LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

DDoS’ed Again – Both LowEndBox and LowEndTalk Affected

Tags: Date/Time: July 15, 2011 @ 8:55 am, by LowEndAdmin

As seen on WHT. I was on my last day of holidays — driving 500km back home. I was at the beginning of the journey when I received the notification from Pingdom. At the beginning it was LowEndBox.com (hosted at QuickWeb), and a few hours later (after I left some messages on LET), LowEndTalk (hosted at eNetSouth) is down as well. I am now back home trying to clean up the mess.

  • Roel from QuickWeb has offered me a new IP that’s not null routed by SoftLayer. I have updated DNS to reflect the changes. Moreover, I am putting CloudFlare in front of LowEndBox.com (as suggested on WHT) to see how it goes.
  • Brandon from eNetSouth has suggested to move LowEndTalk from San Jose to Chicago with ColoCrossing with better DDoS mitigation facility. This is currently in progress.

I will keep this blog post updated.

Updated 16 July 21:45 UTC: Looks like LowEndBox.com was attacked again around 4 hours ago (~18:00 UTC), as commented by Roel here. 3.5Gbps peak, although from my Cacti graph the incoming packets was only burst for < 15 minutes — could have been blocked on the router by Cisco Guard. It could be null-routed any time…

The original owner of LowEndBox known as "LowEndAdmin" or "LEA" for short founded LowEndBox in 2008 and created the concept of hosting applications on low resource "Low End Boxes". After creating the roots of the community that we know today, "LEA" stepped aside and allowed others to carry the torch forward.

225 Comments

  1. Haters be Haters :)

    July 15, 2011 @ 8:59 am
  2. Glad to see your back. CloudFlare is great, im sure you will love it.

    July 15, 2011 @ 8:59 am
    • Not great for dynamic sites.

      July 15, 2011 @ 9:03 am
      • I know Apache has a mod_security etc to mitigate smaller to medium scale DDoS, is there something in nginx that can do that?

        Also I am interested in the origin of these DDoS! May be, we could trace our little bugger who hates LEB

        July 15, 2011 @ 9:08 am
        • I know apache also has mod_evasive.

          July 15, 2011 @ 9:10 am
        • iKocka:

          No software will stop few gigabit attack on server :(

          July 15, 2011 @ 9:17 am
        • According to Brandon, the attach on LET are UDP based packets so not fake HTTP requests this time. Actually HTTP ones are relatively trivial to filter…

          July 15, 2011 @ 9:17 am
        • iKocka:

          Yeah, fake HTTP ones bring down Apache, but not Nginx. UDP ones kill connection so there is no way to access the server. I think CloudFlare will do the job.

          July 15, 2011 @ 9:21 am
        • NGINX isn’t immune to a HTTP DDoS, but its far more durable then Apache.

          July 15, 2011 @ 9:30 am
        • Jun:

          mod_evasive with mod_security in apache can mitigate fake HTTP request, but there is no such anti-ddos tool for nginx.

          July 15, 2011 @ 9:59 am
    • We’ll see — if it works well I am happy to pay for it. However it still reveals what your real IP is so the attackers can bypass CloudFlare and bring the backend down.

      July 15, 2011 @ 9:19 am
      • Birt Ian:

        how it reveals your real ip? i can’t find a way to get it.

        July 15, 2011 @ 9:21 am
        • @Birt

          several ways, Portscanning being one of them.

          July 15, 2011 @ 9:37 am
        • I’m also interested how can you still show your original IP instead of CF’s IP.

          July 15, 2011 @ 9:38 am
        • KuJoe:

          whois…

          July 16, 2011 @ 7:48 am
        • iKocka:

          Whois will eventually get updated and will show CloudFlare’s IP insted of QuickWeb’s IP.

          July 16, 2011 @ 7:54 am
        • WHOIS should already show CloudFlare’s NS.

          July 16, 2011 @ 8:10 am
        • This site seems to pretty up to date but shows the SoftLayer IP.

          http://who.is/whois/lowendbox.com/

          July 16, 2011 @ 8:13 am
      • Some of the reason is, if we see the dns info from intodns, our ip still exist there.
        Reverse MX A records (PTR)

        July 15, 2011 @ 10:50 am
      • Sure let us know how CF turns out for you. I’ve been reading few threads on WHT but a little skeptical about it still.

        July 15, 2011 @ 3:53 pm
      • When a DDOS occurs, CloudFlare will protect itself. CloudFlare primary not a ddos guard service! In the same situation, CF redirects all requests directly to your server, the results will be the same – your IP will be routed to blackhole :(

        And when you log in into CF, the following message will be waiting:

        “CloudFlare has been temporarily disabled due to a system issue. To ensure there is no performance degradation to your website, we are temporarily routing all traffic directly to your server. Once peak performance is back, we will automatically re-enable CloudFlare.”

        Be careful with CF, it will protect itself, not LEB :(

        July 15, 2011 @ 9:18 pm
        • it’s not easy to figure out which site causes a udp attack when there is 100s of sites sharing IPs.

          July 15, 2011 @ 9:23 pm
        • @dmmcintyre3,
          yes, it is.

          BTW, cant find the reason for such attacks to LEB.

          July 15, 2011 @ 9:30 pm
        • Also does CloudFlare use geoip for its DNS resolution or are they on anycast? With geoip, different zombie PC in the part of ddos botnet might be resolving the target to a different IP, which then dilute the attack…

          Still trying to work out how this cloudflare thingy works.

          July 15, 2011 @ 10:45 pm
        • CF is on anycast. They mentioned it on the plans page, and I found it on their blog (http://blog.cloudflare.com/1-billion-served-every-day) as well.

          July 16, 2011 @ 4:02 am
  3. maxexcloo:

    Good luck with getting the site back in working order!
    Any stats we can see?

    July 15, 2011 @ 9:10 am
    • Nope. Nothing this time — my 5 minute rrdtools shows *nothing* strange and I only know that it’s a DDoS when I saw someone asked QuickWeb Roel about the situation on LowEndTalk (before it went down).

      July 15, 2011 @ 9:21 am
  4. Damn! Who on earth would do that with a site that provides valuable information on how you can get more for less in relation with servers? :(

    July 15, 2011 @ 9:56 am
  5. circus:

    LET is still down for me :(

    July 15, 2011 @ 10:37 am
  6. Tom:

    I use CloudFlare on all my sites, it’s great and I see no reason not to use it when they offer free DDOS protection hosted offsite.

    July 15, 2011 @ 10:48 am
  7. CPS:

    I have noticed this when i wake up this “morning” (12 PM :P ) thanks to WHT someone open new thread for LEB (and LET).

    btw glad to see you back to your “office” LEA.

    July 15, 2011 @ 10:59 am
  8. Hope after this occasion, LEA would share some experiences to us.

    July 15, 2011 @ 11:18 am
  9. First thing I woke up this morning was to check on iphone to see LEB is back online, and gladly found so!
    And to DDOSers: LEB is here to stay, an attack from you means nothing more than you are a childish and foolish kid :)

    July 15, 2011 @ 11:38 am
  10. Go:

    My bad, I didn’t notice that, seems the few hours that had the attack, where exactly adjusted with my LEB visiting schedule! But I still can’t thank the hacker though!
    Keep it going LEB you are doing great stuff! :)

    July 15, 2011 @ 12:26 pm
  11. What kind of pathetic scumbag would DDoS LEB/LET…

    July 15, 2011 @ 1:15 pm
    • I can think of a couple folks who would take a shot at it.

      July 15, 2011 @ 2:27 pm
      • LEA has been posting a lot more ‘gameserver’ companies, namely ones doing minecraft and have a past in runescape. I know runescape is jam packed with DDOS skiddies and minecraft seems to be getting their bunch too (could very well be the same users).

        Francisco

        July 15, 2011 @ 7:54 pm
      • Haha yes. My own perception of gameserver-type — teenage boys need more dosh so resell part of their gaming clan’s hardware as virtual servers. At the same time I also want to acknowledge that it’s how many legitimate hosting companies got started in the first place, so I posted their “deals” anyway.

        July 15, 2011 @ 11:14 pm
      • *sigh* I remember runescape. Gave it a try a few months ago and couldn’t stand their new intro adventure. Never went past it.

        Wouldn’t Minecraft be promoted more because that’s what the “in” thing is currently with us techie types? I still haven’t played it.

        July 16, 2011 @ 3:22 pm
  12. If you are not running any UDP service, I suggest you filter UDP packages to REJECT by iptables.

    July 15, 2011 @ 1:53 pm
    • Not going to help if the attack is bigger than the server’s port speed. I have not seen ANY lowendbox with a 10gbps port.

      July 15, 2011 @ 2:42 pm
    • KLIKLI:

      Sorry, sir, but my 15$ year is dedicatedly connected to Level3 with OC-192. It also comes with a /8 of IPv4 so whenever the attacker attacks several IP I can simply null route them.

      (I’m sure this are to be removed – help!)

      July 15, 2011 @ 3:11 pm
      • Who is the provider? I am hoping they charge you separately for the network or else I’d wish they would not be in deadpool soon :)

        July 15, 2011 @ 3:39 pm
      • Show me where, so I can buy one.

        July 15, 2011 @ 7:57 pm
      • You have a /8? I looked at some OC-192’s but all they would give me with them was class C’s. (I can never remember what /# is which. I do remember though that a /8 is a Class A set of Ip addresses.)

        July 16, 2011 @ 3:24 pm
        • ab:

          c /24 iirc

          July 16, 2011 @ 4:43 pm
    • rds100:

      Doing this (filtering UDP packets with REJECT target) is a very good way to help the attacker totally kill your server. Better use DROP instead of REJECT. And watch out to not filter the responses from your resolvers.

      July 15, 2011 @ 3:33 pm
    • Udp should have been dropped by default on my iptables rules. However it’s the size of the attack that’s bigger than upstream. I got automatically null routed even before the packets have a chance to land on my box.

      July 15, 2011 @ 11:25 pm
  13. Nice. I’ve got someone slandering me over there on WHT. And folks wonder why I don’t spend any time over there.

    July 15, 2011 @ 3:00 pm
    • rds100:

      I think he was joking.

      July 15, 2011 @ 3:33 pm
      • So glad some folks think accusing people committing a felony funny.

        July 15, 2011 @ 6:07 pm
        • Ztc:

          You really are Dr. Sensitive.
          This is not the first time I catch you with no humor ;)

          July 15, 2011 @ 7:40 pm
    • KuJoe:

      I only saw your name mentioned once but it wasn’t serious at all. I would contact a WHT staff member though if you truly felt the user was trying to be malicious.

      July 16, 2011 @ 7:56 am
      • Already did. Got lied to three times by a “Community Liaison”, reminded that I was harassing them when I was trying to find out why I had been banned a few years back, got pointed out that I had created a dupe account to file the report which was a nono, (I created the account to make the report and was in fact honest that I stated it was a dupe when I did make the report.) and yet the post is still there.

        July 16, 2011 @ 3:28 pm
        • KuJoe:

          Oh, that sucks. Sorry to hear that.

          July 16, 2011 @ 8:40 pm
        • vedran:

          http://helpdesk.webhostingtalk.com/

          I don’t think you need a dupe to file a report there.

          July 16, 2011 @ 9:10 pm
        • circus:

          That WHT post is kinda harmless though.

          July 17, 2011 @ 1:14 am
        • KuJoe:

          drmike has his own views which he is completely entitled to… even though he has been wrong before (like when he went off on me for being a staff member of WHT when I never have been).

          July 17, 2011 @ 1:22 am
        • circus:

          @KuJoe, well that was my view about that post :) like you say everyone has their own views, and IMHO it’s always better to not feed the troll.

          July 17, 2011 @ 1:36 am
        • vedran:

          @circus I agree, it looks completely harmless to me too. But if it bothers drmike they should remove it.

          July 17, 2011 @ 7:29 am
        • KuJoe, you stated on LET that you were a member of WHT. I’d give a link but the site is still down of course.

          July 18, 2011 @ 12:21 pm
  14. innya:

    LEB will be getting better after each accident.

    July 15, 2011 @ 3:14 pm
  15. KLIKLI:

    BTW LEA if I were you I would rather not to update the DNS with dnsmadeeasy. I wouldn’t be brave enough to let attackers in again.

    July 15, 2011 @ 3:15 pm
  16. Is there any efficient way to prevent the DDos attack? Especially for the vps with tiny memory.

    July 15, 2011 @ 3:20 pm
    • Nothing to do with memory size I think. They simply jammed the pipe.

      I am not sure what can be done in the case of ddos. Hiding behind some fat pipe reverse proxy seems to be the easy way out.

      July 15, 2011 @ 11:33 pm
    • KuJoe:

      I’ve seen some awesome documentation on putting some Squid proxies in front of your servers to mitigate DDOS attacks but you’re still looking at additional server costs and paying for the bandwidth. I’ve read awesome things on WHT about DDOSDefend.com and they are really cheap also. Of course I’ve also read that LEA is adamant about not “hiding” his IP information.

      July 16, 2011 @ 12:05 am
      • $65 monthly isn’t really cheap compared to the LowEndVPS that LEA is using to host the site at the moment.

        I think CF is the best option here.

        July 16, 2011 @ 7:27 am
        • KuJoe:

          I meant cheap in regards to all of the other DDOS mitigation options out there. As previously mentioned CF is not a DDOS mitigation service so while it might do well for very small attacks, it doesn’t take much for an attacker to get past their limits.

          July 16, 2011 @ 7:38 am
        • Besides that attacks aren’t really a big thing here – LEA was on holiday which is probably why the attack lasted so long as he was unable to intervene. It’s the first attack in a while. I think DDoS solutions aren’t needed at this stage.

          July 16, 2011 @ 7:47 am
        • KuJoe:

          I was actually replying to Timothy’s comment and not LEA’s reply. ;)

          July 16, 2011 @ 7:57 am
    • @Timothy
      “Dismantling botnets in advance” might be the best way to prevent DDoS attacks. As a matter of fact, being DDoS attacked is a golden opportunity to collect the IP addresses of infected computers, if they haven’t been tampered with by the attacker. ISP should have dropped network packets with forged IPs in the first place.

      July 17, 2011 @ 2:02 pm
  17. Anon:

    If you’re using cloudflare set it up so your server only allows connections via it since as far as I know it acts as a proxy you can set it up so that your webserver only recieves requests through it and doesn’t allow direct access.
    Hope this helps.

    July 15, 2011 @ 3:51 pm
  18. Hey LEA
    I feel like most here, I was eager to see LEB back online. Well, as we all know we cannot do anything about those DDoS bitches, we could still offer you our help. I’d really love to provide a LEB mirror, and I think others might be too. BTW, why would someone attack such an awesome site such as LEB?

    July 15, 2011 @ 4:51 pm
  19. Roope:

    Don’t know how true it is but was at a hosting IRC and I said does anyone here use LEB.
    About 5 minutes later someone said yeah , so i asked him is it down.
    He said yeah and went onto say that he heard a kid called Jason had got mad with the community and admins.

    Again i don’t know how true this is but the ‘informant’ is quite well known in this particular IRC.

    July 15, 2011 @ 5:56 pm
    • Jack:

      That would be right. Jason is a little cry baby who starts up VPS business, takes the money and runs.

      July 15, 2011 @ 10:50 pm
      • Jason from that sky news article? AKA JSCL?

        July 15, 2011 @ 11:08 pm
    • If it really is then he had stooped even lower than I thought he’d ever go – Not that he’s a reputable person anyway.

      He is simply a bully and doesn’t like it when he gets his own way.

      He threatened me with legal action a week or two ago – Haven’t received no ‘letter on my doorstep’. Shows how pathetic he is.

      July 15, 2011 @ 11:22 pm
    • I would say that’s just a speculation heard from an anonymous on IRC. There has been some disgruntled users on LET and it could be done by pretty much anyone.

      I shall focus on rebuilding lowendtalk in the next couple of days, ie moving away from OSQA as suggested, than coming up with more speculations.

      July 15, 2011 @ 11:41 pm
      • Try XenForo , vBulletin or IPB. They are my favorites :)

        July 16, 2011 @ 11:17 am
        • cd:

          Paid solutions? lol. I find the ‘free’ ones to work a lot nicer and have better ‘usability’

          July 17, 2011 @ 6:00 am
  20. heh Just remembered about the wiki. That’s still up. :)

    July 15, 2011 @ 6:18 pm
    • The wiki is the same as LEB right?

      July 15, 2011 @ 7:11 pm
      • I believe so.

        Been trying to find a decent DNS provider. Been going down that list on the wiki of them.

        July 16, 2011 @ 3:28 pm
  21. Welcome back admin.

    July 15, 2011 @ 6:26 pm
  22. I noticed it was down a couple of hours ago, when I checked my site that has LEB feed.

    So welcome back from holiday and website recovery :)

    July 15, 2011 @ 10:57 pm
  23. Still can’t access LET – Any reason why?

    July 15, 2011 @ 11:18 pm
    • You sound like if you were the LEA’s boss ¬_¬

      July 16, 2011 @ 12:22 am
    • Spirit:

      Reason why?

      “Brandon from eNetSouth has suggested to move LowEndTalk from San Jose to Chicago with ColoCrossing with better DDoS mitigation facility. This is currently in progress.”

      I hope this answers…
      I am also glad too see this site back. Opening those pages became somehow part of my daily routine.

      July 16, 2011 @ 12:26 am
    • Yeah I am not too sure about the status. Maybe you guys can have a nice weekend at the beach, than trolling each other on the LowEndTalk community :)

      July 16, 2011 @ 6:00 am
      • KuJoe:

        I think that’s why I slept so good yesterday. :P

        July 16, 2011 @ 6:19 am
  24. Great to see that LEB is back again. :)

    July 16, 2011 @ 12:04 am
  25. @LEA At ydgh we have suffered a few DDOS in the past week as well. I feel they may be connected with yours.

    July 16, 2011 @ 4:28 am
    • Ahem. Sorry I don’t want to accept that association. I don’t want to see everyone getting DDoS’ed coming here whining “my site got denial of service attack because it was connected to LowEndBox!!!”

      July 16, 2011 @ 6:02 am
    • I highly doubt that it would be connected.

      July 16, 2011 @ 11:18 am
    • Christian:

      I don’t think it is an uncommon think for VPS providers to be getting DDoS attacks. I don’t think it has to do with the attack on lowendbox, but sure everything is possible.

      July 16, 2011 @ 11:34 am
  26. KLIKLI:

    @LEA,

    I found at least two traces to your “real” IP. Will be emailing you soon:)

    July 16, 2011 @ 4:36 am
    • I know the real IP too, I found it the same way I found LEA’s personal blog.

      July 16, 2011 @ 5:00 am
    • Thanks. It’s actually not hard to work out with *any* CloudFlare site, if you know that hard coded hostname CloudFlare exposed via its DNS, which I have no idea how to disable…

      @dmmcintyre3 — yeah I know that you knows about my personal blog + added me on Twitter, etc. Being online for so long it’s actually quite hard to be anonymised. However I chose to use LowEndAdmin alias here just to keep this part of my life separated. Getting DDoS is one thing. Having a mad man ringing your phone with death threats, stalking you online everywhere — to a point that I need to get police to issue a restraint order — that’s something else. It happened to me once over that mediocre startup I ran, and I do prefer having less of that. So, pssst, don’t paste my blog address everywhere.

      July 16, 2011 @ 6:12 am
      • dmm is an stalker :| damn… xD

        July 16, 2011 @ 6:33 am
        • What? the domain was the from address in his old comment subscription emails.

          July 16, 2011 @ 3:38 pm
        • Nope I wasn’t implying dmm was stalking. He has been pasting my blog address here before so I was just asking him not to do it anymore, as I do prefer to keep this part of my life separated.

          July 16, 2011 @ 10:20 pm
        • Yes I am just kidding you know :P

          July 17, 2011 @ 12:33 am
      • However I chose to use LowEndAdmin alias here just to keep this part of my life separated.

        And folks wonder why I won’t list the company I work for. What LEA covers pretty much happens to me. I have a few restraining orders out there.

        July 16, 2011 @ 3:30 pm
        • Gary:

          Against you? :P

          July 16, 2011 @ 7:09 pm
        • Nope, not a one. My ex tried to get one against me when she came back to Charlotte but the judge wouldn’t allow it after we documented her outstanding warrants as well as her mental instability bother when we were together and afterwards. (She never showed up in court. Would have solved lots of the current issues with the business if we had.)

          There’s a fairly popular developer who shall remain nameless who can’t come to Charlotte because of threats, both legal and physical, made to me over the net.

          July 16, 2011 @ 7:56 pm
        • Which part applies to you? Which end of death threat phone calls was it? :)

          July 16, 2011 @ 10:23 pm
        • Nah, she skipped over the phone calls and went straight to the drive by’s. Twice.

          July 18, 2011 @ 12:24 pm
    • When you comment on a post from the blog address with the IP rather than the domain – You also give the IP link address to any one subscribed ;)

      July 16, 2011 @ 7:31 am
    • You can use direct-connect.domain.com with CF to access the site directly.

      July 16, 2011 @ 9:37 pm
      • Yeah. That hostname applies to all CloudFlare sites when you need to find the actual IP address. I don’t think CF was designed to conceal the real IP of the servers in the first place.

        July 16, 2011 @ 10:17 pm
        • cd:

          You can remove the direct-connect in the dns manager, no?

          July 16, 2011 @ 10:23 pm
        • Nope. If anyone knows how please tell me :)

          July 16, 2011 @ 10:29 pm
        • It’s just another record, delete it or rename it.

          July 16, 2011 @ 10:30 pm
        • cd:

          Try going in to https://www.cloudflare.com/dns-settings.html?z=lowendbox.com – there should be an entry for direct-connect

          July 16, 2011 @ 10:33 pm
        • KuJoe:

          I always just rename the record to something completely random.

          July 16, 2011 @ 10:33 pm
        • Nope. No direct-connect there. It was offering to have a “direct.lowendbox.com” A record before which I removed, but there does not seem to be a way to change the direct-connect record. Maybe I shall click on that Help link to see whether it can be done.

          July 16, 2011 @ 10:40 pm
      • KLIKLI:

        Hold on. That was not true. Mine is NOT resolving – not just not appearing.

        July 17, 2011 @ 3:34 am
  27. so LET still down? glad the attacks already stopped… anyway things like this will make lowendbox.com stronger —looking at the bright side of things :)

    July 16, 2011 @ 5:32 am
    • Yes, it is. Takes a little time when you are bringing a permanent solution rather than circumventing a DC’s null route. ;)

      Glad to see LEB back as well.

      July 16, 2011 @ 8:32 am
    • Still down for me. Time out error for me.

      11:31 AM US Eastern time. 3:31pm UTC time Saturday

      July 16, 2011 @ 3:32 pm
  28. I second that, Roel :)

    July 16, 2011 @ 6:46 am
  29. Great! DDOS was stopped, Lowendbox is back :)

    July 16, 2011 @ 8:22 am
  30. Interestingly accessing the site from the IP loads the page faster than going through the domain and CF.

    IP: 2.9 seconds
    Domain: 3.8 seconds

    Tested from Pingdom.

    July 16, 2011 @ 9:14 am
    • ab:

      direct’s always gonna be faster than proxied, but check an image (cf-cache-status: hit) or w/e

      July 16, 2011 @ 12:00 pm
  31. The site was down again for a while. Was getting the CloudFlare error page saying that the server was down.

    July 16, 2011 @ 6:48 pm
    • LEB is behind Cisco Guard at the moment looks like it is under attack but now able to hold up a bit, attack is at 3.5G

      July 16, 2011 @ 9:19 pm
      • WTF 3.5G what kind of low-life would do such a thing?

        July 16, 2011 @ 9:21 pm
        • it “might” possibly get null routed again if it continue i’m afraid

          July 16, 2011 @ 9:27 pm
        • Where are the main offenders coming from? Because 3.5G is huge for a DDoS aint it.. Almost like its a Server Attack.

          July 16, 2011 @ 9:33 pm
      • it is from all over the place of course.

        July 16, 2011 @ 9:45 pm
        • i said main not Offenders in general :)

          July 16, 2011 @ 9:54 pm
        • @Daniel — when you have a 3.5Gbps DDoS flooding your link, it’s not likely to be generated from a single ADSL link in someone’s basement.

          I don’t recall offending any Russian mafia on this site before (although I could be very wrong), so being able to send such a payload would be from leased botnets. I guess it could be hard to find out who the main offender is by just analysing the traffic.

          July 16, 2011 @ 10:28 pm
        • Spirit:

          Actually we will never know how many of those unprofitable hosts with nice template but lack of company info, lack of support, etc… (which means unserious hosting business) from all over the world featured here aren’t anything else than money laundering.

          July 16, 2011 @ 10:33 pm
        • @Spirit I wash my money everyday… is so dirty

          LOL

          July 17, 2011 @ 12:32 am
    • Yup, looks like him all right ;)

      July 16, 2011 @ 9:55 pm
      • cd:

        Nope – this is him

        July 16, 2011 @ 10:21 pm
        • Oh yeah, I recognize the smile.

          July 16, 2011 @ 10:24 pm
        • CPS:

          Is that true? in my imagination Dr.Mike more look like Fat Mike (NOFX). no offense Dr.Mike. :)

          waiting LEA photo now.. :P

          July 17, 2011 @ 4:55 am
        • cd:

          Pfft, not posting LEA’s photo – he can do it himself if he wishes

          July 17, 2011 @ 6:10 am
        • Actually this is me:

          http://drmikessteakdinner.com/about.html

          And Youtube is blocked on this network so I can;t comment on that.

          July 18, 2011 @ 12:27 pm
        • Is that really you @drmike? wow, you don’t look 40 to me. Is it Photoshop’d :D?

          July 18, 2011 @ 12:33 pm
      • CPS:

        @Asim don’t forget this “nearly 40 year” and with “2007 shirt” :D but yeah, mostly +++ image editor. :P

        @drmike since when you put your own photo in drmikessteakdinner?? never seen that before.

        any news from LET (Brandon or someone) ?? i’m worrying my karma :D and maybe create new “question” – share your pics/photos!! – with some hope LEA could join in also. hehehe

        July 18, 2011 @ 1:11 pm
    • Spirit:

      I don’t think so. They would kick him out of a library if he would talk that loud!

      July 16, 2011 @ 10:39 pm
    • looks like there is Dr Mike fan club here aye?

      July 16, 2011 @ 11:03 pm
  32. wondering why :D

    July 16, 2011 @ 7:35 pm
  33. I am almost thinking to set up a FB fan page called something like: “Screw you LEB DDOSers” :) Anyone with me on that?

    July 16, 2011 @ 9:51 pm
    • Do it, but think that is just following their kiddie game… (I don’t know how to say the phrase in english xD)

      July 17, 2011 @ 12:21 am
      • Spirit:

        Yeah, less fuss around, better. Kids like attention… so who cares.

        July 17, 2011 @ 1:01 am
        • That is true, sigh, hopefully one day someone will find a way to resolve of the DDOS cr@p, very unlikely though…

          July 17, 2011 @ 5:43 pm
    • CPS:

      i’m not. :D

      1. i’m getting (small) DDoS too after i WRITE my comment here. so you must put me too in your fb fan page. :D
      2. i don’t have account in facebook. :(

      but still screw you LEB/LET DDoSers!!!

      July 17, 2011 @ 4:51 am
      • LOL, and screw CPS DDOSers too :)

        July 17, 2011 @ 5:43 pm
  34. Hi;
    It’s a shame to see that someone would DDOS such an excellent resource like Lowendbox. Hopefully it won’t happen again, Cloud Flare is great and it handles small to medium attacks pretty good in my personal testing. :)

    Best,
    Kevin

    July 16, 2011 @ 11:50 pm
  35. shearerc:

    There must be a way to completely remove the direct-connect.domain.com thingy since LulzSec can apparently remove theirs.

    I did a dig “any record” query on LEB and Lulzsec domains.

    ;; QUESTION SECTION:
    ;lowendbox.com.                 IN      ANY
    
    ;; ANSWER SECTION:
    lowendbox.com.          239     IN      MX      1 mail.lowendbox.com.
    lowendbox.com.          239     IN      MX      0 direct-connect.lowendbox.com.
    lowendbox.com.          239     IN      A       199.27.135.79
    lowendbox.com.          239     IN      A       199.27.134.79
    lowendbox.com.          43139   IN      SOA     jeff.ns.cloudflare.com. dns.cloudflare.com. 2011071620 10000 1600 604800 3600
    lowendbox.com.          539     IN      NS      jeff.ns.cloudflare.com.
    lowendbox.com.          539     IN      NS      jill.ns.cloudflare.com.
    
    ;; QUESTION SECTION:
    ;lulzsecurity.com.              IN      ANY
    
    ;; ANSWER SECTION:
    lulzsecurity.com.       43200   IN      SOA     may.ns.cloudflare.com. dns.cloudflare.com. 2011071620 10000 1600 604800 3600
    lulzsecurity.com.       300     IN      A       199.27.134.86
    lulzsecurity.com.       300     IN      A       199.27.135.86
    lulzsecurity.com.       600     IN      NS      may.ns.cloudflare.com.
    lulzsecurity.com.       600     IN      NS      rob.ns.cloudflare.com.
    
    
    July 17, 2011 @ 4:09 am
    • Maybe the non free service

      July 17, 2011 @ 5:00 am
    • KLIKLI:

      What I want to emphasize is that, none of my protected domains does have that “direct-connect” record and I’m using their free service.

      July 17, 2011 @ 5:06 am
      • So, then share how you did it.

        July 17, 2011 @ 5:14 am
      • KLIKLI:

        I’m just telling that it was not “hard-coded” or whatever. Believe me or not, it’s your decision. I’m not going to prove it to anyone.

        July 17, 2011 @ 5:19 am
      • I will play around with some setting later today. I suspect it might to do with other DNS entries depending on the direct connect. I will see removing those would hide the direct connect entry.

        July 17, 2011 @ 6:31 am
        • “We added a subdomain that allows you to access your server directly without passing through the CloudFlare network. You should use this domain to access services like SSH, FTP, and Telnet. You can change the default name of the subdomain to something other than direct for enhanced security.”

          So, maybe you can delete it or just rename to something unguessable.

          July 17, 2011 @ 7:37 am
      • Tom:

        Just check 3/10 of my domains on CF, there is indeed no such record hardcoded in the DNS.

        July 17, 2011 @ 6:32 am
      • Alright. Worked out how to remove direct-connect. If there is no other reference to @ in other DNS records, CloudFlare would automatically remove direct-connect hostname. Actually it should be the other way around — if there is any reference to @ in DNS records other than the ones CloudFlare knows how to handle, it would be converted to direct-connect.example.com.

        For example,

        foobar.example.com.         CNAME  example.com.
        

        would become

        foobar.example.com.         CNAME  direct-connect.example.com.
        direct-connect.example.com  A      123.123.123.123
        

        direct-connect.lowendbox.com should be removed now as I cleaned up the records. Still, the IP would still leak on email subscriptions.

        July 17, 2011 @ 10:32 am
        • cd:

          What about using something like google apps in the meantime to send out smtp email?

          July 17, 2011 @ 10:38 am
        • cd:

          (You also may want to get a 3rd and final IP change)

          July 17, 2011 @ 10:39 am
        • KLIKLI:

          FYI, nowadays GMail (or at least my GApps) is also including the X-Originating-IP header.

          July 17, 2011 @ 10:40 am
        • cd:

          Just checked, it does.. :/. I wonder if there is another solution in the mean time

          July 17, 2011 @ 10:42 am
        • Adam:
          July 17, 2011 @ 10:54 am
        • cd:

          Sure, but just not from GarmanOnline :P

          July 17, 2011 @ 11:05 am
        • Just purchase a cPanel account from somewhere and use that to send email via SMTP. I have a shared hosting with HostGator – if LEA want’s a email account on there for sending mail threw he’s more than welcome ;)

          July 17, 2011 @ 11:18 am
        • KLIKLI:

          Be careful of those abuse-controling headers. If I were you I would rather rent(or request!) another LEB just for sending out mails which you would be able to fully control everything. (Besure to remove the from: field though!)

          July 17, 2011 @ 11:21 am
        • Most SMTP servers also log incoming IP address in the Received: header so it’s a bit pointless using a 3rd party SMTP server.

          July 17, 2011 @ 11:26 am
        • With that solution I can see the mail box getting attacked and mail not working – Which would be a shame as I use the mail notification of this blog a lot.

          Atleast using some big shared host such as HostGator, Site5 etc will put the responsibility to deal with attacks on them.

          July 17, 2011 @ 11:28 am
        • KLIKLI:

          I guess I remembered the wrong field name sorry:P

          July 17, 2011 @ 11:28 am
        • @LEA – Surely there would be ways to remove that?

          July 17, 2011 @ 11:29 am
        • KLIKLI:

          Before I said that Google pointed me to http://goo.gl/oS9EH but I’ve not much time to got my swimming suite ready so sorry if I was mis-leading others.

          July 17, 2011 @ 11:32 am
        • Spirit:

          I think that we can live without email subcriptions and they can be easy atleast temporary removed. That’s little sacrifice in order too see this site online.

          July 17, 2011 @ 11:33 am
        • ab:

          My Google Apps has an option to hide the X-Originating-IP. Look for it een panel.

          July 17, 2011 @ 2:38 pm
        • KLIKLI:

          But still with GApps you’ll be showing your quering IP on the Received: field as long as it sent with SMTP.

          July 17, 2011 @ 2:40 pm
  36. 80486er:

    Those Kids running DDoS on LEB are f*cking annoying… No life…

    July 17, 2011 @ 6:03 am
  37. Teiresias:

    For me, seems to be a scripting kiddie with a botnet… I haven’t any clue which “enemies” LEB might have.

    July 17, 2011 @ 11:37 am
    • Teiresias:

      @Ixape

      July 17, 2011 @ 11:37 am
    • A ridiculous amount of traffic though which doesn’t come cheap – Which is why I ask how a kid would get hold of money needed to buy this kind of stuff.

      July 17, 2011 @ 11:41 am
      • Hmm… I remember seeing something like 1000 bots for USD 50 per day or so in a forum.

        July 18, 2011 @ 4:07 am
    • I prefer to get a PS3 or an Xbox with that money xD

      July 18, 2011 @ 1:03 am
  38. LEA: for the mail header’s revealing the real IP, you could ssh tunnel to another LEB and then connect to a SMTP server which could be running on the second LEB.

    July 18, 2011 @ 12:58 am
    • Or use Gmail n_n

      July 18, 2011 @ 1:02 am
      • I thought the real IP was still in mail headers with gmail/etc

        July 18, 2011 @ 1:04 am
      • Gmail still has the header when sending mail via SMTP – When it doesn’t have the header is when you send via the webmail interface.

        Also – I think LEB may hit some outgoing Gmail limits. I know a company I’ve worked for before hit limits when sending out mailing lists via Gmail and can imagine that LEB sends quite a few emails on a daily basis.

        July 18, 2011 @ 5:36 am
    • Yeah good idea. Some kind of tunnelling to a remote host before dispatching the mails to SMTP.

      @Yomero — yes Gmail would still leak your originating IP address.

      July 18, 2011 @ 1:27 am
      • Hmmm, so sad =( I didn’t thought about that

        July 18, 2011 @ 5:49 am
  39. Hi;
    Any ETA as to when Lowendbox Forums (Lowendtalk) will be back online? Kinda looking forward to checking out the forums :)

    Best,
    Kevin

    July 18, 2011 @ 2:55 am
  40. Looking up http://www.lowendtalk.com
    Making HTTP connection to http://www.lowendtalk.com
    Alert!: Unable to connect to remote host.

    July 18, 2011 @ 6:28 am
  41. Almost tempted to rack you your own server but I don’t have any spare blocks of addresses.

    July 18, 2011 @ 12:41 pm
  42. People seem to get distracted and got off-topic here. I am closing commenting now. If you want to continue to discuss LowEndBox/LowEndTalk DDoS related issues, talk about it on the you-know-where.

    July 19, 2011 @ 7:48 am

Sorry, the comment form is closed at this time.