Intel DDoS my website with 11.1M request
14 comments
It’s not really a DDoS if it’s two addresses. Just block them and move on.
That's correct, it's DoS!
Edited:
It turns out Intel does have some developer cloud, so the attack may come from random bad guy on the internet rather than Intel itself. Thanks to everfrustrated!
It turns out Intel does have some developer cloud, so the attack may come from random bad guy on the internet rather than Intel itself. Thanks to everfrustrated!
I had an attack on one of my websites from AWS network. Lasting for ~6 hours generating almost 100GB traffic on a ultra low-bandwidth site. Also several millions of requests.
My hoster of the frontend suspended it afterwards. Backend hosting service banned those IPs temporarily.
My hoster of the frontend suspended it afterwards. Backend hosting service banned those IPs temporarily.
Ohh that's said to hear about your story. However, AWS is selling EC2 and Elastic IP, I don't remember Intel also providing hosting services.
I see IP's from the same subnet in a couple of blocklists.
That would suggest end-users have some way to control them, though usually for spam.
Did you happen to by chance capture any of the individual packets in tcpdump verbose mode? e.g.
Did you reach out to the person listed here? [2] Try that phone number in a few hours. Be polite and just give them the facts so they don't get defensive. If they don't answer try email.
[1] - https://github.com/firehol/blocklist-ipsets.git
[2] - https://bgp.he.net/AS4983#_whois
blocklist_de.ipset:146.152.233.43
blocklist_de_ssh.ipset:146.152.233.43
firehol_level2.netset:146.152.233.43
From this repo [1]That would suggest end-users have some way to control them, though usually for spam.
Did you happen to by chance capture any of the individual packets in tcpdump verbose mode? e.g.
tcpdump -p --dont-verify-checksums -i any -NNnnttvvv -B16384 -s0 -c 512 not port 22 -w /dev/shm/dos.cap
Command decoded: not promiscuous, checksums are useless computation here, all interfaces, disable resolving names, ports, services, use epoch time, very verbose, 16k buffer despite CPU likely being our bottleneck, full packet, 512 packets, not port 22 ssh, save to a file in a ramdiskDid you reach out to the person listed here? [2] Try that phone number in a few hours. Be polite and just give them the facts so they don't get defensive. If they don't answer try email.
[1] - https://github.com/firehol/blocklist-ipsets.git
[2] - https://bgp.he.net/AS4983#_whois
Thanks, I emailed to a few email address @intel.com because my oral English is so bad so I don't want to call. But you know, those kind of emails usually fall on deaf ears
I haven't seen anything from those IPs in the past 90 days.
Any idea what they were looking for? Given other companies are hitting websites for ai training, I'd be curious if intel is trying to something similar?
Any idea what they were looking for? Given other companies are hitting websites for ai training, I'd be curious if intel is trying to something similar?
Well, it's a long story. I exposed something dark thingy about a cybercrime forum. And this is the one of the retaliations, the other one is card testing/fraudulent payment
If you do a WHOIS on the AS number you should find an Abuse email address which is the best place to start. Generally abuse@company if you just want to guess.
Intel do have a developer cloud which they make servers available to people, so it's possible traffic could be coming from something like that rather than Intel corporate. See https://www.youtube.com/watch?v=MWsEKDklEkc
Intel do have a developer cloud which they make servers available to people, so it's possible traffic could be coming from something like that rather than Intel corporate. See https://www.youtube.com/watch?v=MWsEKDklEkc
Thanks for the tip, it's amazing to me that they have cloud services...
You say website, so I'll presume this is http traffic.
In which case putting in a simple hits/IP rate limiter with something like nginx is probably enough to defend against this for the future.
https://nginx.org/en/docs/http/ngx_http_limit_req_module.htm...
In which case putting in a simple hits/IP rate limiter with something like nginx is probably enough to defend against this for the future.
https://nginx.org/en/docs/http/ngx_http_limit_req_module.htm...
That's exactly what I did, or even managed challenge entire ASN using Cloudflare WAF
The peaks were 3.8M and 11.1M requests per second, respectively.
146.152.233.45: ASN 4983 - INTEL-SC-AS 146.152.233.53: ASN 4983 - INTEL-SC-AS
I would say that it is crucial to consider the possibility that their network might have been compromised, or that an employee might be involved in unauthorized activities.
Screenshot from Cloudflare WAF is here: https://imgur.com/a/ddos-by-ip-from-intel-A1ISx7C
Has anyone else experienced this? Any advice or insights would be greatly appreciated!