These past couple of days I have noticed a bit of downtime on this website. It is happening daily, and the downtime probably lasts for about 30 minutes. At first I did not care about it, since the attacks don’t last very long, but after investigating further I found that this website is once again being attacked. Upon checking the SecurePort attack logs provided by Staminus, surprisingly there were hardly any attack sources listed. Normally botnet owners require hundreds or thousands of hacked computers to launch a DDoS attack on a website, but surprisingly there were only about 30 of them attacking my server.
I ran a whois on the IPs using DomainTools and found that the IP addresses belonged to webhosting companies such as Softlayer, ThePlanet, LunarPages, LeaseWeb, BlueHost, etc. Instantly, I knew someone that hated this website bought a tool called a “Booter” to launch the attack. A booter is sold at a very cheap price, probably costing from $5 to $50 depending on the length of the subscription. The method used to “boot” off a connection is to send traffic from multiple hacked or rooted servers at once. Since servers have much faster bandwidth than home broadband connections, only a couple of servers combining their bandwidth are needed to bring down a connection.
Using a booter is as simple as A-B-C. Just buy the tool, run it, enter the website URL that you want to attack and click a button. Normally a booter only allows you to hit a connection for a very short period of time, probably 100 to 180 seconds, after which it stops automatically. All you need to do to continue hitting is press the button again. The hard work goes to the person who develops and sells the booter, because they need to constantly add new hacked servers into the pool. If the pool doesn’t contain enough servers, it won’t be powerful enough to boot off connections.
What the person being attacked can do is install a firewall, collect the IP addresses that are attacking the server and report them to the abuse department of the hosting company that owns each address.
Here is my Staminus SecurePort showing the list of IP addresses that attacked my server.
I copied the IP address that is circled in red, went to http://whois.domaintools.com, pasted the IP address in the box and clicked the lookup button. There should be an email address to contact the Abuse department.
Simply write an email to that abuse department asking them to take the necessary action, attaching a screenshot of the firewall log. The webhost or datacenter will normally respond to your request because they are in a business and they don’t want their servers being misused or abused for malicious activities. I got a few replies assuring me that they had identified the issue and handled it accordingly. Although I wasn’t able to report all of the IP addresses, because some of them don’t list an abuse email, I guess it should be good enough to make their server pool smaller.
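The reporting workflow above (pull the attacking addresses out of the firewall log, look up the abuse contact for each, and send one report per hosting company) can be scripted so that a 30-host attack does not mean 30 manual whois lookups. The following Python is an added example written for this page; it is not code from the original post or from Staminus or DomainTools. The firewall log format and the WHOIS responses are constructed samples (RFC 5737 documentation addresses), and the live whois query is replaced by a dictionary lookup so the script runs offline. The hypothetical `whois_lookup` callable is where a real lookup (the registry's whois server or a web lookup such as the one the post uses) would go.

```python
import re
from collections import Counter

# Constructed sample of a firewall drop log. The line format is hypothetical,
# not the post's Staminus SecurePort output; sources are RFC 5737 test addresses.
SAMPLE_FIREWALL_LOG = """\
2010-03-01 14:02:11 DROP src=203.0.113.10 dst=192.0.2.5 proto=TCP dport=80
2010-03-01 14:02:11 DROP src=198.51.100.7 dst=192.0.2.5 proto=TCP dport=80
2010-03-01 14:02:12 DROP src=203.0.113.10 dst=192.0.2.5 proto=TCP dport=80
2010-03-01 14:02:12 DROP src=198.51.100.99 dst=192.0.2.5 proto=TCP dport=80
2010-03-01 14:02:13 DROP src=203.0.113.44 dst=192.0.2.5 proto=TCP dport=80
2010-03-01 14:02:13 DROP src=203.0.113.10 dst=192.0.2.5 proto=TCP dport=80
2010-03-01 14:02:14 DROP src=198.51.100.7 dst=192.0.2.5 proto=TCP dport=80
2010-03-01 14:02:14 DROP src=198.51.100.99 dst=192.0.2.5 proto=TCP dport=80
"""

# Constructed WHOIS responses standing in for a live lookup. Field names mimic the
# ARIN ("OrgAbuseEmail:") and RIPE ("abuse-mailbox:") styles; the last record
# deliberately has no abuse contact, the case the post ran into.
SAMPLE_WHOIS = {
    "203.0.113.10": (
        "NetRange:       203.0.113.0 - 203.0.113.255\n"
        "OrgName:        Example Hosting Inc\n"
        "OrgAbuseEmail:  abuse@hosting.example\n"
    ),
    "198.51.100.7": (
        "inetnum:        198.51.100.0 - 198.51.100.63\n"
        "netname:        EXAMPLE-DC\n"
        "abuse-mailbox:  abuse@dc.example\n"
    ),
    "198.51.100.99": (
        "inetnum:        198.51.100.64 - 198.51.100.127\n"
        "netname:        EXAMPLE-NOCONTACT\n"
    ),
}

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")
# Abuse-contact fields seen in common registry output; matched per line.
ABUSE_RE = re.compile(
    r"^(?:OrgAbuseEmail|abuse-mailbox|abuse-c-email|Abuse contact)\s*:\s*([^\s@]+@[^\s@]+)",
    re.IGNORECASE | re.MULTILINE,
)


def top_sources(log_text, min_hits=2):
    """Count blocked connections per source IP, most active first.

    Addresses below min_hits are dropped so one-off noise is not reported.
    """
    counts = Counter(SRC_RE.findall(log_text))
    return [(ip, n) for ip, n in counts.most_common() if n >= min_hits]


def extract_abuse_email(whois_text):
    """Return the abuse contact from a WHOIS response, or None if it lists none."""
    if not whois_text:
        return None
    m = ABUSE_RE.search(whois_text)
    return m.group(1) if m else None


def render_report(email, victim, entries):
    """Build the text of one abuse email covering every IP under that contact."""
    lines = [
        f"To: {email}",
        f"Subject: Abuse report: DDoS traffic against {victim}",
        "",
        "The following addresses in your network sent flood traffic that our firewall blocked:",
    ]
    lines += [f"  {ip}: {hits} blocked connections" for ip, hits in entries]
    lines += ["", "Firewall log excerpt attached. Please check these hosts for compromise."]
    return "\n".join(lines)


def build_abuse_reports(log_text, whois_lookup, victim="192.0.2.5"):
    """Group attacking IPs by abuse contact.

    whois_lookup(ip) -> WHOIS text (hypothetical hook; a real one would query the
    registry). Returns ({abuse_email: report_text}, [ips with no abuse contact]).
    """
    by_contact = {}
    unreportable = []
    for ip, hits in top_sources(log_text):
        email = extract_abuse_email(whois_lookup(ip))
        if email is None:
            unreportable.append(ip)
            continue
        by_contact.setdefault(email, []).append((ip, hits))
    reports = {e: render_report(e, victim, ents) for e, ents in by_contact.items()}
    return reports, unreportable


if __name__ == "__main__":
    reports, skipped = build_abuse_reports(SAMPLE_FIREWALL_LOG, lambda ip: SAMPLE_WHOIS.get(ip, ""))
    for text in reports.values():
        print(text, end="\n\n")
    print("No abuse contact found for:", ", ".join(skipped))
```

The `min_hits` threshold matters in practice: a single dropped packet from an address is not evidence worth an abuse ticket, whereas the handful of rented servers in a booter pool each show up hundreds of times. Grouping by contact also means one email per hosting company rather than one per IP, which is how abuse desks prefer to receive reports. Addresses whose WHOIS record carries no abuse field end up in the `unreportable` list for manual follow-up, matching what the post describes.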