Earlier today, for a couple of hours (maybe more), 3Cx.org was hit by a highly
unsophisticated DoS (Denial of Service) attack. I was browsing the web and noticed things were VERY slow (slower than a modem connection!). At first I thought nothing of it, but 5 minutes into my browsing session, I started to wonder what the heck was going on. I ssh'ed over to the firewall and checked snort's alert logs for anything interesting... nothing. Next, I ran a sniffer on the WAN interface. I saw only http traffic... but it was A LOT of http traffic. Hmmm...
I felt pretty confident that I was secure. My webserver was still running and seemed healthy (hardly any load). I reviewed apache's logs, but found nothing of interest (or at least I thought at the time... I AM a moron!). I'm not running a vulnerable version of apache, but I did double-check apache.org and Bugtraq just to make sure. Hmmm...
Killed httpd, started a packet capture on the firewall, and restarted httpd. Boom. 20+ connections immediately sprang to life... from all over as far as I could tell (DDoS... ummm... no.). Killed the capture and reviewed what I got. By examining the payloads of the first data packets of each unique connection, I realized what this "DoS" was... it's a new exploit called "Mike is an idiot and google rocks!". Yeah...
There exists a little file repository at files.a-and-m.net (another domain running on this box - for those that don't know) which is normally password protected. I use it to store things I may need when on the road or at work and to share stuff with friends. Well, I screwed up and removed the password protection!! I was reorganizing my server a couple of days ago and failed to enable authentication in the new directory. And then the googlebot hit me.
The googlebot visited files.a-and-m.net and added info for the entire repository to its database, including listings for my collection of two groups of highly sought after media files: season 1 and what's been released of season 2 of Enterprise and what's been released of season 1 of Firefly. Nearly all svcd quality!
More than 20 people were using wget to suck me dry! They were all downloading different episodes of Enterprise or Firefly! It appears most, if not all, found them via google (checked the referrers in my httpd logs). One guy/girl found me like this: go to Google and search for "enterprise s02e03 minefield" (an episode of Enterprise)... notice the first result. OUCH! I promptly enabled authentication on files.a-and-m.net and the "DoS" was over.
If I had read my httpd logs a little more carefully the first time, I would have noticed that all the open connections were to Enterprise/Firefly episodes. In my own defence, I wasn't really looking AT the URLs as I was looking for strange things IN the URLs (if that makes any sense). Regardless, I got a good laugh out of this. I find it pretty amazing that Google, in a matter of days, had my site indexed and helped kill me. They rock and I don't!
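The two things the httpd logs would have shown straight away were many distinct clients pulling the same few large files, and a crawler fetching a directory listing a few days earlier. The following is an added example (not the author's code) that pulls both patterns out of Apache combined-format log lines; the log lines, paths and TEST-NET addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache "combined" log format: ip ident user [time] "request" status size "referrer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (TEST-NET addresses, made-up paths), not real logs.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Oct/2002:03:12:00 -0500] "GET /tv/ HTTP/1.0" 200 8123 "-" "Googlebot/2.1"
192.0.2.10 - - [03/Oct/2002:14:01:02 -0500] "GET /tv/enterprise/s02e03.mpg HTTP/1.1" 200 734003200 "http://www.google.com/search?q=enterprise+s02e03+minefield" "Wget/1.8.2"
192.0.2.11 - - [03/Oct/2002:14:01:07 -0500] "GET /tv/enterprise/s02e03.mpg HTTP/1.1" 200 734003200 "http://www.google.com/search?q=enterprise+minefield" "Wget/1.8.2"
192.0.2.12 - - [03/Oct/2002:14:01:12 -0500] "GET /tv/firefly/s01e01.mpg HTTP/1.1" 200 733212000 "http://www.google.com/search?q=firefly+svcd" "Wget/1.8.2"
192.0.2.13 - - [03/Oct/2002:14:01:30 -0500] "GET /index.html HTTP/1.1" 200 1420 "-" "Mozilla/4.0"
"""

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def hot_paths(records, min_clients=2):
    """Paths fetched by at least min_clients distinct IPs, with the referrer hosts
    that sent them. Many clients on the same large file, all arriving from a
    search engine, is the pattern that hides when you only scan URLs for oddities."""
    clients, referrers = defaultdict(set), defaultdict(set)
    for r in records:
        clients[r["path"]].add(r["ip"])
        host = urlparse(r["referrer"]).netloc   # "-" (no referrer) gives ""
        if host:
            referrers[r["path"]].add(host)
    return {p: (len(ips), sorted(referrers[p]))
            for p, ips in clients.items() if len(ips) >= min_clients}

def crawler_listings(records):
    """Directory listings (paths ending in '/') fetched by a crawler user agent:
    the moment an unprotected directory gets handed to a search index."""
    return sorted({r["path"] for r in records
                   if r["path"].endswith("/") and "bot" in r["ua"].lower()})

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(hot_paths(recs))         # {'/tv/enterprise/s02e03.mpg': (2, ['www.google.com'])}
    print(crawler_listings(recs))  # ['/tv/']
```

Against a real access_log, replace SAMPLE_LOG with the file contents and raise min_clients to whatever is unusual for the site.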