I have been paying close attention to the latest outage incurred by Hosting Matters, and I believe we are on the cusp of mass hysteria among otherwise clear-thinking individuals.
I am skeptical about a couple of things here. The first is the belief that there were two separate incidents on the Hosting Matters servers. I say this because I believe that one of their solutions may have involved re-IP’ing some servers that were within the same block as the targeted IP. That alone would cause more than one outage, and other outages are likely attributable to technical fixes being put in place by the host.
I saw something like this in action at Captains Quarters: I needed two reconnects for each attempt to reach the site through a relay, which means I was likely getting cycled, i.e. my DNS server already had the updated address while the relay did not. That may or may not be the case, but it could explain multiple outages. There are no rules here.
Second, there are many types of Denial of Service attacks. The Hosting Matters attack is being blamed on cyber attackers from Saudi Arabia. A comment by AnonymousDrivel on CQ hit the nail on the head in response to one of my comments (my comment is quoted at the top of the reply):
RE: Webloggin (April 28, 2006 10:40 PM)
“Also, the Hosting Matters attack is being blamed on cyber attackers from Saudi Arabia. It seems a bit soon to have determined the source. The problem with DOS attacks is that the source may be quite different than what it appears at the onset. In any event we will likely see more of this in the future.”
Yes on all counts.
This forensic signature may indicate hijacked robot servers with registered .sa netblocks, but that is not necessarily indicative of the nationality of the criminals furthering an exploit. It may be that Saudi could be unaware of the exploits or are none too eager to shut down the rogue machines because they actually agree with the mission. Or it actually could be Saudi nationals (or cohorts) abusing the net either with government permission or without it. It’s just too soon to know for sure.
(AnonymousDrivel contd.)
Presumably even packets could be forged to conceal a particular machine, but the entire chain of servers involved in an overseas exploit would be pretty difficult to conceal. This is probably a rented batch of robots where some digital mercenary has been hired to do some pointed attacks, or some activists in indeterminate numbers pooling a collection of unmonitored servers from academia are doing “homework”.
Welcome to the routine digital war which will get worse before it gets better. I hope that our government is investing heavily in our own domestic digital warriors.
Posted by: AnonymousDrivel at April 28, 2006 11:19 PM
Third, I have seen a lot of chatter in the Hosting Matters forum about stopping this attack at the .htaccess level. This leads me to believe that the attack may have specifically used trackback spamming or some kind of bot to overload the server. Webloggin incurred the same type of attack, and subsequent outages, last week. I could see the IPs cycling, so I am pretty sure the real source was different from what my logs were advertising, i.e. the attacker was using compromised machines belonging to unwitting people, exploited through known vulnerabilities so that they relay the DOS traffic. Thus IP blocking on my end could simply block innocent people.
It would be nice if Hosting Matters released a statement about the nature of the attack. People are jumping to all sorts of conclusions about what the attack was and where it originated. They almost have a responsibility to do so, yet I can imagine many business and technical reasons why they wouldn’t.
I can think of many explanations. Most notably, it could be someone trying to make it appear as if there was a Cyber War attack from the Middle East. It could be a spammer or any other person looking to cause problems with the Internet and the message of certain bloggers.
Solutions
The following solutions are what can be done by the person with access to the server config. I must recommend that the host look into the problem, because DOS attacks are best handled with a combination of network-side and server-side solutions. Fixes at the server level alone will simply not be enough to stop the crushing load on a machine.
- In any event, I spent hours in the ARIN and RIPE whois databases to identify and block all sources that originated from known spam origins like Russia and Bulgaria. This worked, but not without a cost (which is the subject of a technical article).
- In most cases I tried to block questionable referrers and bogus user agents. A referrer is simply the page a visitor came from. A user agent is the identifying string a client leaves behind in your logs. Browsers have well-known signatures, so it is pretty safe to block signatures that cannot be attributed to any browser. Unfortunately hackers are on to this, so this solution is limited. You must also make sure not to block any service you use, such as BlogAds. These services may hit your site programmatically and leave behind something that is not attributable to a browser.
- I also noticed that the attacker was repeatedly targeting and cycling through pages and subdirectories that no longer exist on the target site. I blocked that access immediately.
This seems to have worked for now, but not before I separated the target of the attack from my other sites at the server level. This is unfortunate and costly. It is clear that the government needs to work on helping businesses come up with solutions for such problems.
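The three blocks described above (bogus user agents, questionable referrers, and requests for pages that no longer exist) can be checked against the server’s own access log before anything goes into .htaccess. The Python script below is an added example, not code from Webloggin or Hosting Matters; the log lines, IP addresses, dead paths, the BlogAds allowlist entry and the example-spam.invalid referrer domain are all constructed for illustration. The dead_path_spread function carries the caveat from earlier in the post: when many different IPs cycle through the same dead page, the traffic is probably relayed through compromised machines, and blocking by IP mostly hits those relays rather than whoever is behind them.

```python
"""
Access-log triage for the three .htaccess-level blocks discussed in the post:
bogus user agents, questionable referrers, and requests to pages that no
longer exist.  Added example; every log line, IP, path and domain here is
constructed sample data (RFC 5737 documentation ranges), not real traffic.
"""
import re
from collections import defaultdict

# Apache "combined" log format, one request per line:
# host ident user [time] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical allowlist: services you use that fetch pages programmatically
# and legitimately send a non-browser user agent (the post's BlogAds case).
ALLOWED_UA_SUBSTRINGS = ("blogads",)

# Hypothetical denylist of referrer domains judged to be junk.
BAD_REFERER_DOMAINS = {"example-spam.invalid"}

# Hypothetical set of paths that no longer exist on the site.
DEAD_PATHS = {"/old/archive.html", "/archives/trackback/123"}

# Constructed sample log: one real visitor, three suspicious clients, one
# allowlisted ad service.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Apr/2006:22:40:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
198.51.100.7 - - [28/Apr/2006:22:40:02 -0400] "POST /archives/trackback/123 HTTP/1.0" 404 0 "-" "-"
198.51.100.8 - - [28/Apr/2006:22:40:02 -0400] "POST /archives/trackback/123 HTTP/1.0" 404 0 "-" "-"
198.51.100.9 - - [28/Apr/2006:22:40:03 -0400] "GET /old/archive.html?x=1 HTTP/1.0" 404 0 "http://example-spam.invalid/x" "bot-x"
192.0.2.44 - - [28/Apr/2006:22:40:04 -0400] "GET /ads.js HTTP/1.1" 200 300 "-" "BlogAds fetcher/1.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_like_browser(ua):
    """Crude browser check: real browsers send a Mozilla/ or Opera/ token
    followed by a parenthesised platform string."""
    return ua.startswith(("Mozilla/", "Opera/")) and "(" in ua


def referer_domain(ref):
    """Host part of a referer URL, lower-cased; empty for '-' or garbage."""
    m = re.match(r"https?://([^/]+)", ref)
    return m.group(1).lower() if m else ""


def triage(lines, dead_paths=DEAD_PATHS):
    """Map each suspicious source IP to the set of reasons it was flagged."""
    flags = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if any(s in rec["ua"].lower() for s in ALLOWED_UA_SUBSTRINGS):
            continue  # never block the services you rely on
        if not looks_like_browser(rec["ua"]):
            flags[rec["ip"]].add("non-browser user agent")
        if referer_domain(rec["referer"]) in BAD_REFERER_DOMAINS:
            flags[rec["ip"]].add("bad referer")
        if rec["path"].split("?", 1)[0] in dead_paths:
            flags[rec["ip"]].add("dead path")
    return dict(flags)


def dead_path_spread(lines, dead_paths=DEAD_PATHS):
    """Distinct source IPs per dead path.  Many IPs cycling through the same
    dead path points to a distributed source, where blocking by IP mostly
    hits relays and innocent machines rather than the operator."""
    ips = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path in dead_paths:
            ips[path].add(rec["ip"])
    return {path: len(s) for path, s in ips.items()}


def htaccess_deny(flags):
    """Render flagged IPs as Apache 2.2 style 'Deny from' lines for .htaccess."""
    lines = ["Order allow,deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in sorted(flags)]
    return lines


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG.splitlines())
    for ip, reasons in sorted(flagged.items()):
        print(ip, ", ".join(sorted(reasons)))
    print(dead_path_spread(SAMPLE_LOG.splitlines()))
    print("\n".join(htaccess_deny(flagged)))
```

Run it directly to print the flagged IPs with their reasons, the number of distinct IPs per dead path, and Apache 2.2 style Deny lines. The allowlist check runs before any other rule, so a programmatic service you depend on is never added to the deny list even when its user agent looks nothing like a browser.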
Others Blogging on This Subject
- Randy Thomas - Further Evidence That The World is Ending
- Paxalles - http://paxalles.blogs.com/paxalles/2006/04/michelle_malkin.html
- Down With Absolutes - Bitches wanna be startin’ somethin’?
- Florida Cracker - DOS Attack
- Dean’s World - Cyber-Fascism
- Something… and Half of Something - More Cyber Terrorism from the Religion of Murder, Mayhem, Death and Destruction™
- Right Wing Nation - Another Attack
- The Tech in Black - The Internet Jihad
- Wizbang - Hosting Matters Experiences Hack Attack
- Captains Quarters - Still More Server Problems
- Star Fish Coffee - When providing a little help comes back to bite ya…
- Over Lawyered - Site outages
- Michelle Malkin - Another Cyber Attack
Hosting Matters, Denial of Service, cyber attackers, Saudi Arabia
[...] Update: A post on Webloggin adds a well researched and rational perspective to the tinge of hysteria coloring a lot of the buzz about all this. I was thinking about this when originally writing this post, but ended up leaving it out because I wanted to keep things brief and to the point. Plus, after skimming through some of Michelle Malkin’s other related posts, I could understand why it would be easy to attribute this mess to other very clearly hostile attention she and some other people have been getting. Still, it’s a good reminder to be very careful with assumptions when you’re dealing with complicated technical activity like this where things may or may not be as they seem. [...]
Pingback by Tales of a Closet Extrovert » “Internet Jihad” Hits Close to Home | April 29, 2006
[...] Webloggin: Don’t Let Apparent Cyber Attack Lead to Hysteria and Wrong Conclusions [...]
Pingback by aaron :: » Friday’s Jihadi Cyber Attack Round-Up — Over 100 Blogs Reporting | May 1, 2006