11 October 2005
Once again I have seen another failed DOS attack against the firstaidquiz.com website. This occured at approximately 2pm today.
The attempt took the form of a large number of logins at the same time. This was from someone using various names including "Nick", "Bob Marley" and "Some randome[sic] crack head". I believe these to be made up names, but perhaps the latter being closer to the truth.
The logins originated from the IP address 184.108.40.206. As I've seen similar things in the past I had already incorporated some anti-DOS code into the Quiz engine. Details of the previous attempts are on my blog:
This DOS code detected the attack attempt, prevented the attacker from using/abusing the quiz and alerted me to the attack attempt. This time I was alerted to the attack whilst it was still in progress and I have locked the attacker out of the server. This may appear to the user that they have succeeded in taking the website down whereas in reality it is still up and working correctly, but that one IP address is blocked.
The quiz itself is able to minimise the impact of the attack and prevent it overloading the Database connections, but it still used some resources of the website, whereas blocking the user completely would reduce the impact even further. As my webserver doesn't not have much redundancy in processing power and resources dropping the IP address completely reduced the load further.
The technique that I used on this occassion was to re-route the traffic for that IP address down an incorrect interface. The command is as follows:
route add -host 220.127.116.11 gateway 10.0.0.1
as the 10 network doesn't have any external routing then the packets will be discarded.
It would have also been possible to add the host to the firewall running on the server to block the attacker that way.
It is possible to incorporate this functionality as an extension to the current DOS code, but I'm hoping to include some more functionality in the quiz so it's unlikely to make the next version (0.3.0).
As an aside there is one security feature that I do hope to improve on in the next version which is the handling of special characters in a person's name. At the moment the quiz will reject any login attempts where special characters are used in the name (ie. it currently only allows a to z, spaces and numbers). This is the simplest and perhaps most secure as it prevents any special characters that could trick the program code, but it does mean that some people are being rejected when they are trying to use ampersands (ie. two people doing the quiz together); accented characters or apostrophes.
For more details about the current project see PenguinTutor web quiz project page