Editor’s note: This article was updated on 9/29/14 at approx. 5:30 p.m. to include update from Tux Machines publisher Roy Schestowitz.
Since sometime last week the popular Linux site Tux Machines has been under an apparent distributed denial-of-service (DDOS) attack. For the last several days, those trying to visit the site have been redirected to Tech Rights, another site operated by Roy Schestowitz, the owner of Tux Machines, and specifically to a post there dated Saturday by Schestowitz which reads:
“Windows botnets have been hammering on Tux Machines for nearly a week. It got a lot worse yesterday and the site became inaccessible much of the time. We don’t know who the attacker is and what the motivations are, but in the meantime the site can be read via the RSS feed. The RSS feed links to all the latest news and the pages ought to work as usual. We apologise for this issue and we are working hard to find a permanent solution.”
The public was first made aware of the problem in a blog post by Schestowitz on Wednesday in which he explained that the site’s aggregators, a key component of the site, had been disabled:
“Aggregators in Tux Machines have been universally disabled (temporarily we hope) after a week or so of heavy load that took the site down (well, over capacity and hence not accessible). The culprit seems to be mostly — although not exclusively — a bunch of bots that hammer on the aggregators with spammy requests. It’s sad that so many hours need to be spent just keeping script kiddies out of the site, resulting in fewer bits of output, slower pageloads (performance degradation), and restlessness (monitoring alerts all day long), not to mention crafting of rules that merely keep the site running. Running Tux Machines is not quite as peaceful and trivial/simple as it may seem from the outside. It’s like a full-time job, or at least it feels like it, especially whenever the site gets flooded by rogue bots, necessitating special attention 24/7.”
On Friday, Schestowitz updated the site’s visitors, saying the attack had gotten worse.
“The bots are getting harder to block. Strategies are changing. They are all acting like zombies/botnet and they all have a “Microsoft Windows” in their HTTP header.”
Since originally publishing this story, we’ve received an email update from Roy Schestowitz, who tells FOSS Force that the site seems to be getting hit in ten-minute cycles:
“Several times per day I try to put down the defenses to see if the server can cope, but it cannot. I keep checking whether the attack persists. There seems to be a Windows botnet programmed/commandeered to send bursts of rubbish requests that bypass the cache (varnish) and hammer hard on the CPU (those pages are targeted and the targets move). The bursts are about 10 minutes apart. A week ago I was able to block some parts of the site (sub-optimal), but now even the front page is targeted, so I need to redirect the requests at varnish on another server, with 4 CPU cores (Tux Machines has 2).”
Here at FOSS Force, we will keep you advised as the situation progresses.
Funny that Schestowitz immediately blames Windows even though it is common knowledge that there is a Shellshock worm on the loose. Typical uninformed drivel that I have sadly come to expect from Roy. He is one of those who recently claimed I was on Microsoft’s payroll because I said something he didn’t agree with. He has driven tuxmachines into the ground and made it techrights 2.0.
“…he has driven tuxmachines into the ground and made it techrights 2.0.”
I don’t believe that’s true, Andrew. In fact, I believe he’s worked very hard not to let that happen. Also, here at FOSS Force we’re getting considerably more referrals from Tux Machines than we have for at least a year or so.
http://fossforce.com/2014/09/tux-machines-ten-months-later/
I’d like to believe it, but it’s unfortunately plainly obvious based on this link alone. It may be true that they have driven more hits to FOSS Force than previously; in that regard I can’t really say. If you go to tuxmachines.org right now, it just forwards to a techrights article. It probably wouldn’t be very difficult to identify and filter; if it is a botnet (or the worm that it probably is), it would be trivial to find the pattern and drop it.
Not buying this part at all:
“The bots are getting harder to block. Strategies are changing. They are all acting like zombies/botnet and they all have a “Microsoft Windows” in their HTTP header.”
His story would be more believable if he had posted the headers as evidence, but evidence is conveniently missing.
Andrew, we’ve covered quite a few DDOS attacks and we’ve never asked for proof. The fact that the site is down is proof enough — unless you think he took the site down on purpose just to get some press. We first noticed there was a problem at Tux Machines (one of the sites we check daily looking for breaking news) late last week when the site wouldn’t load.
In any event, making accusations about a site that’s obviously experiencing technical difficulties is not very productive.
No, I don’t think it’s faked, I just think it’s more likely to be Shellshock worm activity than a Windows botnet is all.
Well, that’s a much better way of making a valid point and being helpful than attacking Mr. Schestowitz and how he runs his site.
You’re probably right, there is just some bad blood there. Maybe I was too harsh.
@Andrew 🙂
@Andrew, I think it might be you who is pushing “uninformed drivel”. He has the headers and could easily grab POST data to confirm if it was Shellshock. Yes user-agent strings are easy to change, but honestly what is more likely; someone using shellshock and changing user-agent strings, or the millions of zombie XP machines in the wild being used by someone to ruin his day?
Your comments just look like a targeted attack, for which you just opened any media outlet site and grabbed the first headline to try and justify your bias.
@Andrew It’s true that there was no real reason to mention that it was a Windows botnet being used, and it’s generally what one would expect anyway. Most botnets are created through trojans anyway, which exploit the user as the security flaw.
There is a Shellshock based worm in existence, but there is no indication that it has been terribly successful to this point. To use the exploit you need an exposed vector to inject bash commands which won’t exist on a lot of machines, and the machine has to be running an unpatched bash besides. Web servers are the most likely machines to meet these criteria, but a lot have been patched and a lot never really exposed an injection path to begin with. The vast majority of embedded systems, like routers, never ran bash to begin with, and desktop users would rarely have an exposed vector to inject bash commands remotely.
Mr. Schestowitz has certainly not made Tux Machines into another Tech Rights site. It’s just a general Linux news aggregator like LXer or Linux Today. There is no particular focus on the issues Tech Rights is all about. I don’t generally ever go to Tech Rights, but I visit Tux Machines at times.
@David, @CFWhitman: http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-botnets-ddos-attacks
@Andrew That article doesn’t really contradict anything I said except that I had heard a worm existed, and that article said there was no worm so far. The machines being used were Web servers (as I mentioned, being by far the most likely to be susceptible to this exploit). A lot of these servers may since have been patched and no longer be participating in a botnet. Remember that there is nothing about this bug that necessarily gives the attacker root access to the machine.
With the access that an attacker was likely to get, if he did things just right he might be able to upload a script that created a new backdoor for him to use after the vulnerability was patched so the machine could continue to be used by him, but it would be much harder for him to plant something that would survive a reboot (I suppose that if he could manage to create a new cron job he might be able to use that, but the web server user shouldn’t be able to create cron jobs).
Remember that while the exploit existed a server could be “remote controlled” using the exploit and didn’t need to actually contain any code from the attacker to obey him, but that would only last while bash was unpatched.
I suspect that the exploits of this particular bug will not be large scale for any length of time. In the long run tricking desktop users into installing your malware for you is easier than exploiting bugs in Web servers because Web servers get patched, but some desktop users never learn.
It does sort of contradict it. There are systems out there being actively used as bots performing DDOS attacks on other targets. Also, the patches from last week did not completely close the gap, in some cases systems are still vulnerable.
Another thing to consider: if someone has patched and was externally vulnerable, and they did not reboot or kill all processes running as httpd or apache, they may still be participants. The bash patch did not require a reboot and could have been applied to running systems without even bouncing Apache.
An attacker doesn’t need root access to create a botnet, just access to an account on the system. The variable you could pass to the system could be curl or wget something | sh which would pull and start anything they wanted as Apache.
More info on the latest patches not working and more patches: http://lcamtuf.blogspot.ro/2014/09/bash-bug-apply-unofficial-patch-now.html
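The thread above argues about whether the traffic is a Windows-user-agent flood or Shellshock probing, and notes that the server’s own headers would settle it. As an added example (not code from the article, its commenters, or Tux Machines), here is a small Python log triage script that runs over a constructed Apache combined-log sample and separates the two signals: the `() {` function-definition prefix Shellshock probes carry in header fields, requests whose User-Agent claims Windows, query-string requests that would bypass a cache, and request counts per ten-minute window to expose burst cycles.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-log sample (not real Tux Machines traffic). The
# third line carries the widely published Shellshock test marker in its UA field.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Sep/2014:10:00:01 +0000] "GET /node/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Firefox/12.0"
198.51.100.7 - - [27/Sep/2014:10:00:01 +0000] "GET /node/123?x=4711 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Firefox/12.0"
203.0.113.9 - - [27/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 404 210 "-" "() { :;}; echo vulnerable"
192.0.2.5 - - [27/Sep/2014:10:10:03 +0000] "GET /aggregator HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')   # "() {" prefix that bash treated as a function definition
WINDOWS_RE = re.compile(r'Windows', re.IGNORECASE)


def parse_log(text):
    """Yield one dict per well-formed combined-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield entry


def classify(text):
    """Per-IP counts of Shellshock markers, Windows UAs and cache-bypassing
    query-string requests, plus request totals per 10-minute bucket."""
    shellshock, windows_ua, query_string, buckets = Counter(), Counter(), Counter(), Counter()
    for e in parse_log(text):
        if SHELLSHOCK_RE.search(e["ua"] + " " + e["ref"]):   # probes land in any header
            shellshock[e["ip"]] += 1
        if WINDOWS_RE.search(e["ua"]):
            windows_ua[e["ip"]] += 1
        if "?" in e["path"]:                                   # unique query strings defeat varnish
            query_string[e["ip"]] += 1
        slot = e["ts"].replace(minute=e["ts"].minute - e["ts"].minute % 10, second=0)
        buckets[slot.isoformat()] += 1
    return {"shellshock": dict(shellshock), "windows_ua": dict(windows_ua),
            "query_string": dict(query_string), "per_10min": dict(buckets)}


if __name__ == "__main__":
    for key, value in classify(SAMPLE_LOG).items():
        print(key, value)
```

A real run would feed the live access log (and, for POST bodies, a request-dump from the front proxy) instead of `SAMPLE_LOG`; an IP that shows up under `shellshock` is a probe, whereas a long `windows_ua` tail with bursts in `per_10min` matches the pattern Schestowitz describes.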
The main question is why Tux Machines?
Roy has gained plenty of enemies from the murky side, over the years, of course and his shoot from the hip style of writing gets disapproval from some quarters, but he’s never too far off the mark.
Best of luck with the DDOS, Roy. It’s not the first time and it won’t be the last.
My guess is his name starts with G rather than B. You’ve been twisting his slithery tail a fair bit, lately.