Author Topic: Attacks on WinMXGroup + increase in network flooding attempts  (Read 8082 times)


KM

  • Guest
Attacks on WinMXGroup + increase in network flooding attempts
« on: January 20, 2007, 03:12:20 pm »
Several threads have spawned up about what is going on, so basically to let you know what's happened:

Thursday night all of the peer caches used by the patch (winmxgroup servers and user hosted caches) were hit by a large DDoS. This basically crippled the user caches; however, the winmxgroup servers were mostly able to soak it up. This attack was directly targeted at winmxgroup, as, as soon as the caches used were updated, the list of places being attacked changed as well. This caused a very odd pattern with the user caches, as they would be attacked and knocked offline, causing them to be removed from use, so the attack would stop hitting them, bringing them back online, so they would be brought back in to use, and get attacked again...

The winmxgroup servers were able to handle the attack without major problems (once the packet filter was re-enabled on orion anyway) so I made the decision to just leave it and wait to see what happened.

Last night while I was at work the attacks appeared to have stopped. Shortly after that the server hosting the winmxgroup website was taken offline by the provider (name and shame: memset). They sent an email claiming "It has come to our attention that your server is being used for p2p file sharing. This is in breach of our terms and conditions and due to this your server has been placed on hold for now."

When I got home from work this morning and saw that email and the outage associated with it I responded informing them of several facts they had overlooked, like the fact no p2p client was running on it, and the fact that their terms and conditions don't forbid it anyway so if I wanted to then I could run all the p2p applications I wanted. I have yet to receive a response.

Also for the last few days the block list changes have not been being announced on the site (for various reasons).

It would appear that macrovision watch the blocklist update thread (as we suspected), and seeing that the changes were not being announced there probably thought we were no longer detecting them and blocking them, as they suddenly in the last 24 hours have had 10 extra dynamic IP addresses for us to block (bear in mind they don't normally have that many active flooders on dynamic IP addresses on winmx, they normally use mostly statics with only 4-5 dynamics, they added an extra 10 dynamics...)

Of course it could be unrelated but I strongly suspect that macrovision thought our systems were no longer detecting them and decided to "make a move" and see if they could break through the patch's filtering. They probably thought that knocking out the website would prevent updates or something ridiculous like that, and also tried knocking out the caches to cause connection problems.

They have of course failed, because not only were we detecting their dynamic IP addresses and blocking them, but also the cache system is redundant enough to sustain a massive attack. In the event that a cache is knocked offline it is automatically removed from service. In the event that a widescale attack knocks out all of the caches (actually if there are less than 2 functional caches) then it automatically starts using backup caches as well. The first set of backup caches is sabre and co (sabre has apparently been soaking up attacks for a while so is a good bet to be one of the last to fall offline in an attack) and of course if all of those are down as well then there are extra caches that are only to be used in an absolute emergency.

The test this week of not announcing the blocklist updates did confirm our suspicions, and as such changes will no longer be announced on the forum.

Users should not have been affected in any way. The patch is specifically designed to remain functional under even the worst of circumstances and that is why it has never suffered an outage. Cache outages were automatically dealt with and the blocklist updates were also automatically dealt with and blocking continued to function as usual.

I've temporarily brought the winmxgroup website back online hosted elsewhere until the issues with the normal server are resolved (i.e. they bring it back online along with a public apology for their actions). The update bar is offline, purely because I can't be bothered to do anything with it (nothing like honesty...). The update bar is not important so will be left until the server is restored and it fixes itself.

As with most things, it is now a waiting game to see what memset do to decide how to continue. Everything important remained functional through backups that were automatically in place, and the semi-important stuff (the website) is online temporarily, so now we wait...

I think what has happened over the last 2 days has been a great test of winmxgroup and how well the patch and associated systems handle the worst case scenarios - I would say everything exceeded my expectations, but I was actually expecting it to handle the worst case situation without a problem, it was designed by me after all ;-)

btw for those people who claim peer guardian blocks everything needed and the patch doesn't... the lists for peer guardian do not even contain all of the known flooders (for example the 10 added in the last 24 hours, not one is blocked by any peer guardian user), whereas the patch... well, do a search and you can see that nothing gets through, proving it is blocking everything. (and those who claim about blocking "data mining companies", you can't block them, peer guardian doesn't and the patch doesn't, as there is no way to identify them... and even if they could be blocked it would be a pointless thing to do)
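
The tiered cache fallback and the on/off pattern described in the post above, as an added example that is not part of the original thread and is not the patch's own code. Host names, function names and the attacker model (it hits whatever is currently listed as in use) are assumptions.

```python
MIN_LIVE = 2  # threshold from the post: fewer than 2 functional caches


def select_caches(is_up, primary, backup, emergency, min_live=MIN_LIVE):
    """Return (caches to use, deepest tier consulted) for one health-check pass."""
    live = [h for h in primary if is_up(h)]      # dead caches drop out automatically
    tier = "primary"
    if len(live) < min_live:                     # wide-scale outage: add backups as well
        live += [h for h in backup if is_up(h)]
        tier = "backup"
    if not live:                                 # everything above is down
        live = [h for h in emergency if is_up(h)]
        tier = "emergency"
    return live, tier


def simulate(rounds, fragile, sturdy, backup, emergency):
    """Model an attacker who hits whatever is currently listed as in use.

    'fragile' caches go offline while attacked and recover once delisted;
    every other cache absorbs the traffic and stays up.
    """
    primary = fragile + sturdy
    in_use, history = set(primary), []
    for _ in range(rounds):
        down = {h for h in fragile if h in in_use}
        live, tier = select_caches(lambda h: h not in down, primary, backup, emergency)
        in_use = set(live)
        history.append((tier, live))
    return history


if __name__ == "__main__":
    # Constructed host names, not the real WinMXGroup caches.
    for tier, live in simulate(4, ["user1", "user2"], ["srv1"], ["bak1", "bak2"], ["emg1"]):
        print(tier, live)
```

The alternating output is the flapping the post describes for user caches; holding a recovered cache out of rotation for a cool-down period is a common way to damp it (the post does not say whether the patch does this).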

Offline Max™

  • MX Hosts
  • *****
  • If Im Not Back later... Wait Longer
    • Maxtech
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #1 on: January 20, 2007, 04:23:43 pm »
Thank You KM for your speedy actions in getting WinMXGroup back online, as you probably see in our posts, we have been reassuring people that the patch is still operational and as you said, the system stood up to the attacks, a big Well Done.



Try Connecting, the attacks may let you  https://patch.winmxconex.com/

KM

  • Guest
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #2 on: January 20, 2007, 04:30:35 pm »
I did nothing in response to it, except bring the site back up, which I waited a while before doing because I was expecting the original server to come online.

Apart from the site everything else was dealt with automatically by systems that have been in place for ages waiting for just this to happen ;-)

Also poor timing, the time when the servers are needed the most is the time when hydra finally gets cut off (it was cancelled and was meant to have been cut off 2 weeks ago).

Offline dabud

  • MX Hosts
  • *****
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #3 on: January 20, 2007, 05:06:17 pm »

thanks to all
we appreciate the good work
have been using patch 3.0 for a while now
BEATS ALL
Machine # 1 - Asus Prime Z390A, i7-9700k 3.6GHz, 32.0 GB ram, openSUSE Leap 15.0 64-bit, KDE Plasma 5.12.8
Machine # 2 - Asus P8Z77-V Deluxe, i7-3770k 3.5GHz, 16.0 GB ram, opensuse Tumbleweed KDE Plasma 5.17.0

Offline SamSeeSam

  • Forum Member
  • The Sky will never Fall on our heads
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #4 on: January 20, 2007, 05:21:09 pm »
Well you didn't do anything... but placed a system that does not need you to do anything.
So hats off  to km :P

Cheers :P

[edit] And also a big big thanks to Me Here and Ghostship as well. Clicked post instead of bringing the mouse to the line so that I could type this. D'oh [/edit]
Reconnect to winmx with the blocking patch :)
Patch link :
 https://patch.winmxconex.com/

Spread the word now :)

Offline Lagerlout666

  • Forum Member
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #5 on: January 20, 2007, 11:09:40 pm »
Yes, big thank-you to you also KM, your sharing a vital bit of information allowed me to set up my system to allow it to stay online while getting this terrible ILLEGAL attack upon my system. Fortunately it was online but with a few drops here and there but not bad for aol me thinks lol. Stayed online for a very long time and soaked up a fair whack a few times.

Also I would like to thank the users. As far as I am concerned I have heard of no reprisals from people blaming the pie teams for the attacks. I appreciate you standing your ground but as I have said many times before I always suspected the attacks were coming from the cartel and not between each other. And I and many others are very proud that you listened to us and didn't go off blaming each other. This shows the work that has been put into this has shown the fruits of its labour.

So KM can have a deserved vodka and bar of chocolate, ME_HERE and QUICKS your tireless work never ceases to amaze me, and the independent cache hosts who I know took a bit of a beating but all tirelessly fought all night to try and keep online and keep users connected as best as they could.

   I think i can honestly say though UP YOURS CARTEL ..|.
                    you will have to do better than that......!
The Solution to 99% of winmx problems

nap.winmxgroup.net        -ONLINE again YAY!!!!!! :D

Praise's daily at the church of "Kopimi"

KM

  • Guest
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #6 on: January 22, 2007, 06:32:47 pm »
The update bar is now back online

I was hoping that it would be simple to resolve and the server would be back online today so I had left the update bar offline and put winmxgroup.com on my home connection for a few days, however today it was made clear that would not be happening.

memset responded by stating that they don't care if I actually was breaking the terms or not, they are going to claim they think I might have been and then use their belief that I might have been as justification to break a legal contract, followed by stating they would refund me for this month's service. Now if I had actually been breaking their terms of service then they certainly would not be giving any refund at all, let alone refunding for part of a month that has already gone.

I have now placed an order for a server elsewhere to replace it, however it will not be until next week that it is online so until then I have put winmxgroup.com and the update bar up on orion. Once that new server is online it will take winmxgroup.com and the update bar, and I will also be moving winmxworld on to it as well to save money by getting rid of the one currently hosting winmxworld.

I could have done with having a few higher capacity servers lying about spare this weekend, but I managed to make do with what I had and keep things working at least ;-)

Offline Max™

  • MX Hosts
  • *****
  • If Im Not Back later... Wait Longer
    • Maxtech
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #7 on: January 22, 2007, 07:51:55 pm »
Well KM, your just having a little server up your sleeve to fall back on until you get the new one sorted is not just a small thing, it's a Very Big thing keeping WinMXGroup & WinMXWorld up and running as well as keeping WinMX connected and the downloads downloadable.

It's a Very Big thing and we say a Big Thank You for keeping it all going under the conditions that have been thrust upon us.



Try Connecting, the attacks may let you  https://patch.winmxconex.com/

Offline J a M e S

  • Forum Member
  • www.lovehosts.com
    • Great Web Hosting
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #8 on: January 22, 2007, 09:22:32 pm »

memset responded by stating that they don't care if I actually was breaking the terms or not, they are going to claim they think I might have been and then use their belief that I might have been as justification to break a legal contract, followed by stating they would refund me for this month's service. Now if I had actually been breaking their terms of service then they certainly would not be giving any refund at all, let alone refunding for part of a month that has already gone.


Seems a bit odd..
Learn From Yesterday, Live For Today, Hope For Tomorrow!
www.lovehosts.com

Offline dabud

  • MX Hosts
  • *****
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #9 on: January 23, 2007, 03:25:17 am »
special thanks and our hats off for stellar work  plain and simple
thank you!
Machine # 1 - Asus Prime Z390A, i7-9700k 3.6GHz, 32.0 GB ram, openSUSE Leap 15.0 64-bit, KDE Plasma 5.12.8
Machine # 2 - Asus P8Z77-V Deluxe, i7-3770k 3.5GHz, 16.0 GB ram, opensuse Tumbleweed KDE Plasma 5.17.0

Offline Victim

  • Forum Member
    • Winmx 4 Eva
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #10 on: January 23, 2007, 04:44:54 pm »
Nice work KM

Offline Cobra

  • Forum Member
  • I'm not me.
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #11 on: January 27, 2007, 03:39:14 am »
So in other words, you should probably thank macrovision for confirming some suspicions and putting the system through DDoS/bombardment "tests" that you probably never would have yourself to not only show how strong the system already is but also helps you know where the few obvious leaks were that can now be plugged.

How nice of them! :D
Downloading is an addiction I do not want to give up.

Faithless_Sniper

  • Guest
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #12 on: January 28, 2007, 06:00:39 pm »
Well, I am glad to hear that everything will be sorted soon. Thanks KM once again for not only helping our network but keeping us informed.

slartybartfast

  • Guest
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #13 on: January 28, 2007, 11:30:23 pm »
yes thanks KM it amazes me at the sheer dedication of you guys

Offline Andy Lloyd

  • Forum Member
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #14 on: January 28, 2007, 11:35:10 pm »
many thanks to KM and all you guys that keep WinMX going

Offline Andy Lloyd

  • Forum Member
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #15 on: January 28, 2007, 11:54:01 pm »
keep up the good work

Offline shewolf38

  • Forum Member
  • A little gooky but only bite when cornered
    • HMSA Hyper mobility sufferers association
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #16 on: January 31, 2007, 03:25:10 am »
Many thanks to all for your sterling work. I'd be lost without MX
Wolfie xx
Hyper mobility Syndrome, the curse of the few

Offline burrito

  • MX Hosts
  • *****
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #17 on: January 31, 2007, 06:30:58 pm »
KM, you have always been good to me. I appreciate all your hard work. You are truly a visionary... Burrito

Offline nylly444

  • The /root of all evil ;-)
  • WMW Team
  • *****
    • WinMX World
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #18 on: February 04, 2007, 11:34:37 am »
I moved Randy's question here https://forum.winmxworld.com/index.php?topic=4195.msg25249#new since it had little chances of getting answered where it was ;)
LINUX - Legendary Intelligent Needful Universal Xperienced


RIKK

  • Guest
Re: Attacks on WinMXGroup + increase in network flooding attempts
« Reply #19 on: February 05, 2007, 01:43:00 am »
Hello Folks  - It's the 4th Feb here in the USA - and I can't connect to WINMX. Is there still a server problem ? I'm not sure I'm posting this message in the right place - or how I might be able to help. All these WINMX boards get 'c'fusing ! S.O.S. berik@mhcable.com    RIKK  Thanks ! :D
