| Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help. |
1. Norwegian site: http://www.multifinansit.no/
2. Post here: http://www.blognorway.com/
3. Do you see the site?
4. Thanks for constructive comments.
I had to make my own Blog, since I am excluded from posting at WebmasterWorld. No serious reason.
Kjell Bleivik
http://www.multifinanceit.com/
|
||||
|
I don't get what your post has to do with a DDoS attack.
__________________
Toronto Web Design | Search Engine Friendly, Standards-Compliant Layouts | Walk on my Path (my blog) |
|
||||
|
The site is still down here.
My hoster said that the server that hosted my site had a DDoS attack. The following happened:
1. On Wednesday the site was down for the first time. My daughter, who uses the same internet provider, experienced the same.
2. On Thursday, the site was up for some hours. Since then it has been down. But now my daughter, who lives in the same town and uses the same internet provider, has no problems loading the site.
A light version of a (D)DoS attack, as far as I know, is blocking of my IP address or a man in the middle attack. What else can it be?
No known viruses, trojans, adware or spyware on my PC. I have also used Trend Micro online hackercheck for port blocking. I have Windows XP with Service Pack 2 installed. Normal firewall settings.
I have sent an email to my internet provider and my hoster. If you have other proposals, they are welcome.
My popularized definition of "a man in the middle attack": software or other tools that cut / block the connection between my computer and the server where the site is hosted.
KBleivik
|
||||
|
1. What specifically do you mean by "the site is down" in this case? What happens, what do you see in your browser when you try to connect?
2. Can you connect to the site using an FTP program?
3. Do a search on your local computer for any and all files named host* - make sure you select the hidden and system files option in search. Find anything?
__________________
Psychology Mental Health & Self-Help Forum Online Counseling & Therapy | Mental Health Directory |
|
||||
|
1. "What specifically do you mean by "the site is down" in this case? What happens, what do you see in your browser when you try to connect?"
Does not find server. The site can not be shown.
2. "Can you connect to the site using an FTP program?"
No. Get the message “An FTP error occurred – cannot make connection to host.”
3. "Do a search on your local computer for any and all files named host* - make sure you select the hidden and system files option in search. Find anything?"
No file with that name found. No hidden or system file either.
As I said, no problem for my daughter, who uses the same internet provider and lives in the same town, to load the site. Do you see it in Canada?
http://www.multifinansit.no/ and http://www.dinnettbutikk.no/
When I try to log into the Cpanel where the sites are hosted
http://209.59.132.186:2082/frontend/x/index.html and http://209.59.132.186:2082/
I naturally get the same error as in 1 above.
Kjell Bleivik
http://www.multifinanceit.com/
|
||||
|
I see both fine.
Have you tried running a traceroute and/or ping to the host? It won't give you a lot of information, but if your host is blocking your IP, your requests will be blocked and they'll time out. Traceroutes will give you more info than pings will, though.
If you did have a DDoS attack, your host may have blocked all traffic from a certain IP block within which you are contained. So if your IP is 1.2.3.4 and your host has 1.2.3.0-1.2.3.255 blocked, you're in that group even though you're an innocent victim. Since DDoS attacks occur from multiple machines, this is a possibility as well.
At this point, it's pretty well a given that the problem isn't with your host, since all of us can see it. The bad thing about that is then it becomes a much deeper issue.
__________________
Toronto Web Design | Search Engine Friendly, Standards-Compliant Layouts | Walk on my Path (my blog) |
|
||||
|
Yes it is not easy.
I have not done a ping and / or a traceroute. I have never done a traceroute in XP. Do you have to do it in a DOS sub task in a similar way to a ping?
Yes it is very curious:
1. I have no problems with other sites.
2. It happened when the hoster had a DDoS attack on their server.
3. Yes, a region, or what you call it in English, of IP addresses may have been blocked.
My internet provider is quite silent. It must be possible for them to monitor and test the connection.
Nevertheless, thank you all very much so far for your patience.
Kjell Bleivik
http://www.multifinanceit.com/
|
||||
|
The internet provider has not yet responded to the message I sent them (verified received) July 9th.
My hoster sent the following message (translated to English by me):
"Have you checked with your ISP if their router has had blocking of IP or other IP problems?"
How long a response time do you in other countries require from your ISP?
I found this "IP Address Watcher" http://www.cleanercode.com/ipchange/ application on the internet. Have any of you tried it or know of a better program? I have a dynamic IP address.
Kjell Bleivik
|
||||
|
I would be seriously considering getting an account with a different ISP - almost a week with no response to a support question is unacceptable.
__________________
Psychology Mental Health & Self-Help Forum Online Counseling & Therapy | Mental Health Directory |
|
||||
|
The following commands:
Start + run + tracert www.multifinansit.no
and
Start + run + tracert www.dinnettbutikk.no
?
Start + run + ping www.multifinansit.no
Request broken on the ping part.
Sent result of the tracert to my ISP. Await their reply.
Unnecessary with the ping as you said, since it is a subset of the above?
Kjell Bleivik
http://www.multifinanceit.com/
|
||||
|
The IP addresses of
MultiFinansIT.no: 209.59.132.186
ISP: 80.202.128.1
My IP (dynamic after router turned off for some time. Not done to find out): 80.202.128.144
Excellent tools:
http://moensted.dk/spam/
http://www.completewhois.com/traceroute.htm
Additional links here: http://multifinanceit.com/it/security/security.htm
And worst of all, I found a large Norwegian power supply company on the Spamhaus Block List http://www.spamhaus.org/sbl/index.lasso
Interesting problem this.
Question: Is it a criminal action to block the IP to my site MultiFinansIT.no and DinNettButikk.no?
Kjell Bleivik
http://www.multifinanceit.com/
|
||||
|
Quote:
__________________
Toronto Web Design | Search Engine Friendly, Standards-Compliant Layouts | Walk on my Path (my blog) |
|
||||
|
Result of Start + Run + tracert run yesterday:

Sporer rute til multifinansit.no [209.59.132.186]
over maksimalt 30 hopp:
  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2    16 ms    17 ms    17 ms  1.80-202-128.nextgentel.com [80.202.128.1]
  3    18 ms    17 ms    17 ms  217-13-19-161.dd.nextgentel.com [217.13.19.161]
  4    18 ms    17 ms    17 ms  217-13-1-173.dd.nextgentel.com [217.13.1.173]
  5    19 ms    19 ms    19 ms  217-13-1-213.dd.nextgentel.com [217.13.1.213]
  6    19 ms    19 ms    19 ms  217-13-0-62.dd.nextgentel.com [217.13.0.62]
  7    18 ms    19 ms    17 ms  217-13-6-197.dd.nextgentel.com [217.13.6.197]
  8    19 ms    19 ms    19 ms  ge0-3-0-103.ar1.OSL1.gblx.net [208.51.41.57]
  9   131 ms   129 ms   130 ms  so6-0-0-2488M.ar2.NYC1.gblx.net [67.17.64.158]
 10   131 ms   129 ms   129 ms  POS1-0.BR3.NYC8.ALTER.NET [204.255.168.133]
 11   130 ms   129 ms   129 ms  0.so-6-2-0.XL2.NYC8.ALTER.NET [152.63.21.126]
 12   155 ms   154 ms   154 ms  0.so-7-0-0.XL2.CHI2.ALTER.NET [152.63.68.90]
 13   153 ms   154 ms   154 ms  POS7-0.GW7.CHI2.ALTER.NET [152.63.67.185]
 14   164 ms   162 ms   162 ms  liquidwebOC12-gw.customer.alter.net [65.207.234.198]
 15   186 ms   204 ms   232 ms  lw-core1-ge2.liquidweb.com [209.59.157.30]
 16   163 ms   162 ms   162 ms  lw-dist2-ge1.liquidweb.com [209.59.157.6]
 17     *        *        *     Forespørsel avbrutt.

Sporer rute til dinnettbutikk.no [209.59.132.186]
over maksimalt 30 hopp:
  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2    17 ms    17 ms    17 ms  1.80-202-128.nextgentel.com [80.202.128.1]
  3    17 ms    17 ms    17 ms  217-13-19-161.dd.nextgentel.com [217.13.19.161]
  4    18 ms    17 ms    19 ms  217-13-1-173.dd.nextgentel.com [217.13.1.173]
  5    18 ms    19 ms    19 ms  217-13-1-213.dd.nextgentel.com [217.13.1.213]
  6    19 ms    19 ms    19 ms  217-13-0-62.dd.nextgentel.com [217.13.0.62]
  7    18 ms    17 ms    19 ms  217-13-6-197.dd.nextgentel.com [217.13.6.197]
  8    18 ms    19 ms    19 ms  ge0-3-0-103.ar1.OSL1.gblx.net [208.51.41.57]
  9   129 ms   129 ms   129 ms  so6-0-0-2488M.ar2.NYC1.gblx.net [67.17.64.158]
 10   129 ms   129 ms   129 ms  POS1-0.BR3.NYC8.ALTER.NET [204.255.168.133]
 11   129 ms   129 ms   129 ms  0.so-6-2-0.XL2.NYC8.ALTER.NET [152.63.21.126]
 12   155 ms   154 ms   154 ms  0.so-7-0-0.XL2.CHI2.ALTER.NET [152.63.68.90]
 13   155 ms   154 ms   154 ms  POS7-0.GW7.CHI2.ALTER.NET [152.63.67.185]
 14   161 ms   162 ms   162 ms  liquidwebOC12-gw.customer.alter.net [65.207.234.198]
 15   161 ms   162 ms   162 ms  lw-core1-ge2.liquidweb.com [209.59.157.30]
 16   163 ms   162 ms   162 ms  lw-dist2-ge1.liquidweb.com [209.59.157.6]
 17     *        *        *     Forespørsel avbrutt.

*****************************************************************************
Using this tool today: http://www.completewhois.com/traceroute.htm

Traceroute from completewhois.com (AS13620) to 209.59.132.186
 1  vlan001-ether0.core0-lrw.santaclara.ip.elan.net (216.151.192.254)  1.012 ms  1.990 ms  0.844 ms
 2  elan-0.t36012.ussnfc2-bsn.savvis.net (209.144.160.89)  11.515 ms  7.083 ms  6.940 ms
 3  kar2-at-2-0-0-990.SanFranciscosfo.savvis.net (206.24.209.133)  7.020 ms  7.106 ms  7.100 ms
 4  dcr1-ge-1-3-1.SanFranciscosfo.savvis.net (206.24.211.13)  7.179 ms  7.858 ms  7.577 ms
 5  dcr2-so-0-0-0.Denver.savvis.net (204.70.192.113)  50.820 ms  50.576 ms  50.766 ms
 6  dcr1-so-7-0-0.Chicago.savvis.net (204.70.192.134)  73.838 ms  74.299 ms  112.376 ms
 7  acr1-so-0-0-0.Chicago.savvis.net (208.172.3.54)  75.977 ms  dcr2-so-5-0-0.Chicago.savvis.net (204.70.192.46)  88.990 ms  acr1-so-0-0-0.Chicago.savvis.net (208.172.3.54)  92.032 ms
 8  acr1-so-1-0-0.Chicago.savvis.net (208.172.3.78)  74.040 ms  liquid-web-inc.Chicago.savvis.net (208.172.3.174)  87.312 ms  acr1-so-1-0-0.Chicago.savvis.net (208.172.3.78)  73.943 ms
 9  lw-core2-ge4.liquidweb.com (209.59.157.26)  103.474 ms  164.603 ms  liquid-web-inc.Chicago.savvis.net (208.172.3.174)  99.725 ms
10  lw-dist2-ge2.liquidweb.com (209.59.157.18)  82.845 ms  lw-core2-ge4.liquidweb.com (209.59.157.26)  85.981 ms  84.571 ms
11  * lw-dist2-ge2.liquidweb.com (209.59.157.18)  92.728 ms *
12  * * *
13  * * *
14  * * *
15  * * *

But this http://moensted.dk/spam/ gives some negative results for Hostean.net
Various whois lookups, e.g. http://www.completewhois.com/ + IP address 209.59.132.186, bring me from Norway to the USA.
Kjell Bleivik
|
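Added example, not part of the original thread: a small parser for the two kinds of trace posted above (Windows tracert and Unix-style traceroute) that finds the last hop that answered from each vantage point and compares them. The hop lines are abridged from the posts; the function names and verdict labels are assumptions made for this illustration.

```python
import re

# Hop lines taken from the two traces posted above, abridged to the last hops.
TRACE_NORWAY = """\
 15 186 ms 204 ms 232 ms lw-core1-ge2.liquidweb.com [209.59.157.30]
 16 163 ms 162 ms 162 ms lw-dist2-ge1.liquidweb.com [209.59.157.6]
 17 * * * Forespørsel avbrutt.
"""
TRACE_COMPLETEWHOIS = """\
 10 lw-dist2-ge2.liquidweb.com (209.59.157.18) 82.845 ms
 11 * lw-dist2-ge2.liquidweb.com (209.59.157.18) 92.728 ms *
 12 * * *
 13 * * *
"""
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
# A responder is "hostname [ip]" (Windows tracert) or "hostname (ip)" (Unix).
ADDR = re.compile(r"([\w.-]+)\s+[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def parse_trace(text):
    """Return [(hop, [(host, ip), ...])]; an empty list means no reply.
    Only addresses are matched, so localized timeout text does not matter."""
    return [(int(m.group(1)), ADDR.findall(m.group(2)))
            for m in map(HOP.match, text.splitlines()) if m]

def last_responder(hops):
    """Last hop that answered, plus the count of silent hops after it."""
    answered = [(n, r) for n, r in hops if r]
    if not answered:
        return None
    n, responders = answered[-1]
    host, ip = responders[-1]
    return {"hop": n, "host": host, "ip": ip,
            "silent_after": sum(1 for k, r in hops if k > n and not r)}

def compare(target_ip, traces):
    """Classify traces to one target taken from several vantage points."""
    last = {name: last_responder(parse_trace(t)) for name, t in traces.items()}
    reached = {name for name, r in last.items() if r and r["ip"] == target_ip}
    if len(reached) == len(traces):
        return "reachable"
    if reached:
        return "source-dependent"   # some sources get through, others do not
    nets = {".".join(r["host"].lower().split(".")[-2:]) for r in last.values() if r}
    # Every source stops in the same network: probes are dropped there for
    # everyone, so the traces alone do not show a block on one client address.
    return "same-edge:" + nets.pop() if len(nets) == 1 else "inconclusive"

if __name__ == "__main__":
    print(compare("209.59.132.186", {"norway": TRACE_NORWAY,
                                     "completewhois": TRACE_COMPLETEWHOIS}))
```

Both posted traces stop answering after the liquidweb.com distribution router, so a per-address block has to be confirmed another way, for example by the host checking its own filter rules for the client's address.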
||||
|
IP: 80.202.128.144
http://njabl.org/lookup.html
Here is the result of your query:
80.202.128.144 is listed in dynablock.njabl.org.
80.202.128.144 resolves to 144.80-202-128.nextgentel.com
http://www.completewhois.org/cgi-bin...80.202.128.144
Red flag: dnsbl.sorbs.net
Database lookup at SORBS:
An Error Occured Processing Your Request
Sorry your query for [80.202.128.144] cannot be performed at this time.
Reason: No Cookie Set
Explanation: To stop abuse this page requires you to have logged in and a cookie set to proceed. To get a cookie you will need to register and login. If you don't want to register you can use the SORBS Support System
**************************************************************************
This is open communication.
Kjell Bleivik
http://www.multifinanceit.com/
|
||||
|
But that should not be related to my ability to load the two sites.
|
|
||||
|
C:\>ipconfig /all

Windows IP-konfigurasjon

   Vertsnavn . . . . . . . . . . . : privat-wkwakua1
   Primær DNS-suffiks . . . . . . . :
   Nodetype . . . . . . . . . . . . : Ukjent
   IP-ruting aktivert . . . . . . . : Nei
   WINS Proxy aktivert. . . . . . . : Nei

Ethernet-kort Lokal tilkobling 2:

   Tilkoblingsspesifikt DNS-suffiks :
   Beskrivelse . . . . . . . . . . : Accton EN1207D-TX PCI Fast Ethernet-kort
   Fysisk adresse . . . . . . . . . : 00-30-F1-34-AD-A2
   DHCP aktivert. . . . . . . . . . : Ja
   Automatisk konfigurasjon aktivert: Ja
   IP-adresse . . . . . . . . . . . : 10.0.0.2
   Nettverksmaske . . . . . . . . . : 255.255.255.0
   Standard gateway . . . . . . . . : 10.0.0.1
   DHCP-server. . . . . . . . . . . : 10.0.0.1
   DNS-servere. . . . . . . . . . . : 217.13.4.24
                                      217.13.7.140
   Leasingavtale mottatt. . . . . . : 23. juli 2005 19:41:17
   Leasingavtale utgår. . . . . . . : 24. juli 2005 07:41:17

C:\>

There is an internal and an external IP address. As far as I know "the request to load a site" comes from the external.
KBleivik
http://www.multifinanceit.com/
WebProWorld is an iEntry, Inc. ® site - © 2009 All Rights Reserved Privacy Policy and Legal iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509 |