Slashdot Mirror


Microsoft Bots Effectively DDoSing Perl CPAN Testers

at_slashdot writes "The Perl CPAN Testers have been suffering issues accessing their sites, databases and mirrors. According to a posting on the CPAN Testers' blog, the CPAN Testers' server has been being aggressively scanned by '20-30 bots every few seconds' in what they call 'a dedicated denial of service attack'; these bots 'completely ignore the rules specified in robots.txt.'" From the Heise story linked above: "The bots were identified by their IP addresses, including 65.55.207.x, 65.55.107.x and 65.55.106.x, as coming from Microsoft."
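The pattern the story describes (several clients from one address block hitting the server within seconds and requesting paths that robots.txt disallows) can be checked for in an access log. This is an added example, not code from the CPAN Testers or from the original post. The robots.txt rule, log lines, user-agent strings, timestamps and thresholds are constructed; only the 65.55.207.x and 65.55.106.x prefixes come from the story.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.robotparser import RobotFileParser

# Constructed sample data: not the CPAN Testers' real robots.txt or logs.
ROBOTS_TXT = "User-agent: *\nDisallow: /cpan/report/\n"
LOG = """\
65.55.207.10 - - [01/Jan/2010:10:00:00 +0000] "GET /cpan/report/1 HTTP/1.1" 200 512 "-" "bot-a"
65.55.207.11 - - [01/Jan/2010:10:00:01 +0000] "GET /cpan/report/2 HTTP/1.1" 200 512 "-" "bot-a"
65.55.207.12 - - [01/Jan/2010:10:00:02 +0000] "GET /cpan/report/3 HTTP/1.1" 200 512 "-" "bot-a"
65.55.207.13 - - [01/Jan/2010:10:00:03 +0000] "GET /cpan/report/4 HTTP/1.1" 200 512 "-" "bot-a"
65.55.106.5 - - [01/Jan/2010:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "bot-a"
65.55.106.6 - - [01/Jan/2010:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "bot-a"
192.0.2.44 - - [01/Jan/2010:10:00:05 +0000] "GET /cpan/report/9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\w+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

def flag_networks(log_text, robots_txt, window=timedelta(seconds=5), min_clients=3):
    """Return {/24 network: stats} for networks with >= min_clients distinct
    source IPs inside any sliding window; stats include robots.txt violations."""
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    by_net = defaultdict(list)  # network -> [(time, ip, violated_robots)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, ts, path, agent = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net[net].append((when, ip, not robots.can_fetch(agent, path)))
    flagged = {}
    for net, events in by_net.items():
        events.sort()
        start, peak = 0, 0
        for end, (when, _, _) in enumerate(events):
            while when - events[start][0] > window:
                start += 1
            peak = max(peak, len({ip for _, ip, _ in events[start:end + 1]}))
        if peak >= min_clients:
            violations = sum(1 for _, _, bad in events if bad)
            flagged[str(net)] = {"peak_clients": peak, "disallowed_hits": violations}
    return flagged

if __name__ == "__main__":
    print(flag_networks(LOG, ROBOTS_TXT))
```

Grouping by /24 matters here because each individual address stays under a per-IP rate limit while the block as a whole does not.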

6 of 332 comments

  1. Typical M$ by omb · · Score: 0, Flamebait

    Lazy, feckless, inconsiderate crooks.

  2. Looks like a simple bug to me by MerlynEmrys67 · · Score: 0, Flamebait
    Sadly not Microsoft's though. If I am doing this correctly, Robots.txt seems to return a 404 error. Looks like CPAN removed their robots.txt file, at least from where I am sitting.

    Looking at another Robots.txt file seems to return what I expect.

    Let no rock remain unthrown when it shows Microsoft is in the wrong - even if they aren't

    --
    I have mod points and I am not afraid to use them
  3. Re:So how do we DDoS Microsoft? by tomhudson · · Score: 0, Flamebait

    Of course, you presume that the gateway is smart enough to route all traffic to the correct device or sub-domain, and that the under-budgeted admin actually knows how to do that.

    I've seen a number of small companies with a very active digital presence for which the owner/president also manages the gateway and has the entire company running on a bank of repurposed workstation towers - each providing a specific service. The gateway box at domain.com doesn't provide anything but traffic cop services. The system named 'WWW' provides ONLY the HTTPd service. Likewise separate boxen provide POP, SMTP, etc...

    You don't need the "www" prefix to figure out that requests for port 80 are http, port 21 are ftp, 443 are https, 25 are smtp, and 110 is pop3.

    For those wanting to try this at home and work around their providers' traffic blocking: You also don't need the power consumption of a repurposed box for that when you can use port forwarding on a router. It'll even let you use one of your boxes on your home LAN as a public-facing web/ftp/mail/whatever server (and you can set them up to listen to alternate ports, like 8080 for http, and 2525 for running your own private mail server). Throw in a redirect to your external IP from a known web page, and you're in business. You can even run a proxy that way.

  4. Re:So how do we DDoS Microsoft? by Achromatic1978 · · Score: 0, Flamebait
    Ye gods. I think, of all the threats to its business model that Microsoft has... "Needing to DDoS CPAN to stifle competition" ranks somewhere about ... oooh, 5,542nd?

    Shit happens. People misconfigure things. Even professionals. Someone noticed, complained, and someone else said they'd investigate and get resolved. Wow. Yawn.

    Instead we have Slashtroglodytes screaming about conspiracies by MSFT.

  5. Re:So how do we DDoS Microsoft? by tomhudson · · Score: 0, Flamebait

    As another poster pointed out, showing websites without the www or other hostname portion goes against RFC rules

    No, it doesn't. The RFC the poster quoted was about naming machines in general, NOT specifically about naming web servers. The title was "Choosing a name for your computer".

    The pertinent part says:

    Avoid domain names.

    For technical reasons, domain names should be avoided. In particular, name resolution of non-absolute hostnames is problematic. Resolvers will check names against domains before checking them against hostnames. But we have seen instances of mailers that refuse to treat single token names as domains. For example, assume that you mail to "libes@rutgers" from yale.edu. Depending upon the implementation, the mail may go to rutgers.edu or rutgers.yale.edu (assuming both exist).

    In other words, don't name your machine "slashdot" and expect it to work all the time.

    And:

    Avoid domain-like names.

    Domain names are either organizational (e.g., cia.gov) or geographical (e.g., dallas.tx.us). Using anything like these tends to imply some connection. For example, the name "tahiti" sounds like it means you are located there. This is confusing if it is really somewhere else (e.g., "tahiti.cia.gov is located in Langley, Virginia? I thought it was the CIA's Tahiti office!"). If it really is located there, the name implies that it is the only computer there. If this isn't wrong now, it inevitably will be.

    And, as I point out, it's only a suggestion, now rendered obsolete by 20 years of practice:

    This FYI RFC is a republication of a Communications of the ACM article on guidelines on what to do and what not to do when naming your computer [1]. This memo provides information for the Internet community. It does not specify any standard.

  6. Re:So how do we DDoS Microsoft? by tomhudson · · Score: 0, Flamebait

    Maybe 'example.com' points to my mail server, because I am an email company. That means I must use a subdomain, and it must be one my visitors KNOW IN ADVANCE

    Route your traffic to the right server based on the port requested. "cat /etc/services" for the list. No need for subdomains.

    All they need to know is example.com.

    Q: What's your domain name?
    A: example.com
    Q: So what's the name of your ftp server?
    A: example.com.
    Q: What's the smtp mail server?
    A: example.com.
    Q: What's your pop3 server?
    A: example.com.
    Q: So they're all on one machine?
    A: No. We use magic pixie dust.