DDoS attack against abuse.ch

The web server hosting abuse.ch and ZeuS Tracker is currently under high system load due to an ongoing DDoS attack against the blog (abuse.ch). The DDoS started yesterday at 02:00 pm (UTC).


The origin seems to be the same as last time (see previous post “DDoS Angriff & Joe Job gegen abuse.ch (german)”). In fact, the bots are using the same user agents as during the attack last year:

  • FAST-WebCrawler/3.8 (atw-crawler at fast dot no; http://i.love.teh.cock/support/crawler.asp)
  • Mozilla/5.0 (Slurp/cat; vaginamook@inktomi.com; http://www.supercocklol.com/slurp.html
  • Mozilla/4.0 compatible ZyBorg/1.0 (wn.zyborg@looksmart.net; http://www.lolyousuck.com)
  • Googlebot/2.1 (+http://www.googlebawt.com/bot.html)
If we google the user agent above we will find some interesting information about the origin of the DDoS attack:

    “Let’s take a look at yet another bot originating from the Mother Russia. It’s called Illusion, and it has a nice and clear GUI tool for configuration that even an idiot (you could argue that only idiots use malware anyway) can use.”

    Source: MWBlog: “Illusion – Now you see me, now you don’t”

Currently it seems that the DDoS mitigation was successful, so abuse.ch is now up and running again (but unfortunately with a high response time because the DDoS attack is still going on). Let’s see what happens in the next few hours/days.

Stay tuned.

3 thoughts on “DDoS attack against abuse.ch”

    1. Mary

      Keep up the good work! – As of 17/2/09 Tuesday evening, I can load Zeus in my browser, but it does take a bit long to load pages. 🙂 At least I can see the site and the evidence.

    2. Richard

      What did you do to stop this attack? My own server is under attack by the same user agents mentioned above. Cheers

    3. ddos-sucks

      To stop such an attack without a ddos prevention device:

      install a squid in front of apache.
      create acl lists to deny access for these user agents
      parse the squid log for denied ips and add them to iptables (preferably using a script)
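
The log-parsing step from the comment above, as an added example that is not part of the original post or the commenter's own script. It assumes Squid's default native access.log format, HTTP on port 80, and a threshold of 3 denied requests; the ACL name `ddos_ua` and the function names are hypothetical, and the sample log is constructed.

```sh
#!/bin/sh
# Squid side (squid.conf), placed before the http_access allow rules. The
# patterns match the bogus URLs in the user agents listed in the post:
#   acl ddos_ua browser -i i\.love\.teh\.cock supercocklol\.com lolyousuck\.com googlebawt\.com
#   http_access deny ddos_ua
# Denied requests then show up in access.log as TCP_DENIED/403.
# Assumed log layout (Squid's default native format):
#   time elapsed client_ip result/status bytes method url ident peer type

# denied_ips [MIN_HITS] < access.log
# Prints each IPv4 client with at least MIN_HITS denied requests.
# Only digits-and-dots values pass, so nothing else from the log reaches the shell.
denied_ips() {
    awk -v min="${1:-3}" '
        $4 ~ /^TCP_DENIED\// && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$3]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# block_rules [MIN_HITS] < access.log
# Prints the iptables commands instead of running them, so the list can be
# reviewed before it is applied as root.
block_rules() {
    denied_ips "${1:-3}" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip"
    done
}

# Constructed sample log (documentation address ranges, not real attack data).
sample_log() {
    cat <<'EOF'
1234873200.101      2 192.0.2.10 TCP_DENIED/403 1420 GET http://www.example.org/ - NONE/- text/html
1234873200.204      1 192.0.2.10 TCP_DENIED/403 1420 GET http://www.example.org/ - NONE/- text/html
1234873200.377      1 192.0.2.10 TCP_DENIED/403 1420 GET http://www.example.org/ - NONE/- text/html
1234873201.012     85 198.51.100.7 TCP_MISS/200 18234 GET http://www.example.org/ - DIRECT/127.0.0.1 text/html
1234873201.500      1 198.51.100.7 TCP_DENIED/403 1420 GET http://www.example.org/ - NONE/- text/html
1234873202.000      1 203.0.113.99 TCP_DENIED/403 1420 GET http://www.example.org/ - NONE/- text/html
1234873202.100      1 203.0.113.99 TCP_DENIED/403 1420 GET http://www.example.org/ - NONE/- text/html
1234873202.200      1 203.0.113.99 TCP_DENIED/403 1420 GET http://www.example.org/ - NONE/- text/html
1234873202.300      1 203.0.113.99 TCP_DENIED/403 1420 GET http://www.example.org/ - NONE/- text/html
EOF
}

sample_log | block_rules 3
```

The threshold keeps a client with a single denied request (198.51.100.7 in the sample) off the block list; on a live server the input would be the real access.log instead of `sample_log`.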
