Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
"Knock Knock"
"Who's there?"
"Knock Knock"
"Who's there?"
"Knock Knock"
"Who's there?"
- DoS Attack20 -
Today while livecoding in lecture, my prof got a call that got shown on his Mac. His response to that was very interesting:
“Has anyone else noticed that phones have gotten so advanced that when we receive a phone call we treat it almost like a DOS attack? It impairs is from doing everything that’s secondary to making and taking phone calls and that pisses us off”6 -
So... did I mention I sometimes hate banks?
But I'll start at the beginning.
In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...
Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.
So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).
The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF 8 standard and so on).
The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?
Calling support, they claimed that it is a "technical neccessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.
However, after three login attempts, the account is blocked, so a brute force attack turns into a DOS attack.
And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.
So, after getting nowhere with the support - After suggesting to change my username to something cryptic and insisting that their homegrown, 2FA would prevent attacks. Unless someone would login (which worked without 2FA because the 2FA only is used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.
So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.
Contract void. Sometimes, I love dealing with idiots.
And these people are in charge of billions of money, stock and assets. I think I'll move to... idk, Antarctica?4 -
I’m fairly new to maintaining my own webservers. For the past week the servers (two of them) kept crashing constantly.
After some investigation I figured it was due to someone running a script trying to get ssh access.
I learned about fail2ban, DOS and DDOS attacks and had quite a fight configuring it all since I had 20 seconds on average between the server shutdowns and had to use those 20 second windows to configure fail2ban bit by bit.
Finally after a few hours it was up and running on both servers and recognized 380 individual IPs spamming random e-mail / password combos.
I fet relieved seeing that it all stopped right after fail2ban installation and thought I was safe now and went to sleep.
I wake up this morning to another e-mail stating that pinging my server failed once again.
I go back to the logs, worried that the attack became more sophisticated or whatever only to see that the 06:25 cronjob is causing another fucking crash. I can’t figure out why.
Fuck this shit. I’m setting another cronjob to restart this son of a bitch at 06:30.
I’m done.3 -
So I was playing with deauthing because I was curious about to and I got this little deauthing tool and I no joke fucked up my whole network for hours.
In my house we recently had tplink smart light switches installed and that created 40 more iot devices on the network. Soooo I disconnected them all at once and also cloned my AP so they went into this limbo state where they could not connect to anything and also for some reason Ethernet stopped working I think my isp thought I was getting a DOS attack or something idk but no joke took me hours to fix it.3 -
How do you counter DOS attack? I have one online service where an idiot just calls curl command to one endpoint.
Although my service is working and server performance is not affected, I found it annoying.
Cloudflare could be a solution, the reason I did not use before is user might have to wait a few seconds before seeing the app, but if no choice then.17 -
I been using digital ocean to host my server for a project, but they seem to get shutdown because of DoS behaviour. I have no idea why. The server is doing some soap and rest communication and controlling a database.
To be fair the password was poor, but it was meant to be a fast way for four people to work on it at the same time.
But after the first shutdown, we rebuild the server and work on functions. Finish the work and went home. But in the server 9 hours of uptime with 2 of them unsupervised it was detected as DoS behaving server.
💻🔪2 -
Back in the days of DOS/Win3.x I was jerking around in school sending messages to my friends in other classes by changing autoexec.bat on the workstations I used.
Somehow someone mistook my messages as a virus, and the IT department closed down the workstations for weeks.2 -
I just saw this video on slow loris attacks (https://youtu.be/XiFkyR35v2Y).
So my question is: why even bother with creating a botnet for a ddos attack?3 -
O great devs that know grep I have a log that I took from a local company's router that got DOSsed yesterday (they sell very nice sandwiches) and I wanted to know how I can take only the IP's from the log so that I can take action against the users (contacting the abuse if the ISP)10
Top Tags
Weekly Rant
View