Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Is there a widespread DOS attack of ISPs going on?

[LML]

Hello all,
New to your forum and hoping someone can enlighten me. I host several of my clients with Hostsave, which had adequate services for their needs. Reasonably fast load times, easy access for me, ability to manage various aspects without being a server-tech-guru, running on unix and having a cgi-bin. All was good with the world, although their support via email simply sucks, they did answer questions better on their non-toll-free phone system after you waited on hold for 20 minutes or so. Anyway, it was a reasonable service for the money.

Until .....
About 2 weeks ago, I got a message from my client that one of the sites was loading slowly. I checked it out and found that the host had buried a news message that they were under a severe DOS attack. (you had to click on the login screen in order to see the message from the host). Since then, they said that they are not the only ISP affected, that they have notified the FBI, that they are receiving 3million packets per minute instead of the usual 1600. It took service for the site and email down to a crawl for about a week. Last week the service was much better, but still obviously weaker than normal. Calls to their support office and via email left me somewhat puzzled about status. I notified them that I was receiving strange emails via a feedback form script that I do not use and they said, "yeah, we know about that, but we don't think it is a serious issue". While an IT friend said that someone is trying to hack through a script that the hosting company has mapped to all the various accounts hosted with them (it is formmail.pl). I asked them to remove or modify the script and they said they would not at this point in time. I looked through the raw server logs and found the IP number of the person(s) trying to hack the script and provided that infomation to Hostsave. They were underwhelmed with the suggestion that they look into it.

Now... I have just received a very angry note from one client claiming service has been out for days. I have not seen it down, but I wonder if there is a backbone server out affecting one region? My question is this .... is this DOS attack widespread? Is anyone else feeling this? (I heard it was affecting the UK and US) I need new hosting ASAP and am unsure how to find one with better hack-security.

Help?
Thanks.
LML

[darksoul]

I admin servers in 8 datacenters in us and haven't heard
anything about this.

[LML]

Hmmm. Thanks for the reply. That's a bit troubling.

These were the latest message I've had from the hosting company about this attack:
..................
IMPORTANT UPDATE:
4:00 PM, PST, May 30, 2003 - Denial of Service (DOS) Attack Update - Website and mail performance issues have been largely stabilized by upgrades we have implemented to our network. This DOS attack is a broad one impacting numerous service providers, and you may experience periodic slowness as a result. Our team remains focused on minimizing the impact of this attack until it can be completely stopped, and continues to work toward restoring all services to full capacity. We will provide periodic updates as the situation changes. Again, thank you for your patience.

**Important Update**
6:00 PM, PST, May 23, 2003 - This message serves to reassure you that while it may be a holiday weekend, our team of engineers remains at work, focused on resolving the issues relating to the Denial of Service (DOS) attack and service interruptions to our website and mail services. We will provide updates as information becomes available. Again, thank you for your patience.

11:30 AM, PST, May 23, 2003 - The Denial of Service (DOS) attack against our systems has further intensified, continuing to impact the performance of our website and mail services. The intensity of the load we process on a normal day is approximately 1,600 packets per minute. We are currently processing in excess of 3 million packets per minute. Our engineering and systems administration teams continue to take steps to further harden our network and provide increased availability, but these are temporary solutions. We are taking drastic steps to resolve this issue at its source and appreciate your patience as we work toward a solution to stop this malicious attack.

4:30 PM, PST, May 22, 2003 - We have learned that the Denial of Service (DOS) attack aimed at our systems since Tuesday, May 20, was not isolated to our network, but is a widespread DOS attack affecting a large number of Internet Service Providers (ISPs). Rest assured that the appropriate authorities have been notified and are working to identify the source of the attack.
......................
Anyone else have any info?
-LML

[bitserve]

Well it's probably true that a lot of ISPs get DOSed every day, but I wonder how they determined that the exact one that was targeting them was targeting others. They should at least mention the names, IMHO.

[sprintserve]

Well, if it is formmail.pl, and your host is using Cpanel, and they are not willing to upgrade the servers, then they are clearly at fault. There's a spamming exploit with the script that was discovered just last week (twice). Perhaps someone was spamming badly from the servers and creating problems for the authentic traffic. They may also mistakenly think that the traffic hitting the servers to use the script is a ddos.

In any case, a DDOS attack is not likely to last for 2 weeks.

I may not admin servers in 8 data centers, but we haven't heard any issues on the ground, nor did our servers in several data centers seems to be affected.

Lastly assuming it is a DDOS attack, it is likely that it is just targetted at your server (and not the data center) There's a difference to that, thought 2 weeks is a long time.

[LML]

Thanks for the feedback. It is indeed formmail.pl that they have made available and it is Cpanel. They will not change it although I have asked them.

Okay, now that I know what to think of them, I am convinced 100% that I'm moving a few clients and my own site off of their servers asap.

I've looked at two companies that advertise in this forum, but have not had success in finding the info I need yet.

Has anyone dealt with OkiHost.com? Their online chat support isn't turned on, the phone number for the company goes to a generic spint email message, and the AIM numbers that they also provide are not currently turned on. So, I can't figure out how to ask about their plans, although they look good on their site. They haven't returned my call or emails yet. (a couple hours have passed)

Has anyone dealt with Dot5Hosting.com? I like their offerings, but their control panels look extraordinarily complicated for their reseller program. (I'm not a programmer, but I can generally get by in an easy control panel system). I used their online support chat box but had too many questions to make it possible for the person to give me answers very well. I tried calling their phone number, but got an answering machine. They haven't returned my call or email. (Maybe an hour has passed)

Anyone know of a decent reseller situation? I only need to host about 6 - 10 domain accounts right now. Unix hosting. CGI Bin, SSI needed. Speedy connection, and reasonable bandwidth desired. Actual space needed somewhat small, less than 20mb per domain. An easy to use control panel for a non-technical administrator (me!) would be a big PLUS!