muirglacier / bridge-ui

MIT License

IP Addresses from DDOS attack #75

Open muirglacier opened 1 year ago

muirglacier commented 1 year ago

For all those of you who are pissed off by the Bridge being inoperable for the last three days, thank this guy :-) He is renting from Hetzner! Must be a powerful entity, as he was using quite expensive servers (and also quite many) just to get the Bridge down. DDOS is mitigated now, and all firewall configurations + rate limiter are now resilient to these types of attacks!

Bridge is stronger than ever, and this dude is now stuck with a monthly contract for a lot of servers looooool.

11:51:19.053951 IP static.22.138.75.5.clients.your-server.de.42724 > ip-172-31-38-65.ap-southeast-1.compute.internal.http-alt: Flags [S], seq 1653601116, win 64240, options [mss 1460,sackOK,TS val 465391520 ecr 0,nop,wscale 7], length 0
11:51:19.053951 IP static.22.138.75.5.clients.your-server.de.42626 > ip-172-31-38-65.ap-southeast-1.compute.internal.http-alt: Flags [S], seq 4213951112, win 64240, options [mss 1460,sackOK,TS val 465391520 ecr 0,nop,wscale 7], length 0
11:51:19.053951 IP static.22.138.75.5.clients.your-server.de.42068 > ip-172-31-38-65.ap-southeast-1.compute.internal.http-alt: Flags [S], seq 1832053862, win 64240, options [mss 1460,sackOK,TS val 465391520 ecr 0,nop,wscale 7], length 0

and this one

11:32:16.580291 IP static.148.195.34.188.clients.your-server.de.41456 > ip-172-31-38-65.ap-southeast-1.compute.internal.http-alt: Flags [R], seq 2574659577, win 0, length 0

and this one

11:32:16.579918 IP static.247.239.90.157.clients.your-server.de.45902 > ip-172-31-38-65.ap-southeast-1.compute.internal.http-alt: Flags [R], seq 1792540734, win 0, l

and so many more!

Maybe we should alert Hetzner as to the type of their customers.
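As an added example (not part of this issue thread or the bridge-ui project), here is a small parser for tcpdump lines in the format quoted above that counts bare SYNs per source host, the kind of per-source summary a reporter would attach to an abuse complaint. The sample capture, hostnames and threshold are constructed for the example.

```python
import re
from collections import Counter

# One tcpdump line: "HH:MM:SS.uuuuuu IP src.host.port > dst.host.port: Flags [X], ..."
# Greedy \S+ followed by backtracking splits host and port at the last dot.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[^\s.]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^\s.:]+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (TEST-NET addresses, made-up hoster domain).
SAMPLE_CAPTURE = """\
11:51:19.053951 IP static.10.113.0.203.clients.example-hoster.test.42724 > ip-172-31-38-65.ap-southeast-1.compute.internal.http-alt: Flags [S], seq 1653601116, win 64240, length 0
11:51:19.053951 IP static.10.113.0.203.clients.example-hoster.test.42626 > ip-172-31-38-65.ap-southeast-1.compute.internal.http-alt: Flags [S], seq 4213951112, win 64240, length 0
11:51:19.053951 IP static.10.113.0.203.clients.example-hoster.test.42068 > ip-172-31-38-65.ap-southeast-1.compute.internal.http-alt: Flags [S], seq 1832053862, win 64240, length 0
11:51:19.061000 IP static.20.113.0.203.clients.example-hoster.test.50111 > ip-172-31-38-65.ap-southeast-1.compute.internal.http-alt: Flags [S], seq 11111, win 64240, length 0
11:32:16.580291 IP static.30.113.0.203.clients.example-hoster.test.41456 > ip-172-31-38-65.ap-southeast-1.compute.internal.http-alt: Flags [R], seq 2574659577, win 0, length 0
"""


def parse_lines(capture):
    """Yield (timestamp, src_host, dst_port, flags) for every parseable line."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("src"), m.group("dport"), m.group("flags")


def syn_counts_by_source(capture):
    """Count bare SYNs (flags exactly 'S', i.e. no ACK) per source host."""
    counts = Counter()
    for _ts, src, _dport, flags in parse_lines(capture):
        if flags == "S":
            counts[src] += 1
    return counts


def flag_sources(capture, threshold):
    """Sources whose bare-SYN count reaches the threshold, busiest first."""
    counts = syn_counts_by_source(capture)
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for src, n in flag_sources(SAMPLE_CAPTURE, threshold=3):
        print(f"{src}: {n} bare SYNs")
```

On a real capture the threshold would be set relative to the normal connection rate of the service; a single host opening many connections per second with no completed handshakes is the signature worth including in the report.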

GuybrushX commented 1 year ago

I would report it for sure, with a few logs to prove it, so they can investigate the issue internally as well. I guess they will have internal logs about the traffic and can compare them. They should also see quickly whether these were innocent victims of compromised servers or whether someone rented the servers only to cause harm. Nevertheless, they should be taken offline so that something like that is not repeated.