CCBill was under DDOS attack yesterday

[Simon]

If you noticed signups were down yesterday, it might not have just been a holiday slump. From a message on the CCBill site:


IMPORTANT INFORMATION REGARDING CCBILL PROCESSING
Posted May 30th, 2005 12:21:34, by CCBill Management
This morning, Monday, May 30, 2005 at approximately 6:45 am (Arizona Time) the CCBill network went under a DDOS attack, which directly affected most of our processing systems including our CCBill Sign up pages, our transactional processing, and our System5: Web Admin client reporting and account management.

Our Networks, Security and Product Teams were able to combat this issue, and eventually mitigate this attack. As of 11:10 am (Arizona Time) we returned to processing at a 100% level, and our networks are currently running at normal performance levels.

Please rest assured that we will continue to aggressively monitor this situation, and will notify you immediately of any changes in processing.

If you notice any fluctuations in your CCBill processing over the course of the next day, or if you have any questions or concerns regarding this issue, our Client Support Team is available 24 hours a day, 7 days a week at clientsupport@ccbill.com or Toll-free at 800.510.2859.

Please know that as your billing provider, we truly appreciate your patience during this unfortunate occurrence, and value your business.

Many thanks!

CCBill Management

[GunnCat]

I was wondering what was going on. Looks like sales went back to normal by the end of the day though.

[Qon]

ok, can someone elaborate exactly on what a DDOS attack is? thanks




..

[Cleo]

That explains what was going on with my sales. Their admin is still down for for me this morning.

DamnQ
It stands for Denial Of Service and basically it means that their server was flooded with bogus requests from many different computers to the point that their network was brought down.

[Wazza]

The first D stands for Distributed

|viking|

[Mefo]

still having problems right here, it's going up and down

[rollergirl]

We can't get them today.

[babymaker]

damn, i was wondering why i had only 1 damn sale and almost no clicks, still the same when i just logged in was on richards with new gallery last night and was about to change it before subbmiting elsewhere since the clicks were so unbelievably low, now i know it wasnt me PHEW!

[spanno]

DDOS sucks

[Boogie]

Looks like its still going on. I cant login

[Ramster]

Same, no login here.

[Qon]

Quote:

Originally Posted by Cleo

That explains what was going on with my sales. Their admin is still down for for me this morning.

DamnQ
It stands for Denial Of Service and basically it means that their server was flooded with bogus requests from many different computers to the point that their network was brought down.

thanks... that clarifies a LOT



..

[venturi]

Quote:

Originally Posted by DamnQ

ok, can someone elaborate exactly on what a DDOS attack is? thanks

It stands for Distributed Denial Of Service attack.

Basically, some script kiddie with an attitude grabs a piece of malicious code that has the ability to infect *lots* of innocent computers via unprotected IRC channels, newsgroups, emails and open ports. These infected computers become "war bots" under the control of one or more master computers and collectively launch millions of httpd/tcp requests on the target server literally dragging the web server to it's knees - or even cause it to crash completely.

Here's a couple of articles if you want to learn even more about these malicious biatches...
http://www.grc.com/dos/grcdos.htm
http://www.grc.com/dos/drdos.htm

[Simon]

Things are still slow there it seems. Sometimes we just get a blank page and nothing ever loads. And yes, signups are down.

Three things we've noticed in the last couple of days since we've had time to notice things:

1. Use a bookmark or your own link to go directly to one of these pages instead of entering through any other main page, since those are loading a lot slower (maybe more requests still being sent to those).

For sponsors -- https://webadmin.ccbill.com/
For affiliates -- https://affiliateadmin.ccbill.com/

2. Once inside the sponsor section, the "Quicklinks" seem to work faster, and without hanging, more often than the other links.

3. On the Mac platform, the Firefox browser seems to work fastest at logging in and navigating once inside either section.

[Cleo]

Quote:

Originally Posted by Simon

3. On the Mac platform, the Firefox browser seems to work fastest at logging in and navigating once inside either section.

CCBill has worked correctly with Safari since the 10.3.9 update but it still will not remember the login info so I'm still using Mozilla to check my stats rather then having to type in my login each time.

[Qon]

y exactly does someone do this? i mean, they just choose a mark & BAM!??




..

[tortus32]

Quote:

Originally Posted by Cleo

CCBill has worked correctly with Safari since the 10.3.9 update but it still will not remember the login info so I'm still using Mozilla to check my stats rather then having to type in my login each time.

That's exactly what I'm doing.
Safari doesn't remember much for me.

Plus I just bookmark the webadmin.ccbill.com page. I hate that if you go to the main page, on your way to the log in page every page opens in a new window.

I really like CCBill and I'm glad I went for the $750 to sign up and be Visa approved, but this has never happened with Verotel - lol!

Bill :o)

[Barron]

Quote:

Originally Posted by DamnQ

y exactly does someone do this? i mean, they just choose a mark & BAM!??




..

Yep, thats about the size of it, choose a mark and BAM!!

As for why, most of them do it because they think its funny.

The only way to stop it is to outlaw IRC networks. But, try to get that past a First Admendment Attorney


_

[Useless]

They're claiming that it's a DDOS attack, but really it's just my sales rolling in and placing heavy burden on their servers. I'm a marketing genius, ya know.

[tortus32]

Well it's certainly not my sales, at least not today - lol!

[cd34]

Actually, I would bet that these are copycats or the same guys that were taking down the offshore gambling and bookmaker sites.

The concept behind it is: Pay us $40000 or we will crash your server. Obviously, $40k isn't much money to the bookmaker/gambling site/processor, but, the loss in revenue is much greater. They keep the payout small enough so that the transaction can be handled quickly. So, someone pays, they are financed again to run their attack on someone else. The person that pays is supposedly 'whitelisted' and won't get attacked again. I firmly believe that they just wait 3 months and attack again under the guise of some other group. Once a payer, always a payer.

I think Barclays bank was hit a few months back as well as another financial institution.

Their zombies do use IRC to do most of the communications and it is quite a subculture.

As for getting the FBI involved, the FBI shows up in their suits, takes the info, you give them everything including address, cell phone numbers, locations, logs, city/state/zip/country on a few CDs and 26 months later they say, are the attacks still going on? Uhh, no, he was captured 11 months after I gave the attacker's info to another FBI task group.

It would be so easy for the FBI to fix things if they wanted to, but, they really have very little clue as to how to mitigate and identify the attacker. There is no quick way to deal with the FBI since they don't/can't use email. FBI charter states that all email must be printed by a dedicated workstation, sealed and delivered via departmental mail. You can send them CDs worth of data, mysql dumps of IPs, raw logs, etc, but, it goes to a group that has a handful of people that are able to do the analysis. If you're not directly impacted with substantial financial burden, and aren't someone that they can champion in the papers by helping, you are really put at the bottom of the stack.

And by being a civilian, we're quite limited in our ability to track things. These attacks come from hijacked machines that run a little bot that checks in with an irc network. The last attack I dealt with had machines from Cisco, government offices, foreign governments and thousands of other machines from around the world. Cisco did help immensely by logging the packets from the machine inside their network and handing me some of the logs. The government offices shut down the identified machine for a few days and bam, when they turned it back on, hey, its baaaack.

The FBI has a lot to learn, which regrettably makes it very easy for extortion on the net to work. Witness the little $200 extortions for documents that have been encrypted by virus/trojan horses.

[Barron]

Oops... I forgot about the extortion angle and all the new ways to acquire remote machines.


-

[lassiter]

CCBill stats were working as of last night, but they appear to be unreachable again this morning.

[tortus32]

I can get to my stats fine, unfortunately.

[Toby]

I can't get to the stats page, and refer links are timing out. Join page links on the sites themselves seem to be working, but none of my traffic can get there.