Getting errors today

wiyosaya

I've got *.techspot.com white-listed for cookies, yet starting today, I'm getting the following message along with failed postings and other issues:

(Note when I tried to reply to a post, this appeared in the composition box. You'll have to decipher this yourselves, but it is the gist of the error I'm getting.)

 
That obviously needs to be (properly) fine-tuned. You can't just deploy a WAF like that and call it a day. A WAF is actually better and faster on a server-side level rather than paying a CDN to perform that.

I know because I have 15 servers myself.
 
Apologies for the site issues and other annoyances. We've been dealing with incessant DDoS attacks for the past month or so. It was slowing down the servers and causing other issues like brief downtimes. We tried a few solutions but nothing worked as effectively as enabling a WAF at the edge of our servers, however that in itself comes with problems of its own.

We are already exploring a different WAF that is faster and more effective, but transitioning to a different provider takes time. The current solution messes up the forum posting, etc. because it verifies the same user every 5 minutes or so. For now, the "trick" is opening another TechSpot page before submitting anything.

Everybody is also getting that flash/blank page (WAF verification) but the site is fast and accessible now -- so that's where we are for now. To give you further context, in the last 24 hours, the WAF says it's blocked over 2 million DDoS connection attempts to our servers.

As for proper configuration, believe us, we've tried everything with our current provider but in short, it's a horrible setup and the reason we only used them as a CDN and not for the WAF functionality. I hope we can get us on a better platform sometime next week.
 
In my daily tasks I handle 600+ cloud-deployed WAFs (R-Proxy). We had some issues at the first deployments but got over them. We use Silverline, Imperva and Radware.

We keep the service running in parallel before changing the DNS CNAME record to the new WAF. A simple entry in the hosts file will let app owners test for as long as they please.

Also there is a golden rule not to make any change from Friday to Monday.
This way we make sure we have all the support needed during working hours.
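
The pre-cutover test described in this post, sketched as an added example (not the poster's or TechSpot's tooling): the same request goes to the new WAF by pinning its IP, as a hosts-file entry would, and the answer is compared with the current path. The marker strings, paths and sample responses are constructed assumptions.

```python
import http.client, socket, ssl

# Assumed marker strings for a challenge interstitial (constructed); replace
# them with text your provider's verification page actually contains.
CHALLENGE_MARKERS = ("site verification", "please enable cookies")

def fetch_pinned(host, ip, path="/", method="GET", timeout=10):
    """Request https://host/path but connect to `ip`, as a hosts-file entry
    would. SNI and certificate validation still use `host`."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((ip, 443), timeout=timeout)
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    conn.sock = ctx.wrap_socket(raw, server_hostname=host)  # no DNS lookup
    try:
        conn.request(method, path, headers={"User-Agent": "waf-cutover-check"})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        return {"status": resp.status, "body": body}
    finally:
        conn.close()

def is_challenge(resp):
    body = resp["body"].lower()
    return any(marker in body for marker in CHALLENGE_MARKERS)

def compare(method, path, current, candidate):
    """Findings for one request sent via the current path and the new WAF."""
    findings = []
    if is_challenge(candidate):
        impact = "submission would be lost" if method == "POST" else "page load delayed"
        findings.append(f"{method} {path}: challenge page from new WAF ({impact})")
    elif candidate["status"] != current["status"]:
        findings.append(f"{method} {path}: status {current['status']} -> {candidate['status']}")
    return findings

# Constructed sample responses, standing in for fetch_pinned() results.
OK = {"status": 200, "body": "<html><title>Forum</title></html>"}
CHALLENGE = {"status": 200, "body": "<html><title>Site verification</title></html>"}
BLOCKED = {"status": 403, "body": "Forbidden"}

def demo():
    report = []
    report += compare("GET", "/community/", OK, OK)
    report += compare("POST", "/community/add-reply", OK, CHALLENGE)
    report += compare("GET", "/search", OK, BLOCKED)
    return report

if __name__ == "__main__":
    print("\n".join(demo()))
```

Against a live site, pass the results of two `fetch_pinned()` calls (current edge IP and new WAF IP) to `compare()` for each path that accepts form posts.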
 
Yeah, some settings are really aggressive. You could inspect what they are actually trying to DDoS and based on that you set (predetermined) rules.
 
Thanks for the update.

I'm not sure it will help, but I have a custom IPTables firewall script on a Linux PC I use as my router and firewall for my home network that limits the number of packets and protects against DDOS attacks. It sounds like you are using a third-party service. To me that means you may have little control over something like this.

That said, and FWIW - here's a page on "Server Fault" that deals with a similar mechanism. https://serverfault.com/questions/1105705/how-to-configure-iptables-against-ddos-attacks-or-others

BTW - Today, so far, things seem much better.
 
Not sure if it's the same error, but these are constantly happening.
That's not quite what I was getting on Friday, but it is very similar. It was only displayed briefly, and the content closely matched the "garbage" in my original post. The "garbage" I posted was displayed when I hit "reply" to a post. Given @Julio Franco's reply, the site must have been trying to reverify that I was a legitimate user.
 
Really, the home-grown tools are nothing compared to a webserver's "WAF". A webserver WAF's primary task is to "protect" a server from malicious code or scripts being sent or executed. Or let's say, fill in some sort of "upload" form and try to fetch the file using a public link such as somedomain.com/uploads/test.php

All those little things can lead to backend access - even though passwords are secured, you could still inject some sort of malware into its template files, which means we as visitors would be getting malware presented.

This is basically what a WAF over a CDN is - but a CDN isn't a holy grail. If you get DDoS'ed enough they simply disconnect you. You need a properly secured environment using also server-side stuff to protect yourself from.

With a well-configured ModSecurity ruleset, you could still run "vulnerable" websites that are known to get hacked (outdated, for example), but because of ModSecurity your stuff is still protected.
 
So, to state what might be the obvious, it sounds like the "solution" TS originally employed was not the right one for the DDOS problem they were trying to solve.
 
You really need to dive into the logs to understand what's going on, and act based on what you find. It sounds to me like an "all-in-one" patch was attempted to be deployed that perhaps solved it but added a lot of other bugs into it.

If I spawn open 100 browsers at the same time addressing this website, the CDN you're using will simply allow all that traffic to pass through. Your origin webserver would still be loaded quite heavily. A CDN is not a holy grail but more like a proper toolset if you know how to use it.

I use a CDN for only 2 reasons:

1: Geographical stuff. If I have a website that is in English and I'm addressing, let's say, worldwide visitors, then a CDN is helpful. Google will also pick a server nearby instead of 1500 miles away from the person who's searching for stuff.

2: Block unwanted or most likely bot traffic. Think of bots searching for old templates, files, plugins etc. And it happens. If you run a WordPress website, 60% of your source traffic is just garbage and automated scans from all over the world.

There are good tools to bring that to a minimum, but other than that, that's what a CDN is good for. The built-in WAF is simply the same as ModSecurity.
 
There's something wrong with the mailer, or at least the follow-up emails being sent whenever there's an update on this.

It's sending out URLs such as "tchspot.com" rather than "Techspot.com", i.e.

Code:
https://www.tchspt.com/community/topics/getting-errors-today.281470/unread?new=1
 
We've been testing a few server related changes, a new WAF and more, hopefully we'll be golden by tonight / tomorrow.
 