Email string between Matt Heaton (Bluehost CEO) and me on the DDoS. Not a lot of info, but here it is (start at the bottom):
It was directed at one specific IP, not a domain name. The IP was a shared IP with over 800 domains on it, so it was not possible for us to just block the incoming traffic to that IP.
Thanks,
Matt Heaton / Bluehost.com
On Oct 5, 2006, at 11:53 AM, Michael R. Farnum wrote:
Matt,
Thanks for the reply. Did the attack appear to be directed at a certain site that you host? Was it directed at a certain IP or an IP range? I understand if you can’t divulge information, but I want to gather as much info as possible.
Thanks,
Michael
From: Matt Heaton [mailto:matt@bluehost.com]
Sent: Thursday, October 05, 2006 11:57 AM
To: m1a1vet@infosecplace.com
Subject: Re: Recent DDoS on Bluehost
There isn’t really much to know. We mitigated most of the attack; even though it looked horrible from many customers’ side, we had blocked upwards of 80% of it. The entire attack was a total of more than 8000 IPs, all originating in Asian countries, with Japan and Taiwan being the majority of the attack. It was sending more than 800,000 packets every 5 minutes and consuming more than 350 Mbit of bandwidth. It was a HUGE attack. I hope this helps.
Thanks,
Matt Heaton / Bluehost.com
On Oct 5, 2006, at 6:02 AM, Michael R. Farnum wrote:
Matt,
I couldn’t get to my website (infosecplace.com – hosted at Bluehost) because of the DDoS on one of your servers yesterday. My website is a blog dedicated to Information Security, and I would love to write about this incident. Is there any way you would be willing to share some non-confidential information on the incident so I could have kind of an “exclusive”
Not sure how this squares with this email from Bluehost support:
We are currently experiencing a DOS attack on this server, and so we have blocked a portion of the internet from being able to access the server. If you are in one of the IP octets that were blocked then you will not be able to access the server because our router is blocking you. Once the DOS attack stops you will be able to continue accessing your site.
Obviously I am not working from Asia, so I don’t know why I would have been blocked. So I think that explanation was bogus at best and just meant to keep people off their backs. So my site was definitely down to more than just me. But that’s what support lines do, right? Obviously, they didn’t know they were dealing with a man of superior intellect and a keen sense of information security!!! Right….
Vet

Michael,
I use BH too. I didn’t notice if my site went down or not, but I don’t remember if I even checked yesterday or not? lol
Maybe they threw an ACL on just blocking a block of their own IPs to everyone? Who knows.
They should look into Arbor Peakflow or Cisco Anomaly Guard / Traffic Anomaly Detector, or enforce rate limiting/policing on their routers... maybe even blackhole filtering, but they’re probably too small for that stuff.
I don’t believe any DDoS mitigation actually works 100%, but we use Arbor and Cisco Traffic Anomaly Guard... they are great pieces of gear, and they do the job if needed. Not 100%, but they’re pretty good.
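As an added illustration (this is not from the post, the comment above, or Bluehost), here is what the three router-side responses discussed in this thread look like in Cisco IOS syntax: a source-range ACL like the one the support email describes, traffic policing toward the target, and a static null route. Every address is an RFC 5737 documentation range I picked for the example (198.51.100.10 stands in for the shared hosting IP, 203.0.113.0/24 and 192.0.2.0/24 for attacking source ranges); the interface, ACL and policy-map names and the 50 Mbit/s policing rate are placeholders I chose, and the exact `police` syntax varies between IOS versions and platforms.

```text
! Added example: three router-side DDoS responses in Cisco IOS syntax.
! Addresses are RFC 5737 documentation ranges chosen for illustration;
! names, interface and the policing rate are placeholders (assumptions),
! not anything from Bluehost's actual configuration.

! 1. Source-based ACL (what the support email describes): drop everything
!    arriving from whole source ranges at the edge. Cheap and effective
!    against the attack, but every legitimate visitor whose address falls
!    inside those ranges is cut off too, which is the side effect the
!    post's author ran into.
ip access-list extended DDOS-SRC-BLOCK
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group DDOS-SRC-BLOCK in

! 2. Rate limiting / policing (the commenter's suggestion): keep the
!    target reachable but cap traffic destined to it, so the link and the
!    other customers on the router survive even if the one IP degrades.
ip access-list extended TO-SHARED-IP
 permit ip any host 198.51.100.10
!
class-map match-all SHARED-IP-TRAFFIC
 match access-group name TO-SHARED-IP
!
policy-map POLICE-SHARED-IP
 class SHARED-IP-TRAFFIC
  police 50000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 service-policy input POLICE-SHARED-IP

! 3. Destination blackhole (simplest form of blackhole filtering): a static
!    route to Null0 discards all traffic to the target IP. When that IP is
!    shared by hundreds of sites this finishes the attacker's job for all of
!    them, which is the reason given in the thread for not blocking the IP.
ip route 198.51.100.10 255.255.255.255 Null0
```

The trade-off the thread circles around is visible in the three fragments: option 3 protects the network at the cost of every domain on the shared IP, option 1 protects the IP at the cost of legitimate users in the blocked ranges, and option 2 keeps both reachable but only partially, since attack and legitimate packets to the target share the same cap. A remotely triggered blackhole (announcing the target /32 via BGP with a community that upstream routers map to a null route) is the larger-scale version of option 3 and needs upstream cooperation, which is presumably what the commenter means by a small host being "too small for that stuff".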