aFrInaTi0n - Posted 13 hours ago

Hello community,

unfortunately somebody in the world seems to be invested enough in motivation and money to use some botnet for trying to DDoS (Distributed Denial of Service) us out of service.

The situation started yesterday around 3pm UTC. Right now (18.04.2026, 11am UTC) the situation is still ongoing..

Countermeasures:
- We activated request rate limiting at the webserver level.
- We activated (temporary) banning of IPs which are firing requests above the configured thresholds too often.

Therefore a recommendation to users:
- Better don't hammer CTRL+F5 in your browser too often if the site is not instantly loading, as that may trigger your IP getting temp banned.
- If you get a plain page from the browser, telling you your requests were not replied to at all, your IP may be temporarily banned - after 10 minutes your IP will be allowed again - this may happen in the worst case - please report here in the topic if that happened to you!

Can we forecast when this will be over? I reckon not, right now we need to endure it, until the motivated person lacks money or interest.

Can this be prevented in the future? Possibly yes, with the usage of CDNs (Cloudflare or others) - but that can not easily be implemented on-the-fly.

----

Some (technical) insights:

Graph is showing the Guest accounts - normally we may have around 1k - the DDoS is pushing this up as it is "unregistered accounts from different IP addresses" - meaning we are getting hammered with requests from ~15k different IP addresses over long ranges of time.. *sigh

From my sysadmin perspective it is finally a good opportunity to see the system in a situation of being overloaded. One learning is already that in the background everything is still capped at around 75% of CPU load, leaving enough computation power for the system to not break down completely under any load, but "just" getting too busy for the time being..

CPU total usage of the last two days, normally we are around ~25% load, DDoS spikes hitting up to the limited ~75%

----

Update 12:20 pm UTC: Adjusted the configurations a bit - catching some more IPs & have hopes of that allowing our server to have less load. I am still observing to further adjust, so....

----

I will update this posting further..

aFrInaTi0n (Author) - Posted 13 hours ago

Added a quick burst rule limit in the webserver: aggressive IPs trying to open more than 10 URLs per second (constantly) are not allowed to get content at all and instead receive a Reject with HTTP 503 code.

*I may need to adjust the configuration for this a bit, will take further looks by tomorrow - but should lead to the site loading faster again.

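Added example (not part of the thread, and not the site's actual webserver configuration): a small Python model of the policy the two posts above describe, a per-IP limit of 10 URLs per second answered with HTTP 503, plus a 10-minute temporary ban for repeat offenders, replayed over constructed traffic. The number of strikes before a ban, the strike memory, the class and function names and the sample IPs are assumptions; the thread only says "too often".

```python
from collections import Counter, defaultdict, deque

BURST_LIMIT = 10           # thread: more than 10 URLs per second gets HTTP 503
WINDOW_MS = 1_000
BAN_MS = 10 * 60 * 1_000   # thread: a banned IP is allowed again after 10 minutes
STRIKES_TO_BAN = 3         # assumption: the thread only says "too often"
STRIKE_MEMORY_MS = 60_000  # assumption: strikes older than this are forgotten

class Limiter:
    def __init__(self):
        self.served = defaultdict(deque)   # ip -> times of requests served in the window
        self.strikes = defaultdict(deque)  # ip -> times the burst limit was tripped
        self.banned_until = {}             # ip -> time the temporary ban lifts

    def handle(self, ip, now_ms):
        """Return 'DROP' (banned, no reply), 503 (burst limit) or 200 (served)."""
        if self.banned_until.get(ip, 0) > now_ms:
            return "DROP"
        window = self.served[ip]
        while window and now_ms - window[0] >= WINDOW_MS:
            window.popleft()
        if len(window) < BURST_LIMIT:
            window.append(now_ms)
            return 200
        strikes = self.strikes[ip]
        while strikes and now_ms - strikes[0] > STRIKE_MEMORY_MS:
            strikes.popleft()
        # Count at most one strike per window, so one burst is one offence.
        if not strikes or now_ms - strikes[-1] >= WINDOW_MS:
            strikes.append(now_ms)
        if len(strikes) >= STRIKES_TO_BAN:
            self.banned_until[ip] = now_ms + BAN_MS
            strikes.clear()
        return 503

def replay(events):
    """events: iterable of (time_ms, ip); returns {ip: Counter of outcomes}."""
    limiter, totals = Limiter(), defaultdict(Counter)
    for now_ms, ip in sorted(events):
        totals[ip][limiter.handle(ip, now_ms)] += 1
    return totals

# Constructed traffic: a bot at 50 requests/s for 5 s, a reader at one page every 2 s.
BOT, READER = "203.0.113.7", "198.51.100.20"
SAMPLE = [(t, BOT) for t in range(0, 5_000, 20)] + [(t, READER) for t in range(0, 5_000, 2_000)]

print({ip: dict(counts) for ip, counts in replay(SAMPLE).items()})
```

In this model the bot gets content for only the first 10 requests of each second and is dropped entirely from its third tripped window onward, while the reader is never limited. A browser reload that pulls many URLs at once can trip the same rule, which is why the first post advises against repeated CTRL+F5.
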
Auroralampinen - Posted 9 hours ago (edited)

Ok, I noticed this morning that my Eurobricks was really really slow and did crash a few times on me and Eurobricks didn't want to open a few times and was really unresponsive. So when is this gonna be fixed :).

aFrInaTi0n (Author) - Posted 5 hours ago

It may end with whichever of the two options the attacker lacks first: money or interest..

The mitigations I did before I wrote the initial post should at least soften it a bit and temporarily ban nasty & spammy bot IPs directly at the webserver, so that they stop asking for too many pages too fast.

Ctan - Posted 1 hour ago

That sounds weird to me. What is the point of making such an attack on the Eurobricks forum? So the people can't access MOCs made by the community? Sorry for the naive question, I'm not into digital goods.

Anyway let's hope that the attacker will go away and won't come back for any reason :)

aFrInaTi0n (Author) - Posted 1 hour ago

One can not look into the heads of others... there may be plenty of motivations.. Wikipedia is already giving a long list of different possibilities: https://en.wikipedia.org/wiki/Denial-of-service_attack

It may also be just some APT (https://en.wikipedia.org/wiki/Advanced_persistent_threat) group testing their capabilities of using botnets at little cost to hammer down generic domains, with the intention to try to steal any information from any success of their attacks.

Btw, this is why it is important to listen to your IT person when he tells you "consider strong IT security, please".

If it would be a singular person investing those efforts, I would find it funny for him/her creating an account and telling the reasons - just to feed my curiosity for what motivation it may be in another person's head leading to such actions.

Auroralampinen - Posted 56 minutes ago (edited)

58 minutes ago, Ctan said:
> That sounds weird to me. What is the point of making such an attack on the Eurobricks forum? So the people can't access MOCs made by the community? Sorry for the naive question, I'm not into digital goods.
>
> Anyway let's hope that the attacker will go away and won't come back for any reason :)

Well, maybe in simple terms they are probably a soulless person with no empathy and possibly the society has abandoned them. So they don't have anything to do and they want to ruin everyone's day by blocking the forum because their own life is ruined by the society or something else in their lives, so probably in their minds they think why everyone else can have fun but I don't have. It's a sad reality but I think this is what is going on in their minds sadly :/.

And yes, I know hostile countries do pay hackers to ruin the day. But I don't think a hacker group would make an attack on Eurobricks. I strongly think this is just one person's attempt to ruin fun for everyone else. Because their life has been ruined or society has failed them and they don't want anyone else to have fun either because they haven't got any help for their problems from society in time :/.

And while I don't have empathy for these hackers' actions, I think most of the hackers had a really bad childhood and society failed to help them in time or the society didn't give any help. So they resort to ruining everyone's day because their life is ruined and they don't have empathy because society failed them sadly :/.

aFrInaTi0n (Author) - Posted 54 minutes ago

Did some further checks of our monitoring - from my sysadmin perspective the only bottleneck is our CPU, but considering ~10-16k devices constantly firing requests in parallel, this may be expected.

Besides the CPU bottleneck I am happy that our server is happily caching 99% in RAM and the whole DDoS may not ever harm us in severe ways, besides slow page loading..

But again this could be mitigated with putting a CDN in front of Eurobricks in the long term..

I hope by being transparent with so much detail, I am demotivating the acting party by them realizing us reacting fast and them just wasting their resources / money with us.

I am happy for learning on the situation here hahaha

@Auroralampinen From how I understand the attack being fired at us it is not about trying to bruteforce logins of accounts, but just creating too many requests to block the regular traffic - so I may tend to lean into "singular person just having an intention to do harm to us / others". But please also keep the tone nice here - they may have their motivations in their lives for bad circumstances.. I can and do not want to judge anyhow. Instead I can only offer to listen to what their issue may be, for us ideally finding a solution which would work better for them..

Auroralampinen - Posted 41 minutes ago

12 minutes ago, aFrInaTi0n said:
> Did some further checks of our monitoring - from my sysadmin perspective the only bottleneck is our CPU, but considering ~10-16k devices constantly firing requests in parallel, this may be expected.
>
> Besides the CPU bottleneck I am happy that our server is happily caching 99% in RAM and the whole DDoS may not ever harm us in severe ways, besides slow page loading..
>
> But again this could be mitigated with putting a CDN in front of Eurobricks in the long term..
>
> I hope by being transparent with so much detail, I am demotivating the acting party by them realizing us reacting fast and them just wasting their resources / money with us.
>
> I am happy for learning on the situation here hahaha
>
> @Auroralampinen From how I understand the attack being fired at us it is not about trying to bruteforce logins of accounts, but just creating too many requests to block the regular traffic - so I may tend to lean into "singular person just having an intention to do harm to us / others". But please also keep the tone nice here - they may have their motivations in their lives for bad circumstances.. I can and do not want to judge anyhow. Instead I can only offer to listen to what their issue may be, for us ideally finding a solution which would work better for them..

Yeah, I do want to keep my tone nice :).

aFrInaTi0n (Author) - Posted 36 minutes ago

Sorry if it read wrong, my note was more for future posts as I do not really want to discuss deeper psychological or social topics here - unfortunately some have their motivations.. *sigh :)

So I think I tuned down the overall CPU usage to ~50% - so while it is still ongoing I expect the pages to not take as long to load as before, but it may still not be the fastest experience...

Auroralampinen - Posted 23 minutes ago

11 minutes ago, aFrInaTi0n said:
> Sorry if it read wrong, my note was more for future posts as I do not really want to discuss deeper psychological or social topics here - unfortunately some have their motivations.. *sigh :)
>
> So I think I tuned down the overall CPU usage to ~50% - so while it is still ongoing I expect the pages to not take as long to load as before, but it may still not be the fastest experience...

Oh yeah, thanks for the clarification. Yes, I know this is the wrong place to talk about them normally :).