Snooze Button Dreams
October 28, 2003
Here we go again
(Category: Other People's Stuff )

The Instapundit has pointed out what looks to be another DOS attack on Internet Haganah for Thursday. After using the handy dandy Arabic to English translator at Ectaco I must say that I agree with him. Loosely translated, the message says that 7PM on Thursday, October 30 is a favorable time for anybody who is available. It then gives details for Internet Haganah and their IP on all of their mirror sites.

So expect all of the Hosting Matters sites to go down around 7PM (time zone would be helpful) on Thursday.

UPDATE: From the comments comes good news for many blogs from Aaron at Internet Haganah -

Haganah is no longer hosted at HostingMatters. Trust me, I know, I'm the Director of Internet Haganah. HostingMatters' network is not on the target list.
Posted by Jim
Comments

I think that is CMT...

Central Moron Time.

Posted by: Paul at October 28, 2003 05:22 PM

Haganah is no longer hosted at HostingMatters. Trust me, I know, I'm the Director of Internet Haganah. HostingMatters' network is not on the target list.

Posted by: aaron at October 28, 2003 06:41 PM

Good luck Aaron. (Is there some kind of poison pill code you can insert that blows up in their faces when they contact your site?)

Posted by: Yehudit at October 28, 2003 07:51 PM

Not really. The DoS attacks they use to bring down his site are not sent to him, but rather to computers that don't check for forged source addresses and don't bother to trace anything back (and often don't even bother keeping activity logs). The DoS packets have HostingMatters servers as their source IP addresses, and were designed to make the "sucker" computers think they were receiving constant misshapen ping traffic from HostingMatters, to which they would respond with SYN packets... enough to clog the network and take HostingMatters offline.

The perpetrators could only be determined by convincing the "sucker" servers to share their system logs from during the attack, something they are loath to do... not only because most of the admins don't even know how to log their server traffic, but the few that do are too prideful to admit that their server was used to assist a DoS attack.

Posted by: Tatterdemalian at October 28, 2003 11:24 PM

Apparently you have to join the group to read the message. Any chance you might post the message here?

Posted by: serenity at October 29, 2003 07:05 PM

Crap. Looks like they closed the group. It was open when I looked at it.

Posted by: Jim at October 29, 2003 07:27 PM

well, now that he's at a new host, not sure if this is going to pan out today. but the mirrors might have a problem since they were named in the group, before it was closed.

Posted by: djspicerack at October 30, 2003 10:24 AM

"The DoS attacks they use to bring down his site are not sent to him, but rather to computers that don't check for forged source addresses and don't bother to trace anything back (and often don't even bother keeping activity logs). The DoS packets have HostingMatters servers as their source IP addresses, and were designed to make the "sucker" computers think they were receiving constant misshapen ping traffic from HostingMatters, to which they would respond with SYN packets... enough to clog the network and take HostingMatters offline."

This is an entirely incorrect assessment of the technical details behind not only the original DDoS attack, but the manner in which such attacks work. There was *no* ping traffic originating *from* our network to any destination - that would make us the attacker and not the host of the target. The linked message (prior to the group being closed) had no sites or IPs listed that were within our network, and quite clearly we suffered no issues related to the proposed attacks in that message.

Posted by: Annette at October 30, 2003 09:49 PM

Annette,

Tatterdemalian may not have been describing a classic DDOS attack or the type of attack that was implemented on HostingMatters. What he is describing is what is referred to as a Reflected Denial Of Service. You can forge an IP header and put the sender address as HostingMatters, then send the packet to Google or Yahoo or wherever. The server will respond to the sender (multiple times) with a SYN packet or even a NAK.

www.grc.com is a good place to learn about how this kind of thing works. I'm not an expert (by any stretch), but everything I know I learned there!

Posted by: g at November 4, 2003 08:25 AM
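
On the target's side, the reflection described in the comment above appears as TCP replies (SYN/ACK or RST) to connections the target never opened. As an added example, not part of the original thread, this Python code flags such replies in a constructed packet list; the addresses, record layout and threshold are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed capture: (time, src, sport, dst, dport, tcp_flags).
# 192.0.2.0/24 stands in for the victim's network; 198.51.100.x and
# 203.0.113.x stand in for outside servers. All values are made up.
SAMPLE = [
    (0.00, "192.0.2.10", 40000, "198.51.100.5", 80, "S"),   # real outbound SYN
    (0.03, "198.51.100.5", 80, "192.0.2.10", 40000, "SA"),  # its genuine reply
    (1.00, "203.0.113.7", 80, "192.0.2.10", 51515, "SA"),   # no SYN was sent
    (4.00, "203.0.113.7", 80, "192.0.2.10", 51515, "SA"),   # retransmission
    (10.0, "203.0.113.7", 80, "192.0.2.10", 51515, "SA"),   # retransmission
    (1.20, "203.0.113.9", 443, "192.0.2.10", 51516, "R"),   # closed-port reset
    (1.30, "198.51.100.5", 80, "192.0.2.10", 40000, "A"),   # normal data ACK
]

def find_backscatter(packets, local_net):
    """Count inbound SYN/ACK or RST segments that answer no local SYN."""
    net = ip_network(local_net)
    pending = set()          # flows for which a local host really sent a SYN
    unsolicited = Counter()  # remote server -> unsolicited reply count
    for _ts, src, sport, dst, dport, flags in sorted(packets):
        src_local = ip_address(src) in net
        dst_local = ip_address(dst) in net
        if src_local and not dst_local and flags == "S":
            pending.add((src, sport, dst, dport))
        elif dst_local and not src_local and flags in ("SA", "R"):
            # A reply is legitimate only if it mirrors a SYN we sent.
            if (dst, dport, src, sport) not in pending:
                unsolicited[src] += 1
    return unsolicited

def reflectors(packets, local_net, threshold=2):
    """Remote servers whose unsolicited reply count reaches the threshold."""
    hits = find_backscatter(packets, local_net)
    return sorted(ip for ip, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    print(find_backscatter(SAMPLE, "192.0.2.0/24"))
    print(reflectors(SAMPLE, "192.0.2.0/24"))
```

The `pending` set never expires entries here; a long-running monitor would age them out so that stale flows cannot mask later unsolicited replies.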
TrackBacks
TrackBack URL for this entry: http://blog2.mu.nu/cgi/trackback.cgi/5354
Irreconcilable Musings linked in Go to Yellow Alert - Shields up! on October 28, 2003 03:18 PM
lingosphere daily linked in more DDOSes this week? on October 28, 2003 08:53 PM
Wizbang linked in New DDOS Attacks? on October 29, 2003 12:07 AM

This site sponsored by a Jew or two.

Powered by Movable Type 2.64 | This weblog is licensed under a Creative Commons License.