October 17, 2003
Here’s a graph of the DOS, and here’s Hosting Matters’ own announcement about the attack, if you’re curious about the details. [08:20 AM]
The 64MB question -- who were they trying to silence?
I can't tell the scale of the attack -- it was large enough to saturate a T-3 connection, but how much larger, I can't tell.
I really wish we had a better answer to DDoS attacks.
Oops, read the text and the graph, Erik -- they clearly state they peaked at 150Mbps. That's a rather large attack.
Someone's annoyed somebody mightily.
Or just annoyed someone with a lot of bandwidth at his disposal.
>Who were they trying to silence
So, were any right-leaning blogs affected?
Anyone?
>So, were any right-leaning blogs affected?
Instapundit is also hosted by Hosting Matters.
By all indications the attack was directed at the Internet Haganah. Aside from Instapundit there were countless blogs down, Hosting Matters and their resellers (Blogomania, etc.) are quite popular with webloggers and a total of more than 3000 sites were affected.
Hmm. Well, it appears that Internet Haganah is in the game of taking down other people's websites, by their own admission:
With close to three hundred terrorist-affiliated sites taken down and a vast amount of research about the use and abuse of the internet by the supports of Islamic extremism generally, you get a whole lot of bang for your buck with Internet Haganah.
What does it take to be branded "terrorist affiliated"? Simply not agreeing with them, and putting up a website like the continually up-and-down http://www.slider17.com/?
May the ghost of Patrick Henry take over their servers, and ditto with the people who launched this salvo.
By all indications the attack was directed at the Internet Haganah.
Really? Let's look it up.
eriko ~ -> nslookup haganah.org.il
Non-authoritative answer:
Name: haganah.org.il
Address: 64.62.241.109
eriko ~ -> whois 64.62.241.109
OrgName: Hurricane Electric
OrgID: HURC
Address: 760 Mission Court
City: Fremont
StateProv: CA
PostalCode: 94539
Country: US
NetRange: 64.62.128.0 - 64.62.255.255
CIDR: 64.62.128.0/17
Traceroute shows upstream to be wcg.net, now WilTel.net.
Now, a known Hosting Matters site.
eriko ~ -> nslookup www.nielsenhayden.com
Non-authoritative answer:
Name: nielsenhayden.com
Address: 63.247.131.52
Aliases: www.nielsenhayden.com
eriko ~ -> whois 63.247.131.52
Hosting Matters HOSTI-NETBLK-1 (NET-63-247-128-0-1)
63.247.128.0 - 63.247.143.255
Hosting Matters HOSTI-NETBLK-1 (NET-63-247-128-0-2)
63.247.128.0 - 63.247.143.255
Traceroute shows HM's upstream to be AT&T. If they were trying to DDoS haganah.org.il, they missed by a full Class A and then some.
In other words, I don't buy it.
And it took me all of five minutes to find out that haganah.org.il was on a completely different subnet than hostingmatters.com. Furthermore, he.net, who owns that netblock, appears to be located in Fremont, California, with colos both there and in San Jose, CA. Hosting Matters has offices in Jacksonville, FL, and their servers are in New Jersey. So they missed by a class A and nearly 3000 miles.
My web site and blog are still down. Harrumph. Anybody know why that might be? Any relation to the DOS attack? I'm not getting a response out of Blogomania, which is the company that hosts my web site on Hosting Matters servers.
Hmm. Maybe your nameservers are hosed. Let's see...
Domain Name: MITCHWAGNER.COM
Registrar: TUCOWS, INC.
Whois Server: whois.opensrs.net
Referral URL: http://www.opensrs.org
Name Server: NS.HMDNS.NET
Name Server: NS2.HMDNS.NET
Status: REGISTRAR-HOLD
Updated Date: 16-oct-2003
Creation Date: 14-oct-2002
Expiration Date: 14-oct-2004
Or maybe you need to reup the registration. Tucows almost always will "hold" the domain for a bit, which is why the expiration date is now 16-Oct-2004. Other reasons -- you've moved the domain to a new registrar, and they haven't gone live with it, or there's a dispute involved, so they're not deleting the record yet.
Since REGISTRAR-HOLD means you don't get into the zone file, it means there effectively is no mitchwagner.com
mailbox: ~ -> nslookup
> server ns.hmdns.net
Default Server: ns.hmdns.net
Address: 216.118.72.3
> ls mitchwagner.com
[ns.hmdns.net]
$ORIGIN mitchwagner.com.
@ 15M IN A 63.247.131.196
blog 15M IN A 63.247.131.196
ftp 15M IN A 63.247.131.196
localhost 15M IN A 127.0.0.1
Hm. Your listed nameservers still have you though. However, 63.247.131.196 is morpheus.hmdnsgroup.com -- I'll bet this is where sleeping domains point.
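Added example, not part of any commenter's post: a Python sketch of the triage worked through above, checking the whois status for a hold before blaming the attack, then checking whether the site's address sits in the Hosting Matters range quoted earlier. The function names and the EPP status names (clientHold, serverHold) are assumptions added here; the sample record is constructed from the whois fields shown in the thread.

```python
import ipaddress

# Statuses that keep a domain out of the registry zone file. REGISTRAR-HOLD is
# the legacy label shown in the thread; the EPP names are the later equivalents
# (assumption added for this example).
HOLD_STATUSES = {"REGISTRAR-HOLD", "REGISTRY-HOLD", "CLIENTHOLD", "SERVERHOLD"}

# Hosting Matters range exactly as printed in the whois output in the thread.
HM_FIRST, HM_LAST = "63.247.128.0", "63.247.143.255"

# Constructed sample: the whois fields quoted in the thread for mitchwagner.com.
SAMPLE_WHOIS = """\
Domain Name: MITCHWAGNER.COM
Registrar: TUCOWS, INC.
Name Server: NS.HMDNS.NET
Name Server: NS2.HMDNS.NET
Status: REGISTRAR-HOLD
Updated Date: 16-oct-2003
Expiration Date: 14-oct-2004
"""

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def in_range(addr, first, last):
    """True if addr falls inside the inclusive first-last whois NetRange."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return any(ipaddress.ip_address(addr) in net for net in nets)

def triage(whois_text, a_record):
    """Verdict for 'my site went down while my host was under attack'."""
    record = parse_whois(whois_text)
    held = [s for s in record.get("status", [])
            if s.split()[0].upper() in HOLD_STATUSES]
    if held:
        return "registration: %s keeps the domain out of the zone" % held[0]
    if in_range(a_record, HM_FIRST, HM_LAST):
        return "hosted in attacked netblock: outage may be attack-related"
    return "different netblock: look elsewhere"
```

The hold check runs first on purpose: a held domain fails to resolve whether or not its old A record still points into the affected range.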
Thanks Erik. I tracked down the problem -- turned out my registration was expired. Re-upped now and I'm told I can expect my domain to return to life within 24 hours.
Reasons for my confusion:
* Because this happened about the same time as the DOS attack, I thought the problem was caused by the attack. As far as I can tell, this was just a coincidence.
* I thought blogomania, my hosting company, was going to renew the registration for me. As a matter of fact, I thought that they handled the registration initially, although now that I think of it: maybe not.
* I don't remember receiving a notice that the domain was expiring. Or actually I do kind of vaguely remember receiving it, but I assumed it was more of that junk mail that Network Solutions sends out when in fact your domain is NOT in any immediate danger of expiring. Big letters: YOUR DOMAIN WILL EXPIRE SOON!!!!! Fine print says: Domain expiration date:
* NetSol did not list me as the owner of the domain, but DID list the domain as expiring in 2004.
* Or it could just be that I am a blithering simpleton.
Little Green Footballs also was caught up in the DOS, which made me laugh because those wacky LGF commenters used to stage their own DOS attacks against sites they didn't care for, like IndyMedia.
Hard-Hitting Moderator: Teresa Nielsen Hayden.
Comments on Collateral damage.: