Silk Road forums
Discussion => Silk Road discussion => Topic started by: bincofone on November 15, 2012, 10:55 am
-
Hi,
In case Silk Road appears to be receiving a DOS attack (which it probably is) I have a very good idea of how they are doing it and can propose a solution. Information on the attack and how it can be prevented can be provided. All apache versions are vulnerable, and traditional network security equipment like IPSs are useless against the attack. But there are software solutions to the problem.
Someone who is at least mod PM me if you're interested in the information. I don't want to disclose the information publicly here because it will give people ideas, although I'm sure some others in the more computer security conscious crowd here may be aware of it. This exploit is publicly available, but rarely used. The exploit is low bandwidth and works perfectly through Tor (so you can use it to anonymously take down clearnet sites too).
-
They use Apache 2.2.22, and Apache 2.4.3 has been released.
-
The solution isn't upgrading apache, it's putting something in between apache and the rest of the world.
2.2.22 is nearly the most up to date of the 2.2.x branch (2.2.23 is the latest). It will likely be more stable (and likely have fewer vulnerabilities) than the 2.4.x branch, which is less mature and introduces less mature features.
Higher version numbers are not always better in the world of running production servers!
2.2.23 does contain 2 security fixes (albeit for obscure situations), so they should get on to that.
-
Higher version numbers are not always better in the world of running production servers!
Sage advice my friend. Anyone remember Windows Vista/ME/<INSERT SHITTY FAILED PRODUCT HERE>?
-
The best is to put all in static file (cache system, update when new activity)
Use nginx and not apache
And all will be good, they can handle a big ddos with nginx if more than 70% of the site is on static file.
-
Sounds like a massive headache of a solution to me. There are too many dynamic components to the website to do it effectively: you need a static copy generated for every user on every account action, every product update for EVERY user, and every config of domestic only/sort by X/Y/Z etc...
You could remove some of these features to make it possible, but a PHP dynamic site is so much less dev time and much less strenuous in terms of total CPU/memory/disk, just not query latency.
-
How to give karma to other users anyway? BTW- Bravo on this thread!
Like I was saying in a different thread. Just think how many highly paid black-ops hackers from the military that the gubberment is using right now to exploit and/or fuck with SR right now.
The US gubberment has a bunch of those fuckers on this I'll guarantee!
We need to out-think the military intelligence folks if we are going to survive this, people.
That's why I keep recommending that all of the community get behind an opensource project that will be able to help DPR learn from other coders.
You know, even though it is a parallel project, DPR doesn't need to reveal anything of his to the community unless he wants to. But we can contribute our knowledge on a parallel project and DPR's team can steal from the opensource project.
I think DPR ought to donate 1000 BTC for a bounty on this actually. It would do nothing but benefit him and protect his investment (and maybe create a little healthy competition).
-
+1 Keep this up so DPR or other mods see it! Good to get some help from the community in solving whatever this problem is. Just a hiccup guys, this is by no means the end of SR! :) Just be patient and you will see.
-
You can't DDoS on Tor. It doesn't transport UDP.
-
You can't DDoS on Tor. It doesn't transport UDP.
You can DDoS by SYN, TCP, ping ....
-
I think the best solution is to finally get a competent admin, no offense to whoever manages SR and the forum, but you suck at this.
Sounds like a massive headache of a solution to me.
Yeah, but also a solution that has been dealt with successfully at a million companies before.
-
ion cannon that hoe! soulja bot tell em! ( :o)
-
Sounds like a massive headache of a solution to me.
Yeah, but also a solution that has been dealt with successfully at a million companies before.
Companies that have huge teams of software developers and that don't have to keep their activities entirely anonymous.
ion cannon that hoe! soulja bot tell em! ( :o)
Ion Cannon is for tryhards on /b/ thinking they're uber hackers. About as effective as mashing the F5 key in your browser, and a pretty good way to leave a shit ton of evidence linking your computer to the attack. Not even some basic IP spoofing...
You can't DDoS on Tor. It doesn't transport UDP.
I'm talking about a DOS attack, not necessarily a distributed DOS. There is no need for this attack to be done from multiple clients, and it's done over TCP using legit TCP (no malformed frames) communications. Tor provides no protection (nor should it, it's not what it's designed for).
-
You have to understand the position that DPR is presently in. He is some guy probably middle aged, who got in to coding and wrapped up a pretty righteous setup. He's probably a biker/geek and he is probably not doing all levels of current coding standards. He probably pieced SR together and BTW did a fucking amazing job. But most companies that deal with shit like this have a whole fucking team of experts working on it.
DPR, while he is probably a likable guy, probably worries about people ratting him out if he trusts them. You never know how money or the threat of losing one's freedom will change someone from friend to foe. So he probably relies on a VERY VERY small team, most of which are working with him remotely. DPR is probably implementing the code changes by himself on a test server, while the main production server is presently overloaded with a DDoS attack or something of that sort.
He is currently backed into a corner. There is something important he is lacking, like the change to the web server software perhaps, and if we just keep these threads going with obvious suggestions. And trust me, if we know how to do one thing or another, the gubberment probably already knows as well. So I think it's safe to share most things in public as far as suggestions for DPR.
As long as we give him quality advice, and he can test it in a test environment with some stress testing in a LAN.
Then apply the same fixes to the production server once he has perfected them. I think our generic advice could really help him.
The best and pretty much only advice I've seen so far is: "Use nginx and not apache"
-
ion cannon that hoe! soulja bot tell em! ( :o)
Ion Cannon is for tryhards on /b/ thinking they're uber hackers. About as effective as mashing the F5 key in your browser, and a pretty good way to leave a shit ton of evidence linking your computer to the attack. Not even some basic IP spoofing...
That's where the soulja boy tell em bots come in!!! I was joking at the principle ;). The question is how many users are just sitting and F5ing? The site went down in the first place due to excess use, so I'm wondering if DPR predicted the right amount of users who would come on at once. He could have underestimated, and for all we know the server went down once more.
Unless we know the exact config and set up of the SR network then it's no good to say "hey DDOS" or "Hey LE" etc. It's all speculation and nothing more. It creates more worry, and even the forum is messing up, too many people! Did we not forget about Tor? Unless you have your own bridge then you're sharing a connection with everyone (in one sense or the other). How many jumps do you make with Tor?
Sit back, use common sense and at worst your understanding of social engineering to read between the lines.
-
Companies that have huge teams of software developers and that don't have to keep their activities entirely anonymous.
But you don't need all of them to reinvent the wheel. What you do need is a network pro who knows this shit inside out, not a web developer. Again, no offense to that profession, probably loads of fun.
It's not the first time that I and apparently many others get the feeling the problem is a bit out of their league. The lack of care that is put in the forum speaks for itself. It was all predictable and there is tons of ways to get help. I don't accept the "it's just DPR one man show" apology, he's paid for this pretty well. Could easily hire some help.
I'll stop as it's pointless, keep giving (good) advice that will get ignored again folks ...
-
He could have under estimated and for all we know the server went down once more.
[...]
It creates more worry and even the forum is messing up, too many people!
Agreed.
The forum, even this shitty one, seems to handle "too many people" pretty well though.
-
That's why I recommend DPR and or other benefactors of SilkRoad investing money into fueling an open source project. Have a few developers step up. Help the project out. Collect donations, and divide the donations equally.
For the security of the data of the users of this site, and for the security of this market continuing on past our involvement during our short life spans.
BIT WASP is a good nominee for a start of this endeavor.
https://github.com/Bit-Wasp
Getting a team of developers interested in this is my next goal. I imagine some people already are working on this project behind the scenes. But they are not likely to release the source code. Rather it's too tempting for many developers to just corner the market a little with their new inventions. (totally understandable).
But this is very important. If we have a parallel project going that imitates silkroad, it could inspire and directly help the future development of SR.
Blah. Who knows. But I'm game with helping start a tip jar for the developers. I'm willing to toss 50 BTC at it over 2 months' time.
-
The Tor network is pretty bandwidth crippled as is, DOS from too many legit requests is unlikely. I've been raping the shit out of these forums bandwidth wise way more than I ever would SR, and it's fine.
Nginx might well be susceptible to the same attack, in fact I think it is (might download and test to confirm). The problem isn't apache being too bloated or anything, it's server connections being tied up in a very clever way. You can DOS some proxy server software in a similar way too.
The only web server I know that is immune to this particular attack is IIS 6 and up. But who the fuck would trust a site like this on Microsoft based infrastructure?
Could easily hire some help.
The risks in that are pretty huge. I'm sure he wants as few people to know sensitive information about the site as possible, his freedom depends on it, and that's likely far more important to him than any extra business he can do on SR with reduced downtime.
-
Hi,
Yes, you can't use a classical DDoS on Tor due to the TCP characteristics, but there are other tools you can use to DoS a server.
Slowloris is one example that is not a TCP DoS, so it is compatible with the Tor network, and there are other possibilities also...
http://ha.ckers.org/slowloris/
So yes you can technically perform a DOS on Tor.
I don't mean that this is what is currently happening to SR, like many others i don't know, I just wanted to make the point that it is possible...
-
Nginx is vulnerable to this attack too, but less so than Apache, especially at default config settings. Needs a higher request rate, but there's nothing stopping you from running 500 Tor clients on a decent PC with a decent internet connection. How susceptible each particular server is depends on configuration values of the server.
-
Hmm just realised another attack vector could be requesting the generation of a fuck load of CAPTCHAs - image processing is very expensive compared to anything else the site is doing, especially when you're doing it through PHP, this might explain why the CAPTCHA is down to 3 numbers now (to lighten the load), but I still suspect network troubles over CPU exhaustion.
The server is at least up still, just access is very intermittent. I think the web server (at least software, maybe the whole server) has been reset regularly while SR was still up, I kept getting logged out (session invalidated) whereas back a couple of weeks ago I could stay logged into SR on a session for weeks (a silly thing to do I know, but at least it was possible and the account wasn't used for any purchasing/incriminating).
Debugging an anonymous server over Tor is hard lol
-
i don't want to start any rumors as they have started already but on the forum home page go to the "update" link in pink created when the site first went down and read page 91 or so onwards,
apparently some guy hacked SR and is blackmailing DPR
-
The guy posted messages supposedly from DPR with invalid signatures. Somebody's having a good troll.
Even if the guy had a valid password hash, it may very well be for his own password, in which case guessing the hash isn't too hard! That's assuming passwords aren't salted here.
Don't get why people value password salting and even hashing so much - if you compromise the server you can just log the plain text coming into the server, no need to crack hashes! I use randomly gen passwords for everything for this reason.
-
You should give it a try with Whonix (old name was TorBox) and a good firewall like IPcop.
All other things are just huge crap in my opinion.
If you hire a coder I bet he will hide some backdoors..... trust no one .... .
-
Hi,
First you have no clue of what is happening if you are not among the admins, so DOS or hacking is a possibility but nothing is confirmed.
Yes, it is the usual hacking business to blackmail companies or admins of servers while you DoS their server, but the hackers' way is often more "low profile", so the post in the forums is kind of strange and could come from anyone, even someone not related to an attack...
@bicofone : you are right with the Captcha possibility but I don't think it could so completely overload the whole SR login page as the captcha is loaded as an image and does not imply so much resources.
The whole thing definitely looks like a DOS attack of slowloris "type", the DOS of a server could easily lead to some unexpected things like a mess with Captcha, and the tendency to limit the resources on the server lately is a benediction in this case.
This is only a hypothesis, but it fits very well in the situation...
-
'You should give it a try with Whonix (old name was TorBox) and a good firewall like IPcop.
All other things are just huge crap in my opinion.
If you hire a coder I bet he will hide some backdoors..... trust no one .... ."
Well said, bravo!
We should start a knowledge base for DPR to follow. This thread would work as well as any. Send a link to DPR if you have better access than I do. Let him know we have something cooking on the message board that may help him solve this problem quicker.
-
We are very much on a similar wavelength TheMonk.
alberthofmann, is IPcop any good at layer 7 (app layer) defense? Most firewalls do sweet fuck all at preventing them, usual defense is shitty signature based IPSs but these only stop the script kiddies. I believe this downtime is due to a layer 7 attack going on what little information I know about the operation of SR servers and the fair bit I know about Tor and DOS attacks in general.
There are ways to defend against these attacks, and they just involve filtering the traffic before it reaches the web server.
-
Microsoft TMG is a firewall, reverse proxy, and router that has never been broken. Yes, it's end of life, but UAG is still alive, and based on TMG.
Hi,
In case Silk Road appears to be receiving a DOS attack (which it probably is) I have a very good idea of how they are doing it and can propose a solution. Information on the attack and how it can be prevented can be provided. All apache versions are vulnerable, and traditional network security equipment like IPSs are useless against the attack. But there are software solutions to the problem.
Someone who is at least mod PM me if you're interested in the information. I don't want to disclose the information publicly here because it will give people ideas, although I'm sure some others in the more computer security conscious crowd here may be aware of it. This exploit is publicly available, but rarely used. The exploit is low bandwidth and works perfectly through Tor (so you can use it to anonymously take down clearnet sites too).
-
for i in $attackingIPs
do
iptables -A INPUT -s $i -j DROP
done
/thread
-
I don't think we will bring a solution ourselves, and I don't feel my knowledge is sufficient to give advice, but if this is indeed some kind of DoS attack, the first step would be to search some academic papers on the matter. Simple googling (basic, not in Google Scholar) shows something like this:
CLEARNET:
https://lists.torproject.org/pipermail/tor-talk/2008-November/015695.html
http://fc09.ifca.ai/papers/43_Detecting_dos_in_tor.pdf
-
Microsoft TMG is a firewall, reverse proxy, and router that has never been broken. Yes, it's end of life, but UAG is still alive, and based on TMG.
Hi,
In case Silk Road appears to be receiving a DOS attack (which it probably is) I have a very good idea of how they are doing it and can propose a solution. Information on the attack and how it can be prevented can be provided. All apache versions are vulnerable, and traditional network security equipment like IPSs are useless against the attack. But there are software solutions to the problem.
Someone who is at least mod PM me if you're interested in the information. I don't want to disclose the information publicly here because it will give people ideas, although I'm sure some others in the more computer security conscious crowd here may be aware of it. This exploit is publicly available, but rarely used. The exploit is low bandwidth and works perfectly through Tor (so you can use it to anonymously take down clearnet sites too).
For a company that makes pretty crap software security-wise they do make some of the most solid networking equipment around. These do not give you immunity to layer 7 attacks however (applications can always have any new bug introduced).
for i in $attackingIPs
do
iptables -A INPUT -s $i -j DROP
done
/thread
We are all on Tor, we all share the same pool of IPs...
-
Hi
I completely agree with bincofone: forget about simple IP filtering and the Microsoft TMG. IP filtering is not possible on Tor like on normal networks, and for this kind of attack on Tor a Microsoft firewall won't be a real help.
IF, and it is still IF, it is a DoS of the Slowloris type, there are not a lot of solutions except to complexify the login with a second layer and add a verification that HTTP requests are complete, rejecting the incomplete requests that are the basis of this type of DoS.
Again we are just "talking" about this possibility, nobody here can be sure of anything except the technical Team and DPR.
-
for i in $attackingIPs
do
iptables -A INPUT -s $i -j DROP
done
/thread
$attackingIPs would be 127.0.0.1 just like every user appears to be with a tor connection?
-
We are very much on a similar wavelength TheMonk.
alberthofmann, is IPcop any good at layer 7 (app layer) defense? Most firewalls do sweet fuck all at preventing them, usual defense is shitty signature based IPSs but these only stop the script kiddies. I believe this downtime is due to a layer 7 attack going on what little information I know about the operation of SR servers and the fair bit I know about Tor and DOS attacks in general.
There are ways to defend against these attacks, and they just involve filtering the traffic before it reaches the web server.
Sorry, I don't know layer 7. I have had the best experience with IPcop, and please don't think that IPcop can just block IPs. I would prefer creating and using a network-isolated environment with Whonix and IPcop under VirtualBox or VMware, so no one can attack this isolated network. It's the best choice and would work fine. I learned this from people who build company and school networks, just without the Whonix. The Whonix Gateway has a software firewall on top, and with the Whonix Workstation it is the non plus ultra, because you are like a ghost on the internet. If anyone has a better and more secure choice, write it down here please. Hopefully DPR will read this topic and think about it. I think if I send him a PM he would read it next week, because of the many spam from the kiddz... @DPR please let the SilkRoad never die, and I pray for you not to get busted!
-
I'm pretty sure Whonix and IPcop won't protect you from application vulnerabilities like SQL injections. SQL injections of course being a lot worse than a DOS vulnerability, but you get the picture.
There are reverse HTTP proxies you can use to sort out these problems by rejecting the exploit requests outright (if indeed that is their attack vector, which I highly suspect it is from all the evidence, and it's what I'd use if I was doing it). As to the exact crafting of the exploit, I can't be sure; whatever it is, it's good enough to get past whatever network defense SR has. Could be a script kiddie or a talented hacker.
-
I'm pretty sure Whonix and IPcop won't protect you from application vulnerabilities like SQL injections. SQL injections of course being a lot worse than a DOS vulnerability, but you get the picture.
There are reverse HTTP proxies you can use to sort out these problems by rejecting the exploit requests outright (if indeed that is their attack vector, which I highly suspect it is from all the evidence, and it's what I'd use if I was doing it). As to the exact crafting of the exploit, I can't be sure; whatever it is, it's good enough to get past whatever network defense SR has. Could be a script kiddie or a talented hacker.
Whatever, it is just the most secure hosting option I know. I think everyone would know that just a connection with Tor through Whonix is not secure and anonymous. It is written in the welcome message from the gateway.
HTTP? Are you serious? ...
What is not OK with IPcop? It is possible to build OpenVPN connections and another virtual IPcop or physical IPcop at the end of the chain.
With a few Whonix workstations, build an OpenSSH tunnel.
A useful trick is "ssh -tt" which forces tty allocation, so instead of the above you can do the following, connecting to server2 via firewall as the jump host:
ssh -tt firewall.example.com ssh -tt server2.example.org
This opens an ssh terminal to the remote machine. You can also pass commands. For example, to reattach to a remote screen session using screen you can do the following:
ssh -tt firewall.example.com ssh -tt server2.example.org screen -x
The chain can be arbitrarily long and is not limited to just two hosts.
Hope this could be helpful for the pirates.
-
The problem is likely HTTP requests that are malformed. This is why you use an HTTP reverse proxy, as we are talking about a site running on port 80 that we all access using web browsers. IPCop will likely have no idea that blocking certain HTTP requests is necessary (unless you can add bad packet signatures (which can be bypassed) or something similar to it).
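The defense several posters describe above (a front door in front of the web server that only hands a request on once its header block has fully arrived, and drops connections that dribble bytes to hold a worker slot open) looks like the following. This is an added example, not code from the thread or from SR's own setup: it is a small asyncio front that sits between the hidden service and the real web server. The listen/backend addresses, byte cap and the timeout values are assumptions chosen for the demo, and the connection cap is deliberately a global slot count rather than a per-IP limit, because behind a Tor hidden service every client shows up as 127.0.0.1.

```python
"""Front door that refuses incomplete HTTP request heads (added example).

Not code from the forum thread.  Listen/backend addresses and all limits are
assumptions for the demo.
"""
import asyncio

MAX_HEAD_BYTES = 8192   # assumption: reject request heads larger than this
HEAD_DEADLINE_S = 2.0   # assumption: whole header block must arrive within this
IDLE_DEADLINE_S = 0.5   # assumption: no single gap between bytes may exceed this
MAX_CONNECTIONS = 256   # assumption: global slot cap (per-IP limits are useless
                        # behind Tor, where every client arrives as 127.0.0.1)

_active = 0             # currently held front-door slots


def _head_complete(buf):
    """True once the blank line that terminates the request head has arrived."""
    return b"\r\n\r\n" in buf or b"\n\n" in buf


async def read_request_head(reader, head_deadline=HEAD_DEADLINE_S,
                            idle_deadline=IDLE_DEADLINE_S, max_bytes=MAX_HEAD_BYTES):
    """Read a request head under a total deadline and a per-read idle deadline.

    Returns (status, data): "complete" when the terminating blank line arrived in
    time (data may already contain some body bytes, forwarded as-is), "too_slow"
    when either deadline expired, "too_big" when max_bytes arrived without a
    terminator, "closed" when the peer hung up first.
    """
    loop = asyncio.get_running_loop()
    start = loop.time()
    buf = bytearray()
    while True:
        if _head_complete(buf):
            return "complete", bytes(buf)
        if len(buf) >= max_bytes:
            return "too_big", bytes(buf)
        remaining = head_deadline - (loop.time() - start)
        if remaining <= 0:
            return "too_slow", bytes(buf)
        try:
            chunk = await asyncio.wait_for(reader.read(1024), min(remaining, idle_deadline))
        except asyncio.TimeoutError:
            return "too_slow", bytes(buf)
        if not chunk:
            return "closed", bytes(buf)
        buf += chunk


def check_head(data, eof=True, **limits):
    """Run read_request_head over an in-memory stream; returns the status string."""
    async def run():
        reader = asyncio.StreamReader()      # created inside the running loop
        reader.feed_data(data)
        if eof:
            reader.feed_eof()
        status, _ = await read_request_head(reader, **limits)
        return status
    return asyncio.run(run())


async def pump(src, dst):
    """Copy bytes from src to dst until EOF, then close dst."""
    try:
        while True:
            chunk = await src.read(65536)
            if not chunk:
                break
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()


async def front_door(reader, writer, backend=("127.0.0.1", 8080)):
    """Per-connection handler: forward only requests whose head arrived in time."""
    global _active
    if _active >= MAX_CONNECTIONS:   # all slots busy: shed load without a worker
        writer.close()
        return
    _active += 1
    try:
        status, head = await read_request_head(reader)
        if status == "too_slow":
            writer.write(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
            return
        if status == "too_big":
            writer.write(b"HTTP/1.1 431 Request Header Fields Too Large\r\nConnection: close\r\n\r\n")
            return
        if status != "complete":
            return
        up_r, up_w = await asyncio.open_connection(*backend)   # backend is an assumption
        up_w.write(head)
        await asyncio.gather(pump(reader, up_w), pump(up_r, writer))
    finally:
        _active -= 1
        writer.close()


async def main(listen=("127.0.0.1", 8081)):
    server = await asyncio.start_server(front_door, *listen)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The web server behind this never sees a connection until the head is complete, so a slow-header client burns a cheap asyncio socket here instead of an Apache worker, and is cut off after IDLE_DEADLINE_S of silence or HEAD_DEADLINE_S total. Tune the deadlines to what real Tor clients need (Tor adds latency, so too aggressive a value will 408 legitimate users), and keep MAX_HEAD_BYTES above the largest cookie/header set the site legitimately sends.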