April 28, 2006

Distributed Denial of Service Attack

Hatched by Dafydd

There was a DDoS attack on Hosting Matters today. I wasn't trying to get on at the time, so at first, I had no idea we had been caught in the crossfire... twice!

(Or maybe the second time was when they were transferring domains to other servers; I don't know.)

Did anybody here have difficulty getting onto this site? Our SiteMeter is a little lower than normal today, but I don't know if that is related.

The attack originated in Saudi Arabia, and the target was a blog called Aaron's CC (which I've never read)... but it also hit Power Line, Instapundit, Hugh Hewitt, Captain's Quarters, Michelle Malkin, and lots of other fry like Big Lizards. My pal Stacy (that is, the brilliant and beautiful technician who always fixes problems when I mess something up on Big Lizards) explains:

Today, 11:46 AM This morning at approximately 10:00 AM Eastern time, we noted a sudden abnormal surge in traffic to the network.

Shortly thereafter, our upstreams confirmed that one of the servers within the network was the target of a massive DOS attack.

We worked with the NOC and the upstreams to further identify the target and steps were taken to isolate that target from the rest of the network.

Recovery on all segments except that target segment is complete. The target of the attack will not be brought back online and will be removed from the main network in the event they are the target of future attacks, so as not to negatively impact other clients.

We are currently working to address clients who may be on that same segment of the network to bring them back online.

Stacy - Hosting Matters, Inc.

(Hat tip to Michelle Malkin, who hates me, I think. She never links, she doesn't write... oy, such a gantseh makher, she should go in good health.)

One hopes the problem is (finally) resolved.

Isn't there some diabolically clever way to finally lick this problem of DDoSes once and for all? Maybe some sort of really, really fast switch that can actually handle millions of sockets at once, just checking to see if there is a DDoS-like pattern... and if so, shunting the offending pings into the bit bucket and the real pings on to the server?

Hatched by Dafydd on this day, April 28, 2006, at the time of 9:04 PM

Trackback Pings

TrackBack URL for this hissing: http://biglizards.net/mt3.36/earendiltrack.cgi/713


The following hissed in response by: NewEnglandDevil

Industrial Engineering Professor Nong Ye at Arizona State University is working on exactly that problem.

Her work is highlighted in the Spring 2006 "Full Circle" - Engineering News at the Ira A. Fulton School of Engineering at ASU. It is not online yet, but will be published here: http://www.fulton.asu.edu/fulton/news/publications.php when it is.

"For the past nine years, Ye has been developing this new tactic, identified as attack-norm separation, to provide more efficient and accurate attack detection and identification. Although existing methods strive to prevent cyber attacks through prevention, detection and reaction, these processes have limited protection and suffer performance deficiency."


"Given the rate of detection inaccuracy, ye decided to employ scientific principles that are adept at managing both signal and noise data. With the attack-norm separation model, Ye can separate the characteristics of attack (cyber signal) and norm (cyber noise) data, allowing the least amount of relevant data to detect attacks efficiently and accurately. Ultimately, this data separation will allow Ye to build a mathematical or statistical model that can accurately detect attacks in real-time."

Thought you would like to know that. Happened to see it while reading my alumnus magazine.


The above hissed in response by: NewEnglandDevil [TypeKey Profile Page] at May 3, 2006 8:44 PM

The following hissed in response by: Dafydd ab Hugh


Excellent! Tell Ye to keep it up...!


The above hissed in response by: Dafydd ab Hugh [TypeKey Profile Page] at May 3, 2006 9:34 PM

The following hissed in response by: cdquarles


Can you say IPv6 :). Seriously, though, the Internet was designed to ensure message delivery as long as a reachable path along the store and forward, packet switched route could be found. When designed, all nodes were implicitly trusted (DOD/contractor/allied academic sites and you could count them on your fingers when the system was first turned on and the links were 110 baud, IIRC). IOW, security was never considered (or downplayed as a risk) at the time of its design. A DDoS can't happen to a circuit switched network (aka POTS). You can DoS a circuit switched network, though.

A related side effect of the initial design decisions was the failure to anticipate the advent of the network connected personal computer, even though the first programmable calculators and personal computers were being designed and produced. The DDoS is a side effect of the sheer number of connected nodes with high speed links these days.

All useful systems are exploitable by parasites. It is inherent in the success of a useful system that you get parasites. Whether you are talking about ecosystems, biological organisms, human societies, electronic systems, or electronic virtual ecosystems. Just as TANSTAAFL, there ain't no such thing as an unparasitized successful system.

The above hissed in response by: cdquarles [TypeKey Profile Page] at May 18, 2006 1:24 AM

Post a comment

Thanks for hissing in, . Now you can slither in with a comment, o wise. (sign out)

(If you haven't hissed a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Hang loose; don't shed your skin!)

Remember me unto the end of days?

© 2005-2009 by Dafydd ab Hugh - All Rights Reserved