Over the July 4th weekend, cyber-terrorists launched a broad and ambitious attack on military and government sites in Asia, Europe and the U.S. ... and on MyNewPlace.com. We assume that we were lower on their target list than the CIA and South Korea, but who knows?
The New York Times reports that the South Korean government stated that “an army of thousands of ‘zombie computers’ infected by the hackers’ program were ordered to request access to Web sites simultaneously, causing an overload that caused the sites’ servers to crash.”
Web ops folks refer to these as distributed denial of service attacks (DDOS). They attempt to overload a site’s servers and bring it to a screeching halt. A DDOS is difficult to track because the server requests are sent from a variety of IP addresses. In the graph below the eightfold spike in requests on one of our servers is evident:
When a single bot or crawler tries to disrupt a site’s operations, it’s relatively easy to identify it and deny it access. However, when these requests are sent from hundreds or thousands of sources, as is the case with a DDOS, it becomes more difficult to distinguish a sudden surge in Americans looking for apartments for rent from a malicious attack.
Fortunately, our IT team, headed by John Shin, is ever-vigilant and never offline. Once they determined that a broad number of IP addresses were sending automated requests with malicious intent, they used an IP locator to determine from where in the world these requests were sent. As it turns out, the IP addresses were from Iran, China, Chile, Germany and The Netherlands. Since whoever launched the DDOS had been able to hijack IP addresses from ISPs around the world, we contacted the administrators of the ISPs responsible for the most suspicious IP addresses (highest and fastest request volumes) to investigate further.
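As an added illustration of the triage step described above (ranking sources by request volume and request rate before deciding which ISPs to contact), and not code from MyNewPlace's IT team: a Python script that parses Common Log Format access-log lines and flags IPs that are both far above the median per-IP request count and bursting at many requests per second. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Added example, not MyNewPlace's tooling; log lines and thresholds are constructed.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp) for a Common Log Format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TIME_FMT)

def rank_sources(lines, volume_factor=10, min_rate=5):
    """Flag IPs whose count exceeds volume_factor x the median per-IP count
    AND whose peak one-second rate is >= min_rate; a busy but human visitor
    fails the rate test. Returns (ip, count, peak) sorted by count, descending."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            per_ip[ip].append(ts)
    if not per_ip:
        return []
    med = median(len(v) for v in per_ip.values())
    flagged = []
    for ip, stamps in per_ip.items():
        per_second = defaultdict(int)  # requests bucketed by wall-clock second
        for ts in stamps:
            per_second[ts.replace(microsecond=0)] += 1
        peak = max(per_second.values())
        if len(stamps) > volume_factor * med and peak >= min_rate:
            flagged.append((ip, len(stamps), peak))
    return sorted(flagged, key=lambda t: (-t[1], -t[2]))

# Constructed sample: one source hammering one URL 60 times in a second, three normal visitors.
SAMPLE_LOG = (
    ['203.0.113.7 - - [04/Jul/2009:10:00:00 -0700] "GET /apartments HTTP/1.1" 200 512'] * 60
    + ['198.51.100.2 - - [04/Jul/2009:10:00:01 -0700] "GET / HTTP/1.1" 200 1024']
    + ['198.51.100.3 - - [04/Jul/2009:10:00:02 -0700] "GET /search HTTP/1.1" 200 2048'] * 3
    + ['198.51.100.4 - - [04/Jul/2009:10:00:05 -0700] "GET /rent HTTP/1.1" 200 777'] * 2
)

if __name__ == "__main__":
    for ip, count, peak in rank_sources(SAMPLE_LOG):
        print(f"{ip}: {count} requests, peak {peak}/s")
```

Against a real log, feed the lines in and hand the top-ranked IPs to the IP locator and abuse contacts; the median-based threshold means a site-wide surge of legitimate visitors raises the bar rather than flagging everyone.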
One ISP they contacted, Krypt, was very helpful in our investigation (thanks Krypt!). They were able to determine that the IP addresses all belonged to one customer and were able to shut them down. We, of course, also blocked those IP addresses on our end.
These types of attacks are every NetOps admin's worst nightmare, and are impossible to fully defend against or proactively prevent... and you don't have to be the CIA or the New York Stock Exchange to be targeted. The best defense is a seasoned and fully caffeinated Ops team. Was your site attacked as well? How did you respond?