# www.Arowanaclub.ca is under attack



## stratos (Apr 21, 2010)

A heads up to mods on this site...what is happening to arowanaclub.ca could happen here too...



> About an hour ago, our monitoring systems alerted us to a very high load on the web server hosting arowanaclub.ca. After investigating the issue, we determined that your site was experiencing a HUGE influx of traffic. You can actually see this number at the bottom of your forums - Most users ever online was 4,181 Today at 5:35 PM.
> 
> To protect other customers on the server, we were forced to temporarily suspend your account until the traffic stopped. We are seeing this happen a lot lately with vBulletin forums and it appears to be some sort of botnet scanning for vulnerabilities in the software. After about an hour of hammering your site, the traffic disappeared and we were able to bring your site live again.


Arowanaclub.ca admin: thanks for the notice. So, is this a DNS attack or some kind of variant of one?



> No. This was literally just 5000 machines loading your site at once. It's very odd but we are seeing this same pattern on many vb installations right now.... You're not the only one





> Unfortunately, we had to suspend it again as the attack continued. At this point, we must do a 12 hour suspension in order to ensure other customer sites aren't affected.


----------



## mitchb (Apr 27, 2011)

Thanks for the update, was wondering about the suspension notice there.


----------



## Pamela (Apr 21, 2010)

Thanks for the heads up.


----------



## SeaHorse_Fanatic (Apr 22, 2010)

Thanks Stratos.


----------



## stratos (Apr 21, 2010)

Arowanaclub Admin: Do you think this could be due to a recently registered user who could be "rogue" somehow? Any idea as to motive?



> Not likely. Normally I would say yes, but over the past several weeks, we've seen this happen on almost two dozen VB sites. Thousands of users (From Russia, mainly) flood the site for several hours, then disappear. From what we've been able to figure out, it's either a poorly programmed search engine attempting to index the entire site at once or it's an exploit scanner.





> This morning we unsuspended your account after the 12 hour suspension and almost immediately your site again became overwhelmed with requests. Per our AUP, we must now suspend the site for 48 hours.
> 
> There is unfortunately nothing we can do to work around this problem, as unsuspending your account has an immediate effect on the other sites hosted on this server due to the huge load that it receives.


And so the buggers are still at it. Looking at getting a whole new secure server at a secure Canadian hosting company...could take a few days...


----------



## kacairns (Apr 10, 2012)

stratos said:


> Arowanaclub Admin: Do you think this could be due to a recently registered user who could be "rogue" somehow? Any idea as to motive?
> 
> And so the buggers are still at it. Looking at getting a whole new secure server at a secure Canadian hosting company...could take a few days...


A new server at a different hosting company isn't going to stop the attack. The attack is directed at the domain, so regardless of where it is hosted, it is going to happen. If the server gets hosted elsewhere, and the new provider starts to get attacked immediately, they could find themselves with no hosting, period!

There are multiple ways to filter things out depending on access/setup but... that could also possibly block legitimate users on other hosted systems (depending on setup/configuration of course again) so the easy solution is: suspend the account so requests use minimal system resources and ride it out.


----------



## effox (Apr 21, 2010)

Tightening up the htaccess and upgrading the vBulletin version would probably help. Probably using an old exploited version and the ruskies are searching for vulnerabilities with thousands of bots.


----------



## stratos (Apr 21, 2010)

Arowanaclub Canada - Powered by vBulletin is live again. BlackSun Canadian Web Hosting | cPanel Host! looks to be a good company if you are looking for secure hosting with the ability to filter out bots. They are quite a bit more expensive, however, than the big American hosting services.

The site is being transferred now, should be viewable in 24 hours.


----------



## stratos (Apr 21, 2010)

www.Arowanaclub.ca is running again and seems to be stable.

If you want to protect yourself against hackers and bots, these guys can help: Home | CloudFlare | The web performance & security company


----------



## effox (Apr 21, 2010)

What version of vBulletin did that use that was vulnerable? Shawn updated to 4.1.10 to try to prevent this from happening.


----------



## MEDHBSI (Sep 4, 2011)

AROWANACLUB is back up!!!!


----------



## stratos (Apr 21, 2010)

effox said:


> What version of vBulletin did that use that was vulnerable? Shawn updated to 4.1.10 to try to prevent this from happening.


It was a 3 series version, now updated with all patches. So far so good.


----------



## effox (Apr 21, 2010)

Even if 4.x is vulnerable, it wouldn't be as widespread/as easy a target, so they'd target other sites.

Glad to hear they updated and all is well Stratos.


----------



## stratos (Apr 21, 2010)

arowanaclub.ca is under DNS attack again. Really annoying. I have heard from a few other mods of other forum sites (non fish related) that DNS attacks are becoming more frequent.


----------



## Bunny (Oct 13, 2013)

They are becoming more frequent it seems... and on the topic of DDoS attacks - this YouTube video explains it really well:


----------



## stratos (Apr 21, 2010)

Thanks for that link, very interesting.

The site is back up. A new record number of simultaneous users on January 18, 2015: 14,973! Too bad they were all "zombie" computers.


----------

