q.queso.com/archives/001917
the cause was a "sophisticated distributed denial of service attack" against the sites. Digging a little deeper, though, it doesn't look like this is a particularly accurate description of what happened -- but instead of this being a case of the folks at Six Apart trying to cover up some internal issue, it instead looks like they're being far too gracious in not revealing more about another company, Blue Security, which appears to have been responsible for the whole disaster. An explanation of this requires a slight bit of background. Blue Security is a company which has recently garnered a little bit of notoriety on the net due to its unorthodox method of attempting to control the problem of spam email.
PC World published a reasonably good summary of Blue Security's antispam efforts; a charitable way of describing the method would be to say it attempts to bury spammers in unsubscription requests, but a more accurate description would be that the service performs outright denial-of-service attacks on spammers, and does so by convincing people to install an application (Blue Frog) on their computers which launches and participates in the attacks.
com, an attack which was effective enough to knock that web server offline for most of yesterday. OK, so why is any of this information -- about a company completely unrelated to Six Apart -- important background?
This effectively meant that the target of the attack shifted off of Blue Security's own network and onto that of Six Apart, and did so as the direct result of a decision made by the folks at Blue Security. So, returning to my original point: saying that Six Apart's services were taken down as the result of a "sophisticated distributed denial of service attack" is an incredibly gracious statement that only addresses about 10% of the whole story.
I know that ultimately, the denial-of-service attack came from the spammers themselves, but it was specifically redirected to the Six Apart network by Blue Security, and I hope that they get taken to the cleaners for this one.
html (and linked to your pages from said chunk)--- I am wondering how YOU feel about having a back-up or alternate blog on a totally different service. There have been times in the past when blogspot has done "housecleaning" and deleted good blogs that they "thought" were spam or had been abandoned. Have you had many outages with your blog service provider?
May 3, 2006, 8:37 PM Personally, if I'm hosting content that I have a feeling is going to be a huge blockbuster for some reason, and generates thousands or millions of hits, I'd post to a service -- like LiveJournal -- that I don't have to admin or maintain. I pay for the service, and there are no limitations in the contract they place me under that say "You can not redirect traffic our way under condition of $foo". I would expect that BlueSecurity's thoughts were similar: "Our (Network|Hardware|Setup) can't maintain this traffic level, but we pay for hosting through another service that can. Clearly, we should use that service, for which we're paying, to its fullest." Additionally, simply changing where the domain pointed wasn't all of the problem: The DNS servers, based on my experience, seemed to be under a malicious attack, since they weren't responding to pings at all. I could be wrong, and that could simply be a failure due to excessive NS lookups (I guess) but it seems unlikely: The servers *were* attacked, regardless of the reason for it, and the fact that BlueSecurity was involved does not change the fact that the abusive behavior was directed towards SixApart. Additionally, LiveJournal at least used to have portions in their ToS regarding identifying users. Identifying troublemakers on your network, especially when they are commercial in nature, is a great way of asking for a lawsuit, so I certainly don't blame SixApart for being vague. Lastly, the biggest thing that DDoS type people want to see is their name in lights. Posting about "Spammers attacking bluesecurity" is only likely to make them redouble their efforts. In the past, most communication about DDoS situations with LJ has been kept relatively quiet so that people don't feel like they're achieving their goal. Obviously this is not nearly as possible when you're down for four hours, but not putting the BlueSecurity name into the status announcements just makes sense.
May 3, 2006, 10:39 PM Note that after reading a couple more links, it does seem likely that BlueSecurity did this knowing that they were under a DDoS attack, and knowing that the attack would be redirected, even if they weren't exactly sure how: in that case, it seems that they would be in violation of the Terms of Service which prevents users from intentionally impairing the usability of the service to other users. However, I still maintain that such a decision could in some cases be made in ignorance of the possible damage it could cause. I don't know enough about the situation to say whether that was the case here. I just like to play devil's advocate, for the most part.
May 3, 2006, 11:39 PM something I'm pretty damn sure isn't part of the TypePad service agreement. Since when does Typepad care about blogs they host following the agreement? Basically, you have to create a PR nightmare for them to get them to dump the offenders.
They are fighting the battle for us against the spammers who currently rule the Internet. They have a great service for protecting email addresses from spam. They even had a big success recently: many spammers stopped sending spam to the Blue community. Apparently, one spammer got mad and started attacking all the systems of Blue Security, taking down any ISP in the way. We should find the spammers and get control of the Internet back into our hands!
May 4, 2006, 4:59 AM Oh boy do you show your ignorance of this affair. I understand your nose is out of joint a little, but your rhetoric is way off the mark. Bluefrog is not a DDOS service, or it would have folded long ago. Instead of blaming Blue Security for your outage, you should be pointing at the spam crews who are actually performing this action.
May 4, 2006, 4:59 AM jm, I think Blue Security guys are pretty busy today. However, if you have any questions about how bluefrog works, or what it does, I'll stick around a bit and try to help. I am a bluefrog member, not staff, but I've been with BF (or BS) for about 6 months, so I'm pretty familiar with the program.
May 4, 2006, 5:02 AM First of all, I agree with most posts here that there is no way that Blue Security would intentionally do this. For every spam you get, the spammer gets a "remove me" email back at them. It's not an attack, it's 100% reasonable and 100% legit. When you get an email from a person, they can't argue that you should not answer it, just because it's spam. Sadly enough, the Blue Frog software doesn't work with POP3 email, only web services, so I can't use it - but when there's a version for Outlook or Thunderbird, I'll definitely install it.
May 4, 2006, 5:07 AM Neko, BlueFrog doesn't send any emails. The user agent occasionally posts opt-out requests at websites that are selling the things that you have been spammed for. These opt-outs are not simultaneous, and not high-volume.
May 4, 2006, 5:11 AM Oh, that's all a little harsh isn't it - wanting BlueSecurity to fold? Yes, I'm a BlueSecurity user, and I like the idea of their project. And yes, I agree changing their DNS records to TypePad possibly wasn't the best idea - but they (BlueSecurity) wanted a way to be able to communicate with their users over what was happening, a blog was a logical choice. During the first 24 hrs of the attack, when BlueSecurity's website didn't work at all, I very much wanted some kind of update on the situation, and so I was quite happy to see the Blog be put up. As I don't work with BlueSecurity, or have any contact with them other than being a user, I can't speculate on their reasons for changing their DNS records to TypePad, perhaps they thought since TypePad is considerably larger, it would handle the DDoS attack without any problems? Perhaps they thought the spammers would stop attacking once BlueS...