Golf huge attack / down

[GatorBrent]

golf.websitewelcome.com has been under attack for the majority of the day and is still under attack. The sites being attacked is waking-the-dead-online.me.uk (england's largest soap opera) I was told it's bigger than "days of our lives" there.



The site have been suspended, but the attack is still going on.


We can't block the attack and the datacenter can't either. This is the worst attack we have seen to date!! With everything shut down the box is still overloaded and dieing. At any given second there are over 13k bots attacking. At this point the only thing that can be done is to wait it out.

We have no idea how long it will continue for. It could be minutes, it could be hours.


Please do not contact us regarding this issue. We will keep this thread up to date with any information at all.

[Parafly9]

Isn't their some kind of contingency for this type of situation, like a duplicate on a nother server we can switch to or something. I hope this gets fixed soon I have quite a few clients who may be turning on their computers right about now.

[Hoggs74]

Is there any update to this situation yet?

[kingcobra]

If you can't prevent it and the server is dying place us on a new server.

Seems the most plausible thing to do.

We don't want to have to re do every thing we have done.

It takes a long time to get the sites up and the trust of your users, and then get your self back in the search engines.

We await a response.

Prevention is better than the cure,
But the cure will do for now !

www.ringtone-3g.com
www.r3g-mobile.com
www.flogitfriends.com

[Parafly9]

Seems to be up again, is this for good now or are we sitll having problems? Are their refunds for downtime?

[Serra]

Quote:

Originally Posted by kingcobra

If you can't prevent it and the server is dying place us on a new server.
Seems the most plausible thing to do.

If you don't mind your sites not working, sounds like a wonderful idea. If a site is moved to a new server, then all of the supporting materials need to be converted. Everyone with an SSL certificate or fixed IP would need to be manually resetup. If anything was different on the new server, then some sites would stop working.

Also, it would take 24-48 hours for the DNS to switch, so expect your sites to be down for up to two days. Is that really what you want?

[Parafly9]

Ugh, down again. I'm not a technical guy but couldn't there be some kidn of backup for redundancy where it instantly switches on failure of one server? Doesn't this exist on big websites?

[GatorRobin]

Parafly9

There's no way to instantly switch to another server because attacks are directed to an IP. If you move everything to another server and keep all the settings, then you're still going to have the same IP and the attack would not be stopped as Serra mentioned.

Changing the base IP of the server is the only way to bypass the attack which is what was done and it takes a few hours for the new IP to propagate through the world to all ISP's.

I know this is very frustrating when something like this happens but every provider has faced it, even Microsoft. And when the attack is this HUGE, even MS can't stop it.

I'm not one that is actively working on this, but I saw your post and wanted to try and provide some further information during this time.

I'm sure Brent or someone will be posting other updates soon so keep checking back.

[TeeJa]

Quote:

Originally Posted by Parafly9

Ugh, down again. I'm not a technical guy but couldn't there be some kidn of backup for redundancy where it instantly switches on failure of one server? Doesn't this exist on big websites?

Quick answer to this is $$$$$$$.
You sure would not like the large amount of money extra you would have to pay each month.

[kingcobra]

Serra what we really want is to have a reasonable response to a reasonable question.

Plus some hosts send emails to customers affected to their secondary address (offsite) and also have a list of working and non working servers.

You're a big company with lots of customers, all we want to know is, what investments are you putting into your business to protect your customers business.

[Hoggs74]

all of my sites are still down.

[Parafly9]

Mine are up again;

I think the question becomes, what caused this and was it preventable by hostgator? I dont'really understand the technicalities but I did have my site hosted by another company for some time ( 2 yrs) and we never had "attack" issues. They had other downtime issues, but like the other poster said, I would like to know the root of this and waht hostgator does to prevent this again. This makes me very worried about continuing service even though I just moved to hostgator 2 months ago.

[PsiPro]

No, this was not preventable by hostgator.

The only way to possibly prevent these types of attacks are to use load ballanced servers, which is the redundancy you all are talking about. You are also talking about a multi thousand dollar set-up. At the rate we pay for our sites we do not pay for this redundancy.

The problem is that the attacking computers are targeting the domain name / IP of the computer, therefore changing to anothe box will just move the problem.

kingcobra: Hostgator dosn't manage the servers themselves, they are manged by The Planet Datacenter... Thank god, they can give general protection far better then if hostgator ran their own datacenter.

Since little information as to the nature of the attack was posted, I'm assuming its was DDOS attack? Essentially that means thousands, possibly millions of computer infected with a virus "attacked" the server, and the server just stops, you can read more by asking google was a DDOS is.

HostGator could not hav prevented this, they can only do damage control and wait it out.

You asked what can be done to prevent this in the future? Well not alot, if The Planet and Hostgator cannot set up a block to stop this specific attack (becasue they are attacking a core service) then it would hinder the functionality of the server to block the attack route. Some security may be addalbe, but all they can do is inform the feds and they will have to deal with it.

[dema]

For those curious about what a DDoS entails, I read an interesting article from a couple of years back that followed the sotry of a (extortion-driven) DDoS attack on a company. Check it out here.

In short (which that article most certainly is not) a DDoS is an incredibly hard thing to fight and prevent. You will never find a host that can really guarentee you full protection from a DDoS, and as an HG staff member noted, this kind of thing happens to the biggest of um. If your sites really are back up, I would be damn impressed with HG's speed on the issue.

A search on /. for 'DDoS' will reveal a number of similiar articles, but the one I mentioned stands out a very well written and detailed account of how complicated and hard to combat these things are.

[Serra]

Quote:

Originally Posted by Parafly9

Ugh, down again. I'm not a technical guy but couldn't there be some kidn of backup for redundancy where it instantly switches on failure of one server? Doesn't this exist on big websites?

Actually, this type of backup redundancy is totally possible and very easy to setup. However, it would cost you twice as much as you are paying now, plus some.

The way YOU would set this up is to setup your namesever to point to a company that monitors your website, when it goes down, they will automatically switch your dns to point to your backup server. This is called failover technology. (http://www.netriplex.com/solutions/c..._packages.aspx) If you replicate your data fairly often (for dynamic sites) then to the consumer, there would be no downtime.

This is a fairly common practice.

Why doesn't HG just do this themselves? Because the cost would be huge, over twice what everyone is paying now and with the firewalls and tripping point hardware that HG uses, these types of attacks should be rare.

If your site going down is a problem, then get off the shared hosting and move to semi-dedicated. Fewer sites on the semi server mean less possibility of downtime from attacks, if the attacks aren't directed at you or purchase another hosting plan at HG or another retailer and setup failover DNSs.

There is little that HG can do to stop this or help the problem. Changing the IP for the server would mean that ALL sites would go down. If they did that, it would be very simple to bring down sites because all someone would have to do is attack for a few minutes and the system would attempt to switch the IP, thus a small attack would bring down a server for hours.

They could move the attacked site to a new machine, but the DNS would take time to resolve to the new machine, so that would mean attacks would continue for hours. Those attacking directly via IP would not be stopped unless the IP was changes, as above.

[chaloupe]

My question here is why this server in particular and not another one?

Because of script, 777 files permissions? or they have just chose one for fun?

Maybe with a response to this, I can prevent...(try to because it seems that you cannot prevent those) attack. There should be a reason why they attack this server and not another one.

Tx

[Serra]

Quote:

Originally Posted by Parafly9

Mine are up again;

I think the question becomes, what caused this and was it preventable by hostgator? I dont'really understand the technicalities but I did have my site hosted by another company for some time ( 2 yrs) and we never had "attack" issues. They had other downtime issues, but like the other poster said, I would like to know the root of this and waht hostgator does to prevent this again. This makes me very worried about continuing service even though I just moved to hostgator 2 months ago.

Actually, it is just bad luck on your part. One of the sites on your machine is being attacked, which kills your machine, but there are lots of people on HG's system that are totally uneffected. I've never had an attack and its been months since anyone attacked any of HG's sites. Plus, this isn't an attack against HG, just one of their clients.

Read the post on tipping point. It shows what HG IS doing to prevent attacks: http://forums.hostgator.com/showthread.php?t=2187

[Serra]

Quote:

Originally Posted by chaloupe

Maybe with a response to this, I can prevent...(try to because it seems that you cannot prevent those) attack. There should be a reason why they attack this server and not another one.

It is a dDoS (Distributed Denial of service) attack against one specific website, just whatever server that site was on. The problem is, it is so effective that it is bringing down the whole server instead of just one site.

[chaloupe]

Thanks for response Serra.

ok sorry if I post again with almost the same question but ask differently,

So why this webiste (instead of why this server)? script, 777 permission, they have uploaded and .exe,,,or DDOS attack can be so much different thing that I am asking stupid questions?

This forum is very interesting!

[quietFinn]

Quote:

Originally Posted by chaloupe

Thanks for response Serra.

ok sorry if I post again with almost the same question but ask differently,

So why this webiste (instead of why this server)? script, 777 permission, they have uploaded and .exe,,,or DDOS attack can be so much different thing that I am asking stupid questions?

dDos attack comes from outside, it's not anything running in the server.

And why to attack a website...? Hard to know... I know there are people who have access to literally thousands of bots, usually they are controlled by commands in an IRC channel. And the reason to start this kind of attack can be just an argument
I was in a (quite small) IRC network, and we got dDoses quite heavily, and the reason was that one of our admins had some kind of argument with one of the "bad guys"

[PsiPro]

DDoS is different from Dos (The OS...sorta).

A simple and easy way to think of a DDoS attack is that lots of people ask for yourserver.com/index.html alot of times and bring the server to its knees.

premissions of 777 are a different type of security hole, and is of little importance when compared to DDoS

As was stated above, these attacks typically come from people who need to show off their |33t skills, are bored, or are just plain distructive. They targeted a website hosted on the same server you are being hosted on. Dosn't have to do with you, its the other site. As was said in the first post. Apparently the site that was targeted was a major name in the UK. Major names make for Major targets.

[Serra]

Just as a side note, HG isn't the only one with problems today. ALL of my sites on LunarPages have been down all day, including one eCommerce site. So everyone has problems at one time or another. Of course, all my LunarPages clients are calling me asking about their sites.

It looks like most of LunarPages went down today. Also, I'm having trouble contacting people on Central Florida RoadRunner as well. The address is not resolving! Very strange day on the net today.

Update: LunarPages lost power for the Wilshire buildings server floor. ALL of their sites hosted at the Wilshire building are still out. They have no power for the whole floor!!! At leaset ALL of HG isn't down.

[PsiPro]

If you look at the power center for ThePlanet, it would be a catistrophic failure if the power grid in that building went down.

[Serra]

Quote:

Originally Posted by PsiPro

If you look at the power center for ThePlanet, it would be a catistrophic failure if the power grid in that building went down.

When I was working for a large insurance company running mainframes we had UPS backups and backup generators on your system. One day, the UPS shorted out, exploded and destroyed everything in the power room. (released the halon too) Backup generators couldn't get power to the mainframe because the wires were all fried. The whole building went down.

Needless to say, mainframes, unlike PCs can't be power cycled! It took 24 hours for the power company and our electricians to rewire the power room and another 12 hours to bring the mainframe back online.

I'd would have said that our power supplies were fairly redundent, but a well placed explosion knocked them all out.

[PsiPro]

Totally true. I think the plant has multiple power centers that alone can handle the building, too lazy to check right now.

I wouldn't have enjoyed being in that room when all hell broke lose, but i would have liked to have seen the aftermath.