baumi's blog


Mitigating DDoS attack: botnet imitating microsoft bingads, githubhelp.com, trustpilot clicks – Banned IP list

On July 25, 2025 a Distributed-Denial-of-Service (DDoS) attack was launched against interssl.com by a botnet. The current counter shows a total of 512030 different IPs accessing our server. The attackers simulated millions of fake campaign clicks from Bing Ads and from a Trustpilot company profile.

How to distinguish between legit traffic and this botnet?
1) Check your logfile for URLs containing "%C2%A4", which only the botnet uses
2) Look for "bing", "msclkid", "githubhelp", "trustpilot" and "company_profile" in your logfiles
3) In case you are running paid Microsoft Bing Ads campaigns, rename your Bing Ads campaign. Then filter out all traffic that still uses the old campaign name, or simply look for "%C2%A4", which only the botnet uses

How to defend?
1) Block the botnet IPs using iptables (see IP lists + scripts below)
2) For botnet IPs that show up later, you can use (permanent) HTTP 301 redirects in .htaccess to fend off subsequent HTTP(S) requests. This way only the first request from each IP needs to be processed by your server; all subsequent accesses use the cached redirect (at least for now as I'm writing this).

RewriteEngine On
# Requests whose query string carries the botnet marker %C2%A4 get a permanent
# redirect to the client's own address, which the client caches
RewriteCond %{QUERY_STRING} %C2%A4 [NC]
RewriteRule ^.*$ https://%{REMOTE_ADDR}/? [R=301,L]

In case you are affected, here is the IP list to block the botnet using e.g. iptables:

ALL 512030 IPs
Download ddosban_ips_all.txt (IPs only)
Download ddosban_ips_all_stats.txt (sorted, with statistics)
Download ddosban_ips_converted.zip (abuseipdb.com bulk report CSV)

TOP 3000 IPs (based on access frequency)
Download ddosban_ips_top3000.txt (IPs only)
Download ddosban_ips_top3000_stats.txt (sorted, with statistics)

Last updated: 26.07.2025 21:15 CET

Block IPs using iptables / ipset
This simple script takes about 3 minutes to run:


#!/bin/bash
IP_FILE="ddosban_ips_all.txt"

# Show total number of IPs
date ; wc -l "$IP_FILE"

# Create "ddos1" list; the default maxelem (65536) is too small for 512030 IPs,
# and "ipset -q" below would silently hide the resulting "set is full" errors
ipset create ddos1 hash:ip maxelem 1048576
iptables -A INPUT   -m set --match-set ddos1 src   -j LOG
iptables -A INPUT   -m set --match-set ddos1 src   -j DROP
ipset flush ddos1

# Block IPs (one ipset call per address, hence the runtime)
while read -r ip; do
    [[ -n "$ip" ]] && ipset -q -A ddos1 "$ip"
done < "$IP_FILE"

ipset list ddos1 | grep "Number of entries:" -B 100

Block IPs using "ipset restore" (performance optimized)
This script runs in about 20 seconds:


#!/bin/bash
IP_FILE="ddosban_ips_all.txt"
SETNAME="ddosban"

# Show total number of IPs
date ; wc -l "$IP_FILE"

# Create tempfile for "ipset restore": one "add SETNAME ip" line per address,
# skipping empty lines
echo 'tempfile for "ipset restore" ...'
TMP_FILE=$(mktemp)
grep -v '^$' "$IP_FILE" | sed "s/^/add $SETNAME /" > "$TMP_FILE"

# Cleanup old rules (if existing)
echo "ipset cleanup ..."
iptables -D INPUT -m set --match-set "$SETNAME" src -j LOG 2>/dev/null
iptables -D INPUT -m set --match-set "$SETNAME" src -j DROP 2>/dev/null

# The set can only be destroyed once no rule references it any more
ipset flush "$SETNAME" 2> /dev/null
while ipset list -name 2>/dev/null | grep -q "^${SETNAME}$"; do
    ipset destroy "$SETNAME" >/dev/null 2>&1
    sleep 0.25
done

# Exit here, in case of "stop" parameter
[ "$1" = "stop" ] && exit

# Create ipset and load all addresses in one go
echo "ipset restore ..."
ipset create "$SETNAME" hash:ip family inet hashsize 131072 maxelem 1048576
ipset restore < "$TMP_FILE" ; rm "$TMP_FILE"
# -I prepends, so insert DROP first and LOG second: LOG then sits in front of
# DROP and actually fires (in the reverse order it would never be reached)
iptables -I INPUT -m set --match-set "$SETNAME" src -j DROP
iptables -I INPUT -m set --match-set "$SETNAME" src -j LOG

ipset list "$SETNAME" | grep "Number of entries:" -B 100
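The following script, added here as an example (it is not the author's tooling), ties the three detection steps from above to the "ipset restore" list format: it parses Apache combined-format log lines (the samples below are constructed), treats "%C2%A4" as definitive for the botnet, treats the other tokens as merely suspect, optionally flags requests that still carry the old campaign name, ranks source IPs by botnet hits (the "stats" list) and renders `add ddosban <ip>` lines. The set name `ddosban`, the `old_campaign` parameter and the sample addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (Apache "combined" format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jul/2025:10:00:01 +0200] "GET /?msclkid=abc%C2%A4utm_source=bing HTTP/1.1" 200 512 "https://githubhelp.com/" "Mozilla/5.0"
203.0.113.10 - - [25/Jul/2025:10:00:02 +0200] "GET /?msclkid=abd%C2%A4utm_source=bing HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2025:10:00:03 +0200] "GET /?utm_source=bing&utm_campaign=summer2024&msclkid=q1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Jul/2025:10:00:04 +0200] "GET /?utm_source=bing&utm_campaign=summer2025&msclkid=q2 HTTP/1.1" 200 512 "https://www.bing.com/" "Mozilla/5.0"
192.0.2.45 - - [25/Jul/2025:10:00:05 +0200] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2025:10:00:06 +0200] "GET /review/company_profile?ref=trustpilot HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# ip, request line and referer are all we need from a combined-format line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \S+ '
                    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

DEFINITE = ("%c2%a4",)   # percent-encoded U+00A4, seen only in botnet requests
SUSPECT = ("bing", "msclkid", "githubhelp", "trustpilot", "company_profile")


def classify(line, old_campaign=None):
    """Return (ip, verdict); verdict is 'botnet', 'suspect' or 'clean'. None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hay = (m["req"] + " " + m["ref"]).lower()   # raw request line, so %C2%A4 stays literal
    if any(tok in hay for tok in DEFINITE):
        return m["ip"], "botnet"
    if old_campaign and old_campaign.lower() in hay:   # step 3: renamed campaign
        return m["ip"], "botnet"
    if any(tok in hay for tok in SUSPECT):              # step 2: review, do not block yet
        return m["ip"], "suspect"
    return m["ip"], "clean"


def botnet_ips(lines, old_campaign=None):
    """Botnet hits per source IP, most active first (the sorted 'stats' list)."""
    hits = Counter()
    for line in lines:
        res = classify(line, old_campaign)
        if res and res[1] == "botnet":
            hits[res[0]] += 1
    return hits.most_common()


def ipset_restore_lines(ranked, setname="ddosban", top=None):
    """Render 'add SETNAME ip' lines for 'ipset restore', optionally only the top N IPs."""
    chosen = ranked if top is None else ranked[:top]
    return [f"add {setname} {ip}" for ip, _ in chosen]


if __name__ == "__main__":
    ranked = botnet_ips(SAMPLE_LOG.splitlines(), old_campaign="summer2024")
    for ip, n in ranked:
        print(f"{n:8d} {ip}")
    print("\n".join(ipset_restore_lines(ranked, top=3000)))
```

Run it over your real access log instead of SAMPLE_LOG and feed the rendered lines to the tempfile used by the "ipset restore" script above.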
