
Inquiry about DDOS-like activity [closed]


Hi Team,

Today AWS alerted us of DDOS-like activity originating from our media download requests on November 5th. An example of the logs they provided is below:

11/5/2021 14:11:04 1166638 52.203.173.86 GET d1aq9hj1j4zic2.cloudfront.net /Property/P6/BCAR/322434/4/0/0/ab1fbf375fb1dcc3502f9883079d891d/7/f250aa55cf3e2b5735db07952ba4378b/322434-4.JPG 200 - rh-dip-media-downloader/1.0%20(MLS%20Listing%20Media%20Downloader;%20support%20at%20rockethomes%20dot%20com) Hit p94nF33uS93w8MwmbWIlj9Ys0utS8an5YfJazvKF7YcaDODqQg3Owg== cdnparap60.paragonrels.com https 349 0.022 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Hit HTTP/1.1 30304 0.006 Hit image/jpeg 1165745

If possible, we would appreciate some additional information to help us resolve this behavior and stop the unnecessary requests to your system:

  • During what timeframe(s) were the DDOS-like behaviors seen?
  • For which MLS Feed(s) was the behavior seen?

  • Can we get any additional logs/examples of what Paragon was seeing during this timeframe(s)?

  • Can we get metrics around the requests causing the behavior? # requests within a 5-10 min period, etc
  • Any additional information that would help us identify the nature of the behavior that triggered this notification

Thank you

IHRTechServices
asked 2021-11-11 16:19:55 -0500

Closed for the following reason: the question is answered, right answer was accepted by IHRTechServices
close date 2021-11-15 09:40:17.469147


1 Answer


Hello,

Over the last week, we identified several IPs sourcing from AWS exhibiting DDOS behavior. Unfortunately, due to a miscommunication with AWS, AWS's Abuse team included many more IPs than necessary in the scope of their communication to AWS customers. Based on the logs you provided above, your source IP is not on our list of abusers. So I would like to apologize for the confusion.

Thank you.

vendorsupport
answered 2021-11-11 17:12:16 -0500

Comments

Thanks a lot for confirming this. Appreciate your response.

IHRTechServices (2021-11-12 05:15:02 -0500)

One more follow-up question: Did Paragon block any requests for a certain period of time while investigating this behaviour? Thank you

IHRTechServices (2021-11-12 08:43:04 -0500)

Yes, Paragon had to block the attack and it did create instability for some users depending on what resources were accessed. If you saw a lack of communication from our servers then you were likely impacted. We are working with AWS and already took measures to prevent this type of activity in the future.

vendorsupport (2021-11-12 09:07:54 -0500)

Thank you for your response.

IHRTechServices (2021-11-12 09:14:28 -0500)