October 17, 2003

Collateral damage. As several friends and readers emailed us to observe, we were down for several hours yesterday evening, due (it eventually transpired) to a denial-of-service attack on a site hosted by Hosting Matters, the company that provides bandwidth and server space to our own host. I noticed plenty of other blogs turning up absent as I updated my RSS reader during this time; I suspect many of them were down for the same reason.

Here’s a graph of the DOS, and here’s Hosting Matters’ own announcement about the attack, if you’re curious about the details. [08:20 AM]

Welcome to Electrolite's comments section.
Hard-Hitting Moderator: Teresa Nielsen Hayden.

Comments on Collateral damage.:

Erik V. Olson ::: (view all by) ::: October 17, 2003, 09:30 AM:

The 64MB question -- who were they trying to silence?

I can't tell the scale of the attack -- it was large enough to saturate a T-3 connection, but how much larger, I can't tell.

I really wish we had a better answer to DDoS attacks.

Erik V. Olson ::: (view all by) ::: October 17, 2003, 09:32 AM:

Oops, read the text and the graph, Erik -- they clearly state they peaked at 150Mbps. That's a rather large attack.

Someone's annoyed somebody mightily.

Kevin J. Maroney ::: (view all by) ::: October 17, 2003, 09:45 AM:

Or just annoyed someone with a lot of bandwidth at his disposal.

Jon Meltzer ::: (view all by) ::: October 17, 2003, 10:33 AM:

>Who were they trying to silence

So, were any right-leaning blogs affected?

Anyone?

Esme ::: (view all by) ::: October 17, 2003, 10:41 AM:

>So, were any right-leaning blogs affected?

Instapundit is also hosted by Hosting Matters.

Al ::: (view all by) ::: October 17, 2003, 12:38 PM:

By all indications the attack was directed at the Internet Haganah. Aside from Instapundit there were countless blogs down; Hosting Matters and their resellers (Blogomania, etc.) are quite popular with webloggers, and a total of more than 3000 sites were affected.

Kevin Andrew Murphy ::: (view all by) ::: October 17, 2003, 01:05 PM:

Hmm. Well, it appears that Internet Haganah is in the game of taking down other people's websites, by their own admission:

>With close to three hundred terrorist-affiliated sites taken down and a vast amount of research about the use and abuse of the internet by the supports of Islamic extremism generally, you get a whole lot of bang for your buck with Internet Haganah.

What does it take to be branded "terrorist affiliated"? Simply not agreeing with them, and putting up a website like the continually up-and-down http://www.slider17.com/?

May the ghost of Patrick Henry take over their servers, and ditto with the people who launched this salvo.

Erik V. Olson ::: (view all by) ::: October 17, 2003, 02:06 PM:

>By all indications the attack was directed at the Internet Haganah.

Really? Let's look it up.

eriko ~ ->nslookup haganah.org.il

Non-authoritative answer:
Name: haganah.org.il
Address: 64.62.241.109

eriko ~ -> whois 64.62.241.109

OrgName: Hurricane Electric
OrgID: HURC
Address: 760 Mission Court
City: Fremont
StateProv: CA
PostalCode: 94539
Country: US

NetRange: 64.62.128.0 - 64.62.255.255
CIDR: 64.62.128.0/17

Traceroute shows upstream to be wcg.net, now WilTel.net.

Now, a known Hosting Matters site.

eriko ~ -> nslookup www.nielsenhayden.com

Non-authoritative answer:
Name: nielsenhayden.com
Address: 63.247.131.52
Aliases: www.nielsenhayden.com

eriko ~ -> whois 63.247.131.52
Hosting Matters HOSTI-NETBLK-1 (NET-63-247-128-0-1)
63.247.128.0 - 63.247.143.255
Hosting Matters HOSTI-NETBLK-1 (NET-63-247-128-0-2)
63.247.128.0 - 63.247.143.255

Traceroute shows HM's upstream to be AT&T. If they were trying to DDoS haganah.org.il, they missed by a full Class A and then some.

In other words, I don't buy it.

And it took me all of five minutes to find out that haganah.org.il was on a completely different subnet than hostingmatters.com. Furthermore, he.net, who owns that netblock, appears to be located in Fremont, California, with colos both there and in San Jose, CA. Hosting Matters has offices in Jacksonville, FL, and their servers are in New Jersey. So they missed by a class A and nearly 3000 miles.
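
The netblock comparison made in the comment above, as an added example that is not part of the original comment: it parses the quoted whois ranges into CIDR blocks and tests whether each address falls inside the other host's allocation. The function names are illustrative.

```python
import ipaddress
import re

# Whois excerpts as quoted in the comment above (two ARIN output layouts).
WHOIS_HE = """\
OrgName: Hurricane Electric
NetRange: 64.62.128.0 - 64.62.255.255
CIDR: 64.62.128.0/17
"""
WHOIS_HM = """\
Hosting Matters HOSTI-NETBLK-1 (NET-63-247-128-0-1)
63.247.128.0 - 63.247.143.255
"""

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(rf"({_IP})\s+-\s+({_IP})")


def netblocks(whois_text):
    """CIDR networks covering every 'first - last' range found in whois text."""
    nets = set()
    for first, last in RANGE_RE.findall(whois_text):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo <= hi:  # skip malformed ranges
            nets.update(ipaddress.summarize_address_range(lo, hi))
    return sorted(nets)


def in_block(addr, whois_text):
    """True if addr falls inside any range the whois record allocates."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in netblocks(whois_text))


def shared_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses have in common."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


if __name__ == "__main__":
    target, known_hm = "64.62.241.109", "63.247.131.52"
    print(netblocks(WHOIS_HE), netblocks(WHOIS_HM))
    print(in_block(target, WHOIS_HM), in_block(known_hm, WHOIS_HM))
    print(shared_prefix_len(target, known_hm))
```

A shared prefix shorter than 8 bits means the two addresses sit in different /8s, which is the "full Class A" gap the comment describes.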

Mitch Wagner ::: (view all by) ::: October 17, 2003, 05:51 PM:

My web site and blog are still down. Harrumph. Anybody know why that might be? Any relation to the DOS attack? I'm not getting a response out of Blogomania, which is the company that hosts my web site on Hosting Matters servers.

Erik V. Olson ::: (view all by) ::: October 17, 2003, 06:54 PM:

Hmm. Maybe your nameservers are hosed. Let's see...

Domain Name: MITCHWAGNER.COM
Registrar: TUCOWS, INC.
Whois Server: whois.opensrs.net
Referral URL: http://www.opensrs.org
Name Server: NS.HMDNS.NET
Name Server: NS2.HMDNS.NET
Status: REGISTRAR-HOLD
Updated Date: 16-oct-2003
Creation Date: 14-oct-2002
Expiration Date: 14-oct-2004

Or maybe you need to re-up the registration. Tucows almost always will "hold" the domain for a bit, which is why the expiration date is now 16-Oct-2004. Other reasons -- you've moved the domain to a new registrar, and they haven't gone live with it, or there's a dispute involved, so they're not deleting the record yet.

Since REGISTRAR-HOLD means you don't get into the zone file, it means there effectively is no mitchwagner.com.

mailbox: ~ -> nslookup

> server ns.hmdns.net
Default Server: ns.hmdns.net
Address: 216.118.72.3

> ls mitchwagner.com
[ns.hmdns.net]
$ORIGIN mitchwagner.com.
@ 15M IN A 63.247.131.196
blog 15M IN A 63.247.131.196
ftp 15M IN A 63.247.131.196
localhost 15M IN A 127.0.0.1

Hm. Your listed nameservers still have you though. However, 63.247.131.196 is morpheus.hmdnsgroup.com -- I'll bet this is where sleeping domains point.
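
The whois check walked through in the comment above, as an added example that is not part of the original comment: it parses the quoted record, flags a hold status that keeps the domain out of the zone, and notes when the hold was set just after the yearly renewal date. The renewal heuristic, the 7-day window and the three extra hold statuses are assumptions added here, not taken from the page.

```python
from datetime import date

# Whois record as quoted in the comment above.
WHOIS = """\
Domain Name: MITCHWAGNER.COM
Registrar: TUCOWS, INC.
Name Server: NS.HMDNS.NET
Name Server: NS2.HMDNS.NET
Status: REGISTRAR-HOLD
Updated Date: 16-oct-2003
Creation Date: 14-oct-2002
Expiration Date: 14-oct-2004
"""

# REGISTRAR-HOLD is the status on the page; the other three are added here
# as the registry-side and EPP-era hold statuses (not from the page).
HOLD = {"REGISTRAR-HOLD", "REGISTRY-HOLD", "CLIENTHOLD", "SERVERHOLD"}
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()


def parse_whois(text):
    """Map lower-cased field names to the list of values seen for each."""
    rec = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and val.strip():
            rec.setdefault(key.strip().lower(), []).append(val.strip())
    return rec


def parse_date(s):
    """Parse the dd-mon-yyyy form used in the record, independent of locale."""
    day, mon, year = s.lower().split("-")
    return date(int(year), MONTHS.index(mon) + 1, int(day))


def diagnose(text, window_days=7):
    """Flag hold statuses and, heuristically, a hold set just after a renewal date."""
    rec = parse_whois(text)
    held = [s for s in rec.get("status", []) if s.split()[0].upper() in HOLD]
    findings = ["not in zone: " + ", ".join(held)] if held else []
    created = parse_date(rec["creation date"][0])
    updated = parse_date(rec["updated date"][0])
    # Anniversary of creation in the year of the last update (Feb 29 -> Feb 28).
    day = 28 if (created.month, created.day) == (2, 29) else created.day
    gap = (updated - date(updated.year, created.month, day)).days
    if held and 0 <= gap <= window_days:
        findings.append(f"hold set {gap} days after renewal anniversary")
    return findings
```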

Mitch Wagner ::: (view all by) ::: October 17, 2003, 07:18 PM:

Thanks Erik. I tracked down the problem -- turned out my registration was expired. Re-upped now and I'm told I can expect my domain to return to life within 24 hours.

Reasons for my confusion:

* Because this happened about the same time as the DOS attack, I thought the problem was caused by the attack. As far as I can tell, this was just a coincidence.

* I thought blogomania, my hosting company, was going to renew the registration for me. As a matter of fact, I thought that they handled the registration initially, although now that I think of it: maybe not.

* I don't remember receiving a notice that the domain was expiring. Or actually I do kind of vaguely remember receiving it, but I assumed it was more of that junk mail that Network Solutions sends out when in fact your domain is NOT in any immediate danger of expiring. Big letters: YOUR DOMAIN WILL EXPIRE SOON!!!!! Fine print says: Domain expiration date:

* NetSol did not list me as the owner of the domain, but DID list the domain as expiring in 2004.

* Or it could just be that I am a blithering simpleton.

Andy ::: (view all by) ::: October 18, 2003, 03:58 PM:

Little Green Footballs also was caught up in the DOS which made me laugh because those wacky LGF commentors used to stage their own DOS attacks against sites they didn't care for like IndyMedia.