From November 9 to November 19 two of our domains were unter attack by cyber-criminals. Due to a Distributed Denial-of-Service attack (DDoS) involving thousands of remote controlled zombie computers directed from a secret control centre, some of our sites were inaccessible for several days.
First we received an automated warning email from our webhost, which gets triggered if a certain amount of traffic per hour is exceeeded. I started blocking IP addresses of hosts with an excessive number of connections using iptables in Linux, but could not keep up: The server became unreachable. I was left with no choice but to pull the emergency brake, i.e. to replace the IP address of the server with a non-routable IP address such as 127.0.0.1 (loopback address).
I then moved the affected website to a backup server and reenabled it there. The new server was running a later Linux kernel than the old one. If you get DOSed, make sure you have Linux kernel 2.6, which is more suitable for reconfiguration to make it more resilient against such attacks.
After a number of days, other hosts names on our server that had not been disabled were also added to the list of attack targets.
As a result of the tweaks on the new server the sites stayed up most of the time, but the bandwidth usage was tremendous. During one hour the attacking bots generated more than 31 GB of traffic. On that peek day the traffic on that server came to 152 GB, even though we added over 4000 different IP addresses of attacking hosts to the blocklist.
Clearly, anyone who doesn’t have an unlimited traffic allowance for his hosting account would be in trouble with such huge numbers, even if the machine and operating system were able to keep up. Once they exhaust their monthly allowance they would either have to start paying for extra Gigabytes or the server gets disconnected, or the network speed gets throttled down, which would make the site virtually unreachable.
After 10 days the attacks started winding down. By that time we knew where the control center of the botnet was located. It was hosted by a company called AbdAllah Internet Hizmetleri in Turkey. Its upstream provider is TurkTelekom. The IP address range used by the hoster is listed by anti-spam site SpamHaus.org as being used for “Ukrainian/Russian cybercriminal hosting”.
During or shortly after the attacks against our servers, the same botnet also attacked the following sites:
This target list ranges from an anti-spam website (ours) over an evangelical church site to sites related to adult videos.
Distributed denial of service attacks are a mortal danger for any website. There are few effective countremeasures, except load sharing with many fast servers connected via fat data pipes, but even that is no match for some of the largest botnets such Storm. Attacks are used to intimidate, to silence or to extort “protection money”. Victims have little hope of getting effective help from law enforcement.
What needs to happen? First of all, the number of infected computers needs to decrease. Unsecured broadband hosts that come under criminal control are a public menace. Webhosts need to take effective action against botnet control centres. Unlike the actual bots, which are mostly running Windows XP, most of the botnet control centres run on Linux servers in data centres. Hosters must not turn a blind eye to this. If they do that because of money from criminals then their upstream providers must disconnect them.