Layer 7 Attacks

[Liam]

Hi,

I normally wouldn't post in this section, but I'm putting my ego aside this time in search of help.

Since my reopening and effort, I have received Layer 7 Attacks (the typical "The service is unavailable.") from jealous people who clearly find it hard to see another hotel succeed. I have tried many things and can't seem to find a solution.

And I'm honestly not expecting a solution here, tbh. But does ANYONE have a solution?

I would appreciate the support!

Cheers.

 

[Raizer]

Toxic community

 

[Rebel]

Toxic community

But he’s from the Dutch community ? So is our community toxic or foreign people from their community invading ours with toxicity

 

[Raizer]

But he’s from the Dutch community ? So is our community toxic or foreign people from their community invading ours with toxicity

Every country has toxic people? I know also people with huge problems from France and England for example .. Do you understand that the internet is a community is for toxic persons which have huge psychotic problems with theirself, because they can be themselve's there? And yes, toxic people stays and normal users leaves because of them and they have a social life.

 

[Johno]

They have proven that they can bypass CloudFlare free and free under attack mode, Do you know if they can bypass the business protection ?

 

[Rebel]

They have proven that they can bypass CloudFlare free and free under attack mode, Do you know if they can bypass the business protection ?

That’s a good question, I’d hope not for the amount of cost that plan is, if anyone who has a business one that can be tested maybe I can have the guy test it. He seems to wanna test sites that I say can’t be downed so ayee maybe he’ll listen and help us to our way to a fix.

Post automatically merged: Mar 26, 2020

Every country has toxic people? I know also people with huge problems from France and England for example .. Do you understand that the internet is a community is for toxic persons which have huge psychotic problems with theirself, because they can be themselve's there? And yes, toxic people stays and normal users leaves because of them and they have a social life.

Yeah you’re not wrong about that.

 

[Johno]

I will see what I can put in place, if it cannot be downed I will offer it via 4it

 

[Sledmore]

P.S
I don’t know the guy nor his friend, but I was curious so I asked him to test downing big hotels which he did in seconds as you can see in the screenshots.

How are other sites that are non-habbo related not easily taken down? How do we protect ourselves. I see 100000 thread about how to make a hotel and never one about how to protect your habbo retro. Not even boon is protected from this attack @Sledmore . I think the community should come together as a group and find a fix, yeah in 2020 retros will die most likely but would be nice to enjoy them while flash is allowed on chrome and other browsers still. Some hotels will move to desktop which could avoid this problem in the future.

Also the method @NOC gave you won’t work since I’m sure Zap Hotel is on that same Nginx set up with bitninja like he’s mentioned. Would be pointless to waste your time and money on a possible way that clearly doesn’t work. @li4m

Also he’s just downed findretros and devbest. I was trying to post and seen it down, screenshots are listed below.

It's not as bad as you say. We don't run a proxy or anything - we just wait for the attack and filter the IPs, I'm sure you could do this automatically but it's usually the same bot list each time (as in, it varies but it seems to not be as strong once you've blocked some ASNs), hence why giving it to other hotels seems to work fine for them.

I just don't like putting under attack mode on thus the 2-minute downtime on the webpage. Anyone on Nginx just tail the access log and filter by requests, you'll block his list in minutes.

It's worth noting that we use the Cloudflare API to automatically enable under attack mode if we're asleep - it kicks in after like 20 minutes.

 

[Asersecomic]

Is it just me? Or habcrush is also being attacked?

 

[Joe]

Kids got a new toy

 

[BIOS]

Plenty of things you can do that don't cost too much.

Some basics:

As people have mentioned, use UAM (Under attack mode) if you're on CF.

I'd also recommend getting the pro plan if you can (like 20$) which gives you WAF and Firewall features. This'll give you the "bot fight mode" too which is basically a tarpit for bots, plus rate limiting settings.

Don't forget to block all incoming connections to your server from IPs outside of Cloudflare's ranges, too:

You must be registered for see links

With either the above CF Firewall or your own, you could do a bit more fine tuning, i.e. block all POST requests that aren't on paths like /login, /register, and /housekeeping/*. POSTs are more expensive, and there's no need for your server to be processing garbage when it knows there's no POST route there.

Tbh also just look at your logs, majority of script kiddy bots these days will have the same UA string you can pick out and just blacklist entirely. If not, look for other common attributes you might be able to use against it, i.e. are they constantly hammering you from AWS EC2 instances? Then block all AWS IPS. Is it always the same path, same referrer? Check access logs to find out what you're dealing with.

Stick a captcha on your login and register page too, that way it limits what it can actually interact with.

Rate limiting within NGINX is also an option, see:

You must be registered for see links

Also try to optimize your site resources where you can, minify assets and reduce the number of database calls per page. Some L7 bots do cache busting to make your server do more work, you'll know if you see stuff like /?number in your access logs. You can tune your caching rules on CF to include more content incl query string, or just outright block those requests.

 

[69Filip]

What people in the Habbo world don't understand is that Cloudflare free version is NOT a good option for protecting yourself against HTTP attacks (not even with Under Attack mode activated), all the free version is really good for is hiding the web servers origin ip address.

What @NOC suggested before is probably the best way (for the money) to easily block unwanted and malicious requests flowing into your system with the addition of Nginx and a basic configuration of rate-limit. This is what @Haidyn mentioned about PeakRP and this set-up would most likely stop this guy from being able to take your website down for more than a minute and anyone else in the Habbo community to do so.

and for those who's willing to pay money for a DDoS mitigation service, Cloudflare is not your best option, you've got companies such as

You must be registered for see links

or

You must be registered for see links

who provides much better protection and support over-all.

 

[Rebel]

bitninja is good and everything but even that can be downed.

You must be registered for see images attach

You must be registered for see images attach

 

[Mrmoseby]

no, he's not apart of lizardsquad or poodlecorp.

 

[Johno]

Anyone getting attacked by this guy,


1)Lockup IIS
2)Filter these on your cloudflare WAF

You must be registered for see links

 

[Joshhh]

BEST_HTTP_Flooder_For_F

 

[Mrmoseby]

LOL,

 

[Rebel]

Anyone getting attacked by this guy,


1)Lockup IIS
2)Filter these on your cloudflare WAF

You must be registered for see links

Thanks will try, and those attacks logs aren’t his, must be another person since there’s two people going around doing that. This guy isn’t the one downing any hotels. He’s actually help me test a couple on my TCP proxy to block them. But then told me even bit ninja could be downed and showed me an example. He’s a chill guy tbh and also I think the other guy NAM has quit booting retros since I had this guy have a talk with him

Post automatically merged: Mar 29, 2020

no, he's not apart of lizardsquad or poodlecorp.

Yea probably not but his botnet is at almost 1 TB either way if he is or not the power is there

 

[Bran]

Every country has toxic people? I know also people with huge problems from France and England for example .. Do you understand that the internet is a community is for toxic persons which have huge psychotic problems with theirself, because they can be themselve's there? And yes, toxic people stays and normal users leaves because of them and they have a social life.

england? who pls spill

 

[Mrmoseby]

no, he does not have a botnet with the power of 1TB.

 

[Rebel]

no, he does not have a botnet with the power of 1TB.

I mean like I’ve said, if he does or not. It’s still powerful. But since obviously you’re Mr. Know it all I won’t question it ?