Intel DDoS my website with 11.1M request
37 points by bennythink 691 days ago
Last night at 5:30 PM and this morning at 10:45 AM, both in UTC+2, my website was hit by massive DDoS attacks from two Intel IP addresses.

The peaks were 3.8M and 11.1M requests per second, respectively.

146.152.233.45: ASN 4983 - INTEL-SC-AS
146.152.233.53: ASN 4983 - INTEL-SC-AS

I would say that it is crucial to consider the possibility that their network might have been compromised, or that an employee might be involved in unauthorized activities.

Screenshot from Cloudflare WAF is here: https://imgur.com/a/ddos-by-ip-from-intel-A1ISx7C

Has anyone else experienced this? Any advice or insights would be greatly appreciated!

7 comments

If you do a WHOIS on the AS number you should find an Abuse email address which is the best place to start. Generally abuse@company if you just want to guess.

Intel does have a developer cloud through which they make servers available to people, so it's possible the traffic could be coming from something like that rather than Intel corporate. See https://www.youtube.com/watch?v=MWsEKDklEkc

Thanks for the tip, it's amazing to me that they have cloud services...

I see IPs from the same subnet in a couple of blocklists.

    blocklist_de.ipset:146.152.233.43
    blocklist_de_ssh.ipset:146.152.233.43
    firehol_level2.netset:146.152.233.43
From this repo [1]

That would suggest end-users have some way to control them, though usually for spam.

Did you happen to capture any of the individual packets in tcpdump verbose mode? e.g.

    tcpdump -p --dont-verify-checksums -i any -NNnnttvvv -B16384 -s0 -c 512 not port 22 -w /dev/shm/dos.cap
Command decoded: not promiscuous; checksums are useless computation here; all interfaces; disable resolving of names, ports and services; use epoch time; very verbose; 16k buffer despite CPU likely being our bottleneck; full packet; 512 packets; not port 22 (ssh); save to a file in a ramdisk.

Did you reach out to the person listed here? [2] Try that phone number in a few hours. Be polite and just give them the facts so they don't get defensive. If they don't answer try email.

[1] - https://github.com/firehol/blocklist-ipsets.git

[2] - https://bgp.he.net/AS4983#_whois

Thanks, I emailed a few email addresses @intel.com because my spoken English is so bad that I don't want to call. But you know, those kinds of emails usually fall on deaf ears.

You say website, so I'll presume this is HTTP traffic.

In which case putting in a simple hits/IP rate limiter with something like nginx is probably enough to defend against this for the future.

https://nginx.org/en/docs/http/ngx_http_limit_req_module.htm...
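A concrete version of the per-IP limiter suggested above, as an added example that is not from the thread or from the nginx documentation. The zone name, rate, burst size, hostname, upstream address and the 203.0.113.0/24 proxy range are illustrative assumptions; the real Cloudflare ranges are published by Cloudflare and must be substituted if the site sits behind it, as the OP's does.

```nginx
# Added example (not from the thread): per-client request rate limiting
# with ngx_http_limit_req_module. Numbers are assumptions; tune to traffic.

http {
    # When nginx sits behind Cloudflare, $remote_addr is the edge's address,
    # so every visitor behind one edge would share a bucket. Restore the
    # client IP first (ngx_http_realip_module). 203.0.113.0/24 is a
    # placeholder range; use Cloudflare's published IP ranges here.
    set_real_ip_from 203.0.113.0/24;
    real_ip_header   CF-Connecting-IP;

    # 10 MB of shared memory keyed by client IP (~160k states per MB).
    # 10r/s is the sustained per-IP rate. $binary_remote_addr keeps the
    # key compact compared with the textual $remote_addr.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

    # Return 429 instead of the default 503 so monitoring can tell
    # throttling apart from a real outage; log rejections at warn.
    limit_req_status    429;
    limit_req_log_level warn;

    server {
        listen 80;
        server_name example.com;            # assumed hostname

        location / {
            # Allow a burst of up to 20 excess requests; nodelay serves
            # them immediately and rejects anything beyond that at once
            # instead of queueing, which is what you want under a flood.
            limit_req zone=per_ip burst=20 nodelay;
            proxy_pass http://127.0.0.1:8080;   # assumed upstream
        }
    }
}
```

Two checks before relying on this: confirm the restored client IP is what lands in the access log (otherwise the limiter is keyed on the proxy), and remember that a single-host limiter only caps requests nginx actually accepts; at the 11.1M req/s peak the OP reports, the edge (Cloudflare's WAF, in this case) still has to absorb the bulk of it.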

That's exactly what I did, or even managed-challenged the entire ASN using the Cloudflare WAF.

I had an attack on one of my websites from the AWS network. It lasted for ~6 hours, generating almost 100GB of traffic on an ultra-low-bandwidth site, and several million requests.

My hoster of the frontend suspended it afterwards. Backend hosting service banned those IPs temporarily.

Ohh, that's sad to hear about your story. However, AWS sells EC2 and Elastic IPs; I don't remember Intel also providing hosting services.

It's not really a DDoS if it's two addresses. Just block them and move on.
That's correct, it's DoS!

I haven't seen anything from those IPs in the past 90 days.

Any idea what they were looking for? Given that other companies are hitting websites for AI training, I'd be curious if Intel is trying to do something similar.

Well, it's a long story. I exposed something dark about a cybercrime forum, and this is one of the retaliations; the other one is card testing/fraudulent payments.

Edited:

It turns out Intel does have some developer cloud, so the attack may come from random bad guy on the internet rather than Intel itself. Thanks to everfrustrated!