be developers rather than forcibly retired by Developer Relations.
nothing but accusations, nothing to be done.
Do investigate who ran those commands on those machines. These are founded accusations. Don't try to stuff this under the carpet. - ferdy
Attack? This was obviously a joke by whoever did it. Get the sand out of your collective lady parts and just fix your quotes db to not be susceptible to this kind of thing. If it hadn't happened now, someone else would have done it in the future.
(In reply to comment #4) > Do investigate who ran those commands on those machines. These are founded > accusations. Don't try to stuff this under the carpet. So you have a public web service at quotes.exherbo.org? You allow access to the world via a web server (Apache/1.3.37) and don't consider it to be an "internal" service -- there is no authentication required to access it? Along comes a random person, they request http://quotes.exherbo.org and are delivered content. They have sent a small number of *valid* HTTP requests to your service and that isn't a problem? You have a function for allowing site visitors to rate quotes, via the URL: http://quotes.exherbo.org/?ratingplus&id=something http://quotes.exherbo.org/?ratingminus&id=something Aforementioned random person clicks on a link. Rating is adjusted. No problem? If they reload the page, they get a message saying they must wait 5 seconds, then they can rate another quote, or even decrease the *same* quote further. Also not a problem, because this is how your application is setup? :) Then you have this case where you are complaining about an "attack" -- yet I fail to see how this is an attack?? No exploit was used, the amount of data involved was probably less than the broadcast traffic your server sees from being on a LAN in a datacentre, and yet you feel the need to throw accusations? If I didn't know better I'd swear this was legitimate usage of your service, albeit with a somewhat funny side-effect that all your quotes appear to suck. Earlier suggestion to fix your application was a genuine one.
Added URL to my blag where I am writing all the details on this attack.
Well, I kind of feel this bug is invalid until you provide proper evidence which includes a *full* access log and not just some accusation that included some wget/grep/wc output. Its kind of hard to verify anything with what you provided.
To clarify, I only want full (unedited) logs for the IPs that are controlled by gentoo-infra.
Created attachment 158793 [details] Accesslog with requests from Gentoo controlled machines. There you go.
Thank you for the logs. We will use this information to audit our logs.
Just because you can, doesn't mean you should... This behavior seems rather childish and abusive to me, but I'm just a random adult with an interest in getting things done. Please review the provided logs, and try and refrain from minimizing or trivializing stupid behavior. Perhaps a software change is also in order. Ultimately, facts and rational behavior are in order here, not pissing on someone else's turf or picking on less than optimal web services...
Thanks Mike. Timestamps are in CEST (UTC + 2).
eroyf: besides those four IPs, were there any other boxes with sustained wget requests during that time period? Can we get those logs too?
(In reply to comment #14) > eroyf: besides those four IPs, were there any other boxes with sustained wget > requests during that time period? Can we get those logs too? I am willing to give you that on the condition that you do not attach the file to this bug and that you are not going to put the logs online for public viewing.
FYI, I spoke with eroyf, and I'm taking back the request for the other logs. After some discussion, we don't really need them.
As reported on bug 229895, on 27 Jun 2008 at 19:04 UTC, there was unwarranted traffic sent to http://quotes.exherbo.org/ and some of the traffic involved originated from various Gentoo Linux infrastructure machines. The Gentoo infrastructure team conducted an audit based on logs from the machines as well as those provided by Exherbo's infrastructure team. Based on results of our audit and the user's admission via email, we have concluded that the said actions were taken by one of our developers named astinus. We have taken appropriate action and have removed the developer in question from Gentoo Linux infrastructure. We sincerely apologize to the administrator of quotes.exherbo.org for the involvement of Gentoo infrastructure machines.
For anybody following his retirement (again, from his -core email), that's on bug 82711.
Since there seems to be a bit of confusion about whether I retired, or was forcibly pushed, I'd like to clarify that I spoke to Gentoo Infrastructure and admitted what is essentially a stupid prank *not* intended to cause any damage, note the wording above states "unwarranted traffic" not "attack", and then drafted and sent a retirement message to gentoo-core (an internal list). My message stated a number of reasons for retiring, most of which were not related to this incident but rather the state of Gentoo Linux at this time. It's been my intention for a while to focus less on IRC-fuelled drama (particularly the Gentoo vs. Exherbo mess) and more on the 'real' world, and I am taking the opportunity to do just that. I wish both distributions best of luck with their future endeavours, and who knows, maybe 2008.0 before 2009? ;) Alex
(In reply to comment #2) > Last time I checked we had free speech, and I could threaten to break your legs > in most countries. Not illegal, provided I don't actually start snapping bones. You should check again. Its nice that you are coming from an idealized free speech perspective, rather than the other direction, however you should get your facts straight before you get yourself into more trouble. In the US, for example, in California a threat is: "Any person who willfully threatens to commit a crime which will result in death or great bodily injury to another person, with the specific intent that the statement, made verbally, in writing, or by means of an electronic communication device, is to be taken as a threat, even if there is no intent of actually carrying it out, which, on its face and under the circumstances in which it is made, is so unequivocal, unconditional, immediate, and specific as to convey to the person threatened, a gravity of purpose and an immediate prospect of execution of the threat, and thereby causes that person reasonably to be in sustained fear for his or her own safety or for his or her immediate family's safety." This is called a "422" in California, and it can be a felony or a misdemeanor. However, this seems to cross over the state-by-state situation as this example indicates: On February 2, 1999 a federal jury in Portland, Oregon, awarded Planned Parenthood and four doctors who perform abortions $107 million in damages. The defendants—14 anti abortion individuals and two organizations—were convicted of threatening abortion providers through a series of posters—and a Web site. The judge in the case said "I totally reject the defendants' attempts to justify their actions as an expression of opinion, or as a legitimate and lawful exercise of free speech." If you are going to make a threat, you do not automatically get a free pass because of your first amendment rights. Its a lot more complicated and you could get into trouble.
This bug is already fixed... Please leave it be.
closing
