Disclaimer: VideoLAN president and lead VLC developer here.<p>The attack started on our new mirroring system (powered by mirrorbrain) 2.5 days ago, during the night (after 2am, so we were sleeping).<p>We were woken up (OP and I) in the morning by many mirrors complaining of high bandwidth use. The actual number of requests was not that high (400 req/s), but the botnet was downloading the whole vlc.exe, aka 22MB. So, we were at around 70Gbps during the night, on average.<p>Afterwards, North America got up, and things got worse. We had up to 1660 req/s, so around 292 Gbps...<p>This is very weird for a DDoS, to be honest.<p>Our front machine that splits the down mirrors was taking most of the load, and we were able to find the patterns to drop the botnet connections, in order not to kill our mirrors too much. I won't discuss the patterns too much, as you can imagine, but as usual, I'll be happy to discuss it IRL or by mail.<p>Tweaking the front server was also important to reduce the number of open connections, to not kill our server.<p>2.5 days later, the attack is still going on, with an average of 500 req/s.<p>The video was done using logstalgia, using scripts of OP, on my machine (<troll>he was running eclipse, he couldn't do both at the same time :)</troll>).
Perhaps it's worth it to code a quick and dirty solution using JavaScript encryption. On your download page, set up a script that would receive a given encrypted string, decrypt it with a provided key, and then use it to prepend to the download link. On the server, symbolically link the file on demand and send it to only one user, IP-limited. This way the attack, though it can still be automated, would require some code rewrite from that attacker, which might be beyond his/her abilities. Also, if the encryption algorithm is CPU intensive, then it would require several seconds of CPU time per request from the attacker.<p>To make the decryption CPU intensive you may simply use any encryption algorithm you like, many are available as JS libraries, but instead of giving the entire decrypt key, skip the last 2 digits, and let the end user brute-force the last 2 digits in the client via JS. That way there is a computational cost to each attack request.<p>Just some ideas off the top of my head. Not sure at the moment how to implement the server-side part, but I am guessing that there are server-side rules that allow you to easily set per-IP access restrictions to folders or files.<p>PS: please excuse spelling, typing this on my iPhone.
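The withheld-key-digits idea from the comment above, as an added example that is not part of the thread and not VideoLAN's code. It assumes Node.js and AES-128-GCM (the comment names no algorithm); the function names and the sample path are hypothetical.

```javascript
// Added example: a client puzzle built by withholding the tail of a key.
const crypto = require('crypto');

// Server side: encrypt a one-time download path under a fresh key and
// publish everything except the last `withheld` hex digits of that key.
function issueChallenge(downloadPath, withheld = 2) {
  const key = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-128-gcm', key, iv);
  const body = Buffer.concat([cipher.update(downloadPath, 'utf8'), cipher.final()]);
  return {
    withheld,
    partialKeyHex: key.toString('hex').slice(0, -withheld),
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    ciphertext: body.toString('hex'),
  };
}

// Client side: try every value of the missing digits. The GCM tag only
// verifies under the right key, so a wrong guess throws instead of
// silently producing a garbage path.
function solveChallenge(ch) {
  const space = 16 ** ch.withheld;
  for (let guess = 0; guess < space; guess++) {
    const suffix = guess.toString(16).padStart(ch.withheld, '0');
    const key = Buffer.from(ch.partialKeyHex + suffix, 'hex');
    const d = crypto.createDecipheriv('aes-128-gcm', key, Buffer.from(ch.iv, 'hex'));
    d.setAuthTag(Buffer.from(ch.tag, 'hex'));
    try {
      const plain = Buffer.concat([d.update(Buffer.from(ch.ciphertext, 'hex')), d.final()]);
      return { path: plain.toString('utf8'), attempts: guess + 1 };
    } catch (err) {
      // Authentication failed: wrong suffix, keep searching.
    }
  }
  return null; // no suffix verified: challenge was altered or malformed
}

// Constructed sample: a hypothetical one-time link path.
const demo = solveChallenge(issueChallenge('/once/3f9c1a/vlc.exe', 2));
console.log(demo.path, 'recovered after', demo.attempts, 'trial decryptions');
```

Withholding two hex digits means at most 256 trial decryptions per download; each additional withheld digit multiplies that by 16.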
I'd be willing to go out on a limb and estimate that maybe some private interests in Hollywood, with certain four letter acronyms, despise open source media player projects like VLC, since they might represent a channel that can potentially enable bypasses that can circumvent precious, precious DRM.<p>The perception being: if you can see the source of a media player program, the encryption might be implicitly compromised. This is a silly idea though, because it neglects certain realities about the very nature of electronic encryption, and media consumption. Maybe having source code lowers the bar in some respects, but the reality is that determined people will simply bootleg media anyway, by other means.<p>Not an accusation though, just that my tinfoil hat is tingling. Who else might be so motivated to attack an awesome software project like VLC?
Is it possible this is an accidental DDoS? VLC is popular to bundle with things, and all it would take is the code that checks for a new version and automatically downloads to have a bug that it always thinks there's a new version...
I actually have Logstalgia running with my primary server for Minotar, and at 4,000 requests per second this is normally what it looks like. Awesome program!
Pretty cool stuff! glTail [0] does similar visual analysis of pretty much anything.<p>[0] <a href="http://www.fudgie.org/" rel="nofollow">http://www.fudgie.org/</a>
Fantastic! I had read about such a log visualisation tool a long time ago (I'm not sure but I think I read about it via NTK which should date it) but I had lost any knowledge of what it might be until now.<p>Now I can see such a tool and it looks wonderful.<p>(More on topic, DDOS is beautiful!)
Brave of them to disclose it's just the user-agent they are filtering.<p>It's not possible to inspect the user-agent via the Linux firewall (iptables), is it?<p>I guess you can use this if your iptables supports string matching<p><pre><code> --string "useragent"</code></pre>
I just got one of my servers attacking TicketMaster by a faulty cgi.
(my alert system notified 5 minutes after it started)
The mob is angry now. It was disabled.
I think it has more targets than only VLC...
I was browsing HN on a friend's computer without adblock and clicked this link. Wow! Is this what the internet looks like without adblock? The ad/content ratio is crazy...