Fairfax Underground was taken offline yesterday by a 100+Gbps DDoS attack from 100,000+ hosts. My ISP (rightfully) blackholed the attacked IP with their upstream providers to prevent impact to other customers in their AS.
Fairfax Underground has since transitioned to a new netblock and migrated to CloudFlare for some DDoS protection, which should also help guard against spambots.
At first I thought this was a hired DDoS from one of our many detractors, but upon closer inspection this was a ransom attempt.
At 8:11am, shortly after the first volley, I received the following email (some headers clipped):
-- BEGIN RANSOM EMAIL --
From: Viktor Haussmanian [email@example.com]
Subject: read following carefully, it is about your website
Date: Thu, 20 Apr 2017 15:11:35 +0300
Your website (fairfaxunderground.com) will be attacked unless you pay protection fee
we have already done successful test attack on your site
How to prevent?:
You pay us protection fee in bitcoin (150 USD)
(0.13 -> 1CierFSphq6G22t5tiRHm1Cx3qrAoW624w)
or you pay hundred USD+ in protection
Our attack is >100gbps
you do not have to reply. pay fee and we will not attack your website ever.
but if you do not pay, attack starts soon.
-- END RANSOM EMAIL --
This email was filtered to spam and went unnoticed until I received a phone call at 12:46am this morning from +7-499-586-03-97 (Moscow). The 3-minute call consisted of a man with a moderately heavy Russian accent telling me to "check my email" and that "I must send bitcoin". Finding the situation hilarious, I laughed in his face, explained that the website creates no revenue, that I didn't particularly care that it was down, that his DDoS was lazy and ineffective (it was almost all UDP traffic to port 80, easily filterable and with no attempted amplification), that I'd be migrating to CloudFlare shortly, and that his attack was a waste of a botnet.
Some banter ensued with the attacker saying "oh Cloudflare you are leet haxor" and me rattling off "cyka blyat" and a few other Russian phrases that came to mind.
All in all it was a hilarious experience, and as always in the interest of full disclosure I felt compelled to share exactly what transpired.
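The filterability point made above (a web server speaks HTTP/HTTPS over TCP, so UDP aimed at port 80 has no legitimate sender and can be dropped without touching real traffic) as a worked example. This is added here and is not code from the original post or from the ISP; the server address and the flow records are constructed documentation-range values, and the nftables rule it prints is a generic rendering of the filter, not anyone's actual configuration.

```python
"""Added example: classify constructed flow records against a
'drop UDP to TCP-only service ports on the web server' rule."""
from dataclasses import dataclass

WEB_SERVER = "203.0.113.10"   # assumed documentation-range address, not the site's real IP

# Ports this server legitimately serves, and only over TCP.
TCP_ONLY_SERVICES = {80, 443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse a 'src dst proto dport bytes' whitespace-separated record."""
    src, dst, proto, dport, nbytes = line.split()
    return Flow(src, dst, proto.lower(), int(dport), int(nbytes))


def should_drop(flow: Flow) -> bool:
    """True for UDP sent to a TCP-only service port on the web server.
    Other UDP (e.g. DNS replies to ephemeral ports) is left alone."""
    return (flow.dst == WEB_SERVER
            and flow.proto == "udp"
            and flow.dport in TCP_ONLY_SERVICES)


def summarize(lines):
    """Return (dropped_bytes, kept_bytes, distinct_attack_sources)."""
    dropped = kept = 0
    sources = set()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        if should_drop(f):
            dropped += f.nbytes
            sources.add(f.src)
        else:
            kept += f.nbytes
    return dropped, kept, len(sources)


def nft_rule(server=WEB_SERVER, ports=TCP_ONLY_SERVICES) -> str:
    """Illustrative nftables rule expressing the same filter at an edge router."""
    plist = ",".join(str(p) for p in sorted(ports))
    return f"ip daddr {server} udp dport {{ {plist} }} drop"


# Constructed sample flows (not captured traffic): src dst proto dport bytes
SAMPLE = """\
# three flood sources hitting UDP/80, plus legitimate traffic
198.51.100.7 203.0.113.10 udp 80 1400
198.51.100.8 203.0.113.10 udp 80 1400
192.0.2.44 203.0.113.10 udp 80 1400
192.0.2.45 203.0.113.10 tcp 80 620
192.0.2.46 203.0.113.10 tcp 443 980
203.0.113.10 198.51.100.53 udp 53 72
198.51.100.53 203.0.113.10 udp 40123 120
"""

if __name__ == "__main__":
    dropped, kept, n_src = summarize(SAMPLE.splitlines())
    print(f"dropped {dropped} bytes from {n_src} sources, kept {kept} bytes")
    print("edge rule:", nft_rule())
```

The rule is deliberately narrow: it matches only what was observed here (UDP to the HTTP port) and would do nothing against a TCP SYN flood or an HTTP-layer flood, which is the kind of traffic a CDN front end is better placed to absorb.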
I used the downtime to upgrade Debian/Apache/MySQL among other cleanup activities. With these changes and the migration to CloudFlare not all features may function correctly. Please report anything broken to firstname.lastname@example.org
With the DNS/subnet change and relatively long TTL, Fairfax Underground may continue to be unavailable from some ISPs until the old IP expires from your DNS server's cache. Cox in particular always seems to hold onto IPs longer than the TTL specifies.
The DDoS was mostly from European (Swiss/Italian/etc.) broadband providers, indicating a virus-borne botnet. I'm collecting logs from my ISP and will be making reports to each and every network abuse contact.
Further downtime is not expected.
- Cary (the admin)