Over this past weekend, I noticed that the site was slowing down and becoming nearly unusable. How can that be, I thought, since we hosted it on an //gs with a TransWarp card, so there should be no shortage of raw computing power.
Digging in, I found not the low-level attack I anticipated, but a relatively primitive attempt to bomb WordPress into oblivion with repeated login attempts and random search strings. The only difference is here:
Last week I noticed yet another ongoing brute-force attack against our managed WordPress hosting. The botnet is very low key and each bot connects on average only once per day.
The difference is that instead of hitting once per day, these bots — mostly compromised hosts on Digital Ocean, Amazon Web Services Hong Kong and India, Google, Yandex, GoDaddy, and several regional providers in Asia and universities in New Zealand — were ramming in login requests 200 times per minute.
Now, normally I do not trouble my readers with this stuff, because unless you are a super basement nerd (roll 20-sided die here) it probably strikes you as about as interesting as dismantling a coffee maker. But our logic tree provides us with some interesting possibilities:
If the latter, it makes no sense for them to go overdrive on Amerika unless they are being re-sold as a bot-net for hire. This means that either the owners of the botnet want to DDoS America, the botnet creator suddenly screwed up his own code, or that someone out there has chunks of money to spend on DDoSing conservative sites.
Of course, if any of them were purchased legitimately, this means that someone has access to lots of funding for a drive-by attack. That, too, points to someone organized, possibly a state actor who wants to use outside resources for plausible deniability.
The anomalies here which differ from the original article are the rate of attack, and the different user-agent string. In other words, this one looks more like an attack pretending to be normal botnet activities, and less like some bot code that got loose and went haywire.
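The two anomalies named above, request rate and user-agent string, can be pulled out of a web server access log per source address. The following is an added example, not code from this site; it assumes the Apache/nginx "combined" log format, the standard WordPress `/wp-login.php` and `?s=` search paths, and a per-address threshold of 200 per minute borrowed from the figure above. All log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log format: Apache/nginx "combined".
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def is_target(method, path):
    """True for WordPress login POSTs and search queries (?s=...)."""
    if method == "POST" and path.startswith("/wp-login.php"):
        return True
    return bool(re.search(r"[?&]s=", path))

def peak_rates(lines):
    """Return {ip: (peak hits in any one clock minute, set of user agents)}."""
    per_minute = defaultdict(Counter)
    agents = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_target(m["method"], m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_minute[m["ip"]][ts.strftime("%Y-%m-%d %H:%M")] += 1
        agents[m["ip"]].add(m["ua"])
    return {ip: (max(c.values()), agents[ip]) for ip, c in per_minute.items()}

def flag(lines, threshold=200):
    """Sorted list of IPs whose peak per-minute rate reaches the threshold."""
    return sorted(ip for ip, (peak, _) in peak_rates(lines).items() if peak >= threshold)

def sample_log():
    """Constructed traffic: one flooding host, one low-rate host, one visitor."""
    fmt = '{ip} - - [{ts} +0000] "{req} HTTP/1.1" 200 512 "-" "{ua}"'
    out = [fmt.format(ip="203.0.113.7", ts=f"10/Mar/2019:04:12:{i % 60:02d}",
                      req="POST /wp-login.php", ua="ExampleBot/1.0")
           for i in range(200)]
    out.append(fmt.format(ip="203.0.113.7", ts="10/Mar/2019:04:13:05",
                          req="GET /?s=qzxvkw", ua="ExampleBot/1.0"))
    out.append(fmt.format(ip="198.51.100.9", ts="10/Mar/2019:09:30:00",
                          req="POST /wp-login.php", ua="Mozilla/5.0"))
    out.append(fmt.format(ip="192.0.2.44", ts="10/Mar/2019:09:31:00",
                          req="GET /about/", ua="Mozilla/5.0"))
    return out

if __name__ == "__main__":
    print(flag(sample_log()))
```

Lowering `threshold` also surfaces the once-a-day style of bot, at the cost of catching legitimate logins, so the user-agent sets returned by `peak_rates` are the better signal for that class.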
My guess is that as usual, organized Leftism and organized crime overlap, and more than people think. It would also benefit their business interests to kick the Right off the web so that only the raving consumerist zombies remained.