Another Day, Another DoS

Disruption of Service (Graph)

Let’s face it – the world tends to be a very hostile environment and the internet is not much different. From viruses and trojans to disruption of service attacks – it happens all day every day and it is only a matter of time before it affects you. I have personally dealt with two DoS attacks in the last two weeks, both for very different reasons, although the end result is about the same.

Last week the DDoS, or distributed disruption of service, attack was motivated entirely by financial gain for the attacker.  The attacker had previously attacked another hosting company called A Small Orange and had attempted to extort $7,000 from the company to stop the attack.  ASO did not bow to the demands of the attacker and simply worked to filter out the attack and return service to their customers.  While some of ASO’s customers were not satisfied, many times when a provider is put in this situation there is not much that can be done.

The attacker moved on from ASO to my company and sent a message to our sales department informing us that we were next. The attack began about an hour later and peaked at about 4.5GBPS, which is enough to bring down most small data centers in their entirety; however, our data center, SoftLayer Dallas, was able to filter out the attack within 10 minutes to restore full service. The attacker subsequently moved on to their next target, which was VectorLevel, who was hosted with Colo4Dallas at the time. The attack at VectorLevel brought Colo4Dallas to its knees until the attack was null-routed at C4D’s upstream provider. At the time of this writing Colo4Dallas’ web site was unreachable and as such I am not directly linking to it.

Fast forward a week and a half and another one of my servers was under a new attack from a new source. This time the attack was not monetary and the goal was simply to take a particular site offline. The target of the attack was a fairly popular forum that centers around firearms manufactured by a particular company. The forum has information such as cleaning and maintenance of the guns, and in my looking over the site there is nothing apparently negative. My guess is that whoever wanted to bring the site offline was more of a “pro gun control” type of person.

This attack was a bit more difficult to stop as it was smaller and “flew under the radar” of our automatic filtering systems but was still large enough to cause intermittent connection issues over the period of about two hours. We worked to filter out the attack; however, whoever was administering this particular attack was doing a pretty good job of countering the counter-measures we were putting in place to mitigate the attack. Ultimately we were able to fully mitigate the attack after quite a bit of work and effort.

It seems that there are malicious people out there whose only goal is to cause harm and to disrupt the services of others.  If you do find yourself in a situation where your web site or hosting service is being disrupted by a DoS attack please do be patient with your provider and understand that there isn’t always something that can be done to fully mitigate the attack.  If your provider is able to restore full service to you within a fairly short period of time (less than 2 to 4 hours) you should consider yourself lucky as many DoS and DDoS attacks can last days if not weeks.

12 comments

  1. Reminds me of a DoS attack one of my hosts had about 2 years or so ago. They did not handle it as well as you or ASO, however, and it lasted for well over a week. The filter the host set up to try and stop it was not set up correctly and started blocking visitors to my site and even I got blocked more than once. Kept opening tickets to get people unblocked. After a week of that and almost having my site die from it I moved hosts.

  2. @Amy
    It is pretty common for a DDoS to bring down a provider for a week or more. It really depends on the capabilities of the data center and their network/hardware. Cisco Guard units are *not* cheap – you can get a refurbished one for around $20,000.

  3. A local web host here has something called watch guard, I am friends with the system admin and he says it works great.

  4. Amy :

    A local web host here has something called watch guard, I am friends with the system admin and he says it works great.

    I’m not familiar with it but the issue is that if your entire network is say 1gbps and you get a 2gbps attack it doesn’t matter how well your hardware or software can filter the attack because the pipe to your network is going to be flooded before it’s filtered.

  5. You do have a point there. I remember him saying something about being able to point the traffic back at the computer or network sending it in order to take the sender down.

  6. @Amy
    The problem with that is, if the source is 1,000 computers that have been compromised and turned into bots… It’s not going to do you any good to bounce the traffic back.

  7. This sucks. Bad couple of weeks for web hosting. They don’t seem to be letting up.

  8. @Blind Bandit
    Yeah, a bad couple of weeks indeed. This is 2 DDoS attacks in the period of a week and a half – to two different servers in our network.

    One of the attacks was easily filtered whereas the other caused about 8 hours of intermittent downtime as the attack was HUGE and the attacker appeared to be actively monitoring it to counter our counter-measures.

  9. That’s horrible.

    With all that downtime does that count onto your 99.9% uptime? Does it lower because of DDoS or does it not count for a DDoS attack?

    Good luck on future DDoS attacks.

  10. Technically it wouldn’t count against the uptime as it’s not something within our control (just as an act of god would not be) and due to the fact that the server was online and the network was online it was simply overwhelmed. I did give some credits to a few that were particularly upset but it seems the only customers that get upset are the ones that aren’t paying much. 99.999% of our client base understands that this hurts us just as much if not more than them and that we keep things online as much as possible.

    I believe the excellent communication during the incidents helped keep our clients happy as they knew what was going on and what was being done about it.
