Deerfield Hosting, Inc.
The Slightly Technical

A Denial of Service Attack

October 22, 2016 by dennis


Online Security

On Friday, October 21 an exceptionally large attack was launched which affected a huge number of sites on the Internet.   Some prominent sites were affected including PayPal, Amazon, NetFlix and Twitter.  No sites we host were affected, although some sites using PayPal as a payment gateway did have some trouble.

To get some sense of the scope of the attack, you can take a look at downdetector.com and Threat Post.  This incident has yet again pointed out that security on the Internet is a mess.

You may have unwittingly participated!

As is usual with slightly technical information, the news media reports of the incident were roughly 75% factually inaccurate.  This is unfortunate, because it is exactly this general ignorance of security which enables this kind of attack.  It’s not difficult to understand what happened and how you may have participated.  If you are among those people who often use the acronyms DR, TL, get a clue.  Didn’t Read; Too Long isn’t a reasonable attitude in this case.  If the Internet is to continue to be useful, we all need to take some responsibility for it.  That’s just how it works.

How the Attack Works

When your computer (or phone, or any Internet-capable device) wants to connect to a web site or other service on the Internet, the first step is to get the numerical address of the service.  It gets the address by using what is called DNS, Domain Name Service.  There is a centralized repository which exists for the purpose of translating domain names (paypal.com, netflix.com, amazon.com, etc.) into numerical addresses.  It’s basically a three-step process.  The first step is to query the repository for a list of servers which hold the wanted address.  In step 2, your device sends the domain name to one of those servers and gets back the numerical address (called the IP address).  The last step is using the address to connect to the service.

In many cases, the news media reported that web sites and services were hacked or were not functioning.  This is sloppy reporting and is not correct.  Sites and services were not even attacked.  What was attacked was the DNS service.  This means, for example, that while NetFlix was up and running with no trouble, a lot of people couldn’t find out where to connect to it.  They couldn’t get the address using the DNS system.

As I write this, a very large DNS service provider, dyn.com, continues to be under attack.  For many sites a quick fix was put in place: adding DNS service from other providers.  The DNS system is very resilient.  When your machine can’t get an answer from one DNS server, it will try the next and the next until it either gets an answer or the list of servers to try runs out.  By extending their DNS server lists, many sites and services were able to quickly restore availability.  But that isn’t the end of the problem.

The attack is a distributed denial of service attack.  Essentially, the service provider is flooded with so many requests for service that it can’t answer them all quickly enough.  The usual way to deal with attacks like this is to identify the source as an attacker and then ignore any further connection attempts from that address.  The problem is volume.  Each connection attempt has to be read at least to the point where the source address is found and that address compared to a list of addresses to ignore.  This takes resources.  As the list of blocked addresses gets longer, the time it takes to check it also gets longer.  For technical reasons, when you double the size of the list, the time it takes to do a lookup more than doubles.  The increase is at best logarithmic.


In a DDoS attack, resource availability at the service provider is usually the biggest problem, but it can get worse.  As it was in this case, the volume can be so great that there is not enough space on the wire (bandwidth) for all the data coming in.  There isn’t enough left to use for answers.  The service is hosed.

This attack is being perpetrated by what is called a botnet.  The participating devices are running malicious software called Mirai.  A botnet is a collection of compromised computers being controlled remotely and acting in concert.  By some estimates, more than a million devices are compromised in this way.  This is the distributed part of the attack.  By instructing potentially tens of thousands of devices to do DNS requests at the same time and keep doing them, huge amounts of traffic can be generated.

Who is Behind the Attack

No one knows who is controlling the botnet(s) doing this attack.  Some news reports are quoting “authoritative” sources who are giving definitive answers.  It doesn’t take a great depth of technical understanding to see that there can’t be a general definitive answer.  Anyone who says otherwise is unequivocally wrong.  There are sometimes clues, and the dumbest botnet operators get caught.  The smarter ones use a chain of compromised computers to issue their orders.  You would have to solve every compromise in the chain to lead back to someone.  That’s nearly impossible.

Some people have been making the case that attacks like this are state sponsored.  That may well be part of a larger picture.  Bloomberg has some theories and a bit more analysis, although the article contains some misinformation.

Some security people such as Brian Krebs believe that this problem is just getting started.  If you can’t pull up that link, the likely reason is that it is currently under attack.

The outlook for stopping this activity in the short run is bleak.  There are simply too many vulnerable devices and the compromise is too easy to pull off.  Your local service provider is probably failing to do their part.   At Deerfield Hosting we have long had countermeasures in place.  We often speak with customers who have, unfortunately, been affected by them.

If you have a vulnerable device (such as a router or a security camera from Best Buy), complain to the vendor and manufacturer.   If you have a device which still has the factory password and you can change it, change it!   The Internet is a peer to peer network.  That means almost no matter where you think you are, you are everywhere.  So are the criminals.  They will find it.

It wouldn’t be out of line to complain about the sloppy reporting.  Service providers (like Time Warner and Comcast) generally make no effort to block outbound attack traffic, inform customers that they are compromised or help their customers avoid getting compromised in the first place.  They should be doing these things.  They can afford it.  It’s cheap.   It wouldn’t be out of line to complain to them that they are not.

The problems are endemic to the entire Internet and need to be addressed broadly.   That means all of us.

Expecting someone else to keep us safe is not realistic.   It’s no different than not leaving the keys in your car when you’re out shopping.  It’s common sense.

Filed Under: The Slightly Technical, Web Site Security

Your Domain and Google Search

March 4, 2013 by dennis

We are often asked about the results when a domain name is typed directly into a Google search box. It’s helpful to understand a little bit about how Google searches work. It’s a gigantic topic and we’re only dealing with one small corner of it here.

What Google tries to do first is find things other people have searched for. When you click on a particular result, they record the click. The idea is that since you clicked on it, the description probably was a match for what you wanted. Next time a similar search is done, your click tends to move that result up to a higher position.

Next, people often make typing mistakes and Google attempts to correct them. In theory, this saves the customer from wasting time and needing to re-type and saves Google from wasting resources on bad searches.

It gets a lot more complicated than that, but that’s the beginning of how it works.

When you type a domain name into a search box, Google is likely to recognize it as a domain name. But the same logic will be applied, with results you may or may not like. I was just asked about the domain name miniatureangels.com. Google returned, “Showing results for miniature-angel.com” – NOT what was wanted. Apparently that’s a popular site.

Unfortunately there is nothing to be done about this. We sometimes hear from customers who are upset that something like this is happening to them. There isn’t anything magical or mystical going on and it wouldn’t matter where or how your site is being hosted. Website content may have some effect. It has nothing to do with hosting at all.

I tend to regard typing a domain name into a search box as a dumb thing to do. After all, if you are looking for the web site for a domain there is no need for a search. Just go there. The trouble is, huge numbers of people were introduced to the Internet by simply sitting down at a computer with a Google search box in front of them. They typed in what they wanted and found it, and that is the end of that. The principles of least thought and least resistance have coincided and that is what they will do evermore.

Our customer who owns miniatureangels.com wants to replace that with miniatureangelsfarm.com. Probably a good idea.

Filed Under: The Slightly Technical

Domain Registrations and Name Servers

November 14, 2012 by dennis

It’s simple. A domain registration has the sole function of specifying DNS servers.  In order to find services provided for your domain name, a number called an IP address is required.  DNS servers map names to these numbers.  The DNS servers have entries like:

BaileysKarate.com -> 216.185.152.158
www.BaileysKarate.com -> 216.185.152.158

They give out this information when asked.
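As an added example (not code from this post or from Deerfield Hosting), the Python below builds the question a device sends for the BaileysKarate.com entry above, parses the answer a DNS server gives back, and runs the try-the-next-server loop described in the denial of service post above. The server names, the reply bytes and the fixed transaction id 0x1234 are constructed for offline use, and the `send` callback stands in for a real UDP transport.

```python
import struct

def build_query(name, txid=0x1234):
    """Minimal RFC 1035 A-record query: header (RD set, one question), QNAME, QTYPE=A, QCLASS=IN.
    The fixed txid is a placeholder; a real resolver randomizes it to make spoofed replies harder."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)
def _read_name(msg, off):
    """Decode a label sequence at off, following a compression pointer (0xC0xx) if one appears."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                          # pointer to an earlier copy of the name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln
def parse_a_records(msg):
    """IPv4 addresses from the answer section of a DNS reply (empty list if there are none)."""
    _, _flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    ips = []
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips
def resolve(name, servers, send):
    """Stub-resolver loop: try each server until one answers; send(server, query) is the transport."""
    query = build_query(name)
    for server in servers:
        try:
            reply = send(server, query)
        except OSError:                                # timeout or unreachable: next server
            continue
        if reply[:2] == query[:2] and (ips := parse_a_records(reply)):  # id must match ours
            return server, ips
    return None, []
def make_answer(query, ip):
    """Constructed reply for offline testing: echo the question and append one A record (TTL 300)."""
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + rr
```

A reply whose transaction id does not match the query is discarded rather than trusted, which is the one cheap check a stub resolver has against answers it never asked for.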

DNS servers are controlled by hosting companies so that they can provide services on IP addresses they choose. Customers register domains and set the DNS servers as instructed by their hosting company. When they switch hosting companies, they can modify their registration to use the DNS servers from the new company. And that is really all there is to that.

To change hosting providers, all you have to do is log in to your account with us, or wherever you bought your domain name, and change the DNS servers it is set to use. Nothing needs to get transferred. It’s just a settings change which is very easy to do.

Of course this assumes that you have access to and control of your domain registration. Sometimes hosting companies keep control themselves to make it much harder for their clients to leave them. That’s a subject for a different post.  At Deerfield Hosting, we always register domains in our customers’ name.  If you paid for your domain registration, you should control it!

Filed Under: The Slightly Technical

Copyright © 2025 · Deerfield Hosting