DDoS attack against abuse.ch

The web server hosting abuse.ch and ZeuS Tracker is currently under high system load due to an ongoing DDoS attack against the blog (abuse.ch). The DDoS started yesterday at 02:00 pm (UTC).


The origin seems to be the same as last time (see previous post “DDoS Angriff & Joe Job gegen abuse.ch (german)”). In fact, the bots are using the same user agents as during the attack last year:

  • FAST-WebCrawler/3.8 (atw-crawler at fast dot no; http://i.love.teh.cock/support/crawler.asp)
  • Mozilla/5.0 (Slurp/cat; vaginamook@inktomi.com; http://www.supercocklol.com/slurp.html
  • Mozilla/4.0 compatible ZyBorg/1.0 (wn.zyborg@looksmart.net; http://www.lolyousuck.com)
  • Googlebot/2.1 (+http://www.googlebawt.com/bot.html)
If we google the user agents above, we find some interesting information about the origin of the DDoS attack:

    “Let’s take a look at yet another bot originating from the Mother Russia. It’s called Illusion, and it has a nice and clear GUI tool for configuration that even an idiot (you could argue that only idiots use malware anyway) can use.”

    Source: MWBlog: “Illusion – Now you see me, now you don’t”

Currently it seems that the DDoS mitigation was successful, so abuse.ch is up and running again (unfortunately with a high response time, because the DDoS attack is still going on). Let’s see what happens in the next few hours/days.

Stay tuned.

3 Responses to “DDoS attack against abuse.ch”

    • Keep up the good work! – As of 17/2/09 Tuesday evening, I can load Zeus in my browser, but it does take a bit long to load pages. 🙂 At least I can see the site and the evidence.

    • What did you do to stop this attack? My own server is under attack by the same user agents mentioned above. Cheers

    • To stop such an attack without a ddos prevention device:

      install a squid in front of apache.
      create acl lists to deny access for these user agents
      parse the squid log for denied ips and add them to iptables (preferably using a script)
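
The last step of the reply above (parsing the Squid log for denied clients and turning them into iptables rules), as an added example that is not part of the original comment or of abuse.ch's own setup. It assumes Squid's native access.log format, with `TCP_DENIED` marking requests rejected by the user-agent ACL; the sample log lines, the hit threshold and the allowlist parameter are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1234879200.101      0 203.0.113.7 TCP_DENIED/403 1510 GET http://abuse.ch/ - NONE/- text/html
1234879200.245      0 203.0.113.7 TCP_DENIED/403 1510 GET http://abuse.ch/?p=12 - NONE/- text/html
1234879200.310     85 198.51.100.20 TCP_MISS/200 20480 GET http://abuse.ch/ - FIRST_UP_PARENT/127.0.0.1 text/html
1234879201.002      0 203.0.113.7 TCP_DENIED/403 1510 GET http://abuse.ch/ - NONE/- text/html
1234879201.440      0 192.0.2.99 TCP_DENIED/403 1510 GET http://abuse.ch/ - NONE/- text/html
1234879201.900      0 not-an-ip;reboot TCP_DENIED/403 1510 GET http://abuse.ch/ - NONE/- text/html
"""

LINE_RE = re.compile(r"^\d+\.\d+\s+\d+\s+(\S+)\s+(\w+)/(\d{3})\s")


def denied_clients(log_text, threshold=3, allowlist=()):
    """Return IPv4 clients with at least `threshold` TCP_DENIED hits, sorted."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "TCP_DENIED":
            continue
        try:
            # Parse strictly so nothing but a real address reaches the firewall.
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        # iptables handles IPv4 only; skip allowlisted hosts (monitoring, admins).
        if ip.version == 4 and str(ip) not in allowlist:
            hits[str(ip)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def iptables_rules(ips, chain="INPUT"):
    """Build (not execute) one DROP rule per address, for review before applying."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(denied_clients(SAMPLE_LOG)):
        print(rule)
```

The threshold keeps a single stray denial from blocking a legitimate client, and the rules are only printed so they can be checked before being applied.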

