It sounds like an emergency measure. Marc told me in chat that he had to block many different ip ranges which was probably very tedious and exhausting.
That's the whole point of a DDoS: a single instigator convinces a very large number of computers spread around the Internet to do the dirty work.
That doesn't always imply that the attackers have been "hacked", although there are many examples where e.g. domestic routers or IP-connected cameras have been compromised and then lent or hired out to do the dirty work. In some cases however it's due to an ill-conceived feature in a comms protocol, e.g.
https://en.wikipedia.org/wiki/Smurf_attack

I wonder who is behind these attacks synchronized with the release of the latest Lazarus IDE. I expect that there will be more attacks in the future.
Joanna, KNOCK IT OFF. We've had enough of that.
Even if all legit forum users were whitelisted, ip addresses aren’t permanent.
Depends on whether the apparent attacker is using NAT. People in businesses or smaller ISPs will generally be associated with a small range of IP addresses, while those using a browser on a mobile 'phone are likely to see their apparent address change (my experience exploring this is that bigger 'phone companies have multiple layers of NAT). Works both ways: people are commenting that they were able to connect from a 'phone but not from their desktop.
I don’t know how feasible it would be to stop all accounts who aren’t logged in from entering the forum?
That's not such a bad idea, but my suspicion is that there are two cases here. The first case is preventing the login screen (and for that matter any more of the HTTP server software that hosts the forum) from responding to a login attempt. However that wouldn't protect against the second case which would need a lower-level blacklist to prevent /all/ traffic getting through the lower levels of the network stack (which might need an unprivileged webserver process to run privileged firewall commands, which is an obvious can of worms).
I have a vivid memory of setting up a relatively high-bandwidth server with SSH exposed on its standard port (22). Even without that being advertised on e.g. a webpage, within minutes there was a full-blooded attack going on of machines trying to brute-force the password, and even killing the SSH server left them taking kernel resources as a flood of "port unavailable" ICMP messages was routed outwards.
It got interesting though when I started running analysis software on a fraction of the attackers**. However I remember a more innocent age 30 years or so ago when such things were considered grossly unprofessional...
MarkMLl
** https://lcamtuf.coredump.cx/p0f3/ , https://lcamtuf.coredump.cx/oldtcp/tcpseq.html , https://lcamtuf.coredump.cx/newtcp/ , noting that unlike e.g. Nmap those are passive.
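The brute-force flood described above, and the earlier point about having to block whole IP ranges, can be seen in the logs before anything is blocked. The following is an added example (not code from this thread or from the Lazarus project) that counts failed sshd password attempts per source address over constructed sample log lines, rolls them up into /24 prefixes, and reports both single hosts that hammer repeatedly and prefixes where several distinct hosts each fail, which is the distributed pattern that makes range blocking tempting. The addresses come from the RFC 5737 documentation ranges and the thresholds are assumptions, not recommendations.

```python
"""Aggregate failed SSH logins per source address and /24 from sshd log lines."""
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample sshd log lines (not real data); the pattern below matches OpenSSH's
# "Failed password for [invalid user] NAME from ADDR port N ssh2" messages.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[101]: Failed password for invalid user admin from 203.0.113.10 port 4001 ssh2
Mar  3 10:01:03 host sshd[102]: Failed password for root from 203.0.113.11 port 4002 ssh2
Mar  3 10:01:04 host sshd[103]: Failed password for root from 203.0.113.12 port 4003 ssh2
Mar  3 10:01:05 host sshd[104]: Failed password for invalid user test from 203.0.113.13 port 4004 ssh2
Mar  3 10:01:06 host sshd[105]: Accepted publickey for mark from 198.51.100.7 port 5000 ssh2
Mar  3 10:01:07 host sshd[106]: Failed password for invalid user oracle from 198.51.100.7 port 5001 ssh2
Mar  3 10:01:08 host sshd[107]: Failed password for root from 192.0.2.200 port 6000 ssh2
Mar  3 10:01:09 host sshd[108]: Failed password for root from 192.0.2.200 port 6001 ssh2
Mar  3 10:01:10 host sshd[109]: Failed password for root from 192.0.2.200 port 6002 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")


def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def aggregate_by_prefix(per_ip, prefixlen=24):
    """Roll per-IP counts up into prefixes: {prefix: (attempts, distinct_hosts)}."""
    out = {}
    for ip, n in per_ip.items():
        net = str(ip_network(f"{ip}/{prefixlen}", strict=False))
        attempts, hosts = out.get(net, (0, 0))
        out[net] = (attempts + n, hosts + 1)
    return out


def block_candidates(per_ip, per_host_threshold=3, per_prefix_hosts=3):
    """Hosts failing at least per_host_threshold times, and /24s in which at least
    per_prefix_hosts distinct hosts failed (assumed thresholds, chosen for the sample)."""
    hosts = sorted(ip for ip, n in per_ip.items() if n >= per_host_threshold)
    prefixes = sorted(net for net, (_, h) in aggregate_by_prefix(per_ip).items()
                      if h >= per_prefix_hosts)
    return hosts, prefixes
```

Note that the one failure from 198.51.100.7, which also had a successful key login, is neither a hammering host nor part of a busy prefix, so it is not flagged; a per-host or per-range count is only a starting point for a block decision.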