
Comment by dunder_cat

20 days ago

Hmm. If it is an attempt at DDoS attacks, it's probably not very fruitful:

  $ resolvectl query gyrovague.com
  gyrovague.com: 192.0.78.25                     -- link: eno1
                 192.0.78.24                     -- link: eno1

Viewing the first IP address on https://bgp.he.net/ip/192.0.78.25 shows AS2635 (https://bgp.he.net/AS2635) is announcing 192.0.78.0/24. AS2635 is owned by https://automattic.com aka wordpress.com. I assume that for a managed environment at their scale, this is just another Wednesday for them.

I believe they're probably trying to get the blog suspended (automatically?) hence the cache busting; chewing through higher than normal resources all of a sudden might do the trick even if it doesn't actually take it offline.

It is using the ?s= parameter which causes WordPress to initiate a search for a random string. This can result in high CPU usage, which I believe is one of the DoS vectors that works on hosted WordPress.
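Added example, not code from any commenter in this thread: one way a site operator could spot the cache-busting `?s=` search pattern described above in web server access logs. The function names, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format; the referer and user-agent fields are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?'
)

def search_term(target):
    """Return the value of WordPress's ?s= search parameter, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("s")
    return values[0] if values else None

def find_search_floods(lines, key="ip", min_requests=5, min_unique_ratio=0.9):
    """Flag sources whose search terms almost never repeat.

    A cache-busting flood sends a fresh random term on every request so each
    one reaches the backend; ordinary visitors repeat or refine a few terms.
    key is the log field to group by ("ip" or "referer"); thresholds are assumed.
    """
    terms = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        term = search_term(m["target"])
        if term is not None:
            terms[m[key] or "-"].append(term)
    flagged = {}
    for source, seen in terms.items():
        ratio = len(set(seen)) / len(seen)
        if len(seen) >= min_requests and ratio >= min_unique_ratio:
            flagged[source] = {"requests": len(seen), "unique_ratio": round(ratio, 2)}
    return flagged

# Constructed sample lines: documentation-range IPs and made-up search terms.
SAMPLE = [
    f'203.0.113.7 - - [01/Jan/2025:10:00:0{i} +0000] "GET /?s={t} HTTP/1.1" 200 5120 "-" "-"'
    for i, t in enumerate(["qzkx1", "p0vbn", "m3wrt", "x9ael", "u2ydc", "h7sgf"])
] + [
    '198.51.100.4 - - [01/Jan/2025:10:00:10 +0000] "GET /?s=privacy HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.4 - - [01/Jan/2025:10:00:12 +0000] "GET /?s=privacy HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.4 - - [01/Jan/2025:10:00:15 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    print(find_search_floods(SAMPLE))
```

Grouping by `referer` instead of `ip` helps when the same pattern arrives from many client addresses.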