Hosting company GoGrid suffered a distributed denial-of-service attack Monday afternoon that affected approximately half of its thousands of customers, co-founder David Hecht said on Tuesday.
The DDoS attack hit Monday afternoon, slowing customers' Web sites, creating latency issues, and making clients' Web sites inaccessible, Hecht said.
Although GoGrid was able to stabilize the situation by late Monday afternoon, getting most of its customers' sites back online, the company faced a decision whether to stay on course with a scheduled maintenance later that night or reschedule for another date.
The maintenance, which required GoGrid to take its portal down and troubleshoot support queries over the phone, was designed to expand its capacity, deploy minor bug fixes, and add additional improvements to the service.
In its notice to customers, GoGrid stated:
In the end, the decision was made to proceed with the maintenance because this capacity expansion had been planned for several months and would give us more flexibility in ensuring low utilization across our infrastructure. In hindsight, this may have been a poor decision because the maintenance took longer to complete, and the maintenance window had to be expanded by several hours.
On Monday night, GoGrid spent hours rebooting its servers and developing a long-term game plan to solve the ongoing issue, but by morning, the company continued to be inundated with customer calls that their Web sites were not reachable from certain parts of the Internet.
GoGrid determined that the problem apparently was centered on a routing issue, with some of its networks failing to properly announce GoGrid routes. The routing issue was resolved late Tuesday morning.
The company is continuing to investigate the issue and asks its customers to run a traceroute to their servers' IP address and report it to GoGrid's support staff, should they encounter connectivity problems.
[Figure: Arbor Networks found that DDoS attack size (in gigabits) nearly doubled in 2008 from the previous year. Credit: Arbor Networks]
Internet service providers now spend most of their IT security resources detecting and mitigating distributed denial-of-service attacks, concludes a report from Arbor Networks.
The fourth edition of the Worldwide Infrastructure Security Report, released Tuesday, was based on how 70 lead security engineers responded to 90 questions. As in the previous three reports, ISPs reported attacks where their networks were overloaded with packets, what's called a distributed denial-of-service (DDoS) attack. However, this year, the ISPs indicated the attacks were not only larger in size but that most of them were stretching the upper limits of their security resources in order to deal with such attacks.
Rob Malan, founder and chief technology officer of Arbor Networks, said the DDoS attacks seen this year broke the 40-gigabit barrier, nearly double the volume of last year's attacks. He warned that if next year's attacks again double in size, "most carriers will be unable to deal with those attacks."
In assessing the attacks, Arbor Networks found "brute force," a catch-all term, was the dominant method used. The security firm looked at traditional means of DDoS--SYN flood, UDP flood--as well as anything else that artificially created network congestion. Malan told CNET News that despite the massive size, the attacks themselves demonstrated "little sophistication" and were simply "trying to overwhelm network bandwidth."
One consequence of this method was that upstream providers of the targets were increasingly being affected. "If an attacker takes out capacity of (the upstream) routers you're (also) starving the target," he said. Malan said attackers were also using reflective attacks, which use different pieces of DNS structure to redirect traffic away from a target.
While flood-based attacks represented 42 percent of the attacks reported, followed by protocol exhaustion-based at 24 percent, Arbor Networks also saw a sharp increase this year in application-based attacks, which accounted for 17 percent of the attacks.
Malan explained that with application-based attacks, bot-infected computers worldwide make connections to a targeted site, then "use an application protocol to deliver a perfectly valid request, not a vulnerability, not something that an IDS or other type of firewall would necessarily flag." For example, a botnet might instruct its zombie computers worldwide to do a back-end query off a database. "By itself it's not bad, but if you have multiple such requests, then you tie up the application--in this case database--resources on the back end," he said.
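The signal Malan describes is behavioural: each request is valid on its own and becomes harmful only in aggregate, so a detector has to count expensive requests per time window rather than inspect them one at a time. The following detector is an added example, not code from the article or from Arbor Networks; it runs over constructed Common Log Format lines, and the "expensive" path prefixes, window size and thresholds are assumptions:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" \d{3}')
# Assumed: requests under these paths trigger a back-end database query, so they
# are the "perfectly valid" requests a botnet would repeat to exhaust the database.
EXPENSIVE_PREFIXES = ("/search", "/report")

def parse_line(line):
    """Return (epoch_seconds, ip, path), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m.group("ip"), m.group("path")

def detect_app_layer_flood(lines, window=10, per_source_limit=5, aggregate_limit=30):
    """Count expensive requests per fixed window. Returns (flagged_sources, flooded_windows):
    sources over the per-source limit, and window start times where the sum over all
    sources exceeded the aggregate limit although no single source looked abusive."""
    per_window = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        ts, ip, path = parsed
        if path.startswith(EXPENSIVE_PREFIXES):
            per_window[int(ts // window) * window][ip] += 1
    flagged_sources, flooded_windows = set(), []
    for start, counts in sorted(per_window.items()):
        flagged_sources.update(ip for ip, n in counts.items() if n > per_source_limit)
        if sum(counts.values()) > aggregate_limit:
            flooded_windows.append(start)
    return flagged_sources, flooded_windows

def build_sample_log():
    """Constructed sample: 20 bot hosts each send just 2 valid search queries inside one
    10-second window, plus one ordinary visitor who browses and searches once."""
    fmt = '{ip} - - [10/Nov/2008:14:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip=f"10.0.1.{i}", sec=(i + k) % 10, path=f"/search?q={i}{k}")
             for i in range(1, 21) for k in range(2)]
    lines.append(fmt.format(ip="192.0.2.10", sec=3, path="/index.html"))
    lines.append(fmt.format(ip="192.0.2.10", sec=15, path="/search?q=hello"))
    return lines

if __name__ == "__main__":
    sources, windows = detect_app_layer_flood(build_sample_log())
    print("per-source offenders:", sources, "| flooded windows:", windows)
```

On the sample, no source exceeds the per-source limit, yet the first window carries 40 database queries and is flagged by the aggregate check, which is the only one that sees this kind of attack.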
The report does contain some good news. Arbor Networks found detection and mitigation of these attacks to be increasing as well. Fifteen percent of the respondents said, on average, they can mitigate an attack within 10 minutes of detection. However, 30 percent said mitigation still takes them over an hour.
But finding the criminals responsible for these attacks is not a high priority. Arbor Networks found that ISPs have little time to involve law enforcement. "It's hard on carriers," said Malan. "They get paid on traffic, not to do forensic analysis. So it's hard from their perspective to make the economics work."
Two Europeans, one of whom is English, have been indicted by a U.S. federal grand jury in connection with a 2003 distributed denial-of-service attack that is the focus of a major FBI investigation.
The two men, who are not in custody, were indicted as part of the FBI's Operation Cyberslam, initiated in 2003 following a series of crippling distributed denial-of-service, or DDoS, attacks on a large Los Angeles vendor of digital recorders. The attacks effectively knocked that business offline, along with other private and government bodies, for two weeks, resulting in losses ranging from $200,000 to more than $1 million, according to the FBI.
Operation Cyberslam is the first successful investigation of a large-scale DDoS used for a commercial purpose in the United States, the FBI said.
In 2004, two U.S. residents were charged with masterminding the attacks. The two Europeans indicted last week are accused of carrying out the attacks, and they face up to 15 years in prison, if convicted on charges of conspiracy and intentionally damaging a computer system, according to the U.S. Department of Justice.
Lee Graham Walker, 24, of Bleys Bolton, England, was indicted on Thursday, along with a German 25-year-old named Axel Gembe. Gembe is believed to be the programmer behind Agobot, a well-known worm used to create botnets that can be used in DDoS attacks or for other purposes, such as relaying junk e-mail.
The attacks were allegedly ordered by Saad Echouafni, a native of Morocco who was the owner of Orbit Communications. Paul Ashley, a business associate of Echouafni, was then responsible for contacting Walker and Gembe to carry out the attack, the Justice Department said. Ashley pleaded guilty in 2004 and has already served two years in an Ohio prison for his part in the conspiracy.
Echouafni, also indicted in 2004, is being sought by the FBI, which said he should be considered armed and dangerous.
Walker and Gembe allegedly used a botnet they had created together to carry out the attacks. According to the indictment, the two arranged the attacks over Internet Relay Chat (IRC), also using IRC to discuss ways of making their botnet code more damaging to Web sites.
The technique allegedly used in the attack directed a flood of synchronization (SYN) packets at the target Web sites. The botnet was also capable of directing large amounts of malicious HTTP traffic, according to the Justice Department.
Matthew Broersma of ZDNet UK reported from London.