Strangest thing I've ever seen - Viral DDoS attack?
I have several servers. One particular server had good uptime until about a week ago. Since last week, it has started seeing huge load problems and crashing occasionally. See chart: http://srv11.128secure.com/HotSaNIC/.../cpu-month.gif
Coincidentally since exactly that same week last week, one particular site I host on this server, BritneyBoards.com (a Britney Spears vBulletin message board) has been constantly seeing anywhere from 600-1200 users online at a time. 550-1150 of them being unregistered guests.
At first I thought it was a bug in vBulletin's software itself. I didn't really investigate the problem until the server started crashing frequently today. It turns out that those 550-1150 unregistered guests are real people who constantly refresh the index page (they do not go to any other page) of BritneyBoards.com, causing the load to skyrocket. I then checked the IP addresses of these "refreshers", and they are all different, from different areas of the world: from an AOL user in California to somebody from Japan, these people are coming from everywhere. I have determined that the IP addresses themselves are not proxies. Not only that, they do not respond to javascript requests (I placed some javascript on the front page for a while to redirect and they didn't budge), which makes it seem obvious that they are not using standard browsers.
So what I have now done is (see http://www.britneyboards.com/) created a temporary index page telling "legit" visitors to visit http://www.britneyboards.com/index.php. (I'm not redirecting "legit" users to index.php with javascript because I've heard that can hurt search engine ranking. That's another story.)
Now all these "people" are refreshing http://www.britneyboards.com/index.html and because the html page has no php or mysql calls, the load has of course dropped dramatically. See chart:
http://srv11.128secure.com/HotSaNIC/system/cpu-day.gif
And vBulletin no longer shows the 1000 people online at a time.
My questions - is there anything at all other than temporary fixes to solve this problem? What does this look like to you? My best guess is that people's computers are infected with a worm that sends a request to bb.com to initiate a DDoS attack against that server. (I cannot imagine 1000 different people from all over purposefully forming a DDoS attack.) No, I think most people hitting the site don't even know they are and are infected.
If so, is there any way to track down who has started this? Any way to find a virus? What should I do? Why to such a small site?
Thanks ahead of time for your help!
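The poster identified the flood by hand: many distinct IPs that fetch nothing but the index page, over and over, and never load the JavaScript or any other asset. The following is an added example (not code from the post or from vBulletin) that automates that same triage from a web server access log so the pattern can be confirmed and the offending IPs listed for a firewall or web server deny list. It assumes Apache "combined" log format and that `/`, `/index.php` and `/index.html` all serve the front page; the log lines embedded below are constructed for the example, with RFC 5737 documentation addresses rather than real visitors.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [ts] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: these paths all serve the board's front page.
INDEX_PATHS = {"/", "/index.php", "/index.html"}

# Constructed sample log (not real traffic): two index-only refreshers,
# one normal visitor who browses past the front page, one low-volume guest.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2004:13:55:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible)"
192.0.2.44 - - [10/Oct/2004:13:55:02 +0000] "GET /index.php HTTP/1.1" 200 41200 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2004:13:55:02 +0000] "GET /index.php HTTP/1.1" 200 41200 "-" "Mozilla/4.0 (compatible)"
192.0.2.44 - - [10/Oct/2004:13:55:03 +0000] "GET /images/logo.gif HTTP/1.1" 200 3100 "http://www.britneyboards.com/index.php" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2004:13:55:06 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible)"
192.0.2.77 - - [10/Oct/2004:13:55:08 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2004:13:55:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible)"
203.0.113.9 - - [10/Oct/2004:13:55:12 +0000] "GET /index.php HTTP/1.1" 200 41200 "-" "Mozilla/4.0 (compatible)"
192.0.2.44 - - [10/Oct/2004:13:55:15 +0000] "GET /forumdisplay.php?f=3 HTTP/1.1" 200 22000 "http://www.britneyboards.com/index.php" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2004:13:55:16 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [10/Oct/2004:13:55:21 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible)"
203.0.113.9 - - [10/Oct/2004:13:55:22 +0000] "GET /index.php HTTP/1.1" 200 41200 "-" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [10/Oct/2004:13:55:26 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible)"
203.0.113.9 - - [10/Oct/2004:13:55:32 +0000] "GET /index.php HTTP/1.1" 200 41200 "-" "Mozilla/4.0 (compatible)"
192.0.2.77 - - [10/Oct/2004:13:55:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2004:13:55:42 +0000] "GET /index.php HTTP/1.1" 200 41200 "-" "Mozilla/4.0 (compatible)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so /index.php?styleid=2 still counts as the index page.
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize(log_text):
    """Per-IP counters: total hits, index-page hits, distinct paths, first and last hit time."""
    stats = defaultdict(lambda: {"total": 0, "index": 0, "paths": set(),
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["path"] in INDEX_PATHS:
            s["index"] += 1
        s["paths"].add(rec["path"])
        if s["first"] is None or rec["ts"] < s["first"]:
            s["first"] = rec["ts"]
        if s["last"] is None or rec["ts"] > s["last"]:
            s["last"] = rec["ts"]
    return stats


def flag_refreshers(log_text, min_hits=5, max_avg_interval=30.0):
    """Return the sorted IPs that fetched nothing but the index page, at least
    min_hits times, with an average gap between hits of at most max_avg_interval
    seconds. A real browser also pulls images/scripts, so 'index only' is the
    signal the poster noticed; the rate threshold screens out casual guests."""
    flagged = []
    for ip, s in summarize(log_text).items():
        if s["index"] < min_hits or s["index"] != s["total"]:
            continue
        span = (s["last"] - s["first"]).total_seconds()
        avg_gap = span / max(s["index"] - 1, 1)
        if avg_gap <= max_avg_interval:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in flag_refreshers(SAMPLE_LOG):
        print(ip)
```

Run it against a real log with `flag_refreshers(open("/var/log/apache2/access.log").read())` and tune `min_hits` and `max_avg_interval` to the board's normal traffic; a legitimate reader who opens the front page and then a forum shows up with more than one path and is never flagged, while the refreshers the post describes produce one path and a steady cadence.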
