The Glade 4.0

"Turn the lights down, the party just got wilder."
PostPosted: Sun Apr 08, 2012 7:31 pm 

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
So Westeros.org (a fan site for the "A Song of Ice and Fire" book series, and the HBO TV series based on the books, "Game of Thrones") was apparently brought to its knees by msnbot spiders that Microsoft's search engine uses to crawl the web for data to use in its Bing searches.

I'd not heard of the issue, so I read up on it some, and apparently the msnbot spiders are so poorly coded that they often ignore the robots.txt file that web servers have to guide the bots and indicate which parts of the site to index and which parts to ignore. Not only that, they repeatedly query files that do not, and never have, existed on the server. The Westeros.org server was apparently being hammered by 200 http requests every second by the bots.

Essentially Westeros.org was the victim of a DDoS attack, initiated by Microsoft, and they aren't the first victims.


PostPosted: Sun Apr 08, 2012 8:21 pm 

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Unless there's some fairly heavy db lookups going along with the qps, and maybe some data manipulation, a couple hundred qps shouldn't be all that straining on a modern system. Looks like they were running apache 2.2.3 on a Red Hat system, now they're running nginx.

Also, if it was all MSN-related, that's not a DDoS. It's just a DoS.



PostPosted: Sun Apr 08, 2012 9:32 pm 

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
Well, it depends on how you define it. It is multiple systems, different sources, using multiple bots to attack a system. True, all the systems are owned by MS, but I don't think that precludes it from being a DDoS.

Regarding 200 qps not being that much, it depends. For a commercial server it would be nothing. Amazon likely has hundreds of servers that can handle 100k requests per second without sweating. But for a fan forum (any idea how many requests per second gladerebooted could handle?) It was likely running near capacity already with the GoT series starting up again, and this was enough to push it over the edge.


PostPosted: Sun Apr 08, 2012 10:29 pm 

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Yeah, it pretty much does. When you can filter a single /14 and take care of your problem, that's not distributed.

Commodity hardware should be able to handle 200 qps. I'm not sure how you think Amazon is set up, but it is probably far different than you are imagining. You hit their anycast load balancers first. Any single Amazon httpd server isn't getting swamped with 100k queries per second, they're probably not even breaking 100 queries per second. But that has more to do with the fact that they're serving up pages that need to perform multiple sql pulls, not just slinging it out of ram.



PostPosted: Sun Apr 08, 2012 10:52 pm 

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
Just poor phrasing on my part. I didn't mean to imply that any single server was getting 100k queries per second; I meant collectively (and that is just a wild guess...no idea what their actual capacity is).

And I don't think the fact that it is easier to filter out the attacks than your typical DDoS attacks changes the distributed part of DDoS in this type of attack.


PostPosted: Mon Apr 09, 2012 9:25 am 

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Give me about a week to collect data, and I can ballpark it.

Yes, that's the whole point of D'ing a DoS attack, to provide additional resiliency in the face of attempted mitigation.



PostPosted: Mon Apr 09, 2012 11:09 am 
Manchurian Mod

Joined: Fri Sep 04, 2009 9:40 am
Posts: 5866
Are you saying that each letter in the acronym has a distinct meaning?

_________________
Buckle your pants or they might fall down.


PostPosted: Mon Apr 09, 2012 11:14 am 

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Corolinth wrote:
Are you saying that each letter in the acronym has a distinct meaning?

That's just crazy talk. By that token, one would think that there was Intelligence in the CIA, or that the FBI did some Investigating instead of swooping in with assumptions...

Or that the IRS was a Service to the people or something...

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


PostPosted: Mon Apr 09, 2012 3:02 pm 

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
shuyung wrote:
Yes, that's the whole point of D'ing a DoS attack, to provide additional resiliency in the face of attempted mitigation.


Which this does. It is only moderately more difficult to block such an attack, but that is mainly because it is unintentional. Essentially your argument seems to be that because it isn't a very good DDoS attack, it isn't a DDoS attack.


PostPosted: Mon Apr 09, 2012 4:14 pm 

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Again, no it doesn't. Let me demonstrate.
Code:
ipv4 access-list BLOCK-MSN
 10 remark Retarded MSN spiders
 20 deny tcp 65.52.0.0 0.3.255.255 <target netblock> <wildcard mask> eq www
 30 remark Permit the rest
 40 permit ipv4 any any

Contrast this against the filter necessary to mitigate an attack whose sources are spread amongst 2k non-aggregatable netblocks, and you can see the difference.

My argument isn't that it isn't a DDoS because it wasn't very good, it's that it's not a DDoS because it's not a distributed DoS. While the number of sources, whatever that number may have been (bingbot has hit my server from 5 unique sources in the past 9 days, by way of comparison) could be considered distributed in certain circumstances, in this one, it's not.



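As an added example (not code from this thread, from Westeros.org, or from any of the posters), the following Python script works over a constructed Apache/nginx combined-format log and shows both sides of the discussion above: it flags the crawler behaviour the opening post describes (request rate and the share of requests for paths that do not exist), then computes the smallest prefix covering the crawler's source hosts and its Cisco-style wildcard mask, which is exactly the aggregation the access-list above relies on. The log lines, IP addresses and user-agent strings are constructed samples; the `<target netblock> <wildcard mask>` placeholders are kept from the access-list as written.

```python
import ipaddress
import re
from datetime import datetime

# Apache/nginx "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample (not Westeros.org's logs): a crawler from several hosts in
# one netblock repeatedly asking for paths that do not exist, plus one ordinary visitor.
SAMPLE_LOG = """\
65.52.108.10 - - [08/Apr/2012:19:31:00 -0600] "GET /nonexistent/page-1.html HTTP/1.1" 404 512 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
65.52.110.22 - - [08/Apr/2012:19:31:00 -0600] "GET /nonexistent/page-2.html HTTP/1.1" 404 512 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
65.55.3.7 - - [08/Apr/2012:19:31:00 -0600] "GET /forum/index.php HTTP/1.1" 200 8192 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
65.54.200.1 - - [08/Apr/2012:19:31:01 -0600] "GET /nonexistent/page-3.html HTTP/1.1" 404 512 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
10.0.0.5 - - [08/Apr/2012:19:31:01 -0600] "GET /forum/viewtopic.php?t=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def crawler_stats(log_text, ua_substring):
    """Request rate, share of 404s and source hosts for one user-agent family."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r and ua_substring in r["ua"]]
    if not hits:
        return None
    span = (max(r["ts"] for r in hits) - min(r["ts"] for r in hits)).total_seconds()
    return {
        "requests": len(hits),
        "rate_per_sec": len(hits) / (span + 1),  # +1: timestamps have 1 s resolution
        "not_found_share": sum(r["status"] == 404 for r in hits) / len(hits),
        "sources": sorted({r["ip"] for r in hits}),
    }


def covering_prefix(ips):
    """Smallest single IPv4 CIDR block that contains every address in ips."""
    ints = [int(ipaddress.IPv4Address(ip)) for ip in ips]
    lo, hi = min(ints), max(ints)
    prefix = 32 - (lo ^ hi).bit_length()  # leading bits shared by all addresses
    return ipaddress.IPv4Network((lo, prefix), strict=False)


def wildcard_mask(net):
    """Cisco-style inverse mask: 1 bits mark the 'don't care' host part."""
    return str(net.hostmask)


def acl_deny_line(net, seq=20):
    """Render a deny entry in the shape of the access-list quoted in the thread;
    <target netblock> <wildcard mask> are the thread's own placeholders, left as-is."""
    return (f" {seq} deny tcp {net.network_address} {wildcard_mask(net)} "
            "<target netblock> <wildcard mask> eq www")


if __name__ == "__main__":
    stats = crawler_stats(SAMPLE_LOG, "msnbot")
    net = covering_prefix(stats["sources"])
    print(stats)
    print(f"all crawler sources fall inside {net} ({net.num_addresses} addresses)")
    print(acl_deny_line(net))
```

On the sample the four crawler hosts collapse into 65.52.0.0/14 (wildcard 0.3.255.255), one access-list entry; sources spread over many unrelated netblocks would instead need one entry each.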
PostPosted: Mon Apr 09, 2012 4:38 pm 

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
So, wait. It's not distributed because you only had to block out 262k host addresses to block the actions of a few hundred bots, max?

I'm comfortable with allowing that there is a spectrum of efficiency and efficacy to DDoS attacks, and with that allowance, conceding that any DoS coming from more than one source can be said to be distributed.

Certainly, though, arbitrarily assigning an "aggregatable" netblock isn't indicative of a DoS attack not being distributed. I can slap a 0.0.0.0 255.255.255.255 firewall rule down and stop any DDoS attack cold, but that doesn't mean it's an acceptable or practical defense.

So, I suppose, one way to approach this conversation is to ask, just how broad does the subnet (or rather, wildcard, I suppose) mask have to be in your firewall rule to qualify an attack as "distributed?"



PostPosted: Mon Apr 09, 2012 5:27 pm 
God of the IRC

Joined: Wed Sep 02, 2009 7:35 pm
Posts: 3041
Location: The United States of DESU
I think if you can interpret the MSN bots' actions to be a DOS (it's not really an attack as there was no intent to deny service), then it should be fine to interpret a DOS from multiple hosts within a single subnet to be distributed.

On a tangential note, we were "attacked" by some poorly coded webcrawler sometime late last year, which repeatedly tried to index some nonexistent webpage on the board. I don't think it was multiple hosts though.



PostPosted: Mon Apr 09, 2012 8:38 pm 

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
shuyung wrote:
Again, no it doesn't. Let me demonstrate.
Code:
ipv4 access-list BLOCK-MSN
 10 remark Retarded MSN spiders
 20 deny tcp 65.52.0.0 0.3.255.255 <target netblock> <wildcard mask> eq www
 30 remark Permit the rest
 40 permit ipv4 any any

Contrast this against the filter necessary to mitigate an attack whose sources are spread amongst 2k non-aggregatable netblocks, and you can see the difference.

My argument isn't that it isn't a DDoS because it wasn't very good, it's that it's not a DDoS because it's not a distributed DoS. While the number of sources, whatever that number may have been (bingbot has hit my server from 5 unique sources in the past 9 days, by way of comparison) could be considered distributed in certain circumstance, in this one, it's not.


I understand what you are saying, I just think you are wrong. You are using your own definition for a DDoS. You are saying it isn't a DDoS because it isn't a DDoS. That isn't an argument. The fact that the attack comes from sources that are in a single aggregate block, is completely irrelevant. It is still distributed across multiple systems. I'm curious what exactly your definition of a DDoS is.

Mookhow, it's still a DDoS, it is just an unintentional DDoS. I don't believe intent is necessary to satisfy the definition.

A small correction, I'm not sure if I misread, or if they changed the story, but it says that westeros was hit with "hundreds of requests per minute", not 200 requests per minute.


PostPosted: Mon Apr 09, 2012 9:51 pm 

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Kaffis Mark V wrote:
So, wait. It's not distributed because you only had to block out 262k host addresses to block the actions of a few hundred bots, max?

I'm comfortable for allowing that there is a spectrum of efficiency and efficacy to DDoS attacks, and with that allowance, conceding that any DoS coming from more than one source can be said to be distributed.

Certainly, though, arbitrarily assigning an "aggretable" netblock isn't indicative of a DoS attack not being distributed. I can slap a 0.0.0.0 255.255.255.255 firewall rule down and stop any DDoS attack cold, but that doesn't mean it's an acceptable or practical defense.

So, I suppose, one way to approach this conversation is to ask, just how broad does the subnet (or rather, wildcard, I suppose) mask have to be in your firewall rule to qualify an attack as "distributed?"

First, a /14 isn't actually large. Second, if I had the sources, I could have made the filter a lot tighter, I'm certain.

Now, a DoS doesn't immediately become distributed when you have 1+n sources (where n is any nonzero positive integer), no matter how large or small n is. It requires diversity of netblocks, source ASNs, transit paths, etc. If you're attempting to mitigate an incident on a single firewall, you're close enough to the destination that whether it's a distributed denial of service, or just a denial of service is an entirely academic question. As a tangent, take two scenarios in which you are the target. In the first scenario, a single host is sending traffic and spoofing the source IP, setting from randomly generated IPs using the whole table. In the second scenario, diverse hosts are sending traffic spoofing the source IP to a single identical address. From the target's viewpoint, that second one is easier to filter, although it's actually the DDoS. Now back out a bit, where is the provider seeing the traffic enter their network? Is it coming through multiple peering/transit links, or just one? Going further toward the source (if possible), how many providers are seeing the traffic? How many ASNs are involved? You actually need to clear the diversity bar to classify an attack as distributed. When you're looking at a single ASN, and a single netblock, and probably a single Microsoft uplink, that's not clearing the bar.

Aegnor wrote:
I understand what you are saying, I just think you are wrong. You are using your own definition for a DDoS. You are saying it isn't a DDoS because it isn't a DDoS. That isn't an argument. The fact that the attack comes from sources that are in a single aggregate block, is completely irrelevant. It is still distributed across multiple systems. I'm curious what exactly your definition of a DDoS is.

Mookhow, it's still a DDoS, it is just an unintentional DDoS. I don't believe intent is necessary to satisfy the definition.

A small correction, I'm not sure if I misread, or if they changed the story, but it says that westeros was hit with "hundreds of requests per minute", not 200 requests per minute.

Hopefully I've addressed your first point.

Mookhow only addressed intent in order to classify it as an "attack", i.e. malicious.

Per minute? Then that was a retardedly misconfigured web server, since that's only 4-16 requests per second.



PostPosted: Mon Apr 09, 2012 10:01 pm 

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Well, shuyung, I suppose I'm speaking from the perspective of people who *don't* work for ISPs. Which, I imagine, comprise the bulk of the world, and even a significant majority of network engineers/admins.

When you're not an ISP, how many peering connections/transit links it's coming from is rather academic, isn't it? You've got your own network's firewalls to configure, and no control or absolute knowledge about the path it's taken to arrive at your network's border. You've got a handful of connections to your ISP if you're an organization that concerns itself with high availability over budget, and... so the only information about the source you really are likely to have is IP and whatever your ISP is willing to share with you when and if you call them up to work on conserving bandwidth on the link you've got to them, no?



PostPosted: Mon Apr 09, 2012 10:19 pm 

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Sure. And that's why we get such thinking as "if it comes from more than one host, it's distributed". The classification of and techniques for dealing with distributed denial of service are really only relevant to a relative handful of networks. But more letters are attractive, I guess.



PostPosted: Mon Apr 09, 2012 10:47 pm 

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
Ugh...apparently I can't type. "hundreds of requests per second"


PostPosted: Mon Apr 09, 2012 10:56 pm 

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
shuyung wrote:
Sure. And that's why we get such thinking as "if it comes from more than one host, it's distributed". The classification of and techniques for dealing with distributed denial of service are really only relevant to a relative handful of networks. But more letters are attractive, I guess.


We get such thinking, because that is how it is defined. Your argument still essentially comes down to "It's not a DDoS attack because it's not a very good DDoS attack."

The "diversity of netblocks, source ASNs, transit paths, etc" just go into determining how sophisticated the DDoS attack is, or how difficult it is to defend against.


PostPosted: Tue Apr 10, 2012 1:44 am 

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Maybe we need some qualifiers..

how about 'Super Mega Distributed Denial Of Service Attack' ?


PostPosted: Tue Apr 10, 2012 10:21 am 

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Aegnor wrote:
We get such thinking, because that is how it is defined. Your argument still essentially comes down to "It's not a DDoS attack because it's not a very good DDoS attack."

The "diversity of netblocks, source ASNs, transit paths, etc" just go into determining how sophisticated the DDoS attack is, or how difficult it is to defend against.

By whom? Whose definition are you operating from? It looks like you're trying to argue your definition against mine, and I suspect that only one of us is in position to actually have a handle on it.



PostPosted: Tue Apr 10, 2012 11:52 am 
Oberon's Playground

Joined: Thu Sep 03, 2009 9:11 am
Posts: 9449
Location: Your Dreams
A DDoS attack is not a particularly technical term. It's a common, almost vernacular phrase referring to an attack made by many compromised computers against a single target. As such, referring to Microsoft's Bing making a DDoS is somewhat metaphorical, relying on comparison of Bing's spiderbots to trojans. That said, I'd think Aegnor is correct, at least metaphorically. It's a very poorly distributed DDoS, but it is several "compromised computers" making an attack against another target. The fact that they're only distributed across a single Class A subnet (likely even less than that) doesn't mean they aren't distributed...it's just that they're not distributed very far.

_________________
Well Ali Baba had them forty thieves, Scheherezade had a thousand tales
But master you in luck 'cause up your sleeves you got a brand of magic never fails...
...Mister Aladdin, sir, What will your pleasure be?
Let me take your order, Jot it down -You ain't never had a friend like me

█ ♣ █


Last edited by Talya on Tue Apr 10, 2012 11:55 am, edited 1 time in total.

PostPosted: Tue Apr 10, 2012 11:53 am 

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
Actually, you'd be quite wrong in that assumption, but thanks for the condescension. It isn't my definition versus your definition. It is every definition I've ever read or heard versus your definition. It definitely seems like you've reached the point of no return on this argument, so I don't think any evidence or argument can get through your defenses. I could list a hundred different definitions from a hundred different sources, and I doubt it'd make a dent.


PostPosted: Wed Apr 11, 2012 9:13 am 

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
It's not condescension. I deal with malicious traffic regularly, and interface with peers across the Internet who do the same. There are none I can think of who would classify this as a DDoS. It's much the same as the term "hacker". For the vast majority of you it's a pejorative because it's been misused, by people probably much the same as your hundred different sources that are defining DDoS, sufficiently widely to convince the ignorant. The main problem with the rough consensus of the ignorant is pretty much the same as all the free legal advice you can get on the Internet from those who gleefully declare "IANAL"; it sounds good.

Oh, and Talya? Read up on classful and classless addressing.



PostPosted: Wed Apr 11, 2012 9:52 am 

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Not to be argumentative, shuyung, but I think you're jumping down throats here unnecessarily. A definition that requires you be one of a few thousand people on the planet to know whether it's satisfied or not is... well, it's not very useful, IMO. It seems to me that you and your peers have narrowed the definition as shorthand for the subset of DDoS attacks you guys most concern yourselves with, and that's fine -- but I don't think it's fair to say that narrows the definition universally, nor should it necessarily.

To point out that the people disagreeing with you aren't just a few crackpot hobbyists, amateurs, or low-ranking professionals who are confused, I just went and found a few sites and organizations who have published articles including working definitions of distributed denial of service attacks. I'm sure you've heard of these organizations, and I think they rank at least some consideration, even from you.

Bold mine in the following:
What is a distributed denial-of-service (DDoS) attack?
In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.

When this attempt derives from a single host of the network, it constitutes a DoS attack. On the other hand, it is also possible that a lot of malicious hosts coordinate to flood the victim with an abundance of attack packets, so that the attack takes place simultaneously from multiple points. This type of attack is called a Distributed DoS, or DDoS attack.



PostPosted: Wed Apr 11, 2012 11:24 am 

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
This is just typical Glade semantics arguments. Everyone is Right and Everyone is Wrong.

Which is fine with me...

And since I get to be right/wrong too, my only issue with all of this is that we are categorizing bad spider/crawler/bot programming as an 'attack', which to me implies some malicious intent.

I'm pretty sure that isn't the case here.

