Using Nginx's 'geo' Module for the Aaron Configuration Block
by Elliot Speck on 13 May 2017
I’m the technical lead for a moderately sized booru, or imageboard, centered around a TV show. By moderately-sized, I mean it doesn’t get 4chan, reddit, or Facebook-tier traffic. We’re not small, by any stretch of the imagination. As a consequence, there’s a lot to manage. A lot of bugs, a lot of edge-cases, a lot of users. It’s an entirely volunteer-run effort, driven by a shared enjoyment of the show and its surrounding community. Compared to some, I’m a very new member of the team. I joined in June 2016 and, thanks to technical chops, took over maintaining the server and its associated parts, working in tandem with the application development team; a small group of about three or four people. Being volunteers, we all work in our spare time. While some staff have ample, some have exceedingly little. This means that for the most part, everything is on a case-by-case basis and there’s no real time for things like grudges or even, realistically, remembering most users.
Then I met Aaron.
My first contact with Aaron began after he was suspended from the site for mass-downvoting images on the front page of the site. At the booru, this is against the rules due to the plethora of options we provide for one to avoid seeing a certain type of content. The filtering functionality built into the site is some of the most complex and comprehensive seen anywhere, and we’re very proud of it. Mass downvoting, of course, affects the rating of the image and results in the potential that others who do enjoy that content may miss it. If a user continues to perform this action after being warned, they’re traditionally met with a 24-hour suspension. Suspensions from the site do not prevent a user from reading any content on the site (art, comments, or forums); they merely prevent them from participating. They’re mostly used to strongly encourage users to cool off when they get too heated about things.
- We won’t sell your data
- We don’t give it away
- We don’t really care about your private life; it’s probably not interesting
About two hours later, the booru started having some serious availability problems. We’re running on pretty beefy, very modern hardware and we have a decent connection, hosted in the Iliad datacenter. It was abnormal, to say the least. At the time, I was at work talking about vSphere. As the workday drew to a close and everyone had gone home, I stayed behind at the office so I could work out what was going on with the server without adding another hour of delay to the resolution while I travelled home.
A quick look at the network graphs made the problem quite clear. Aaron had responded to being informed that things don’t work the way he believes incredibly reasonably like the well-adjusted individual he happens to be, and proceeded to packet the site for a while. At this point, the attack had gone on for about an hour.
Not one for subtlety, I’d received the following celebrations of prose from Aaron on IRC:
having fun ;)
Site Performance Issues We are investigating some performance issues with the site and apologize for any inconvenience
Fair warning if my art is not taken down , and my profile deleted will only get worse fair warning that is all
The funny thing about IRC is that when you connect, others can see the IP address you connect from. The IP address used by Aaron when he messaged me on IRC matched the IP address he used on the booru and, given the context of the very one-sided “conversation”, it was quite obvious that he was the perpetrator of the attack. The motivation was odd, since he’d only received a 24-hour suspension from the site for breaking the rules twice.
An interesting thing about some people is that they’ll broadcast anything to the world. Aaron made sure that the whole world could find out that he owns a domain and, in his registrant info, his address and phone number. I gave the number listed in the registry - a cellphone number - a quick call to see whether or not I could just ask him nicely to stop. Unfortunately, it went to message bank. Calling a few more times sent me to message bank after varying lengths of time, indicating that he was actively denying the call. Unfortunate.
After a short while and a quick phone call to the network engineer of our internet service provider, our mitigation device kicked in and blocked the entire attack completely, returning traffic to normal levels. The devices are good enough that I actually don’t know whether or not the attack stopped. I’d imagine it might’ve stopped due to a few missed calls from an overseas number. Who knows?
On a whim, I added him on Steam as well to see whether or not he’d have a chat about breaking the law so flagrantly while playing Pony Island. He accepted after about an hour.
According to his Facebook profile, Aaron is about 39 years old. With him pushing 40, you’d be forgiven for being caught off guard for having your expectations of polite, reasonable discourse destroyed by an avalanche of homophobic slurs and borderline incoherence. Somehow, inexplicably, there is someone out there at 39 years old who can act like that and - I assume, based on the fact that they possess a residence and an internet connection - maintain a job. Perhaps reality is, though, that Aaron isn’t 39, and is probably somewhere in the realm of 19? No, his Facebook picture puts him squarely in the realm of possibility of being mid-to-late 30s.
The web server we use, Nginx, has a module called geo. This module sets a variable based on the client’s IP address, which you can then use to redirect or refuse matching connections. I rustled up a quick page indicating that due to the actions taken, their connection to the site had been terminated. For good luck, the page sported the logos of various legal departments in the United States and contained references to the clauses within the United States Code that - in my non-expert opinion - had been violated. I ended up naming the configuration block for this “$aaron”. Consequently, we can now “aaron” anybody who decides the best course of action in response to hearing things they don’t like is packeting the site.
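A sketch of what a `$aaron` geo block can look like, as an added example and not the booru's actual configuration; here a match is answered with a 403 and a static notice page instead of a redirect. The addresses are documentation-range placeholders, and the host name, paths and `aaron.html` file name are assumptions. It only affects HTTP requests that reach nginx, so it does nothing against the packet flood itself.

```nginx
# Added example, not the site's real configuration.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation
# ranges used here as placeholders.

# http context: geo sets $aaron from the client address
# ($remote_addr by default).
geo $aaron {
    default          0;
    203.0.113.7      1;   # single address (placeholder)
    198.51.100.0/24  1;   # whole range (placeholder)

    # Behind a load balancer or CDN, $remote_addr is the proxy itself.
    # Declaring the proxy as trusted makes geo evaluate the address in
    # X-Forwarded-For instead:
    # proxy 192.0.2.10;
}

server {
    listen 80;
    server_name booru.example;      # hypothetical host name
    root /var/www/booru;            # hypothetical document root

    # Every 403 is answered with the static notice page.
    error_page 403 /aaron.html;

    location = /aaron.html {
        internal;                   # reachable only through error_page
        root /var/www/notices;      # hypothetical path
    }

    location / {
        # $aaron is "1" for listed addresses; "0" and "" are false.
        # "return" is one of the directives that is safe inside "if".
        if ($aaron) {
            return 403;
        }
        try_files $uri $uri/ =404;
    }
}
```

The `if` sits in `location /` and not at server level on purpose: a server-level `return 403` would run again on the internal redirect to the notice page, and nginx would fall back to its built-in 403 body.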
Shortly after this, the page went live. He hasn’t been back since. Honestly, I don’t know how or why this happened. Maybe it was a coincidence.