The Beginning of the End

Jacques Distler was flooded by random comments using a script specially designed for MovableType called FloodMT. Terrato.org seems to be down; however, the scripts are still widely available. We are working hard to address this sort of problem (comment throttling, for example, has been in WordPress from the beginning), but it is not a trivial problem.

20 thoughts on “The Beginning of the End”

  1. It’s a crazy world.

    A long time ago in science class we learned the dangers of only producing a small variety of foods — diversity prevents the food source from being wiped out, and diversity protects the food sources by continual adaptation. If we only produce and eat Granny Smith apples, which would push out other types of apples, we are vulnerable to disease, to famine, and to toxins.

    The more I read about MT attacks, the more I think about that lesson. Diversify or die.

  2. Much as I would like to see it as a monoculture thing, it would take me about five seconds to change from floodmt.py to floodwp.py. The current generation is incredibly lame (despite being the number two target in FloodMT 1.1, I haven’t had the least bit of trouble with it), but the only reason a non-lame version would take me more than half an hour to turn out is that I’m not very good in Python. Eventually, if you serve up an HTML form, and accept submissions from it, you can either throttle total comments/time, which turns Flood(MT|WP) into DoS(MT|WP), or you can use an inaccessible CAPTCHA. I don’t see a third alternative that doesn’t involve turning comments into something other than what they are.

  3. Those are some mighty fancy words. Too bad you have nothing to back them up.

    That’s how it is with all you bloggers, apparently. All you do is talk, talk, talk, but I see no results.

    FloodMT being a tool which could be rewritten as a shell script using curl in five minutes still brings down server after server and you people can’t do anything about it because you are all clueless dolts who just happen to have an elementary knowledge of the English language and the “Internet social strata.”

  4. Correction: I was not subjected to a comment-flood attack. My new policies were purely prophylactic. *Other* MT users have been hit (hard) by these idiots. I was not going to take any chances, however.

    If WordPress does not have Comment-Throttling code in place, you should add it. It’s not like Dv and his dorky little friends have anything better to do with their time …

  5. Jacques, b2 (the predecessor to WordPress) had comment throttling over two years ago. However, I’ve been having a lot of ideas lately, mostly with a high volume of comments automatically triggering WordPress’ comment moderation features. We’ll see where this goes.

  6. Ah, yes that is something different that isn’t implemented yet, but is basically what I said above. When comments get really high they could go into the comment queue (which is easily manageable) instead of being displayed on the website immediately. Better comment management would do a lot to address the problem as well, so if you were crapflooded with 400 comments from 400 different IPs in 20 minutes, you could build a query through the interface (without using SQL) to select the comments from that time period and then nuke ’em.
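One way to implement what comments 5 and 6 describe, as an added example that is not the site's or WordPress's own code: a per-IP throttle that refuses a single fast poster, a site-wide burst threshold that holds comments for moderation instead of dropping them, and a time-window selection for bulk cleanup. All limits, windows, timestamps and 10.0.x.y addresses are constructed for the demo.

```python
import time
from collections import Counter, deque

# HOLD = accepted but sent to the moderation queue; REJECT = form post refused.
PUBLISH, HOLD, REJECT = "publish", "hold", "reject"


class CommentThrottle:
    """Two-tier sliding-window throttle (constructed example, not WordPress code).
    One address over per_ip_limit posts in per_ip_window seconds is REJECTed;
    once the whole site passes global_limit posts in global_window seconds,
    new posts are HELD for moderation instead of rendering publicly."""

    def __init__(self, per_ip_limit=3, per_ip_window=60,
                 global_limit=50, global_window=1200):
        self.per_ip_limit, self.per_ip_window = per_ip_limit, per_ip_window
        self.global_limit, self.global_window = global_limit, global_window
        self._by_ip = {}        # ip -> deque of accepted-post timestamps
        self._site = deque()    # timestamps of every accepted post, site-wide
        self.log = []           # (timestamp, ip, decision): the audit trail

    @staticmethod
    def _prune(q, now, window):
        while q and now - q[0] > window:   # drop entries outside the window
            q.popleft()

    def submit(self, ip, now=None):
        now = time.time() if now is None else now
        q = self._by_ip.setdefault(ip, deque())
        self._prune(q, now, self.per_ip_window)
        self._prune(self._site, now, self.global_window)
        if len(q) >= self.per_ip_limit:
            decision = REJECT
        else:
            q.append(now)
            self._site.append(now)
            decision = HOLD if len(self._site) > self.global_limit else PUBLISH
        self.log.append((now, ip, decision))
        return decision

    def held_between(self, start, end):
        """Held posts with start <= timestamp <= end: the bulk-cleanup selection."""
        return [e for e in self.log if e[2] == HOLD and start <= e[0] <= end]


def flood_demo(n_ips=400, seconds=1200):
    """Constructed flood: n_ips distinct addresses, one post each, spread evenly."""
    t = CommentThrottle()
    for i in range(n_ips):          # 10.0.x.y addresses are constructed
        t.submit(f"10.0.{i // 256}.{i % 256}", now=i * seconds / n_ips)
    return Counter(d for _, _, d in t.log)
```

With the defaults, the 400-IP flood in comment 6 yields 50 published and 350 held comments and no rejections, since no single address ever exceeds its own limit; the held set is then one `held_between` call away from bulk deletion.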

  7. Yeah. You’re in a bit of a different situation with WP.

    It’s the vast number of page-rebuilds that’s killing MT. WP is (if I understand correctly) fried, not baked, so that’s not so much of an issue. Still, large quantities of crap to be dealt with are large quantities of crap …

  8. Isn’t the overall endgame, though, requiring registration for comments? Web forms are easy to spam, and throttling and other methods simply put us in a bit of technological warfare.

  9. Jacques, that’s why I see it mainly as a management problem. It’s not going to bring down a site any more than a normal DoS would.

    Geof, I really don’t think so.

  10. “It’s not like Dv and his dorky little friends have anything better to do with their time…”

    I can’t speak for Dv, but that sums my situation up quite well.

    * twiddles thumbs *

  11. “It’s not like Dv and his dorky little friends have anything better to do with their time…” I can’t speak for Dv, but that sums my situation up quite well. * twiddles thumbs *

    That’s right, Jon. Think of the future. There’s lots of demand for people with expertise in writing crapflooding scripts. … I hear WalMart’s hiring.

  12. The beauty of all this is that I really don’t care about my blog. It’s just a blog. Heck, I usually don’t even know it’s been spammed until I check my email. Then it’s 3 clicks to delete it all, 30 seconds to find out who is running the page that hosts the code, 1 minute to copy and paste the email I send to the host, nameserver, and bandwidth providers, and 15 seconds to forward the logs to the authorities.

    I’ve cleaned up the mess in under 2 minutes IF I bother retaliating, 4 seconds if I just delete it. I laugh knowing it took considerably longer to set up the attack, and they had to stand at the bedroom door to make sure mom didn’t poke her head in the whole time it was going on.

    If you’re REALLY good, you get mentioned on his page, like me. Apparently he thinks it was only me that got him kicked off and banned from sourceforge, and terrato.org brought down for a while, and forced him to find a new nameserver. Heh, I’m just a little piece of the puzzle. Every day, more and more folks email his host. It’s only a matter of time before this one drops him too.

  13. Several of my MT sites were hit hard several days ago by comments flooding… after the attacks, I did some research on the phenom. Thanks for all the great links! You made my research much easier. 🙂

    (And reinforced my conviction that the spam laws and current bills in Congress ought to be re-drafted to reflect comments flooding. Comments flooding makes the Compuserve spam cases of the early ’90s look like nothing.)

    Thanks again for a great job! 🙂

  14. To my mind the solution is actually fairly simple. I’ve posted this both to the MT email address and on my blog: institute a system of public key certificate-based authentication for use with comments. Maintain a central CA (say at movabletype or technorati or some place like that). You cannot post a comment/trackback without a freely-issued certificate. The certificate is revoked if the privilege is ever abused.

    Since the public-key method is absolutely secure (for sufficiently large keys) and is based on a fairly in-depth authentication method (see Thawte or Verisign) we should be able to virtually eliminate this form of attack.

    Throttling and the like will have some success but I’m not sure that this isn’t just “fighting the last war” if you know what I mean. We need to change the playing field — I really don’t see authentication as being too high a hurdle for bloggers.

    Your thoughts on this are welcome.

  15. Pingback: Mind of Mog

  16. Sorry about the “fairly simple” prefatory note. I meant that it’s conceptually quite simple. Probably not all that difficult to implement for a company. For an individual to create the authentication methodology would not be “simple” but still possible (if he or she had a bit of free time :>).
