Intel DDoS my website with 11.1M request
Last night at 5:30 PM and this morning at 10:45 AM, both in UTC+2 , my website was hit by massive DDoS attacks from two Intel IP addresses.
The peaks were 3.8M and 11.1M requests per second, respectively.
146.152.233.45: ASN 4983 - INTEL-SC-AS 146.152.233.53: ASN 4983 - INTEL-SC-AS
I would say that it is crucial to consider the possibility that their network might have been compromised, or that an employee might be involved in unauthorized activities.
Screenshot from Cloudflare WAF is here: https://imgur.com/a/ddos-by-ip-from-intel-A1ISx7C
Has anyone else experienced this? Any advice or insights would be greatly appreciated!
14 comments
[ 2.9 ms ] story [ 42.4 ms ] threadMy hoster of the frontend suspended it afterwards. Backend hosting service banned those IPs temporarily.
That would suggest end-users have some way to control them, though usually for spam.
Did you happen to by chance capture any of the individual packets in tcpdump verbose mode? e.g.
Command decoded: not promiscuous, checksums are useless computation here, all interfaces, disable resolving names, ports, services, use epoch time, very verbose, 16k buffer despite CPU likely being our bottleneck, full packet, 512 packets, not port 22 ssh, save to a file in a ramdiskDid you reach out to the person listed here? [2] Try that phone number in a few hours. Be polite and just give them the facts so they don't get defensive. If they don't answer try email.
[1] - https://github.com/firehol/blocklist-ipsets.git
[2] - https://bgp.he.net/AS4983#_whois
Any idea what they were looking for? Given other companies are hitting websites for ai training, I'd be curious if intel is trying to something similar?
Intel do have a developer cloud which they make servers available to people, so it's possible traffic could be coming from something like that rather than Intel corporate. See https://www.youtube.com/watch?v=MWsEKDklEkc
In which case putting in a simple hits/IP rate limiter with something like nginx is probably enough to defend against this for the future.
https://nginx.org/en/docs/http/ngx_http_limit_req_module.htm...
It turns out Intel does have some developer cloud, so the attack may come from random bad guy on the internet rather than Intel itself. Thanks to everfrustrated!