Layer 7 Attacks

Liam

smooth and dynamic
Staff member
FindRetros Moderator
Apr 10, 2013
1,275
864
Hi,

I normally wouldn't post in this section, but I'm putting my ego aside this time in search of help.

Since my reopening and effort, I have received Layer 7 Attacks (the typical "The service is unavailable.") from jealous people who clearly find it hard to see another hotel succeed. I have tried many things and can't seem to find a solution.

And I'm honestly not expecting a solution here, tbh. But does ANYONE have a solution?

I would appreciate the support!

Cheers.
 

Raizer

Active Member
Feb 21, 2019
145
76
But he’s from the Dutch community ? So is our community toxic or foreign people from their community invading ours with toxicity
Every country has toxic people? I know also people with huge problems from France and England for example .. Do you understand that the internet is a community is for toxic persons which have huge psychotic problems with theirself, because they can be themselve's there? And yes, toxic people stays and normal users leaves because of them and they have a social life.
 

Johno

:: xHosts :: www.xhosts.uk
Sep 12, 2011
586
255
They have proven that they can bypass CloudFlare free and free under attack mode, Do you know if they can bypass the business protection ?
 

Rebel

Spilling the tea, can't you read?🍵
Dec 24, 2015
186
161
They have proven that they can bypass CloudFlare free and free under attack mode, Do you know if they can bypass the business protection ?
That’s a good question, I’d hope not for the amount of cost that plan is, if anyone who has a business one that can be tested maybe I can have the guy test it. He seems to wanna test sites that I say can’t be downed so ayee maybe he’ll listen and help us to our way to a fix.
Post automatically merged:

Every country has toxic people? I know also people with huge problems from France and England for example .. Do you understand that the internet is a community is for toxic persons which have huge psychotic problems with theirself, because they can be themselve's there? And yes, toxic people stays and normal users leaves because of them and they have a social life.
Yeah you’re not wrong about that.
 

Sledmore

Chaturbate Livestreamer
Staff member
FindRetros Moderator
Jul 24, 2010
5,199
3,934
P.S
I don’t know the guy nor his friend, but I was curious so I asked him to test downing big hotels which he did in seconds as you can see in the screenshots.

How are other sites that are non-habbo related not easily taken down? How do we protect ourselves. I see 100000 thread about how to make a hotel and never one about how to protect your habbo retro. Not even boon is protected from this attack @Sledmore . I think the community should come together as a group and find a fix, yeah in 2020 retros will die most likely but would be nice to enjoy them while flash is allowed on chrome and other browsers still. Some hotels will move to desktop which could avoid this problem in the future.

Also the method @NOC gave you won’t work since I’m sure Zap Hotel is on that same Nginx set up with bitninja like he’s mentioned. Would be pointless to waste your time and money on a possible way that clearly doesn’t work. @li4m

Also he’s just downed findretros and devbest. I was trying to post and seen it down, screenshots are listed below.

It's not as bad as you say. We don't run a proxy or anything - we just wait for the attack and filter the IPs, I'm sure you could do this automatically but it's usually the same bot list each time (as in, it varies but it seems to not be as strong once you've blocked some ASNs), hence why giving it to other hotels seems to work fine for them.

I just don't like putting under attack mode on thus the 2-minute downtime on the webpage. Anyone on Nginx just tail the access log and filter by requests, you'll block his list in minutes.

It's worth noting that we use the Cloudflare API to automatically enable under attack mode if we're asleep - it kicks in after like 20 minutes.
 
Last edited:

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
Plenty of things you can do that don't cost too much.

Some basics:

As people have mentioned, use UAM (Under attack mode) if you're on CF.

I'd also recommend getting the pro plan if you can (like 20$) which gives you WAF and Firewall features. This'll give you the "bot fight mode" too which is basically a tarpit for bots, plus rate limiting settings.

Don't forget to block all incoming connections to your server from IPs outside of Cloudflare's ranges, too:

With either the above CF Firewall or your own, you could do a bit more fine tuning, i.e. block all POST requests that aren't on paths like /login, /register, and /housekeeping/*. POSTs are more expensive, and there's no need for your server to be processing garbage when it knows there's no POST route there.

Tbh also just look at your logs, majority of script kiddy bots these days will have the same UA string you can pick out and just blacklist entirely. If not, look for other common attributes you might be able to use against it, i.e. are they constantly hammering you from AWS EC2 instances? Then block all AWS IPS. Is it always the same path, same referrer? Check access logs to find out what you're dealing with.

Stick a captcha on your login and register page too, that way it limits what it can actually interact with.

Rate limiting within NGINX is also an option, see:

Also try to optimize your site resources where you can, minify assets and reduce the number of database calls per page. Some L7 bots do cache busting to make your server do more work, you'll know if you see stuff like /?number in your access logs. You can tune your caching rules on CF to include more content incl query string, or just outright block those requests.
 
Last edited:

69Filip

New Member
Sep 26, 2017
15
11
What people in the Habbo world don't understand is that Cloudflare free version is NOT a good option for protecting yourself against HTTP attacks (not even with Under Attack mode activated), all the free version is really good for is hiding the web servers origin ip address.

What @NOC suggested before is probably the best way (for the money) to easily block unwanted and malicious requests flowing into your system with the addition of Nginx and a basic configuration of rate-limit. This is what @Haidyn mentioned about PeakRP and this set-up would most likely stop this guy from being able to take your website down for more than a minute and anyone else in the Habbo community to do so.

and for those who's willing to pay money for a DDoS mitigation service, Cloudflare is not your best option, you've got companies such as or who provides much better protection and support over-all.
 
Last edited:

Rebel

Spilling the tea, can't you read?🍵
Dec 24, 2015
186
161
bitninja is good and everything but even that can be downed.

You must be registered for see images attach

You must be registered for see images attach
 

Rebel

Spilling the tea, can't you read?🍵
Dec 24, 2015
186
161
Anyone getting attacked by this guy,


1)Lockup IIS
2)Filter these on your cloudflare WAF

Thanks will try, and those attacks logs aren’t his, must be another person since there’s two people going around doing that. This guy isn’t the one downing any hotels. He’s actually help me test a couple on my TCP proxy to block them. But then told me even bit ninja could be downed and showed me an example. He’s a chill guy tbh and also I think the other guy NAM has quit booting retros since I had this guy have a talk with him
Post automatically merged:

no, he's not apart of lizardsquad or poodlecorp.
Yea probably not but his botnet is at almost 1 TB either way if he is or not the power is there
 

Bran

habcrush.pw
Mar 13, 2017
1,790
1,609
Every country has toxic people? I know also people with huge problems from France and England for example .. Do you understand that the internet is a community is for toxic persons which have huge psychotic problems with theirself, because they can be themselve's there? And yes, toxic people stays and normal users leaves because of them and they have a social life.
england? who pls spill
 

Users who are viewing this thread

Top