jpatokal / openflights

Website for storing flight information, rendering paths on a zoomable world map and calculating statistics, with plenty of free airline, airport and route data.
http://openflights.org
GNU Affero General Public License v3.0

High latency, extortionist claiming SQL injection vulnerability #1475

Closed jpatokal closed 2 weeks ago

jpatokal commented 2 weeks ago

Openflights was reporting high latency earlier today, and I received this extortion attempt:

Hello Sir, I'm John. We've identified your site's vulnerability. I have detected a sql injection vulnerability. I can provide you with a detailed report and tell you where the vulnerability is.

https://openflights.org/ check your site down. If you care about your customers, I will provide you with the solution and why the problem is, welcome to contact.

After paying $5000 to the USDT/TRC20 account, I will send my solution file and all the problems caused. My team has stopped all traffic to your site now, thanks to this vulnerability.

https://t.me/johnweb My Telegram. johnbogh***@gmail.com My Mail.

(I've censored the addresses because there's no point in contacting this scum.)

I have no evidence this was an actual SQL injection, which we should be reasonably well protected against at this point, so AFAICT this was more likely a DDoS attack. The website is operating normally at this time and there's no sign of database compromise. I'll investigate more tonight.
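The triage described above, separating "did someone actually probe for SQL injection" from "is this just a flood against one path", comes down to two questions over the access log: how many distinct source addresses hit each path, and do any query strings carry injection indicators. The script below is an added example, not code from the OpenFlights repository or from the issue author; its log format (Apache/nginx combined), its thresholds and the log lines it feeds itself are all constructed for illustration, using TEST-NET addresses rather than real traffic.

```python
"""
Access-log triage: volumetric flood on one path vs. SQL injection probing.

Added example; not part of the OpenFlights code base. The log format,
thresholds and every log line here are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" log line (assumed format, not the project's own):
# ip ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Crude SQLi indicators in a URL-decoded query string. Good enough for
# "was anyone even trying", far too noisy to use as a blocking rule.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b\s+(all\s+)?\bselect\b|\bsleep\(|\bbenchmark\(|"
    r"'\s*or\s+'?\d|--\s|/\*.*\*/|\bwaitfor\s+delay\b)"
)


def parse(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, ddos_ip_threshold=100):
    """Summarise hits and distinct IPs per path; flag floods and SQLi probes."""
    per_path_ips = defaultdict(set)
    per_path_hits = Counter()
    sqli_hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path, _, query = rec["path"].partition("?")
        per_path_hits[path] += 1
        per_path_ips[path].add(rec["ip"])
        if query and SQLI_RE.search(unquote_plus(query)):
            sqli_hits.append((rec["ip"], rec["path"]))
    summary = {
        p: {"hits": per_path_hits[p], "distinct_ips": len(per_path_ips[p])}
        for p in per_path_hits
    }
    # A path hammered from many distinct sources is the DDoS signature;
    # a single busy IP is a scraper or a misbehaving client, not a botnet.
    ddos_paths = [p for p, s in summary.items() if s["distinct_ips"] >= ddos_ip_threshold]
    return {"paths": summary, "ddos_paths": ddos_paths, "sqli_hits": sqli_hits}


def build_ddos_sample():
    """Constructed log: 150 distinct TEST-NET IPs hitting "/" three times each,
    plus two ordinary requests to another page from one real-looking visitor."""
    ips = [f"198.51.100.{i}" for i in range(1, 126)] + [f"203.0.113.{i}" for i in range(1, 26)]
    stamp = "[01/Jan/2024:00:00:00 +0000]"
    lines = [f'{ip} - - {stamp} "GET / HTTP/1.1" 200 5120' for ip in ips for _ in range(3)]
    lines.append(f'192.0.2.5 - - {stamp} "GET /airport/123 HTTP/1.1" 200 8192')
    lines.append(f'192.0.2.5 - - {stamp} "GET /search.php?q=Helsinki HTTP/1.1" 200 2048')
    return lines


# Constructed contrast sample: one classic tautology probe, one benign search.
PROBE_SAMPLE = [
    '192.0.2.7 - - [01/Jan/2024:00:00:00 +0000] "GET /search.php?q=%27+OR+1%3D1--+ HTTP/1.1" 200 512',
    '192.0.2.8 - - [01/Jan/2024:00:00:01 +0000] "GET /search.php?q=Helsinki HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    flood = triage(build_ddos_sample())
    print("flood sample:", flood["ddos_paths"], flood["sqli_hits"])
    probe = triage(PROBE_SAMPLE)
    print("probe sample:", probe["ddos_paths"], probe["sqli_hits"])
```

On the flood sample the only path over the distinct-IP threshold is `/` and no query string trips the SQLi check, which is the pattern the issue ends up describing; on the contrast sample the opposite holds. Run it against a real log by feeding `triage()` an open file object instead of the constructed lists, and treat the SQLi regex as a starting point for a grep, not as evidence on its own.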

jpatokal commented 2 weeks ago

Investigation confirmed that the "SQL injection" line was bullshit, this was just a garden-variety DDoS targeting only the home page. Cloudflare absorbed >99% of it, but there was enough hammering away from >10k IPs to cause some pretty serious load on the DB server (below).

[image: DB server load graph]

If this becomes a recurring problem it might be worth investing in caching the front page DB requests better, but for now it looks like they've crawled back under the rock they came from.
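The mitigation floated above, caching the front page's database queries so a flood of home-page hits stops reaching the DB, has one trap worth handling: when the cached value expires under load, every concurrent request misses at once and all of them run the expensive query (a cache stampede), which is exactly the moment the DB is least able to cope. The example below is added here and is not OpenFlights code (the site itself is PHP; this is a language-neutral pattern shown in Python): a TTL cache where concurrent misses share a single recompute, driven against a stand-in "database" that just counts how many times the aggregate query actually ran. The stats query, the numbers it returns and the request counts are all made up for the demonstration.

```python
"""
Single-flight TTL cache for an expensive front-page query.

Added example, not part of the OpenFlights code base. FakeStatsDB and its
numbers are stand-ins so the demo runs offline and counts real query executions.
"""
import threading
import time


class SingleFlightCache:
    """Cache one value for ttl_seconds; concurrent misses share one recompute."""

    def __init__(self, compute, ttl_seconds):
        self._compute = compute
        self._ttl = ttl_seconds
        self._lock = threading.Lock()
        self._value = None
        self._expires_at = 0.0

    def get(self):
        if time.monotonic() < self._expires_at:
            return self._value  # fast path: fresh value, no lock taken
        with self._lock:
            # Another thread may have refilled the cache while we waited on
            # the lock; re-check so only the first miss pays for the query.
            if time.monotonic() < self._expires_at:
                return self._value
            self._value = self._compute()
            self._expires_at = time.monotonic() + self._ttl
            return self._value


class FakeStatsDB:
    """Stand-in for the DB: records how often the aggregate query executes."""

    def __init__(self):
        self.queries = 0
        self._lock = threading.Lock()

    def front_page_stats(self):
        with self._lock:
            self.queries += 1
        time.sleep(0.02)  # simulate a slow COUNT/GROUP BY over the flights table
        return {"flights": 1234, "airports": 567}  # constructed figures


def simulate(n_requests=300, cached=True, ttl=5.0):
    """Fire n_requests concurrent home-page requests; return DB query count."""
    db = FakeStatsDB()
    fetch = SingleFlightCache(db.front_page_stats, ttl).get if cached else db.front_page_stats
    threads = [threading.Thread(target=fetch) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return db.queries


def expiry_demo(ttl=0.05):
    """Show the cache does refresh: two reads straddling the TTL cost two queries."""
    db = FakeStatsDB()
    cache = SingleFlightCache(db.front_page_stats, ttl)
    cache.get()
    cache.get()            # still fresh, served from cache
    time.sleep(ttl * 2)    # let it expire
    cache.get()            # miss, recompute
    return db.queries


if __name__ == "__main__":
    print("uncached, 300 concurrent requests -> queries:", simulate(cached=False))
    print("cached,   300 concurrent requests -> queries:", simulate(cached=True))
    print("queries across an expiry:", expiry_demo())
```

Uncached, every one of the concurrent requests runs the query; with the single-flight cache the whole burst costs one. The fast path deliberately avoids the lock so the cache itself does not become the bottleneck under a flood; the lock only serialises the rare miss, and the re-check inside it is what prevents the stampede. The same shape works for a Cloudflare page rule or reverse-proxy cache in front of the home page, with the difference that those also keep the request from reaching the web tier at all.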