Today at approximately 5:18 a.m., the PP Blog came under attack from a swarm of international IPs. The attack appears to have disrupted operations for approximately two hours and 19 minutes.
Functionality was restored at approximately 7:38 a.m., although signatures of the attack continued to appear. The attack actually appears to have begun prior to 5:18, with prelude signatures appearing overnight — prior to the arrival of an insurmountable swarm.
The vast majority of IPs that appeared during the swarm were non-U.S. IPs. The PP Blog is published in the United States and focuses on U.S.-based crime and fraud schemes. Most of its traffic originates in the United States.
After the disabling attack was abated, a second, smaller attack appears to have occurred. Certain elements of the twin attacks are consistent with efforts to probe the Blog for vulnerabilities and to execute command strings that include thousands of characters. A “normal” command string contains perhaps dozens of characters.
A professional analyst who reviewed a huge command string targeted at the Blog last week said it was consistent with a hacking attempt, meaning the attackers might have sought to break into the Blog’s server. Elements of today’s attacks were consistent with the same pattern. Nothing suggests the break-in bids — if that’s what they were — were successful. In any event, the traffic was so overwhelming that it knocked the Blog offline for more than two hours.
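The two signatures described above, request strings running to thousands of characters and a burst of requests for old stories from the same source in a short span, are both visible in an ordinary web server access log. The script below is an added example, not code from the PP Blog or its host, that scans constructed sample log lines in Apache/nginx combined format for those two signals. The thresholds (a request target longer than 1000 characters; five or more requests from one IP inside a 60-second window) and the IP addresses and timestamps in the sample data are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx combined log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def _line(ip, ts, target):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'


# Constructed sample: one source pulling six old stories in the same second (a burst),
# one ordinary visitor, one request whose query string is thousands of characters,
# and one malformed line to show the parser tolerates junk. Addresses are documentation ranges.
SAMPLE_LOG_LINES = (
    [_line("203.0.113.7", "06/Jan/2011:05:18:02 -0500", f"/2010/10/old-story-{i}/") for i in range(6)]
    + [_line("192.0.2.5", "06/Jan/2011:05:17:30 -0500", "/2011/01/todays-story/")]
    + [_line("198.51.100.9", "06/Jan/2011:05:20:11 -0500", "/?p=" + "A" * 2500)]
    + ["this line is deliberately malformed and must be skipped"]
)


def parse_log(lines):
    """Parse combined-format lines into dicts with ip, timestamp and request target."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        records.append({"ip": m.group("ip"), "ts": ts, "target": m.group("target")})
    return records


def long_requests(records, max_len=1000):
    """Return (ip, length) for every request target longer than max_len characters.

    A normal request target is dozens of characters; thousands is a probe signature.
    """
    return [(r["ip"], len(r["target"])) for r in records if len(r["target"]) > max_len]


def burst_ips(records, window_seconds=60, threshold=5):
    """Return {ip: count} for IPs that issued at least `threshold` requests inside one window."""
    buckets = Counter()
    for r in records:
        bucket = int(r["ts"].timestamp()) // window_seconds  # fixed-size time bucket
        buckets[(r["ip"], bucket)] += 1
    flagged = {}
    for (ip, _bucket), n in buckets.items():
        if n >= threshold:
            flagged[ip] = max(n, flagged.get(ip, 0))  # keep the busiest window per IP
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG_LINES)
    print("over-long request targets:", long_requests(recs))
    print("burst sources:", burst_ips(recs))
```

On real logs the two lists are a starting point for triage, not a verdict: a legitimate crawler can also fetch many old stories quickly, so the burst list is best read alongside the long-request list and the geographic spread the post describes, and the thresholds should be tuned to the site's own baseline traffic.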
The PP Blog experienced sustained DDoS attacks in October 2010 and November 2010, including one in which more than 6 million “hits” were directed to the Blog in three hours. The Blog also has been subjected to spoofing bids, relentless spam and other efforts designed to disrupt its publishing operations and create havoc.
The image above captures a sudden wave of mostly international IPs that descended on the Blog beginning at 5:18 a.m. The sudden visitors mostly sought to pull “old” stories simultaneously — on a range of topics.
Meanwhile, the image below shows that the PP Blog was knocked offline for more than two hours earlier today. An IP associated with China recorded the last “hit” on the Blog at 5:19 a.m. The next “hit” did not occur until 7:38 a.m. Because of certain signatures left by the visitors, the Blog believes that U.S.-based IPs also were a small part of the attack and that the event was engineered robotically.