|
|
|
|
|
|
|
|
|
|
|
|
|
|
Incident report: denial of service attack against ConnectedPhotographer.com (continued)
The solution was to change the IP address of the server for other Web sites and then update the DNS records to point to the new IP address. I did not do this for Connected Photographer, and that site remained intentionally offline through much of the weekend.
Key observations
The key observation was the ferocity of accesses. We were being hit by thousands of separate computers per minute, and I tracked more than 10,000 individual computers before the stage-one firewall died. Overall, I estimate somewhere above a million individual computers hit our servers in the space of a day or so.
The second key observation was that our first-line server was unable to withstand the load of such an attack. The only approach that seemed to work was to change the IP on the other sites, and kill the Web site being attacked. We then spent the next few days creating some new technology that sits between the firewall and our primary Web servers, managing and blocking the flow of these attacks. So far, it's working quite well and (knock on wood), I'm hoping it'll keep the wolves at bay, for at least a while.
Cost to us, of course, is we had a dead site for four days, because we couldn't bring it back online without the possibility of a reoccurance of such an attack until we'd put a barrier system in place. Although the attack was clearly spam oriented, it's still undeniably a distributed denial of service because service was denied.
Since we were able to sustain only about ten minutes of direct flow observation, and the attack lasted hours, I suspect millions of IP addresses are firing. Further, since Connected Photographer is a relatively minor site compared to, say, Google, I suspect each computer that fired on our server also fired on thousands of other servers.
Finally, because of the absolute ferocity of this attack, coming from so many computers, it took us a couple of days to engineer a robust defense. Our sites are merely informational. But were an attack like this to hit a server that was important to infrastructure, the damage could be devastating.
I recently wrote an article in Counterterrorism Magazine about how cyberterrorism can damage infrastructure. This week, we witnessed the power of such an attack.
Mick Moignard has been working and traveling with Lotus Notes since Release 2.0 in 1991. Mick is a DominoPower Senior Technical Editor and a Principal CLP with Unipart Expert Practices, a Lotus Advanced Partner in the UK. If you want to discuss anything to do with this article, or indeed anything else to do with Notes and Domino, contact Mick at Mick_Moignard@unipart.co.uk. Unipart Expert Practices will also happily discuss any opportunities you may have with any Notes and Domino application development or infrastructure projects you need help with. Unipart Expert Practices can be found at http://www.unipartep.com.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- Advertisement --
Learn Notes and Domino 8 at your place and pace!
Learn Notes and Domino in your office and/or home! TLCC's highly acclaimed distance learning courses for users, developers, and admins will enhance your career and your resume.
The many included activities and demos will make you a pro! Expert instructor help is a click away.
Click here to try a FREE demo course!! |
-- Advertisement --
Teamstudio Edition 25 has shipped
It's finally here! Now that Teamstudio Edition 25 has shipped, listen to our latest Tool Time audio program to find out what's changed. Updates to all your favorite Teamstudio tools will be discussed.
Plus, you'll get an introduction to Teamstudio Undo (formerly known as Teamstudio Snapper).
Tap here to get started! |
|
|
|
|
|
|
|
|
|
|
