This update from reader Ken Barnes checks out... there appears to be another round of DoS cyber-attacks in progress against a number of prominent warblogs. I suppose it surprises no-one here that Hesiod at Counterspin posts to approve. Idiot.
The Attack
Instapundit was down (but Instabackup is up and working!), ditto Citizen Smash (backup site here), LGF, Tim Blair, The Command Post, and Iran's blogfather Hossein Derakhshan.
UPDATE: Seems to be resolved now in some cases. At one point, it involved almost everyone at Hosting Matters... our blogson, LaughingWolf (backup site here), Daniel Drezner (backup), Jeff Jarvis, Vodkapundit, Pejman (Pejmanbackup), DailyPundit, Emperor Misha I (thoughts | future backup blog), etc. On the Left, team member and Latin America specialist Randy Paul of Beautiful Horizons points out that Calpundit, Talkleft, Matthew Yglesias, et al. were also taken down.
Am I glad we recently moved to Bloghosts.com? Yup.
The Whole Story
As usual, one of our readers offers a complete briefing in the comments section, and Winds of Change.NET strongly encourages donations to help one of the main targets recover. If you want a good intel briefing re: who might be behind all this, then of course Dan Darling is your man. Great job, again... can the CIA just hire him already?
The Future
Dan and I agree: expect more of the same in future. There are many countries in which politically-motivated cyberattacks like this one will elicit indifference from the authorities and local network owners - or even attract active support. This isn't just an al-Qaeda vs. bloggers scenario, either. The government of Indonesia has used DDoS attacks in the past, for instance, to take down East Timor's entire Internet domain space. Does anyone really think they'll be the last ones to try something like that?
Unfortunately options like router-level IP block filtering and similar measures would support the freedom-haters in those societies, by cutting their people off from the support and ideas the Internet can bring. Paradoxically, our best offense is a good defense.
Arm Yourselves
As a service to the blogosphere, therefore, here are a few resources that can help you and your hosting providers understand the problem better and put some defenses in place:
* "What is a Denial of Service (DoS) attack?" And a quick roundup of the different types of DoS attacks one must defend against.
* Here's a very complete set of resources on Denial-of-Service (DoS) attacks and how to combat them.
* SANS has a step by step guide to basic measures that everyone should have in place, in order to prevent DoS attack launches from within one's network. They also have a roadmap to defeating DDoS attacks.
* Network Magazine has a basic article covering Distributed Denial-of-Service (DDoS) defense and some links that can get you started. If you run Cisco equipment, this advisory is also recommended.
* Black Belt defenders should visit U. Washington Professor Dave Dittrich's DDoS page. Dave also has a very cool home page, and seems to have lots of useful stuff on cyber-security.
* Finally, on a lighter note, apparently blog servers were not the only machines targeted today by jihadists. And that information comes direct from The Source....
Further resources & recommendations gratefully accepted. Just use the comments section!

Heck of a thing to come home to. Would love to find out who is behind this as they have taken out my professional site with this dreck as well. Growllll.
As reported earlier on LGF, this attack is apparently directed against a site called Internet Haganah (though it has since moved) and other blogs located at Hostingmatters.com are targets only secondarily.
As DuHarb says, the DoS attacks (today's is the third since Friday) have all been targeted at one site (according to the good folks at Hostingmatters); the initial attempt to isolate the IP failed, for reasons I don't quite understand, but HM has since isolated a block of IPs and is assigning new addresses. Here's the explanation from the chat boards:
"The attacker is still going after the old clotho IP, even though that is no longer bound anywhere. Since it is still routed, however, the traffic still tries to get to the location where it is advertised (i.e., the Jacksonville facility). None of the upstreams appear to be equipped to deal with the attack, for whatever reason (and we'll reserve our commentary on that).
This is what we're going to do: since the attacker is still going after that old IP, we are requesting that Peak10 (via AT&T and Qwest, who advertise our routes) break out our /20 and start advertising the individual /24s instead, and then drop the /24 containing the target IP. What this means is that instead of advertising all of our IPs, from the first one to the last, they will advertise each block on its own, from 0 through 255.
What this also means is that we have to change the IPs on every server that is bound to an IP within the same block as the IP the attacker has targeted. This will involve about 25 servers, and at least one of our own nameserver IPs. We are headed to the NOC to do this right now. Peak10 is working with Qwest and AT&T to get the individual /24s readvertised with the exception of the affected block."
There seem to be two main sentiments expressed on the boards: "That's it, I'm outta here" and "Hey, it could happen to anyone." But if the reports about targeting Internet Haganah are true, it raises a question about hosts' continued willingness to host politically sensitive blogs - assuming such sites are more likely to be the targets of DoS attacks.
As a side note, I don't know whether Tim and the Command Post are on HM; I suspect that LGF and the Good Professor are hosted on the now-isolated block of IPs.
Have been over to the boards, and posted my support of HM on this. The point raised on hosting sensitive sites is a good one, but what makes a site sensitive in this day and age of hypersensitivity? Any site could be such in the land of the easily offended and PC-types. There are a lot of questions here, and no easy answers. If they can ever find out who is behind the DOS, and there is a way for each of us "collateral damage" types to go after them with civil actions, I will cheerfully do so. Criminal is nice, but civil lets the rest of us try to collect our pound of flesh and helps make a point about civil actions and civil discourse.
"There seem to be two main sentiments expressed on the boards: "That's it, I'm outta here" and "Hey, it could happen to anyone." But if the reports about targeting Internet Haganah are true, it raises a question about hosts' continued willingness to host politically sensitive blogs - assuming such sites are more likely to be the targets of DoS attacks."
So, the internet is going to become a wasteland of cooking recipe and porn sites? How about finding the perpetrators and throwing 'em in the hoosegow?
Thanks for the report, BTW. I also can't get to TNR Online, but that might be a different issue.
"There are a lot of questions here, and no easy answers."
Absolutely. I certainly wouldn't support hosts limiting their services, and I certainly would support throwing the book at the perpetrators of these sorts of attacks. Mine was just that - a question; it's not even clear that political blogs are any more likely to be the target of DoS attacks. Still, if this series of attacks was indeed politically motivated, and if it has a real impact on HM's bottom line, I think it's an issue to consider.
They are all good questions to consider, and we need to do so. This could have a significant impact on HM's bottom line if the whiners do pull out. While I can understand the frustration -- I do NOT like having my professional site and mail down right now -- I also have little respect for some of the tantrums I saw. The problem is not HM and their actions. The problems lie upstream with others who must act, and most of all with the individual or individuals behind this.
As for doing something constructive, I just copied Cardinal Puppylieu, er InstaPundit, and created an emergency backup site on blogspot: http://InstaWolf.blogspot.com. It at least gives me an outlet to vent through, and if things stay down to get some blogging out.
I don't think they are hosting Internet Hagana anymore (they can't while that DNS [as well as the old IP] is under DDOS attack). It's presently in limbo.
HM has done everything they can at their level. As Laughing Wolf said, a lot of the problem is upstream from them. And the blame should be placed right where it belongs -- on the jihadi script-kiddies who are attacking.
Blaming HM because it hosted Internet Hagana is a bit like saying 9/11 is America's fault for supporting Israel. ;)
Anyone have the URL for the Hostmatters forums? Are they up? My site's in the dark because of this, too, and I can't remember the direct URL for the boards.
Argghh! Guess I gotta get a backup site, too.
Here's their emergency forum.
Thanks Kathy! I bookmarked it this time. :)
Dave Dittrich is not a professor. He is a generally reasonable guy though.
It's important to note that the reason why these internet jihadis (apparently based in Malaysia and Europe) went after Internet Haganah is because Aaron has been very effective in getting terrorist web sites closed down. He's hurting them, and they have (correctly) identified him as an enemy. They use their sites for serious business -- command and control, planning, and communication between cells.
These attacks have not been directed against the blogosphere in general -- at least, not this time. As Joe says, DOS attacks like this will probably continue, and get worse, because the tools are readily available and it doesn't take a genius to use them.
My backup page can be found here. Spread the word.
Little Tiny Lies has also gone the emergency backup route, and can be found at Analprobe. He claims he was trying random names and this one worked...
"Seems to involve everyone at Hosting Matters..."
I know I'm small fry, but for the record my itsy-bitsy little blog, hosted by the good folks at HM, is up and running just fine.
Guess I wasn't on the cool kids' server.
They've got two blocks of IP addresses. One block was back up and running in short order. You are obviously on one of those servers.
I'm obviously not. Sniffle... Sob...
Heh. The gods must have taken pity on my sobs. My site's back up now. :)
Well, I am back up but can't log on to post yet. No biggie, as I am compiling a list of all the emergency blogs over on my emergency blog. If you have a mirror site, emergency blog, or whatever, leave a comment over at Laughing Wolf in the post on emergency sites that will go up shortly, and I will get it added in to the list.
Kathy, don't cry. Here, here is a nice soft fur hankie for you, and a glass of single malt to help make things better...
Woo Hoo! I am back and fully back. If anyone other than Pejman and Steve have backup sites, let me know at this post and I will see about putting together a full list of emergency backup sites. I will also be glad to share the list with others, so that you can post it as well.
I had a few words to say to the folks who either threw tantrums or didn't understand clearly what was at stake here. Sadly, some folks, with the evidence in front of their face, did not realize we are at war. Civil actions against servers in Malaysia won't work, but AT&T, Qwest, and Peak 10 all needed to be a bit faster on the uptake. Five-hour downtimes aren't acceptable. They may be the avenue of (legal) counter-attack, but the last thing we want to do is have them start demanding greater net controls that could assist the forces of repression.
Ubu, a.k.a. Houblogger
I was a victim too. This is just crazy.
Big cheer for our resilient bloggers!
As an outsider looking in, I can't help but figure that it is not random that a Jewish site (Haganah) is attacked by a country (Malaysia) just as a Malaysian leader is attacking Jews in public speeches. I know that the PC from which this originated probably doesn't have a Malaysian government serial number, but I have to conclude that if you are attacking Jews internationally, you will get no interference from Malaysian authorities. In the world of terrorism, this is the "safe haven" that our President Bush spoke of.
Question is, how should our government react? You guys understand this stuff at a level that I, and your Senator, just don't. Some timely guidance from the lords of the blogosphere may be just what our corporeal leaders need.
The tumult of vital ideas is the core of the Free West. They are attacking our heart, and we'd better take it seriously before they ramp it up to its full potential.
Dennymack
What I find hysterical is the islamicawakening chowderheads (that are trumpeting the Al Qaeda's technical ability at taking down hostingmatters.com) have a server that's about as secure as a Turkish jail. I took a quick look at the server, and I frankly almost laughed myself silly. Their DNS server (also ran on the same default Trinoo linux install as the server) allows Zone transfers without authentication, they have samba, telnet, daytime, and a dozen other unnecessary services running, plus not only does their Sendmail config return a banner, it kindly returns one that lets me know that they're running an unpatched version that's got multiple vulnerabilities.
On top of that, their version of OpenSSL (0.9.6) has a known exploit, and I'm pretty sure (I didn't hassle with checking) that their install of SSH does too.
Unless this thing is a honeypot (Which I doubt) these guys are complete idiots. They might as well run a default Windows NT install and IIS.
Sheesh. (People and glass houses and whatnot)
The outages lately have been tough on us baseball bloggers, what with this being peak season for traffic on baseball blogs.
Figures that Hesiod would think this was funny. What a tool. And he still can't spell.
Hosting matters forums on the 10/16 and 10/21 attacks
DOS Attack
Oct. 21 Update
It's not just Warbloggers. Ruminate This, Talkleft, Calpundit and Matthew Yglesias were also down.
I'd think it too early to ascribe any affiliation or motive to the hackers - other than the usual sociopath-dropout penchant for raising hell.
But dammit, I'm reduced to commenting about this on other people's weblogs rather than my own, as Hosting Matters is my patron, and my Movable Type interface is currently running slower than molasses, up an 89-degree incline in January. Gah!
I think I'm with Michael in this...as much as I'd like to think that we (warbloggers) matter enough to be targeted, I kinda doubt it.
Random acts of stupidity, or spillover from an attack aimed at a specific enemy - that seems the likely case.
A.L.
Stop this scourge against freedom of speech.
And for more freedom of speech go to Australian Politics at the URL listed above.
I think when he finally gets back up we should all send Aaron 25 bucks so he can mirror his sites. He is doing his part to keep our sorry butts from being blown up by terrorists.
It is the least we can do.
BTW I think a few of the people here think this is a game... Stop and think about it... These people want you dead. Aaron is trying to help stop them.
this is serious shit.
Think about it.
You don't have to wait until he's back up to send him the $25. There are several mirrored sites on free web servers which have PayPal buttons -- it looks like he's more than half way to the goal:
geocities 1
geocities 2
geocities 3
150m 1
150m 2
tripod 1
Internet Haganah was the primary target. Whoever the attackers are, they wanted to take down the podium, but took out the whole arena. I dropped Aaron $20 so as to mirror Haganah around the world.
It's unfortunate that people want to squash speech but let's be honest, Constitutional free speech is by far the most dangerous weapon to dictators, fascists and Islamists around the world second only to the able minded soul whose memories can never be eliminated.
While the Internet provides the Islamist a means to communicate, it also provides a means of the anti-Islamist to play the role of the eye in the sky and the eye on your mac address.
Two technical notes:
Malaysia may not be the real source of the attacks; it could just be that due to its immature but very fast infrastructure it is a convenient location to compromise machines to do the dirty work of a DoS attack. And perhaps misdirection at the same time.
Splitting a /20 into /24s is not a general solution; I've not followed the "growth of the global routing table" issue for years, but for this approach to truly work it needs to increase that table (by 16, I think; read up on CIDR), and that won't scale.
Frankly, I think it will take either the backbones getting serious about dealing with DoS attacks, and/or it'll take criminal and extra-legal measures to stop this.
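The deaggregation described in the Hosting Matters explanation quoted earlier, and the routing-table cost raised in the technical note above, worked through as an added example that is not part of the original comments or HM's tooling. The /20, the target address and the server list are constructed; the last function goes beyond what HM described and shows the smallest prefix set that still excludes the attacked /24.

```python
import ipaddress

# Constructed sample data: a private /20 stands in for the host's real block,
# and the server names and addresses are hypothetical.
AGGREGATE = ipaddress.ip_network("10.64.16.0/20")
TARGET_IP = ipaddress.ip_address("10.64.21.37")
SERVERS = {
    "web01": "10.64.16.10",
    "web07": "10.64.21.12",
    "ns2": "10.64.21.53",
    "mail03": "10.64.30.25",
}


def deaggregate(aggregate, target_ip, new_prefix=24):
    """Split the aggregate into more-specifics and set aside the one that
    holds the attacked address. Returns (routes_to_announce, dropped)."""
    if target_ip not in aggregate:
        raise ValueError(f"{target_ip} is not inside {aggregate}")
    subnets = list(aggregate.subnets(new_prefix=new_prefix))
    dropped = next(n for n in subnets if target_ip in n)
    return [n for n in subnets if n != dropped], dropped


def servers_to_renumber(servers, dropped):
    """Hosts inside the withdrawn block become unreachable and need new IPs."""
    return sorted(name for name, ip in servers.items()
                  if ipaddress.ip_address(ip) in dropped)


def minimal_announcements(aggregate, dropped):
    """Fewest prefixes that cover the aggregate minus the dropped block."""
    return sorted(aggregate.address_exclude(dropped))


if __name__ == "__main__":
    announce, dropped = deaggregate(AGGREGATE, TARGET_IP)
    # The covering /20 has to be withdrawn as well: while it is advertised,
    # traffic for the dropped /24 still follows it to the facility.
    print(f"withdraw {AGGREGATE}, do not announce {dropped}")
    print(f"announce {len(announce)} x /24 in place of 1 x /20")
    print("renumber:", ", ".join(servers_to_renumber(SERVERS, dropped)))
    print("minimal set:",
          [str(n) for n in minimal_announcements(AGGREGATE, dropped)])
```

With this sample data the per-/24 approach puts 15 routes in the table where there was one, while four prefixes of mixed length would cover the same surviving address space.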
You never know how much it means until you right click MT-it! and come up empty. Knock wood, something will be done to strengthen HM and the backbone from these types of attacks.