So who is attacking us now?

This server has been running non-stop for 1200 days (up to 18 Sept 2016).

Reports on DDOS attacks from New World Hacking Group Sept 2016

For the past 18 years the server has been serving information from a standalone webserver running a Linux operating system. The server supplies about 3.2 million documents per annum in the form of HTML, PDF and JPG files. In the whole 17 years, on only about five occasions has it stopped and needed a reboot. Two of these stoppages have happened in the past thirty-eight months and as a result we have been investigating the cause.

It was last restarted on 5 March 2013 after an internet attack knocked the machine over. From that time on we tightened access and monitored the attacking traffic. In the past six months it has withstood attacks from 40709 different attack sites launching 424386 attacks, all without missing a beat. Since Mar 2013 it has been attacked by 95648 different servers.

The attacks have given us data to analyse about who makes attacks on this site, and details of those attacking sites. Each of them has been identified and is blocked, receiving a blocking message immediately when it attempts to access the site.

The attacks we are tracking come from those who want to access the site illegally to try to change information on it, whether through a Telnet process, an FTP process, or by accessing someone else's email account. For them to get access, their IP address must NOT be listed in the BLOCKING LIST, it must be listed in the HOSTS.ALLOW table, and they must provide a valid login identity with the correct password.

When we identify a site that is attempting this, it gets listed in the BLOCKING LIST. This prevents the computer from giving it access to most of its services, and the server also stops accepting any mail from that IP address. We monitor every attack, and once a site is listed in the BLOCKING LIST it stays there for 2 years from the last time it tried to approach our site.

The above graph shows attacks on the site from unique servers.
If a thief makes many attempts in one day from one IP address, his attacks are only counted once.
These attacks largely come from the same set of IP addresses, and typically only 6% of the attacks per day are added to the list as servers that have not attacked us before (153 new sites added to the block list out of 1402 in the past week).
We found the drop-off in attacks during Ramadan very interesting - obviously the thieves don't think stealing is a moral crime in their religion.

Certain countries have more hackers than others. The following list shows attacks in the past week. When one takes population into account, countries like Turkey, Russia, Vietnam, Israel and others stand out. Turkey and Russia are definitely the chief hackers.

Attacks in the week 4 October 2015 to 11 October 2015 have come from the following countries:

Frequency of attacks by country (number of unique servers involved in this period)
Country  Servers  Share
CN     483      34.5%
KR     97       6.9%
US     90       6.4%
RU     64       4.6%
BR     60       4.3%
TR     56       4.0%
IN     48       3.4%
ES     43       3.1%
TW     41       2.9%
UNCLA  35       2.5%
IL     21       1.5%
RO     20       1.4%
VN     20       1.4%
HK     18       1.3%
MX     16       1.1%
CO     16       1.1%
TH     14       1.0%
AU     14       1.0%
UA     14       1.0%
IT     13       0.9%
FR     12       0.9%
SE     12       0.9%
GB     11       0.8%
PL     11       0.8%
IR     11       0.8%
DE     10       0.7%
MY     10       0.7%
BE     10       0.7%
ID     9        0.6%
CL     7        0.5%
AR     6        0.4%
NO     6        0.4%
LT     6        0.4%
RS     6        0.4%
CR     6        0.4%
PH     5        0.4%
ZA     5        0.4%
DK     4        0.3%
NL     4        0.3%
CA     4        0.3%
KZ     4        0.3%
MD     3        0.2%
HU     3        0.2%
PE     3        0.2%
LY     3        0.2%
KH     3        0.2%
PK     3        0.2%
SG     3        0.2%
EG     2        0.1%
LV     2        0.1%
MA     2        0.1%
VE     2        0.1%
CZ     2        0.1%
AZ     2        0.1%
JP     2        0.1%
PS     2        0.1%
NP     2        0.1%
AL     2        0.1%
AT     2        0.1%
Number of servers involved =  1402 

Our policy for countries that do a lot of hacking is to block the adjacent 65000 addresses around the hacker's IP address, so that if they move to a machine on the same hub or center, it will already be in the block list. Normally we only block the 256 adjacent addresses to a hacker's IP address. Remember, these are all hackers who are trying to gain control of the website for some thieving purpose. We identify every single attack.
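
The blocking rules described on this page (one count per address per day, a 256- or 65000-address block around each attacker, a 2-year stay counted from the last attempt, and the three conditions for a login) can be modelled as follows. This is an added example, not the site's own code. It assumes IPv4, treats the "adjacent" addresses as the enclosing /24 or /16 network, takes 2 years as 730 days, and uses a hypothetical set of countries for the wide block; all names and sample events are constructed.

```python
import ipaddress
from datetime import date, timedelta

RETENTION = timedelta(days=730)   # assumption: "2 years" taken as 730 days
WIDE_COUNTRIES = {"TR", "RU"}     # assumption: countries given the ~65000-address block

class BlockList:
    def __init__(self):
        self.last_seen = {}       # blocked network -> date of most recent attempt
        self.daily_unique = {}    # date -> set of attacking addresses seen that day

    def record_attack(self, ip, country, day):
        """Log one attempt; return True only if it added a new range to the list."""
        addr = ipaddress.ip_address(ip)
        self.daily_unique.setdefault(day, set()).add(addr)  # repeats count once a day
        covering = [n for n in self.last_seen if addr in n]
        for net in covering:      # already blocked: restart that range's 2-year clock
            self.last_seen[net] = max(self.last_seen[net], day)
        if covering:
            return False
        prefix = 16 if country in WIDE_COUNTRIES else 24    # 65536 or 256 addresses
        self.last_seen[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] = day
        return True

    def expire(self, today):
        """Drop ranges that have made no attempt within the retention period."""
        self.last_seen = {n: d for n, d in self.last_seen.items()
                          if today - d <= RETENTION}

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.last_seen)

def may_login(ip, blocklist, allowed_nets, credentials_ok):
    """All three conditions must hold: not blocked, allow-listed, valid login."""
    addr = ipaddress.ip_address(ip)
    allowed = any(addr in ipaddress.ip_network(n) for n in allowed_nets)
    return not blocklist.is_blocked(ip) and allowed and credentials_ok

def demo():
    """Replay constructed events (documentation address ranges, not real data)."""
    bl = BlockList()
    events = [("203.0.113.9", "CN", date(2015, 10, 4)),
              ("203.0.113.9", "CN", date(2015, 10, 4)),    # same address, same day
              ("203.0.113.77", "CN", date(2015, 10, 5)),   # neighbour in the same /24
              ("198.51.100.7", "TR", date(2015, 10, 5))]   # gets the wide block
    return bl, [bl.record_attack(*e) for e in events]
```

Note that a blocked range wins over the allow list: an address inside a blocked /16 is refused even if it also appears in the allow table and presents a correct password.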

Analysis by country

Major Spammers
  • Attacks starting from Russia
  • Attacks starting from Turkey
  • Attacks starting from Ukraine
  • Attacks starting from Vietnam
  • Attacks starting from Iran
  • Attacks starting from Israel
  • Attacks starting from Hong Kong
  • Attacks starting from Japan
  • Attacks starting from South Korea
  • Attacks starting from Singapore
  • Attacks starting from Taiwan
  • Attacks starting from Philippines
  • Attacks starting from Thailand
  • Attacks starting from Indonesia
  • Attacks starting from Malaysia
  • Attacks starting from Saudi Arabia
  • Attacks starting from India
  • Attacks starting from Pakistan
  • Attacks starting from China
  • Attacks starting from Belarus
  • Attacks starting from Poland
  • Attacks starting from France
  • Attacks starting from Italy
  • Attacks starting from Spain
  • Attacks starting from Germany
  • Attacks starting from United Kingdom
  • Attacks starting from Sweden
  • Attacks starting from The Netherlands
  • Attacks starting from Bulgaria
  • Attacks starting from Romania
  • Attacks starting from Czech Republic
  • Attacks starting from Serbia
    South America
  • Attacks starting from Brazil
  • Attacks starting from Colombia
  • Attacks starting from Peru
  • Attacks starting from Chile
  • Attacks starting from Argentina
  • Attacks starting from Venezuela
    North America
  • Attacks starting from USA
  • Attacks starting from Mexico
  • Attacks starting from Canada
  • Attacks starting from Australia
  • Attacks starting from New Zealand
  • Attacks starting from South Africa
  • Attacks starting from Egypt
  • Historical

    Past analysis of Server attacks for period 6 March 2013 to 2 February 2014

    This site was designed and is maintained by
    Trolley Scan (Pty) Ltd (South Africa)
    P.O.Box 59227,
    2100 South Africa

    Tel (South Africa) 010 237 0675 or 010 237 0676 or 072 992 6040
    Tel (International) +27 10 237 0675
    Fax (South Africa) 086 617 8002
    Fax (International) +27 86 617 8002
    Email info@trolleyscan.com
