Archive for October 5th, 2006

Some more info on the bluehost.com DDoS

October 5th, 2006 Michael Farnum

Email string between Matt Heaton (Bluehost CEO) and me on the DDoS.  Not a lot of info, but here it is (start at the bottom):

It was directed at one specific IP, not a domain name.  The IP was a shared IP with over 800 domains on it so it was not possible for us to just block the incoming traffic to that IP.

Thanks,

Matt Heaton / Bluehost.com

On Oct 5, 2006, at 11:53 AM, Michael R. Farnum wrote:

Matt,

Thanks for the reply.  Did the attack appear to be directed at a certain site that you host?  Was it directed at a certain IP or an IP range?  I understand if you can’t divulge information, but I want to gather as much info as possible.

Thanks,

Michael


From: Matt Heaton [mailto:matt@bluehost.com]
Sent: Thursday, October 05, 2006 11:57 AM
To: m1a1vet@infosecplace.com
Subject: Re: Recent DDos on Bluehost

There isn’t really much to know.  We mitigated most of the attack; even though it looked horrible from many customers’ side, we had blocked upwards of 80% of it.  The entire attack was a total of more than 8000 IPs, all originating in Asian countries, with Japan and Taiwan being the majority of the attack.  It was sending more than 800,000 packets every 5 minutes and consuming more than 350 Mbit of bandwidth.  It was a HUGE attack.  I hope this helps.

Thanks,

Matt Heaton / Bluehost.com

On Oct 5, 2006, at 6:02 AM, Michael R. Farnum wrote:

Matt,

I couldn’t get to my website (infosecplace.com – hosted at Bluehost) because of the DDoS on one of your servers yesterday.  My website is a blog dedicated to Information Security, and I would love to write about this incident.  Is there any way you would be willing to share some non-confidential information on the incident so I could have kind of an “exclusive”?

Not sure how this squares with this email from Bluehost support:

We are currently experiencing a DOS attack on this server, and so we have blocked a portion of the internet from being able to access the server. If you are in one of the IP octets that were blocked then you will not be able to access the server because our router is blocking you. Once the DOS attack stops you will be able to continue accessing your site.

Obviously I am not working from Asia, so I don’t know why I would have been blocked.  So I think that explanation was bogus at best and just meant to keep people off their backs.  So my site was definitely down to more than just me.  But that’s what support lines do, right?  Obviously, they didn’t know they were dealing with a man of superior intellect and a keen sense of information security!!!  Right….
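The two explanations above describe the same trade-off from different ends: the CEO says the target was one shared IP with 800 domains behind it (so the destination could not simply be null-routed), and support says whole source ranges ("IP octets") were dropped at the router, which is why customers nowhere near the attack sources lost access. The following is an added example, not code from the post or from Bluehost, that models that trade-off on constructed data: it compares coarse first-octet (/8) blocking against an exact per-source blocklist and reports how much attack traffic each stops and which legitimate clients each one cuts off as collateral. All addresses are drawn from the RFC 5737 documentation ranges and the threshold value is an assumption chosen for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample data (RFC 5737 documentation ranges, not real attack sources).
# A few dozen addresses stand in for the ~8000 sources the post mentions.
ATTACK_SOURCES = (
    [f"203.0.113.{i}" for i in range(1, 41)]    # 40 sources in one /24
    + [f"198.51.100.{i}" for i in range(1, 21)]  # 20 sources in another /24
    + ["192.0.2.77"]                             # a single stray source
)

# Constructed legitimate visitors; two of them happen to share a first octet
# with the attack sources, which is exactly the situation the post's author was in.
LEGIT_CLIENTS = ["192.0.2.10", "192.0.2.11", "203.0.113.250", "198.51.100.250"]


def block_by_first_octet(attack_sources, threshold):
    """Coarse mitigation: drop every /8 that contributes at least `threshold`
    attack sources.  This is the 'IP octet' blocking the support email describes."""
    counts = Counter(ip.split(".")[0] for ip in attack_sources)
    return {
        ipaddress.ip_network(f"{octet}.0.0.0/8")
        for octet, n in counts.items()
        if n >= threshold
    }


def block_exact(attack_sources):
    """Precise mitigation: one /32 rule per observed attack source.
    Maximal precision, but the rule count grows with the number of sources."""
    return {ipaddress.ip_network(f"{ip}/32") for ip in attack_sources}


def evaluate(blocklist, attack_sources, legit_clients):
    """Score a blocklist: how many attack sources it stops, which legitimate
    clients it blocks as collateral, and how many router rules it needs."""

    def is_blocked(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in blocklist)

    attack_blocked = sum(1 for ip in attack_sources if is_blocked(ip))
    collateral = [ip for ip in legit_clients if is_blocked(ip)]
    return {
        "rules": len(blocklist),
        "attack_blocked": attack_blocked,
        "attack_blocked_pct": round(100.0 * attack_blocked / len(attack_sources), 1),
        "collateral": collateral,
    }


def compare(attack_sources=ATTACK_SOURCES, legit_clients=LEGIT_CLIENTS, threshold=10):
    """Run both policies over the same traffic and return their scores side by side."""
    return {
        "first_octet": evaluate(block_by_first_octet(attack_sources, threshold),
                                attack_sources, legit_clients),
        "exact": evaluate(block_exact(attack_sources), attack_sources, legit_clients),
    }


if __name__ == "__main__":
    for policy, score in compare().items():
        print(f"{policy:12s} rules={score['rules']:3d} "
              f"attack blocked={score['attack_blocked_pct']:5.1f}% "
              f"collateral={score['collateral']}")
```

On the constructed data the /8 policy needs only two router rules and still stops 60 of the 61 sources, but it also cuts off both legitimate clients that share a first octet with the attackers; the exact policy blocks everything with no collateral at the cost of 61 rules, and at the scale in the post that count would be in the thousands. That is the lever a hosting provider is pulling when it chooses to block "IP octets", and it is why a customer far from the attack can still find the site unreachable.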

Vet

Categories: Security

Why aren’t NAC vendors buying patch management companies?

October 5th, 2006 Michael Farnum

So McAfee is buying Citadel.  These guys have got the right idea.  If McAfee can integrate this into their NAC solution to a point where the desktop has automatic patching when it is sent to a remediation zone, then I will recommend McAfee to everyone.

Furthermore, I still cannot understand why in the world other NAC providers don’t buy a Citadel and integrate it into their NAC solution.  I asked for this CONSTANTLY when I was in security operations, and no one had it.  I cannot be the only guy asking for this. 

Vet

Categories: Security

Bluehost.com was DDoS’ed yesterday

October 5th, 2006 Michael Farnum

It looks like at least one server at bluehost.com was DDoS’ed yesterday.  Bluehost.com hosts my website, so I was unable to reach my site for most of the day.  They said that the site was up, but they had to block large segments of the Internet from which the attack was coming, so I guess I was on one of those segments.  If you couldn’t get to infosecplace.com yesterday, then you were also on one of those segments.

I am trying to get some details about the attack and will let you know if I get any details.

Vet

Categories: DDos, Security