ExpressionEngine CMS

All EE Sites down today???

July 24, 2007 3:30pm

  • #1 / Jul 24, 2007 3:30pm

    Mark Bowen

    12637 posts

    Hiya,

    Don’t know if this has been mentioned yet but today (UK morning time around 9-12) I tried to get on to the EE site but it would not load. I then tried the forums and nothing there. Then I tried Ellis Lab and nothing there. I then tried some sites that I’m pretty sure you have hosted with Engine Hosting such as Veerle? That didn’t show up either.

    Have you experienced a problem today, or was it just the connection from the UK to America? I tried on 4 different computers and 3 different internet connections, so I’m pretty sure that it wasn’t anything I was doing.

    Just wondering that’s all.

    Best wishes,

    Mark

  • #2 / Jul 24, 2007 3:34pm

    Jamie Poitra

    409 posts

    EngineHosting was hit by a big denial of service attack.  Things were really slow or unreachable during that time.  Probably what you were witnessing.  Saw it on a client site this morning.

    Jamie

  • #3 / Jul 24, 2007 4:30pm

    PXLated

    1800 posts

    Really…a DOS…How did you find that out?
    I didn’t notice any slow downs but one client was having trouble getting emails…guess everything from his clients was being bounced…don’t know if it’s related or not though.

  • #4 / Jul 24, 2007 4:35pm

    Jamie Poitra

    409 posts

    It was announced on the EngineHosting CP.  But I got the initial info from Nevin.  One of my larger clients is news oriented and they were a little distressed about it as it was publish time for one of their sites.  So I had contacted him directly.

    Jamie

  • #5 / Jul 24, 2007 4:46pm

    PXLated

    1800 posts

    Ahh, the CP. I rarely go there. Didn’t they use to have those kind of notices under support right on the home page?

  • #6 / Jul 24, 2007 4:46pm

    Jamie Poitra

    409 posts

    Wanted to add a note in a bit of defense of Nevin in case anyone thinks this is something a different host could have prevented.

    DOS attacks by their nature don’t do anything a server can protect against.  They are just making requests to the server like a normal person does when they go to a site.  They just make tons of them, in a very short amount of time, typically from a great many different computers.  Not a simple thing to defend against and not something that can be defended against in anticipation. 

    Nevin and his people took care of it pretty dang quickly.  I’ve had hosts respond much more slowly and less effectively than he did.

    Even big organizations are vulnerable to this kind of attack.  I even remember a stock exchange being hit a few years ago resulting in huge losses of money when people couldn’t make timely trades.

    Jamie

  • #7 / Jul 24, 2007 4:51pm

    Jamie Poitra

    409 posts

    I don’t actually remember if those were on a front end page somewhere before.  I know Nevin has said they are working on a way to be able to better alert people of issues and progress in solving them when even their own servers are hit by something as was the case this time I think.

    Jamie

  • #8 / Jul 24, 2007 5:07pm

    PXLated

    1800 posts

    I’ll do a “hear, hear” to Nevin and EngineHosting also. A client sent a support ticket in this afternoon (email filtering problem) and Laurie had it resolved and responded within 20 minutes (maybe even less) with a fairly detailed explanation. Can’t beat that.

  • #9 / Jul 24, 2007 5:51pm

    Boyink!

    5011 posts

    Maybe EngineHosting should be twittering…;)

  • #10 / Jul 24, 2007 8:26pm

    PXLated

    1800 posts

    Twittering…What’s that? Same as Powncing?
    😉

  • #11 / Jul 25, 2007 12:07am

    JT Thompson

    745 posts

    Wanted to add a note in a bit of defense of Nevin in case anyone thinks this is something a different host could have prevented.

    DOS attacks by their nature don’t do anything a server can protect against.  They are just making requests to the server like a normal person does when they go to a site.  They just make tons of them, in a very short amount of time, typically from a great many different computers.  Not a simple thing to defend against and not something that can be defended against in anticipation. 

    Nevin and his people took care of it pretty dang quickly.  I’ve had hosts respond much more slowly and less effectively than he did.

    Even big organizations are vulnerable to this kind of attack.  I even remember a stock exchange being hit a few years ago resulting in huge losses of money when people couldn’t make timely trades.

    Jamie

    Actually that’s not true. Large datacenters have DDoS mitigation in place (there is hardware and software specifically written to circumvent this), so that when attacks happen they move the site behind protection.

  • #12 / Jul 25, 2007 12:57am

    Jamie Poitra

    409 posts

    JT,

    You very well may know something more than me on this topic.  I’m certainly not an expert.  😊 

    With my limited knowledge, having done some network testing (quit the job about a year ago), some of it specifically focused on network vulnerabilities, I can’t imagine that any such solution would be even close to foolproof.  I would suspect that there would be two parts to it.  One would be to have servers to fall back on that in the short term would simply be able to handle more requests (something I believe Nevin already does).  Second would be some sort of router system able to filter out requests coming from various ranges of IP addresses so that the servers don’t use up all their cycles answering spurious requests.  I don’t know that Nevin has something like that, but I suspect he does.  In fact he already filters out requests that are not necessary.  Try pinging a site hosted by EngineHosting and you will see that you will never get a reply.

    However, neither of those things solves the overall issue, being that a DOS attack is going to look, feel and behave basically the same as being slashdotted.  Simply denying all tightly spaced requests isn’t going to be a viable solution since that has the same effect of putting the sites offline.  So the end result is a human, or a smarter piece of software than I’ve ever seen, needs to observe the incoming traffic and recognize the legit traffic from the bad stuff and place filters accordingly.

    I imagine some Cisco marketing speak for the executives might make it all sound like it can be as easy as flicking a switch.  But having been there in a data center with racks of switches and routers, I can’t imagine it actually works like that.

    Jamie

  • #13 / Jul 25, 2007 2:21am

    JT Thompson

    745 posts

    Cisco Guard is just one solution, but they most certainly do manage DDoS attacks and allow normal traffic to run barely noticing it. But you’re saying DOS and then describing DDoS attacks. They are two very different things. DDoS is distributed. A DoS is a single source attack.

    This gives a basic overview of what Cisco Guard does.
    http://www.cisco.com/en/US/products/ps5888/index.html

    I’m also pretty sure that EngineHosting has plans in place to manage this. At what level I don’t know, but the datacenter that is supplying the upstream bandwidth most likely has this in place. Virtually all large datacenters (co-tell hotels) do.

    And this is hardly something that’s just hype. You should read up on it.  Priced around $65,000.00, they are very good at what they do. I’ve used the solutions at both ThePlanet and EV1 multiple times. Business continuity is an enormous market.
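The two posts above argue over what a per-source filter can and cannot do. The following is an added example, not code from EngineHosting, Cisco or either poster: a per-IP token-bucket rate limiter run over constructed Common Log Format access-log lines. It shows the distinction JT draws: a single-source DoS (one address sending 50 requests in a second) is cut off by the per-source bucket, while a distributed attack (50 addresses sending one request each) passes untouched and, at the per-IP level, is indistinguishable from a flash crowd. The addresses, timestamps, rate and burst values are all assumptions chosen for the demonstration.

```python
"""Per-source rate limiting over access-log lines (added example; all data constructed)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return (epoch_seconds, ip, request) or None when the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m.group("ip"), m.group("req")


class TokenBucket:
    """Classic token bucket: `burst` tokens held at most, `rate` tokens refilled per second."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_log(lines, rate=5.0, burst=10):
    """Apply one token bucket per source IP, in timestamp order.

    Returns (allowed, dropped), each a list of (ip, request). The bucket values
    (5 req/s sustained, burst of 10) are assumptions, not a recommended setting.
    """
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r[0])  # stable sort keeps same-second order intact
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    allowed, dropped = [], []
    for ts, ip, req in records:
        (allowed if buckets[ip].allow(ts) else dropped).append((ip, req))
    return allowed, dropped


def requests_per_source(lines):
    """Requests per source IP: the only thing a per-IP filter can see."""
    return Counter(r[1] for r in map(parse_line, lines) if r is not None)


def make_line(ip, second, path):
    # Constructed timestamp base: 24/Jul/2007 02:35:SS -0500 (US Central Daylight Time)
    return f'{ip} - - [24/Jul/2007:02:35:{second:02d} -0500] "GET {path} HTTP/1.1" 200 512'


# Scenario 1 (constructed): one source sends 50 requests within a single second.
SINGLE_SOURCE = [make_line("203.0.113.9", 0, "/index.php") for _ in range(50)]
# Scenario 2 (constructed): 50 distinct sources send one request each in the same second.
# A distributed attack and a flash crowd look identical here.
DISTRIBUTED = [make_line(f"198.51.100.{i}", 0, "/index.php") for i in range(1, 51)]
# A normal visitor: three requests spread over three seconds.
VISITOR = [make_line("192.0.2.44", s, p) for s, p in enumerate(["/", "/style.css", "/logo.png"])]


if __name__ == "__main__":
    for name, lines in (("single source", SINGLE_SOURCE + VISITOR), ("distributed", DISTRIBUTED + VISITOR)):
        allowed, dropped = filter_log(lines)
        busiest = requests_per_source(lines).most_common(1)[0]
        print(f"{name}: allowed={len(allowed)} dropped={len(dropped)} busiest_ip={busiest}")
```

In the single-source run the bucket lets the first 10 requests through and drops the other 40 while the visitor is untouched; in the distributed run every source has a count of 1, nothing is dropped, and the server still absorbs 50 requests in one second. That gap is what the later posts' "edge of network" gear and human triage have to fill.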

  • #14 / Jul 25, 2007 4:45am

    Mark Bowen

    12637 posts

    Wow,

    Just wondered what had happened and have started a post talking about things such as routers and switches. Way past my head!! :-D

    Is there any way to find out who the malicious little spotty kids are? I always come to the EE forums in the morning to get my morning kick (almost sounds like a drug EE!) and couldn’t get on. My day at work was not as good from there on in I can tell you.!! :-(

    Best wishes,

    Mark

  • #15 / Jul 25, 2007 5:53am

    Nevin Lyne

    370 posts

    Hi all.  Actually details were posted to our clients via our control panel, but the bottom line is denial of service attacks happen in many ways.  There is no “single cause” and no single answer.  We do have edge of network denial of service protection systems in place, but in this case it was a bit of a combination of efforts.  In the end here is a breakdown of events, without too much detail as we are still working on the investigation.

    Initially an external attack was thought to be the issue, possibly related to a number of amplification-type attacks (send a large amount of traffic to a target and a larger amount gets pushed back out to a different target system), but in the end:

    a) a client’s site was broken into because of an outdated script (not EE); they then implemented within the client’s account a denial of service script, and a remote control script to allow it to be triggered whenever they wanted to use it to launch an attack, likely using a number of systems with the same script in place.

    b) the script was triggered at approx 2:35am central time at a remote target; our border systems throttled outgoing traffic back because the sheer amount of traffic was outside of “norms”.  At the same time on duty and Sr staff (including myself) were woken up by internal and external monitoring systems because of the border system tripping the threshold to throttle traffic that was “abnormal” and because of performance issues or full timeouts on clients’ sites as seen by our monitoring systems.  Investigation into the issue started at that time.

    c) The script was possibly triggered by more than one person, and outside of the outgoing bandwidth at a remote target, the script was also targeted at two internal clients on other clusters.  This has the effect that the attack traffic was at full Gigabit ethernet speed traveling through our load balancers, as traffic between servers within the clusters is all routed through the load balancers.  Because of how traffic is routed, along with the sheer amount of traffic, at this point what looked to be both incoming and outgoing, each issue needed to be investigated in order.

    So in the end, once the DoS script was identified in a specific client’s account, access to that client’s site was disabled, and the sites on those systems were moved to separate clusters while we fully investigate the infected systems.  Reviewing audit logs, only that client’s account was modified, and all files were still under their UID and GID information, which were the only privileges available to them on the systems.

    Steps were taken on our border IPS systems to not allow access to that or similar scripts again, traffic throttling was removed from the outbound traffic from the affected cluster, and with the removal of the internally targeted DoS attack traffic all other systems returned to normal instantly as well.

    Because of the multiple layers of attack in this case it was much harder to track than if the script was simply aimed at a remote site and that was it.

    Please keep in mind that downtime issues can affect anyone, like on Tuesday, when Craigslist, Technorati and Yelp, to name a few, and all of Six Apart’s sites (livejournal.com, typepad.com, sixapart.com, etc.) and others were all offline.  This was because of a power outage in San Francisco; it seems the backup generators did not come online, and the UPSs did not work either. In Six Apart’s case their systems were not shut down safely before the battery systems ran out of power, because in the case of Livejournal.com they were down for 7 hours today, give or take a bit.

    Edit: a better power outage link

    So needless to say Tuesday July 24th was not a good day across the Net at all for big and small sites alike.

    PS:  Yes I posted this at almost 4am central US time.  As you can imagine there has been little sleep in the past 48 hours around here. 😊
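Nevin's breakdown above has two detection steps worth seeing in working form: the border system tripping because outbound traffic left its normal range, and the triage that found the one internal host behind both the remote flood and the traffic hitting two internal clients through the load balancers. The block below is an added example, not EngineHosting's monitoring or any code from the post. It computes a robust (median + k*MAD) threshold over constructed per-minute outbound throughput samples and then ranks constructed flow records to pick out the sending host and separate its remote targets from its internal ones. The 10.10.0.0/16 cluster range, the addresses, the byte counts and the k=6 multiplier are all assumptions.

```python
"""Outbound-flood detection and flow triage (added example; all data constructed)."""
import ipaddress
from collections import defaultdict
from statistics import median

# Assumed internal cluster address space; anything else counts as a remote target.
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def robust_threshold(baseline, k=6.0):
    """Median + k * MAD over a baseline of per-minute throughput (Mb/s).

    A median/MAD threshold is not dragged upward by a few busy minutes the way a
    mean/stddev threshold would be, which matters when the attack itself is in
    the window used for the baseline.
    """
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) or 1.0  # floor for a perfectly flat baseline
    return med + k * mad


def abnormal_minutes(samples, baseline, k=6.0):
    """Indexes of samples whose outbound throughput exceeds the baseline threshold."""
    thr = robust_threshold(baseline, k)
    return [i for i, v in enumerate(samples) if v > thr]


def triage_flows(flows):
    """Find the internal host sending the most bytes and split its targets.

    flows: iterable of (src_ip, dst_ip, bytes_sent). Only internal sources are
    ranked, because the question is which client host is originating the flood.
    Returns (top_source, remote_targets, internal_targets) with targets sorted.
    """
    sent = defaultdict(int)
    per_dst = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in flows:
        if is_internal(src):
            sent[src] += nbytes
            per_dst[src][dst] += nbytes
    top = max(sent, key=sent.get)
    remote = sorted(d for d in per_dst[top] if not is_internal(d))
    internal = sorted(d for d in per_dst[top] if is_internal(d))
    return top, remote, internal


# Constructed baseline: a quiet cluster doing 11-15 Mb/s outbound per minute.
BASELINE_MBPS = [12, 14, 11, 13, 15, 12, 13, 14, 12, 13]
# Constructed samples around the incident: three minutes near line rate.
SAMPLES_MBPS = [13, 12, 14, 940, 960, 955, 15, 13]

# Constructed flow records: (src, dst, bytes). 10.10.3.21 plays the compromised
# account's host; 10.10.7.5 and 10.10.9.12 stand in for the two internal clients.
FLOWS = [
    ("10.10.3.21", "198.51.100.80", 800_000_000),  # flood toward the remote target
    ("10.10.3.21", "10.10.7.5", 600_000_000),       # flood toward an internal client
    ("10.10.3.21", "10.10.9.12", 500_000_000),      # flood toward a second internal client
    ("10.10.3.22", "203.0.113.5", 2_000_000),       # a neighbour serving normal traffic
    ("10.10.7.5", "10.10.3.21", 50_000_000),        # replies from the internal victim
    ("203.0.113.77", "10.10.3.21", 4_000),          # inbound from outside; not ranked
]


if __name__ == "__main__":
    print("threshold Mb/s:", robust_threshold(BASELINE_MBPS))
    print("abnormal minutes:", abnormal_minutes(SAMPLES_MBPS, BASELINE_MBPS))
    top, remote, internal = triage_flows(FLOWS)
    print(f"top internal sender: {top}; remote targets: {remote}; internal targets: {internal}")
```

With these numbers the threshold lands at 19 Mb/s, minutes 3 to 5 are flagged, and the triage names 10.10.3.21 as the sender with one remote and two internal targets. The internal list is the part that matters operationally: it explains why, as the post describes, other clusters degraded even though the border throttle was only slowing traffic leaving the network.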

