I wrote about DDoS attacks, and my website got DDoS attacked

Hippo wide

I would like to apologise to readers who may have found that their regular grahamcluley.com fix has been disrupted since last Sunday, after my site suffered a significant distributed denial-of-service (DDoS) attack.

A denial-of-service attack sees online criminals attempt to make a website inaccessible by clogging it up with unwanted traffic. It's what happens when 15 hippos are let loose in the lobby of a hotel, and they all rush to the revolving doors at the same time. Nothing can move.

However, the good news is that nothing gets breached in a denial-of-service attack. No data is stolen, no webpages defaced, no accounts broken into. It's just that you can't reach a particular website any longer.

Which is a problem if it's the website from which you access your email, or if you run an online store. But it's less of an issue if you just have a blog where you talk about computer security.

At first it wasn't completely clear to me that I was the intended target of the attack, and I thought it was possible that the attackers were targeting one of my web host's other clients, and I was merely collateral damage.

But it later became apparent (after I moved my website to an IP address that no other site was using, and the attack started up again) that for some reason the DDoS attackers really wanted to silence my site.

There is inevitably going to be speculation that the attack against my site is connected to the DDoS blackmail attacks attributed to the "Armada Collective" gang recently.

I cannot confirm if that is the case, but I can say that the attack was "unusually large", and saw thousands of attacking sources stretching my web host's upstream network infrastructure. I'm told that the attackers used multiple attack vectors and different techniques - including UPnP reflection, DNS reflection, and TCP SYN flooding.

For the record - I never received any ransom demands, or communications from anyone claiming to be the attackers. I have to assume that the attack was personally motivated, rather than done in the pursuit of cash.

In the early hours of Wednesday (when I really should have been sleeping so I could wake up nice and refreshed for my talk at Future Decoded) I put systems in place to better mitigate my site from DDoS attacks with help from the great teams at Pressidium and CloudFlare.

Going forward, more steps will be taken to harden the site to ensure that it remains online. My signing-up for CloudFlare was a decision I made at 4:30am - the plan I'm on isn't free, and I'm not sure if it's ideal. But for now, it works. I'm open to other suggestions.

But I'm sticking with Pressidium for their managed WordPress hosting. Their support team has been incredibly helpful to me at all times of the day and night.

As far as I can see, the site has been performing well since Wednesday (apart from a few hiccups which were misconfiguration mistakes I made rather than DDoS-related). If you spot any quirks on the site please do feel free to get in touch with me so I can investigate.

Sorry again that my site went down the plughole for a while. I can't promise that it won't ever happen again, but I'm more prepared than ever to fight off future attacks.

Update December 2015: I now use Incapsula to mitigate DDoS attacks and other internet threats against the website, and have turned off CloudFlare.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

13 Responses

  1. Theo Ccupier

    November 13, 2015 at 9:56 am #

    Surprised they didn't use WordPress Pingback "reflection" attack, as that would have been very ironic! ;-)

    However, joking aside all reflection attacks (NTP, DNS, SNMP, UPnP, etc.) are very effective as they fill up the data pipe very quickly and efficiently and overwhelm border routers/switches and firewalls, leaving the web server untouched but unreachable. As they also use UDP, it means that the attackers can spoof the source IP so that it appears to be yours, not theirs; hence the "reflection".

    DDoS attacks are very much in vogue (along with RansomWare), so not surprised your site got hit; but not sure why they targeted you as you do good, and don't sell anything (well, not directly, apart from your blogging/speaking services).

    Maybe their attack was because you are trying to educate and share attack methods used?

    P.S. Nice analogy by the way, hippos in a hotel lobby, who'd have thunk it ;-)

    • coyote in reply to Theo Ccupier.

      November 13, 2015 at 9:44 pm #

      UDP[1] is irrelevant to IP spoofing; IP address is network layer (3) and UDP is transport layer (4). An example DoS attack that relied on IP spoofing where the transport layer was irrelevant: Smurf was ICMP/IP only – and it obviously did spoof (hence sending echo requests to a broadcast address with the source IP as the target so that they are flooded with replies from many hosts). Fraggle was Smurf with a UDP twist[2]. And on that subject, nowadays most border routers (and other network devices, certainly those administered by somewhat competent people) don't respond to broadcast addresses in such a way.

      As for the hippos, it reminded me of a travel agency (or was it a hotel ?) that went … belly up for their lacklustre security.

      [1] Also, DNS does use TCP although it is true it also uses UDP. But as noted, UDP and IP spoofing are unrelated.

      [2] Directly from the author, TFreak in fraggle.c :

      "This is basically smurf.c with a udp twist. There are _many_ interesting
      things you can do with this program, I suggest you experiment with it."

      (not that I suggest anyone experiment it outside a controlled lab and he actually questioned the ethics of the smurf family at some point)

  2. Karl

    November 13, 2015 at 10:29 am #

    I like the browser detection feature when first launching the website.
    However, my RSS feed for your site is now broken.

    • Graham Cluley in reply to Karl.

      November 14, 2015 at 12:58 am #

      Thanks for letting me know.

      I'm not experiencing a problem, and when I validate the RSS feed, it says no problems
      https://validator.w3.org/feed/check.cgi?url=https%3A%2F%2Fgrahamcluley.com%2Ffeed

      However, at least one other reader was in touch with me with a similar issue. Can anyone else shed some light on this?

      • coyote in reply to Graham Cluley.

        November 14, 2015 at 2:03 am #

        I don't have the problem either, FWIW. However, I *do* have delays with it. Before it would be fairly snappy but now it takes some seconds to load initially (off-site articles load instantly but the next applies to local articles). But I've had this with the website more generally for some time (since you've changed providers (?) a while back). Yet the loading of the RSS feed is noticeably slower now. At least some times. Which makes me think it is much like the checks with the website proper. I think the thing to remember is 'broken' is very ambiguous and not helpful when trying to track down a problem. So what is *broken* ?

        Doesn't load ? If that's the case, have you given it 5-10 seconds to load ? More information is always helpful (no matter how silly you think it might be it very often isn't – this is a very common and equally as frustrating thing that is neglected in bug reports; the more information the better!). What browser do you notice this in might not be all that relevant but it too might offer some insight to the problem.

  3. Bob

    November 13, 2015 at 1:16 pm #

    I don't always get the browser detection feature Karl – it depends how you're connected to the internet. Cloudflare tends to view VPNs and/or TOR connections as suspicious (because of their anonymity) and subject them to extra scrutiny. For legitimate users this 5-second delay is a minor inconvenience but for DDOS attacks it significantly reduces their efficacy.

    I've never heard of Pressidium but moving towards a managed WordPress platform is the way forward IMO because there are a slew of updates and security patches that need applying and having them done automatically by the hosting provider enhances security. (WordPress is notoriously insecure but are the most popular platform by smaller companies and blogs).

    I'm surprised anybody targeted this site specifically as you'd think the 'Aramada Collective' would WANT publicity about their antics. Maybe it was a case of mistaken identity or perhaps they're testing the waters; hopefully Cloudflare will stop them in their tracks if they try again.

    I'd be interested in hearing how you get on with both services Graham: value for money, security, ease of use, available optons etc. just so that I've got a bit more information when I next get asked to recommend a provider.

    • Graham Cluley in reply to Bob.

      November 14, 2015 at 12:56 am #

      I have used both WP Engine and Pressidium for managed WordPress hosting. Both are excellent in my opinion, and I would highly recommend them.

  4. drsolly

    November 13, 2015 at 3:39 pm #

    You know you're on the right track when the Bad People attack you.

    • coyote in reply to drsolly.

      November 13, 2015 at 9:49 pm #

      And if you're a Bad Person and Good People attack you, I suppose you're also on the right track. Whether Bad People attacking a Bad Person is a positive or not is up to debate, I suppose, much like Good People attacking a Good Person.

  5. Alex

    November 13, 2015 at 3:43 pm #

    I'm no expert on DDoS attacks or protection but I did come across Project Shield from Google a while back when researching available protection options.

    The user base already shows journalist and security analyst so may be of use to you https://www.google.com/ideas/products/project-shield/

    • Graham Cluley in reply to Alex.

      November 14, 2015 at 12:55 am #

      Thank you. I'm not sure if they would accept my site but there's no harm in applying, right?

      • Alex in reply to Graham Cluley.

        November 14, 2015 at 5:01 pm #

        I suppose you could put yourself down as independent news, go for it!

  6. Abalt

    November 13, 2015 at 4:30 pm #

    I bet it was Buble. ;)

Leave a Reply