The Glade 4.0

"Turn the lights down, the party just got wilder."
It is currently Sun Nov 24, 2024 8:56 am

All times are UTC - 6 hours [ DST ]




Post new topic Reply to topic  [ 33 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Sun Apr 08, 2012 7:31 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
So Westeros.org (a fan site for the "A Song of Ice and Fire" book series, and the HBO TV series based on the books "Game of Thrones" was apparently brought to its knees by msnbot spiders that Microsoft's search engine uses to crawl the web for data to use in its Bing searches.

I'd not heard of the issue, so I read up on it some, and apparently the msnbot spiders are so poorly coded, that they often ignore the robots.txt file that web servers have that guide the bots and indicate which parts of the site to index and which parts to ignore. Not only they, they repeatedly query files that do not, and never have, existed on the server. The Westeros.org server was apparently being hammered by 200 http requests every second by the bots.

Essentially Westeros.org was the victim of a DDoS attack, initiated by Microsoft, and they aren't the first victims.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Sun Apr 08, 2012 8:21 pm 
Offline

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Unless there's some fairly heavy db lookups going along with the qps, and maybe some data manipulation, a couple hundred qps shouldn't be all that straining on a modern system. Looks like they were running apache 2.2.3 on a Red Hat system, now they're running nginx.

Also, if it was all MSN-related, that's not a DDoS. It's just a DoS.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Sun Apr 08, 2012 9:32 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
Well, it depends on how you define it. It is multiple systems, different sources, using multiple bots to attack a system. True, all the systems are owned by MS, but I don't think that precludes it from being a DDoS.

Regarding 200 qps not being that much, it depends. For a commercial server it would be nothing. Amazon likely has hundreds of servers that can handle 100k requests per second without sweating. But for a fan forum (any idea how many requests per second gladerebooted could handle)? It was likely running near capacity already with the GoT series starting up again, and this was enough to push it over the edge.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Sun Apr 08, 2012 10:29 pm 
Offline

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Yeah, it pretty much does. When you can filter a single /14 and take care of your problem, that's not distributed.

Commodity hardware should be able to handle 200 qps. I'm not sure how you think Amazon is set up, but it is probably far different than you are imagining. You hit their anycast load balancers first. Any single Amazon httpd server isn't getting swamped with 100k queries per second, they're probably not even breaking 100 queries per second. But that has more to do with the fact that they're serving up pages that need to perform multiple sql pulls, not just slinging it out of ram.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Sun Apr 08, 2012 10:52 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
Just poor phrasing on my part. I didn't mean to imply that any single server was getting 100k queries per second; I meant collectively (and that is just a wild guess...no idea what their actual capacity is).

And I don't think the fact that it is easier to filter out the attacks than your typical DDoS attacks changes the distributed part of DDoS in this type of attack.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Apr 09, 2012 9:25 am 
Offline

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Give me about a week to collect data, and I can ballpark it.

Yes, that's the whole point of D'ing a DoS attack, to provide additional resiliency in the face of attempted mitigation.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Apr 09, 2012 11:09 am 
Offline
Manchurian Mod
User avatar

Joined: Fri Sep 04, 2009 9:40 am
Posts: 5866
Are you saying that each letter in the acronym has a distinct meaning?

_________________
Buckle your pants or they might fall down.


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Mon Apr 09, 2012 11:14 am 
Offline
User avatar

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Corolinth wrote:
Are you saying that each letter in the acronym has a distinct meaning?

That's just crazy talk. By that token, one would think that there was Intelligence in the CIA, or that the FBI did some Investigating instead of swooping in with assumptions...

Or that the IRS was a Service to the people or something...

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Mon Apr 09, 2012 3:02 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
shuyung wrote:
Yes, that's the whole point of D'ing a DoS attack, to provide additional resiliency in the face of attempted mitigation.


Which this does. It is only moderately more difficult to block such an attack, but that is mainly because it is unintentional. Essentially your argument seems to be that because it isn't a very good DDoS attack, it isn't a DDoS attack.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Apr 09, 2012 4:14 pm 
Offline

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Again, no it doesn't. Let me demonstrate.
Code:
ipv4 access-list BLOCK-MSN
 10 remark Retarded MSN spiders
 20 deny tcp 65.52.0.0 0.3.255.255 <target netblock> <wildcard mask> eq www
 30 remark Permit the rest
 40 permit ipv4 any any

Contrast this against the filter necessary to mitigate an attack whose sources are spread amongst 2k non-aggregatable netblocks, and you can see the difference.

My argument isn't that it isn't a DDoS because it wasn't very good, it's that it's not a DDoS because it's not a distributed DoS. While the number of sources, whatever that number may have been (bingbot has hit my server from 5 unique sources in the past 9 days, by way of comparison) could be considered distributed in certain circumstance, in this one, it's not.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Apr 09, 2012 4:38 pm 
Offline
User avatar

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
So, wait. It's not distributed because you only had to block out 262k host addresses to block the actions of a few hundred bots, max?

I'm comfortable for allowing that there is a spectrum of efficiency and efficacy to DDoS attacks, and with that allowance, conceding that any DoS coming from more than one source can be said to be distributed.

Certainly, though, arbitrarily assigning an "aggretable" netblock isn't indicative of a DoS attack not being distributed. I can slap a 0.0.0.0 255.255.255.255 firewall rule down and stop any DDoS attack cold, but that doesn't mean it's an acceptable or practical defense.

So, I suppose, one way to approach this conversation is to ask, just how broad does the subnet (or rather, wildcard, I suppose) mask have to be in your firewall rule to qualify an attack as "distributed?"

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


Top
 Profile  
Reply with quote  
PostPosted: Mon Apr 09, 2012 5:27 pm 
Offline
God of the IRC
User avatar

Joined: Wed Sep 02, 2009 7:35 pm
Posts: 3041
Location: The United States of DESU
I think if you can interpret the MSN bots' actions to be a DOS (it's not really an attack as there was no intent to deny service), then it should be fine to interpret a DOS from multiple hosts within a single subnet to be distributed.

On a tangental note, we were "attacked" by some poorly coded webcrawler sometime late last year, which repeatedly tried to index some nonexistent webpage on the board. I don't think it was multiple hosts though.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Mon Apr 09, 2012 8:38 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
shuyung wrote:
Again, no it doesn't. Let me demonstrate.
Code:
ipv4 access-list BLOCK-MSN
 10 remark Retarded MSN spiders
 20 deny tcp 65.52.0.0 0.3.255.255 <target netblock> <wildcard mask> eq www
 30 remark Permit the rest
 40 permit ipv4 any any

Contrast this against the filter necessary to mitigate an attack whose sources are spread amongst 2k non-aggregatable netblocks, and you can see the difference.

My argument isn't that it isn't a DDoS because it wasn't very good, it's that it's not a DDoS because it's not a distributed DoS. While the number of sources, whatever that number may have been (bingbot has hit my server from 5 unique sources in the past 9 days, by way of comparison) could be considered distributed in certain circumstance, in this one, it's not.


I understand what you are saying, I just think you are wrong. You are using your own definition for a DDoS. You are saying it isn't a DDoS because it isn't a DDoS. That isn't an argument. The fact that the attack comes from sources that are in a single aggregate block, is completely irrelevant. It is still distributed across multiple systems. I'm curious what exactly your definition of a DDoS is.

Mookhow, it's still a DDoS, it is just an unintentional DDoS. I don't believe intent is necessary to satisfy the definition.

A small correction, I'm not sure if I misread, or if they changed the story, but it says that westeros was hit with "hundreds of requests per minute", not 200 requests per minute.


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Mon Apr 09, 2012 9:51 pm 
Offline

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Kaffis Mark V wrote:
So, wait. It's not distributed because you only had to block out 262k host addresses to block the actions of a few hundred bots, max?

I'm comfortable for allowing that there is a spectrum of efficiency and efficacy to DDoS attacks, and with that allowance, conceding that any DoS coming from more than one source can be said to be distributed.

Certainly, though, arbitrarily assigning an "aggretable" netblock isn't indicative of a DoS attack not being distributed. I can slap a 0.0.0.0 255.255.255.255 firewall rule down and stop any DDoS attack cold, but that doesn't mean it's an acceptable or practical defense.

So, I suppose, one way to approach this conversation is to ask, just how broad does the subnet (or rather, wildcard, I suppose) mask have to be in your firewall rule to qualify an attack as "distributed?"

First, a /14 isn't actually large. Second, if I had the sources, I could have made the filter a lot tighter, I'm certain.

Now, a DoS doesn't immediately become distributed when you have 1+n sources (where n is any nonzero positive integer), no matter how large or small n is. It requires diversity of netblocks, source ASNs, transit paths, etc. If you're attempting to mitigate an incident on a single firewall, you're close enough to the destination that whether it's a distributed denial of service, or just a denial of service is an entirely academic question. As a tangent, take two scenarios in which you are the target. In the first scenario, a single host is sending traffic and spoofing the source IP, setting from randomly generated IPs using the whole table. In the second scenario, diverse hosts are sending traffic spoofing the source IP to a single identical address. From the target's viewpoint, that second one is easier to filter, although it's actually the DDoS. Now back out a bit, where is the provider seeing the traffic enter their network? Is it coming through multiple peering/transit links, or just one? Going further toward the source (if possible), how many providers are seeing the traffic? How many ASNs are involved? You actually need to clear the diversity bar to classify an attack as distributed. When you're looking at a single ASN, and a single netblock, and probably a single Microsoft uplink, that's not clearing the bar.

Aegnor wrote:
I understand what you are saying, I just think you are wrong. You are using your own definition for a DDoS. You are saying it isn't a DDoS because it isn't a DDoS. That isn't an argument. The fact that the attack comes from sources that are in a single aggregate block, is completely irrelevant. It is still distributed across multiple systems. I'm curious what exactly your definition of a DDoS is.

Mookhow, it's still a DDoS, it is just an unintentional DDoS. I don't believe intent is necessary to satisfy the definition.

A small correction, I'm not sure if I misread, or if they changed the story, but it says that westeros was hit with "hundreds of requests per minute", not 200 requests per minute.

Hopefully I've addressed your first point.

Mookhow only addressed intent in order to classify it as an "attack", i.e. malicious.

Per minute? Then that was a retardedly misconfigured web server, since that's only 4-16 requests per second.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Apr 09, 2012 10:01 pm 
Offline
User avatar

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Well, shuyung, I suppose I'm speaking from the perspective of people who *don't* work for ISPs. Which, I imagine, comprise the bulk of the world, and even a significant majority of network engineers/admins.

When you're not an ISP, how many peering connections/transit links it's coming from is rather academic, isn't it? You've got your own network's firewalls to configure, and no control or absolute knowledge about the path it's taken to arrive at your network's border. You've got a handful of connections to your ISP if you're an organization that concerns itself with high availability over budget, and... so the only information about the source you really are likely to have is IP and whatever your ISP is willing to share with you when and if you call them up to work on conserving bandwidth on the link you've got to them, no?

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Apr 09, 2012 10:19 pm 
Offline

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Sure. And that's why we get such thinking as "if it comes from more than one host, it's distributed". The classification of and techniques for dealing with distributed denial of service are really only relevant to a relative handful of networks. But more letters are attractive, I guess.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Apr 09, 2012 10:47 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
Ugh...apparently I can't type. "hundreds of requests per second"


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Mon Apr 09, 2012 10:56 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
shuyung wrote:
Sure. And that's why we get such thinking as "if it comes from more than one host, it's distributed". The classification of and techniques for dealing with distributed denial of service are really only relevant to a relative handful of networks. But more letters are attractive, I guess.


We get such thinking, because that is how it is defined. Your argument still essentially comes down to "It's not a DDoS attack because it's not a very good DDoS attack."

The "diversity of netblocks, source ASNs, transit paths, etc" just go into determining how sophisticated the DDoS attack is, or how difficult it is to defend against.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Apr 10, 2012 1:44 am 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Maybe we need some qualifiers..

how about 'Super Mega Distributed Denial Of Service Attack' ?


Top
 Profile  
Reply with quote  
 Post subject: Re: Re:
PostPosted: Tue Apr 10, 2012 10:21 am 
Offline

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Aegnor wrote:
We get such thinking, because that is how it is defined. Your argument still essentially comes down to "It's not a DDoS attack because it's not a very good DDoS attack."

The "diversity of netblocks, source ASNs, transit paths, etc" just go into determining how sophisticated the DDoS attack is, or how difficult it is to defend against.

By whom? Whose definition are you operating from? It looks like you're trying to argue your definition against mine, and I suspect that only one of us is in position to actually have a handle on it.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Apr 10, 2012 11:52 am 
Offline
Oberon's Playground
User avatar

Joined: Thu Sep 03, 2009 9:11 am
Posts: 9449
Location: Your Dreams
A DDoS attack is not a particularly technical term. It's a common, almost vernacular phrase referring to an attack made by many compromised computers against a single target. As such, referring to Microsoft's Bing making a DDoS is somewhat metaphorical, relying on comparison to Bing's spiderbots as trojans. That said, I'd think Aegnor is correct, at least metaphoricly. It's a very poorly distributed DDoS, but it is several "compromised computers" making an attack against another target. The fact that they're only distributed across a single Class A subnet (likely even less than that) doesn't mean they aren't distributed...it's just that they're not distributed very far.

_________________
Well Ali Baba had them forty thieves, Scheherezade had a thousand tales
But master you in luck 'cause up your sleeves you got a brand of magic never fails...
...Mister Aladdin, sir, What will your pleasure be?
Let me take your order, Jot it down -You ain't never had a friend like me

█ ♣ █


Last edited by Talya on Tue Apr 10, 2012 11:55 am, edited 1 time in total.

Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Apr 10, 2012 11:53 am 
Offline
User avatar

Joined: Thu Sep 03, 2009 11:05 am
Posts: 1111
Location: Phoenix
Actually, you'd be quite wrong in that assumption, but thanks for the condescension. It isn't my definition versus your definition. It is every definition I've ever read or heard versus your definition. It definitely seems like you've
reached the point of no return on this argument, so I don't think any evidence or argument can get through your defenses. I could list a hundred different definitions from a hundred different sources, and I doubt it'd make a dent.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Apr 11, 2012 9:13 am 
Offline

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
It's not condescension. I deal with malicious traffic regularly, and interface with peers across the Internet who do the same. There are none I can think of who would classify this as a DDoS. It's much the same as the term "hacker". For the vast majority of you it's a pejorative because it's been misused, by people probably much the same as your hundred different sources that are defining DDoS, sufficiently widely to convince the ignorant. The main problem with the rough consensus of the ignorant is pretty much the same as all the free legal advice you can get on the Internet from those who gleefully declare "IANAL"; it sounds good.

Oh, and Talya? Read up on classful and classless addressing.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Apr 11, 2012 9:52 am 
Offline
User avatar

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Not to be argumentative, shuyung, but I think you're jumping down throats here unnecessarily. A definition that requires you be one of a few thousand people on the planet to know whether it's satisfied or not is.. well, it's not very useful, IMO. It seems to me that you and your peers have narrowed the definition as shorthand for the subset of DDoS attacks you guys most concern yourselves with, and that's fine -- but I don't think it's fair to say that narrows the definition universally, nor should it necessarily.

To point out that the people disagreeing with you aren't just a few crackpot hobbyists, amateurs, or low-ranking professionals who are confused, I just went and found a few sites and organizations who have published articles including working definitions of distributed denial of service attacks. I'm sure you've heard of these organizations, and I think they rank at least some consideration, even from you.

Bold mine in the following:
What is a distributed denial-of-service (DDoS) attack?
In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.

When this attempt derives from a single host of the network, it constitutes a DoS attack. On the other hand, it is also possible that a lot of malicious hosts coordinate to flood the victim with an abundance of attack packets, so that the attack takes place simultaneously from multiple points. This type of attack is called a Distributed DoS, or DDoS attack.

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Apr 11, 2012 11:24 am 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
This is just typical Glade symantics arguments. Everyone is Right and Everyone is Wrong.

Which is fine with me...

And since I get to be right/wrong too, my only issue with all of this is that we are categorizing bad spider/crawler/bot programming as an 'attack', which to me implies some malicious intent.

I'm pretty sure that isn't the case here.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 33 posts ]  Go to page 1, 2  Next

All times are UTC - 6 hours [ DST ]


Who is online

Users browsing this forum: Bing [Bot] and 131 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group