DDOS victim expelled from DH?


#1

One thing that I noticed in the announcement is the wording

Does that mean that if ever somebody got mad at you and DDOS’d the hosting provider, then DH would simply expel you as a customer even though you didn’t do anything? You’d not be the attacker, you’d be the victim.
Comments?


TorbenGB


#2

Here’s a comment: DDOS attacks are hard to defend against. If they can take down sites like Microsoft and SCO, you better believe that a small company the size of DreamHost will have problems dealing with it. If an attack against a single customer’s site brings down 50,000, and the answer is to nix the customer’s site, then that is what has to happen. As Spock says, “the needs of the many outweigh the needs of the one.” A company having DDOS attacks has a very serious problem, and one that is not easy to solve.

DreamHost has stated that they are upgrading equipment, so that they will hopefully be able to better withstand such attacks in the future. I believe that they will do so.

Also, as for ditching the single customer, I have to believe that DreamHost would not just “pull the plug.” I believe that they would try to help the customer find alternate accommodations. If someone finds out more about how DreamHost handled this customer, please post it here. Also important (at least to me) is what the customer did to be experiencing such an attack. Despite all the media coverage, a massive DDOS does take time, skill, and effort to pull off, and usually means a very upset person.

In my opinion, the bottom line is that a site experiencing DDOS has to handle that type of problem on its own, and it will cost a lot more money than just an $80 a month or even a $500 a month business hosting plan.


#3

I fully respect DH’s need to protect the many from the few, and I think it’s right to do so. Any attack should be dealt with as quickly and as efficiently as possible. If it means pausing any number of the hosted sites, so be it. I’m not arguing against it.

What I’m merely wondering about is the decision to permanently stop hosting that website. How is that going to help? Apart from preventing a repeat attack to hit DH again, of course. The DDOS attack will hit DH’s network anyway until the surge is over, regardless of whether the site is actually there or not. I understand that the only permanent protection is to detach the domain name from DH’s network, meaning to stop hosting it, but that takes the usual days of global DNS propagation, right? How can it make a difference right when it happens?

I also don’t disagree with your points that the victim must have done something to “deserve” the attack, but on the other hand, DH goes as far as hosting a lot of content that would be objectionable to the average good person, so where do you draw the line?

I’m only hosting two small private sites, completely non-offensive, so I wouldn’t expect to get hit by DDOS myself. But what if? As somebody else mentioned, it only takes one script kiddie and one weekend to cause mayhem.


TorbenGB


#4

It's not so much a question of “removing” the site to stop the attack, just of stopping traffic towards the site/targeted host in question, and even then, a simple variation (variable targets in the same timeframe or a scheduled sequence) would probably provide very little relief.
It's pretty easy to determine which networks/subnets are targeting you and drop that specific traffic. The problem is that if the worm is still propagating, this number of segments will possibly grow, which means that you'll have to continuously add rules to drop certain traffic from these segments. And even then, if enough hosts are targeting you at high speed, the router/firewall in question will probably do nothing much else but drop this traffic up to its breaking point, resulting in an effective denial of service. So you see, it's a vicious circle.
The surge, as you say, depends on the ports being scanned/used to propagate. Determining this pattern will dead stop it at carrier level before it (hopefully) reaches any ISP. This takes time of course, since every major carrier/ISP needs to update rules to effectively prevent such a cascade from reaching the “client” layer; that is why certain ISPs are continuously blocking certain ports, since they are known to be used by certain exploits.
As always, the balance between functionality and security is a hot topic. Certain types of very sophisticated crafted packets, combined with a careful encapsulation scheme, have surprised many security experts to the point that even complexity can sometimes not guarantee security, at least to a certain degree.
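The post above describes the defensive loop of aggregating hostile traffic by source subnet, dropping it, and then watching the rule list grow as new segments join. The following is an added illustration written for this thread, not code from the poster or from DreamHost: it aggregates constructed connection records into /24 drop rules, shows the rule count rising between two rounds, and also reports low-volume visitors that end up inside a dropped segment (the collateral damage that post #7 mentions when whole IPs are blocked). All addresses are from the reserved TEST-NET documentation ranges, the thresholds are arbitrary, and the `iptables` rendering is only a sketch of what the generated rules would look like.

```python
"""Subnet-level DDoS drop rules from constructed traffic records.

Shows (a) how source segments are aggregated and turned into drop rules,
(b) how the rule set grows when a new segment joins the attack, and
(c) which ordinary visitors get caught inside a dropped segment.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample records: (source_ip, destination_port, packet_count).
# Addresses are from RFC 5737 documentation ranges, not real hosts.
ROUND_1 = [
    ("192.0.2.10", 80, 5000), ("192.0.2.11", 80, 4800), ("192.0.2.12", 80, 5100),
    ("198.51.100.7", 80, 9000), ("198.51.100.8", 80, 8700),
    ("203.0.113.200", 80, 12),  # an ordinary visitor, low volume
]
# Second observation window: the same sources plus a newly active segment.
ROUND_2 = ROUND_1 + [
    ("203.0.113.5", 80, 7000), ("203.0.113.6", 80, 7500),
]


def aggregate_by_subnet(flows, prefix=24):
    """Sum packet counts per source network of the given prefix length."""
    counts = Counter()
    for src, _port, packets in flows:
        net = ip_network(f"{ip_address(src)}/{prefix}", strict=False)
        counts[net] += packets
    return counts


def drop_rules(flows, threshold, prefix=24):
    """Networks whose aggregate volume meets the threshold, as sorted strings."""
    counts = aggregate_by_subnet(flows, prefix)
    return sorted(str(net) for net, pkts in counts.items() if pkts >= threshold)


def render_iptables(rules):
    """Hypothetical rendering of the rule list as iptables DROP commands."""
    return [f"iptables -A INPUT -s {net} -j DROP" for net in rules]


def rule_growth(rounds, threshold, max_rules):
    """Rule-set size per observation window, and whether any window
    exceeds the number of rules the filtering device can hold."""
    sizes = [len(drop_rules(flows, threshold)) for flows in rounds]
    return sizes, any(size > max_rules for size in sizes)


def collateral_sources(flows, rules, per_host_limit=100):
    """Low-volume sources that fall inside a dropped network: these are the
    legitimate visitors sacrificed when a whole segment is blocked."""
    dropped = [ip_network(r) for r in rules]
    hits = []
    for src, _port, packets in flows:
        if packets <= per_host_limit and any(ip_address(src) in n for n in dropped):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for label, flows in (("round 1", ROUND_1), ("round 2", ROUND_2)):
        rules = drop_rules(flows, threshold=1000)
        print(label, "drop rules:", rules)
        print("  collateral:", collateral_sources(flows, rules))
    print("growth with a 2-rule device:", rule_growth([ROUND_1, ROUND_2], 1000, 2))
```

Between the two windows the rule count goes from two to three and the device modelled with a two-rule capacity is already exhausted, which is the vicious circle the post describes; the visitor at 203.0.113.200 is clean in the first window and blocked in the second purely because its /24 turned hostile.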


#5

TorbenGB,

Hopefully, my sites are small and inoffensive too… I doubt that you or I will have to worry about our small, harmless sites. And I didn’t really mean that the dropped site necessarily did anything to deserve it, though you can’t rule out the possibility.

Permanently stopping hosting of that web site will do exactly what you said, which is avoid a repeat. It’s probably not fair, but what to do about it? Keep hosting it? Perhaps, but maybe at a vastly more expensive rate.

DDOS is vicious. I think darkman provided an answer to how it really works.

It would be neat to know the facts of this situation.


#6

Thanks for the technical details. It’s really sad to think of all that expertise and skill being put to such uses. Think of what good could be created with skills like that! Sad…


TorbenGB


#7

Currently, we are blocking all access to the IP that was under attack which probably has 20-40 sites on it. Yes, this makes all of those sites unavailable. In cases like this, we do sometimes have to sacrifice sites for the greater good. Does this mean that the attacker got what they wanted? Probably. However we still have to keep the big picture in mind.

Would we kick a customer just because their site was under attack? Unlikely unless it were causing us long term problems and sustained attacks, in which case we might have to ask them to leave. That said, we may well have to temporarily prevent access to a site or sites under attack as mentioned above.


#8

np :slight_smile:
But I’m not sure that it takes much engineering or expertise; most of these are basically an adaptation of existing code, let’s say a patched-up version based on empirical data collected from previous runs, or so-called variants inclined to either be stealthier, carry another payload and such.
Starting from scratch isn’t a problem either; there are enough construction kits out there that will provide a solid framework right out of the box. However, a simple rewrite/reorder won’t cut it because of heuristics and extrapolations of known signatures or malicious code/payload. (Hence why some application installation procedures ask you to disable antivirus protection.)
Any success of these new spawns is based on either known flaws of “certain” :wink: operating systems and/or people with the “we’ll patch this later” attitude who don’t think it will happen to them.
Nevertheless, it’s indeed a sad way of passing time, and can become an expensive hobby if caught.