http://www.darkreading.com/document.asp?doc_id=149497
By Kelly Jackson Higgins
Senior Editor
Dark Reading
MARCH 28, 2008
Security watchdog site CastleCops is currently under yet another
distributed denial-of-service (DDOS) attack. The anti-spam, anti-malware
site manned by volunteers has been under siege from waves of botnet
traffic since Wednesday.
CastleCops is no stranger to DDOS attacks -- it gets hit regularly, with
its most recent attack back in August -- but this one took a different
spin on an old trick.
"Typically, attacks involve some sort of HTTP GET, but this one seems to
include a POST instead," says Paul Laudanski, founder and administrator
for the CastleCops site, who says he first detected the attack on
Wednesday morning after noticing some performance problems with the
site.
He initially witnessed a rise in the server load and a pattern in the
server logs that indicated a DDOS, he says.
The attack hasn.t taken down the site, but is causing occasional
connectivity problems for visitors. "It appears we.ve attracted some
fresh bots, too," Laudanski says.
"Apache has been saturated a few times already, necessitating manual
httpd restarts, while ensuring bots are filtered," he says.
CastleCops, like other anti-spam and anti-cybercrime sites including
Spamhaus, has been an obvious target for disgruntled bad guys due to its
community-based efforts to investigate malware and phishing attacks, as
well as its collaboration with other researchers and law enforcement.
"I think the question is: When isn.t CastleCops under DDOS attack? They
are constantly being hit," says Alex Eckelberry, CEO of Sunbelt Software
.
To mitigate the DDOS attack, CastleCops has been filtering traffic based
on the attack fingerprint, according to Laudanski, and posting the
offending IP addresses, which has kept the attack from crippling the
site. And one member of the CastleCops community noted on the site's
message board that the attack indicates that CastleCops has struck a
nerve with the dark side.
"We have been rattling a lot of cages lately and to me, this DDOS shows
we are on the right track," writes "Ernstl."
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
