10 September 2005. The attack has stopped. No response to emails to Opera.com and its upstream servers. Here are suggestions received:

September 8, 2005

It might be interesting to contact the upstream provider.
To find it, I did a traceroute: 

http://dnsstuff.com/tools/tracert.ch?ip=pat-tdc.opera.com
which gives teledanmark.no

If I use the RIPE (European regional registry for networks) whois database:

http://www.ripe.net/fcgi-bin/whois?form_type=simple&full_query_string=&searchtext=teledanmark&do_search=Search
you can see that there is a line with contact info in case of trouble:

remarks:        trouble:      staff@ip.tele.dk

Also, second step that might be taken is to use .htaccess to block
access from that ip.

http://www.google.com/search?hl=en&q=.htaccess+block+ip&btnG=Google+Search

A third step might be asking Verio (since you are hosted with them) for
help.

The abuse contact can be found here: 

http://dnsstuff.com/tools/whois.ch?ip=161.58.59.189&email=on


September 8, 2005

If your friends in Norway are at 213.236.208.22 per:

http://www.dnsstuff.com/tools/lookup.ch?name=pat-tdc.opera.com&type=A

you might try to add the line:

deny from 213.236.208.22

to the .htaccess file.


September 8, 2005

It might not stop the logfile from filling up with crap, but it could help with the bandwidth trouble... have you tried a .htaccess deny rule for the IP doing the HTTP GETs?

http://www.kayodeok.co.uk/weblog/200312/denying_by_ip.html
http://httpd.apache.org/docs/1.3/mod/mod_access.html


September 9, 2005

You might be interested in Lokutus Prime below...

http://lokutusprime.blogspot.com/
http://www.blogger.com/profile/5052446 and http://my.opera.com/lokutus_prime/about/ - 'It says he is from Southern England'
http://www.livejournal.com/userinfo.bml?User=lokutus_prime

Lokutus Prime's blog friend and recently writer for Quentin S Crisp at http://my.opera.com/quentinscrisp/blog/show.dml/3359 and http://quentinscrisp.blogspot.com/


September 9, 2005

One of my friends who uses Opera was blocked by Slashdot a short while ago; there is a function in the Opera browser to reload a site every x seconds. I think it should be turned off and then it is o.k. [Cryptome: This sounds like it could apply to the attack.]


September 9, 2005

http://my.opera.com/stephan/about/ Hope that helps


September 9, 2005

From: lokutus prime <lokutus.prime[at]gmail.com>

Thank you for your reply to my email (which I had sent to you in response to your previous communication). I am very disturbed to hear that Opera.com's server has been hijacked. I hope you will receive a reply from Opera.com very soon, responding to your request to them for help in stopping the attack. As one of the thousands of Opera users I shall be grateful if you will keep me informed of the outcome. I do not know what I can personally do to help you because, as I intimated earlier, I am an ordinary person, a user of Opera's facilities at their website, but if I can pass on any messages or information from you to the Opera 'community' then I shall be glad to do so, if it helps stop what is happening. Best wishes, and thank you for your prompt reply.


September 10, 2005

Opera Software, the creators of the Opera web browser, is a highly respected company in Norway and I find it strange that they haven't responded to your e-mails; in fact I find it strange that an attack originated from their servers' IP address. Anyway, I just wanted to tell you that it is possible to mail or phone Håkon Wium Lie (CTO, Opera Software). Contact information is provided on his homepage:

http://people.opera.com/howcome/


September 10, 2005

As blocking the IP address of the attack source only reduces the amount of data flow, you may like to go a level deeper. If you block all TCP SYN packets from 213.236.208.22, and just drop them without reaction, the attacker can only achieve bombarding you with the SYN packets without any reaction from your server (which will ignore them), thus limiting its effect to merely consuming a little of your downstream bandwidth. This effect is further reduced by forcing the attacker to time out the connection attempts (if they use the standard socket open call instead of custom meddling with packets), perhaps even making it run out of available sockets in a while, effectively DoSing itself and further limiting the attack rate and impact.

The implementation is on the level of iptables (Linux) or other means (BSD and other flavors of Unix) of firewall wizardry. Do it yourself if you know how, or consult your system administrator. Exact details depend on your firewall configuration.

Note from the trenches: run the firewall rule set command from the command line. If you screw up anything and cut yourself off, you can recover by just rebooting the machine, which many hostings can do at the customer's request by phone.


September 10, 2005

Since you didn't provide more details in your post I'm not sure if you have tried this already. You can strip out the stuff you don't want to see by using a piped log. This even works with chroot if you can live with a logfile outside of the chroot. On my OpenBSD machine I need to make sure the signals are properly received (they block the HUP signal to the child in http_log.c). Otherwise you could use monit to monitor the log process and kill it when needed. E.g.:

ErrorLog "| exec grep -v --line-buffered pat-tdc.opera.com >> /tmp/error_log"

Another maybe more elegant way to do this is to add a button for filtering via environment variables like the other log directives do. This requires that the ErrorLog functionality is extended with the stuff from mod_log_config.c, or a new command like "CustomLog logs/error_log error" is introduced that wraps around the standard error logging. Like:

SetEnvIf Request_URI "^foo$" dontlog
ErrorLog logs/error_log env=!dontlog
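The two server-side steps proposed in the September 10 messages above (drop the source's SYNs at the firewall; keep its lines out of the error log), together with a quick check of which client is actually flooding, as an added example. This is the editor's script, not code from Cryptome or from any of the correspondents. It assumes a Linux host with GNU grep, awk and iptables; the host name and address are the ones quoted on the page, the 192.0.2.x clients and the request counts in the sample are constructed, the error_log path and the 3-per-second threshold are assumptions. One caveat on the last suggestion: the env= conditional belongs to mod_log_config's CustomLog and does not exist on ErrorLog in Apache 1.3 or 2.x, so for the error log the pipe is the only option short of patching httpd.

```shell
#!/bin/sh
# Added example, not from the Cryptome page or its correspondents.
# Assumes Linux with GNU grep/awk and iptables. The host name and address are
# the ones the page quotes: the name Apache logged (HostnameLookups on) and
# the address readers resolved it to.
ATTACKER_HOST="pat-tdc.opera.com"
ATTACKER_IP="213.236.208.22"

# Sample log: the first three lines are abbreviated copies of the page's own
# log sample; the last two are constructed benign requests for contrast.
SAMPLE_LOG='pat-tdc.opera.com - - [08/Sep/2005:23:53:24 +0000] "GET /%3E%20%0A%0A%0A%0A%20%20-%20I%20offer%20free%20usage HTTP/1.1" 403 516 "-" "MyOperaTB/1.0"
pat-tdc.opera.com - - [08/Sep/2005:23:53:24 +0000] "GET /%3E%20%0A%0A%0A%0A%20%20-%20I%20offer%20free%20usage HTTP/1.1" 403 516 "-" "MyOperaTB/1.0"
pat-tdc.opera.com - - [08/Sep/2005:23:53:24 +0000] "GET /%3E%20%0A%0A%0A%0A%20%20-%20I%20offer%20free%20usage HTTP/1.1" 403 516 "-" "MyOperaTB/1.0"
192.0.2.10 - - [08/Sep/2005:23:53:24 +0000] "GET /katrina-photos.htm HTTP/1.1" 200 18320 "-" "Mozilla/5.0"
192.0.2.11 - - [08/Sep/2005:23:53:25 +0000] "GET / HTTP/1.1" 200 4120 "-" "Opera/8.50"'

# 1. The filter the suggested ErrorLog pipe runs. --line-buffered makes grep
#    write each surviving line immediately instead of holding a 4 KB block,
#    so the log stays current and a crash loses at most one line.
#    Apache wiring (log path is an assumption):
#      ErrorLog "| exec grep -v --line-buffered pat-tdc.opera.com >> /var/log/httpd/error_log"
filter_attacker() {
    # grep exits 1 when it drops every line; that is not a failure here.
    grep -v --line-buffered "$ATTACKER_HOST" || true
}

# 2. Flood detector for a combined-format access log: requests per (client,
#    second). Field 1 is the client, field 4 is "[08/Sep/2005:23:53:24"; the
#    request path is percent-encoded, so it never splits the fields.
#    Prints "count client second" for pairs at or above the threshold,
#    busiest first. The page reports 30-40/s from one host; a handful per
#    second from a single client is already far outside normal browsing.
flood_sources() {   # usage: flood_sources THRESHOLD < access_log
    awk -v limit="$1" '{ key = $1 " " substr($4, 2); n[key]++ }
        END { for (k in n) if (n[k] >= limit) print n[k], k }' | sort -rn
}

# 3. Firewall step from the suggestion above: drop the source's SYNs so the
#    kernel never answers and Apache never sees a request. Matching only
#    --syn leaves established sessions untouched and, because no RST goes
#    back, the client waits out its own connect() timeout.
#    The LOG rule is rate-limited so the firewall cannot refill the disk the
#    web server just stopped filling. Each -I goes to the top of INPUT, so
#    DROP is emitted first and LOG second to end up above it.
syn_drop_rules() {
    printf '%s\n' \
        "iptables -I INPUT -s $ATTACKER_IP -p tcp --syn -j DROP" \
        "iptables -I INPUT -s $ATTACKER_IP -p tcp --syn -m limit --limit 1/min -j LOG --log-prefix \"syn-flood-drop: \""
}

# Dry run by default; apply only as root. Verify afterwards with
#   iptables -L INPUT -n -v
# and watch the DROP rule's packet counter climb while error_log stays quiet.
apply_syn_drop() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_syn_drop: run as root (dry run: syn_drop_rules)" >&2
        return 1
    fi
    syn_drop_rules | sh -e
}

# Demo on the sample: who is flooding, then the log with that host removed.
printf '%s\n' "$SAMPLE_LOG" | flood_sources 3
printf '%s\n' "$SAMPLE_LOG" | filter_attacker
```

Run as-is for the dry run; call apply_syn_drop from a root shell once the printed rules look right. The .htaccess deny from the earlier suggestions still costs a request, a 403 and a log line per hit, which is why the SYN drop and the log pipe are the steps that actually relieve the disk and the bandwidth.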


9 September 2005. Based on the response below from Lokutus Prime, it appears that his Opera web site server has been hijacked to cloak the origin of the attack on Cryptome, which continues. No response to two emails to Opera Software, the host of opera.com and to its upstream providers. Several suggestions for blocking the attack have not worked.

8 September 2005


To: lokutus.prime [at] gmail.com
cc: lokutus-prime [at] operamail.com
Date: 9/8/2005

Cryptome.org has been under severe attack from an IP address which appears
to be associated with you:

pat-tdc.opera.com (213.236.208.22). 

This attack has generated over 2 GB of error messages today and used all 
bandwidth and storage on the Cryptome server rendering it nearly inaccessible. 
Nothing we've tried blocks the attack, which is generating some 30-40 error 
messages *per second*.

The error messages contain these words, which we see you have hosted at:

http://my.opera.com/lokutus_prime/journal/ 

along with photos from Cryptome:

"I offer free usage of this poem, to anyone who feels that by publishing it 
elsewhere it may do some good - bring some comfort, achieve something, 
no matter how small. I do not ask that my name be shown against it."

A sample of the error messages is given below, from among hundreds of
thousands.

If this attack is coming from you or your web site we urgently request that you stop it.

Thanks very much,

John Young
Administrator
Cryptome.org

----

pat-tdc.opera.com - - [08/Sep/2005:23:53:24 +0000] "GET /%3E%20%0A%0A%0A%0A%20%20-%20I%20offer%20free%20usage%20of%20this%20poem,%20to%20anyone%20who%20feels%20that%20%20%20%20by%20publishing%20it%20elsewhere%20it%20may%20do%20some%20good%20-%20bring%20some%20%20%20%20comfort,%20achieve%20something,%20no%20matter%20how%20small.%20I%20do%20not%20%20%20%20%20%20ask%20that%20my%20name%20be%20shown%20against%20it. HTTP/1.1" 403 516 "-" "MyOperaTB/1.0"
pat-tdc.opera.com - - [08/Sep/2005:23:53:24 +0000] "GET /%3E%20%0A%0A%0A%0A%20%20-%20I%20offer%20free%20usage%20of%20this%20poem,%20to%20anyone%20who%20feels%20that%20%20%20%20by%20publishing%20it%20elsewhere%20it%20may%20do%20some%20good%20-%20bring%20some%20%20%20%20comfort,%20achieve%20something,%20no%20matter%20how%20small.%20I%20do%20not%20%20%20%20%20%20ask%20that%20my%20name%20be%20shown%20against%20it. HTTP/1.1" 403 516 "-" "MyOperaTB/1.0"
pat-tdc.opera.com - - [08/Sep/2005:23:53:24 +0000] "GET /%3E%20%0A%0A%0A%0A%20%20-%20I%20offer%20free%20usage%20of%20this%20poem,%20to%20anyone%20who%20feels%20that%20%20%20%20by%20publishing%20it%20elsewhere%20it%20may%20do%20some%20good%20-%20bring%20some%20%20%20%20comfort,%20achieve%20something,%20no%20matter%20how%20small.%20I%20do%20not%20%20%20%20%20%20ask%20that%20my%20name%20be%20shown%20against%20it. HTTP/1.1" 403 516 "-" "MyOperaTB/1.0"
pat-tdc.opera.com - - [08/Sep/2005:23:53:24 +0000] "GET /%3E%20%0A%0A%0A%0A%20%20-%20I%20offer%20free%20usage%20of%20this%20poem,%20to%20anyone%20who%20feels%20that%20%20%20%20by%20publishing%20it%20elsewhere%20it%20may%20do%20some%20good%20-%20bring%20some%20%20%20%20comfort,%20achieve%20something,%20no%20matter%20how%20small.%20I%20do%20not%20%20%20%20%20%20ask%20that%20my%20name%20be%20shown%20against%20it. HTTP/1.1" 403 516 "-" "MyOperaTB/1.0"
pat-tdc.opera.com - - [08/Sep/2005:23:53:24 +0000] "GET /%3E%20%0A%0A%0A%0A%20%20-%20I%20offer%20free%20usage%20of%20this%20poem,%20to%20anyone%20who%20feels%20that%20%20%20%20by%20publishing%20it%20elsewhere%20it%20may%20do%20some%20good%20-%20bring%20some%20%20%20%20comfort,%20achieve%20something,%20no%20matter%20how%20small.%20I%20do%20not%20%20%20%20%20%20ask%20that%20my%20name%20be%20shown%20against%20it. HTTP/1.1" 403 516 "-" "MyOperaTB/1.0"
pat-tdc.opera.com - - [08/Sep/2005:23:53:24 +0000] "GET /%3E%20%0A%0A%0A%0A%20%20-%20I%20offer%20free%20usage%20of%20this%20poem,%20to%20anyone%20who%20feels%20that%20%20%20%20by%20publishing%20it%20elsewhere%20it%20may%20do%20some%20good%20-%20bring%20some%20%20%20%20comfort,%20achieve%20something,%20no%20matter%20how%20small.%20I%20do%20not%20%20%20%20%20%20ask%20that%20my%20name%20be%20shown%20against%20it. HTTP/1.1" 403 516 "-" "MyOperaTB/1.0"


-----


Date: Fri, 9 Sep 2005 08:03:35 +0100
From: lokutus prime <lokutus.prime [at] gmail.com>
To: John Young <jya [at] pipeline.com>
Subject: Re: Request for Help

Dear Mr Young

I can assure you that I have not instituted or in any way promulgated any 
'attack' of  any sort on Cryptome.org .  I visited your site to look at the 
digital images (photos) there, having seen one published in the national 
press, depicting the disaster in New Orleans. I mentioned your site address, 
simply as a matter of source information, something that any one else could 
do. 

I am distressed that you may feel that I am attacking you, because you say 
"If this attack is coming from you or your web site we urgently request 
that you stop it.". 

I am an ordinary person and I am not associated with any action to do anything
injurious to anyone or to any site. I have no idea what is happening. I  
assure you that I do not support 'attacks' of any sort on any site. 

The whole idea is abhorrent to me.  I do not have my own web page. Like many 
other people I write using a website hosted by a large organisation. I have 
noticed that I am presently unable to gain access to 'my webpage', hosted on 
their website there, but I associated this problem with the fact that the 
hosts have recently relaunched and upgraded their browser and are having 
server (I infer) problems.  

I will write to  Opera technical support - I am still able to access their 
browser's home page - to see if they have any ideas, or if there is anything 
they can suggest.  Apart from this I do not know what else I can do.

Yours sincerely.