Internet

I've been reading a couple of online comics recently.
One that really stands out from the crowd, is Æther.

Its based in a world with a kind of magic. Its got a clever, and intricate, plot with truly outstanding artwork. To give you can idea, on the right is one of the panels from the comic's Prologue, very recently re-drawn in colour. The character is called Pandora, the comics main protagonist. But, I'll leave you to find out more about her on your own.

The comic updates three times a week, Monday, Wednesday and Friday. There is also normally an update on the weekend, usually an extra "Reader Mail", in which characters from the comic answer questions from the readers.

The comic started out being black and white, but switched to colour at the third chapter. As mentioned before, the prologue has been re-drawn in colour.

The artist, Naomi, has an unusual ability to make her comic come alive with emotion: you can almost feel the emotions that the characters are going through.

(All Images © Æther, used with permission.)

Here are some useful things that I've learned slowly that Firefox can do, in conjunction with the Web Design toolbar, to make life easier for a web designer. These tools will allow you to pick up on mistakes much more easily, and help in the design of your site.

Firefox

Error Console

The error console can be reached by going to Tools > Error Console in Firefox. It lists warning and error messages about your site. It can also be reached by pressing the far right icon on the Web Designer toolbar (see below).

It's useful to detect where a error is in CSS especially, although it is also useful for use in debugging Javascript. If you are debugging a CSS Error, make sure you fix the first error in the sequence, as one syntax error will throw off a lot of code after it. Here I have deliberately created an error in one of my css files, so you can see what a CSS error looks like:

The error I created was a missing '}', in the definition above the '#visual-portal-wrapper' id.

View Source

The View Source page (right click, View Source) is a wonderful tool. It will pick up on basic html mistakes. Also, if one of the other tools has given you a line number to look at, it will highlight the line selected, as well as putting numbers to the left hand side. All useful little tools.

I have circled the area which the mistake is in in red. All the text colour is done by firefox, including the red part showing close to where I've gone wrong. I've also blanked out some things that could be used to identify the site which I was working on. Yes, I know that HTML is awful. It was very early in it's build stage. It looks a LOT nicer now. I even managed to get rid of the table :)

Page Info

The page info section is a little box, hidden under Tools > Page Info, which gives you detailed information on the web-page. Not as much as you can get using the Web Designer toolbar, but it comes in handy every now and then, especially if you want to examine a security certificate closely, or get information on how a form is working.

Here are a couple of screen shots:

Web Designer Toolbar

If you are a web designer or developer, and you don't have this toolbar, GET IT NOW!

It adds so much functionality to Firefox just for web designers, its untrue. I only have time to go through a couple of those functions. I'm picking the ones I find most useful during my work. But, there is much, much more, so explore it when you have the chance!

You can get the toolbar from here: http://chrispederick.com/work/webdeveloper/ or here: https://addons.mozilla.org/firefox/60/.

Disable Cache

It literally, stops the browser from caching anything, from images to css style sheets. This means, that you can just hit "CTRL + R" to refresh, instead of "CRTL + SHIFT + R" or "CRTL + F5" to skip the caches. This tool, however, does eat your bandwidth, so I would recommend only using it if your development server is in the same building / on the same LAN.

Display Element Information

This is a really useful tool. It will allow you to both highlight elements on your screen, as well as see information about them. A quick way to activate this is using the shortcut "CTRL + SHIFT + F". Alternately, click on "Information" and then "Display Element Information".

Here is a couple of screen-shots, currently showing information about my main content frame. I have cut this image up a bit, for those on low-resolution systems to be able to see it properly.

Resize

This is a feature of the web Design toolbar that I can't work without. We now design all of our sites to work with 1024 x 768 (As you may have noticed with this site), but also try to make them compatible with 800 x 600, as far as possible. Resize allows you to resize your browser to a defined value. When it is first installed, the resize drop-down only has 800 x 600, but it's just the work of a few moments to add 1024 x 768.
(Click on "Options"in the tool bar, click on "Options..." and then the resize tab. Then click the add button. Or, if you have the latest version, Click on "Resize" in the tool bar, and then click on "Edit Resize Dimensions")

No more changing my screen resolution, just to check the site. Here (again!) is a screenshot, of the options window that is opened when you choose get to the resize area...

Conclusion

Hopefully that has given you enough information. There are a plethora of other useful extensions to Firefox for Web Designers / Developers. If you have the time, look through the "Developer Tools" category in the Firexfox extention repository. I would also recommend the "Professor X" extension, which allows you to see a detail of a webpage's head, and all the information inside very easily, without having to open and scan through the source, and nicely formatted. (Screenshot here)

This site was getting hammered with spammy trackbacks, so I've disabled trackbacks.  Unfortunately, I also had to edit every article, which stuffed the dates again ><. I DON'T LIKE SPAMMERS.

I will make a proper post in the not-too distant future... life's been a bit manic atm...

The Storm Worm. A virus and set of malware that has been spreading across the internet since January 2007. According to this article, it is now estimated that it has turned up to 50 Million computers into bots (or Zombie Computers), and is more powerful than a supercomputer.

So, I thought, a fine time to do some number crunching, to see if we can see approximately how powerful this bot-net is. (See here for the full article, with calculations at the bottom, if you're looking at this from the homepage.)

The bot-net will probably have a maximum of around 40,000 Terahertz (THz) at its disposal. To put that into perspective, the worlds fastest supercomputer (The Blue Gene L) has around 91.8 Terahertz.

Ok, that is a really, really impressive amount of processing power. But what use is that power without being able to get data (spam emails etc.) onto the internet?

61 GigaBytes a second.

You heard me right. The bot network, will have the estimated capacity to pump 61 Gigabytes of data onto the internet per second.

At 20KB an email, thats 3,200,000 (Three Million Two Hundred Thousand), emails per second.
Revised email calculations (see note below): at 11.73KB an email, thats 5,442,177 emails per second.

Or, at 750MB per CDROM, thats 83.3 discs per second.

I think the term "Houston, we have a problem" doesn't even come close to showing the amount of pain these guys can cause. At that rate of data transfer, this cracker ("hacker" for mass-media) group will be able to take any website in the world off-line, with a Distributed Denial of Service attack. They may even be able to take the internet offline, with another Backbone attack.

Now, this has been a almost-worst-case scenario, but trust me when I say, this is not good. I think, something drastic may be in order.

Note: Checkout my math and assumptions by clicking the "Read More" (if you're not already in the full post). If you see any problems, or have some more-up-to-date information, feel free to register, and add a comment. (Sorry about forcing you to register. Spammers have been causing problems ><.) Alternatively, my email address can be found on the "about" page above."

Update: Looks like the bot-net is being brought into play to attack anti-spammer websites.
http://www.spamnation.info/blog/archives/2007/09/419eater_ddosd.html

Update #2: The webmaster of spamnation.info has confirmed (roughly) the analysis of this article, which says the average spam email is 11.76KB. As such, I have revised my email calculations. I'll probably post a follow-up to this, if I can get any more accurate data to go on, and I may re-do all of the calculations at some point, with a more conservative bot number estimate base.

Final Update: This post has been followed up here.

Read More - Calculations

All calculations are in computer-style notation, so * for multiplication, and / for division.

Processing Capacity (Zombies)

Assume 40 Million infected computers, (even though the article says 50,000,000, lets err more on the safe side...) 40,000,000.

Assume an average of 1Ghz processor in each computer. (Its probably more like 1.5, but safe side again.) 40,000,000 Gigahertz (GHz)

40000000/1000 = 40,000 Terahertz (THz)

Processing Capacity (Blue Gene L Super Computer)

Blue Gene L, has 131,072 Processors, each running at 0.7 GHz (700 Mhz).

131072 * 0.7 = 91750.4 Ghz

91750.4 / 1000 = 91.8 Thz (Rounded to 1 decimal place)

Data Transfer (Zombies)

Assume 40 Million infected computers. 40,000,000.

Assume that each computer has about 128kb/s upload rate. (Probably closer to at least 256kb/s, but lets err on the safe site. 40 million is a lot of computers...)

Get the 128 Kilobits into KiloBytes. 1 KiloByte = 8 KiloBits, so:

128 / 8 = 16KB/s per bot.

40000000 * 16 = 64,000,000KB/s transfer rate. Ok, that's too mind-boggling. Lets get the numbers to be more sensible.

1 MegaByte = 1024 KiloBytes, so:
64000000 / 1024 = 62,500/s. Not readable yet. Again.

1 GigaByte = 1024 MegaBytes, so:
62500 / 1024 = 61GB/s (rounded to 0 decimal places). Err... I did do these sums right... *checks*. Wow.

Emails per second with 61GB/s bandwidth.

Assume an Average spam email size of 20 KiloBytes (This article says 11.76KB, but its out of date, and source is offline. Err on safe side.)

From our bandwidth calculations above, there is 64,000,000 KB/s bandwidth available. So:

64000000 / 20 = 3,200,000 per second.

Emails per second with 61GB/s bandwidth (Revised calculations).

The 11.76KB appears to be accurate, so lets revise these calculations to take that into account.

Bandwidth 64,000,000 KB/s.

CDs per second with 61GB/s bandwidth.

CD-ROM total size : 750MB.

From bandwidth calculations above, 62,500 MB/s.

62500 / 750 = 83.3 CDROMS worth of data transfer per second. (Rounded to one decimal point)

I've read quite a lot in my search on information about the Storm worm.

Capacity

Apparently, a better estimate of the Storm Worm Botnet' current number of zombie machines is about 10 Million. As such, I've redone all my calculations (bottom of the article) with the updated numbers, and I've also spent some more time finding other numbers to remove some of the estimations from calculations.

I estimate, that the botnet currently has access to about 15,000 THz of CPU power. The fastest super computer currently in existence, Blue Gene L has 91.8 THz. So, this has fallen with the re-calculations.

I managed to find this report on the state of broadband in the US, which says that the average upload speed (all I'm interested in really) is about 371kb/s. So, I've recalculated all of my bandwidth calculations, working from that figure, as outside the US, e.g. canada, Japan, are likely to have much higher upload speeds. Also, Britain is starting to move to 448/812kb/s

About 442GB/s. Which, is equivalent to 339 Million emails per second, or 604 CDROMs worth of data every second.

Use

This report says that they are currently selling distribution capacity, as well as as of the 13th of August, testing their DDoS capacity.

This report from spamnation.info estimates that they are currently attacking a number of Anti- Spam / Malware sites. In fact, a large number of malware sites have / are under attack, including 419eater, which was basically overloaded with about 450GBs an hour worth of traffic, taking it off-line. CastleCops.com, is currently weathering the same high-level of incoming traffic.

Here is a graph of the traffic hitting 419eater.com. The attack took 419eater offline for a number of days, and they're only coming back online now. They are still under attack, but have moved hosts, to someone who can cope with a massive amount of data incoming.

At 11:44, traffic stops, as the site is taken offline, because the guys who hosted their website could no-longer cope with the sheer amount of incoming traffic.

Self Defence

The storm worm is (unfortunately for us) quite clever. It detects when its being used on what is called a virtual machine, a tool that some security researchers use to keep their PC safe from the trojan/virus, whilst they are trying to disassemble it.

Also, the botnet will launch a DDoS attack at any computer that either:

1. Downloads the virus too many times (Researcher)
   
2. Scans an infected computer for the basic signs of infection

I hope all this information is useful. The storm worm has quite worried me recently, and the only real way to combat it now, would be for the ISP's to take action. Which they are not going to anytime soon - it does not make economic sense to do so.

My calculations are below. If you have any more up-to-date information for me to base them on, I'd love to hear from you. Leave a comment, or send me an email. My address is in the "about" page, linked above.

Calculations

All calculations are in computer-style notation, so * for multiplication, and / for division.

Processing Capacity (Zombies)

Assume 10 Million infected computers. 10,000,000.

Assume an average of 1.5Ghz processor in each computer. (Its probably more like 2.5Ghz, but safe side it.) 15,000,000 Gigahertz (Ghz)

15,000,000/1000 = 15,000 Terahertz (Thz)

Processing Capacity (Blue Gene L Super Computer)

Blue Gene L, has 131,072 Processors, each running at 0.7 GHz (700 Mhz).

131072 * 0.7 = 91750.4 Ghz

91750.4 / 1000 = 91.7504 Thz

Round to 1 decimal place = 91.8 Thz

Data Transfer (Zombies)

Assume 10 Million infected computers. 10,000,000.

Assume that each computer has about 371kb/s upload rate. (Probably a bit higher, but thats the average for the US, so safe-side it. 10 million is still a lot of computers...)

Get the 371 Kilobits into KiloBytes. 1 KiloByte = 8 KiloBits, so:

  371/ 8 = 46.375KB/s per bot.

10000000 * 46.375 = 463,750,000KB/s transfer rate. Ok, that's too mind-boggling. Lets get the numbers to be more sensible.

1 MegaByte = 1024 KiloBytes, so:
463750000 / 1024 = 452,880.859375MB/s. Not readable yet. Again.

1 GigaByte = 1024 MegaBytes, so:
452880.859375 / 1024 = 442.266464233GB/s

Err... I did do these sums right... *checks*. Wow.

Round to 0 decimal places = 442GB/s

Emails per second with 442GB/s bandwidth.

Assume an Average spam email size of 11.76 KB from This article, and rough confirmation from spamnation.info

From our bandwidth calculations above, there is 463,750,000 KB/s bandwidth available. So:

463750000 / 11.76 = 339434523.80952381 emails per second.

Round to 0 decimal places = 339,434,524 emails per second.

Round to 3 significant places = 339,000,000

CDs per second with 442GB/s bandwidth.

CD-ROM total size : 750MB.

From bandwidth calculations above, 452880.859375 MB/s.

452880.859375 / 750 = 603.841145833 CDROMS worth of data transfer per second.
Round to 0 decimal places = 604 CDROMS data per second.

Thanks to

Had a situation pop up today at work. Spammers started to target (at a stupid hour in the morning) one of our customers' servers with referral spam. That is, they try and get their website's links into our logs.

Cue 9 hours later, I get in work, and one of our servers is complaining (seperate issue). Sort of fix that, to get a call "Our server is really slow."

So, go through the motions. Load on the server: 0.50 (for windows guys, think of it as the amount of spare thinking time the computer has, when load hits 1, its running at full capacity, when it goes above 1, it is having to make some tasks wait to run.)
Nothing wrong there.

Ping the server. 20ms response time. Nothing wrong there.

Remember that we installed ntop on a couple of servers a while back, and that this one should have it on as well. Load up the traffic graph. Wooo! Steady incoming traffic of ~2Mbps (~600kB/s).

Check the Apache server-status page. See stuff like this:

88.232.13.34 customerDomain.com GET hxxp://thecric.free.fr/AZenv/azenv.php HTTP/1.0

Referral spamming. See the ever useful wikipedia: http://en.wikipedia.org/wiki/Referer_spam

This is not the first time it has happened, so pull out our trusty tool for dealing with this (blacklist  program and log-scanning tool), and start playing wack-an-ip-address with the spammers. (Blacklisting their IP: no traffic at all will get to the webserver from that ip address.)

Fun.. so, LOTS of IP addresses later, traffic on the server is back to normal.

'So' I hear you ask, 'where does the stupidity come in?'

The server they attacked, is not public-facing. There are no fancy websites for you to visit. No content to be of any use to you. It is a corporate-tool hosting server. The referral statistics are not public. The spammers just wasted their time, and mine. With the sheer number of computers that decided to poke at us, it has to be infected computers in a bot-net.

Still, I like playing wack-a-spammy-ip. It's fun ^^, and the IP addresses can hopefully be used to stop these muppets from hitting our server again.

Recently, we came under attack from the Storm / Nuwar Botnet. The post I made about it on the third of October: We had mis-identified it as a referral spam attempt. Close, but no cigar.

Now, I've always tried to keep my name & employer from becoming too widely spread on the interweb, although there is a couple of really, really easy ways you can find it, just from this website. (One of them being, ask me ;) )

It appears, that as a result of the two posts I've made about the Storm Worm, someone decided to DDOS not this blog, but my employer's un-related servers, attacking one of our customers' managed servers, and then our webmail server. (This blog is hosted from servers in  the same rack as those servers.)

At its peak, the attack was drawing 8Mbps of data transfer. (About 1MB per second.)

Graph is read from right to left. <<<<<<< Time Flows that way. <<<<<<<

^{You can see at 0930, when I got in work and started combating the attack. We only really stopped it the morning this graph just ends on...}

Only problem, was that they were flooding our server with requests, literally using every available incoming connection on the server all the time. 

For non-techies, a web site is hosted by a computer somewhere on the interweb, 
that never gets turned off, connected to a really thick pipe to the internet. 
Its configured to accept a certain number of new people visiting its website(s) 
at once.

We've now completely mitigated this attack (to the point, where at most now its drawing 50kbps [6.5KB per second]). Technically, we can mitigate (and sustain) a much more serious attack. This was basically a "Get Lost, and STOP POSTING ABOUT US" poke.

An expensive poke. A sustained 8Mbps transfer rate is expensive in bandwidth!

So far (*wanders off to check*) we've identified 23,265 ip addresses which have tried to attack us. That's a lot of infected computers, but it could have been worse.

It appears the attack has been petering out, we are identifying one new bad ip (infected computer) once every 30-60 seconds. At its peak, we were picking up at least one new ip every second.

The attack started at 1AM GMT, and ramped up to full power in about 20 minutes. That means that it takes the Nuwar / Storm botnet about 20 minutes for a command to filter down into its bots.

At the beginning of the attack, the pattern we were seeing was a bad request from one ip, then 3 different bad requests, then back to the first IP. Sometime during the attack, I think about 1400 or 1500 (2 - 3pm) they switched to hitting us repeatedly from one ip address, showing that someone was probably monitoring at least a small part of this attack, and had noticed that we'd started to block the attacks.

Now, this happened quite a while ago.

So why haven't I posted about it yet? Why has it taken me 2 weeks to blog about this?

Because, its only now that we feel that we are able to safely weather another attack, should the Zhelatin Gang decide to start poking us again. If they didn't like me posting what I have, they're not going to like me posting this.

A message to them: I do not like bullies. Go pick on someone your own size for a change.

Firstly, Hello Planet Ubuntu-UK!

Sorry I haven't made a specific Ubuntu post in a little while, not too long now. If you think of anything you want to know about the gnome interface, comment and I'll blog on it. (The same sort of thing I did for Wanda the Fish.)

On a personal matter, I passed my driving test Saturday! Insurance is going to be fun... but I'm covered till thursday on a sort-of temporary one, so I drove to work this morning.
It feels very, very odd to actually be driving... now I've just got to decide where to go next!

News Comment: I saw this story come up on BBC recently
http://news.bbc.co.uk/1/hi/world/africa/7112929.stm

The teacher did not insult Prophet Muhammad, and had no intention of doing so. In fact, the name "Muhammad" is quite common among some populations. So why did you jump up and down on a teacher for naming the bear as the children wanted? Where is the insult there?

Is it just me that I can't see one?