Hi All,
I want to share some info about the recent site slowdowns, as I think you all might find it interesting. (Or maybe just nerds like me find this interesting...)
So, site performance has been suffering because what appears to be a hacker botnet (a large group of computers under some level of control by hackers) is submitting lots of login requests to the site. Like... more than 1 request per second.
The hack is hard to block because the requests don't come from a single IP address, or even a small pool of IPs. Instead, they're being distributed across thousands of IP addresses. That said, I've got some super-sneaky measures in place to block the attacks... and I'm continuing to evolve my approach so it works better and better.
The hackers appear to have some sort of list of email addresses and passwords which they're trying to validate by logging in on the Hangout site. I have no idea where they got this list of addresses - certainly not from the Hangout itself, as none of the emails they're trying to log in with are in use by users on the site. (Well, perhaps a few of them are... but we're talking a 99.9% failure rate, or more).
My theory is, the hackers procured a huge list of email/password combinations somewhere on the darknet, and are now submitting those to websites all over the Internet. If they find one that works, they'll then use it to attempt something nefarious.
If you notice the site moving slowly, feel free to email me at eric@banjohangout.org. And I'll keep working on getting these sorts of attacks diverted so they don't slow down the site!
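What Eric describes (roughly one attempt per address, spread over thousands of addresses, a near-total failure rate, and email addresses the site has never seen) is the usual signature of credential stuffing with a leaked username/password list, and it is exactly why blocking by source IP does not work on its own. Below is an added example, not code from this post or from the Hangout site, that pulls that signature out of a batch of login-log lines. The log format, the field names (including the server-side `reason=no_such_user` field), the sample lines and the threshold values are all assumptions constructed for the demonstration; adapt the regex and thresholds to your own logs.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample login-log lines (assumed key=value layout, not real site logs).
# Attacker traffic: one attempt per address from TEST-NET ranges, mostly for
# accounts that do not exist. Legitimate traffic: one member from 192.0.2.200
# who mistypes the password once and then succeeds.
SAMPLE_LOG = """\
2024-09-27T14:10:00Z ip=203.0.113.10 user=bob1987@example.net result=fail reason=no_such_user
2024-09-27T14:10:00Z ip=198.51.100.7 user=jsmith@example.org result=fail reason=no_such_user
2024-09-27T14:10:01Z ip=192.0.2.44 user=clawhammer@example.com result=fail reason=no_such_user
2024-09-27T14:10:01Z ip=203.0.113.11 user=mary.b@example.net result=fail reason=no_such_user
2024-09-27T14:10:02Z ip=198.51.100.8 user=picker42@example.org result=fail reason=no_such_user
2024-09-27T14:10:02Z ip=192.0.2.45 user=scruggs.fan@example.com result=fail reason=bad_password
2024-09-27T14:10:03Z ip=203.0.113.12 user=earl@example.net result=fail reason=no_such_user
2024-09-27T14:10:03Z ip=198.51.100.9 user=dobro@example.org result=fail reason=no_such_user
2024-09-27T14:10:04Z ip=192.0.2.46 user=frailing@example.com result=fail reason=no_such_user
2024-09-27T14:10:04Z ip=203.0.113.13 user=tenor@example.net result=fail reason=no_such_user
2024-09-27T14:10:05Z ip=198.51.100.10 user=banjo.joe@example.org result=fail reason=no_such_user
2024-09-27T14:10:05Z ip=192.0.2.47 user=resonator@example.com result=fail reason=no_such_user
2024-09-27T14:10:06Z ip=203.0.113.14 user=openback@example.net result=fail reason=no_such_user
2024-09-27T14:10:06Z ip=198.51.100.11 user=flatpick@example.org result=fail reason=no_such_user
2024-09-27T14:10:07Z ip=192.0.2.48 user=capo5@example.com result=fail reason=no_such_user
2024-09-27T14:10:07Z ip=203.0.113.15 user=drone.string@example.net result=fail reason=no_such_user
2024-09-27T14:10:08Z ip=198.51.100.12 user=bluegrass@example.org result=fail reason=no_such_user
2024-09-27T14:10:08Z ip=192.0.2.49 user=oldtime@example.com result=fail reason=no_such_user
2024-09-27T14:10:09Z ip=203.0.113.16 user=hammer.on@example.net result=fail reason=no_such_user
2024-09-27T14:10:09Z ip=192.0.2.200 user=realmember@example.com result=fail reason=bad_password
2024-09-27T14:10:10Z ip=192.0.2.200 user=realmember@example.com result=ok reason=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail) reason=(?P<reason>\S+)$"
)

# Assumed thresholds for a small site; tune them against your own baseline.
THRESHOLDS = {
    "min_rate_per_sec": 1.0,       # the post mentions "more than 1 request per second"
    "min_failure_rate": 0.9,       # almost every attempt fails
    "min_unknown_user_rate": 0.5,  # most attempts target accounts that do not exist
    "min_ip_spread": 0.5,          # distinct IPs / attempts: traffic is spread, not clustered
}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def login_metrics(lines):
    """Aggregate a batch of login events into the signals credential stuffing leaves behind."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    if not events:
        return {}
    attempts = len(events)
    failures = sum(1 for e in events if e["result"] == "fail")
    unknown = sum(1 for e in events if e["reason"] == "no_such_user")
    per_ip = Counter(e["ip"] for e in events)
    span = (max(e["ts"] for e in events) - min(e["ts"] for e in events)).total_seconds()
    duration = max(span, 1.0)  # avoid division by zero for a single-second batch
    return {
        "attempts": attempts,
        "rate_per_sec": attempts / duration,
        "failure_rate": failures / attempts,
        "unknown_user_rate": unknown / attempts,
        "distinct_ips": len(per_ip),
        "ip_spread": len(per_ip) / attempts,
        "max_per_ip": max(per_ip.values()),
    }


def looks_like_credential_stuffing(m, t=THRESHOLDS):
    """All four signals together: fast, failing, aimed at unknown accounts, spread across IPs."""
    return bool(m) and (
        m["rate_per_sec"] > t["min_rate_per_sec"]
        and m["failure_rate"] >= t["min_failure_rate"]
        and m["unknown_user_rate"] >= t["min_unknown_user_rate"]
        and m["ip_spread"] >= t["min_ip_spread"]
    )


def per_ip_limit_would_block(m, limit=5):
    """A classic per-IP rate limit only fires when one address alone exceeds `limit`."""
    return bool(m) and m["max_per_ip"] > limit


if __name__ == "__main__":
    metrics = login_metrics(SAMPLE_LOG.splitlines())
    for key, value in metrics.items():
        print(f"{key:>18}: {value:.3f}" if isinstance(value, float) else f"{key:>18}: {value}")
    print("credential stuffing:", looks_like_credential_stuffing(metrics))
    print("per-IP limit helps: ", per_ip_limit_would_block(metrics))
```

On the sample batch the aggregate signals all fire (2.1 attempts/s, about 95% failures, about 86% of attempts against accounts that do not exist, 20 distinct addresses for 21 attempts) while no single address sends more than two requests, so a per-IP limit of five would never trigger. One caveat on the `reason=no_such_user` field: keep it in the server-side log only. The login page's response to the client should be identical for an unknown account and a wrong password, otherwise the same leaked list lets the attacker enumerate which addresses do belong to members.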
Keep up the good work Eric.
DDOS attacks seem to be getting worse as tech develops. And of course the black hats are always at the cutting edge and the security apparatus is forced to react. The current solutions only work marginally and carry pretty significant downgrades in user experience. That said I do think the username/password paradigm will be all-but-gone within the next decade. At least, I hope.
Unfortunately with this type of site, recreational and discretionary, convenience is critically important to maintain high engagement. Anything that could be effective at slowing down the DDOS or increasing security (captcha, tokens, 2fa/mfa) carries the risk of a non-trivial decrease in engagement.
Have you considered Cloudflare or other proxy services? I use a few other sites that have been victim to this type of thing and Cloudflare has helped. But I think it might be expensive so that's a big factor.
Edited by - KCJones on 09/27/2024 14:14:01