Monday, May 7th, 2007

jQuery.com DOS Attacks

Category: JavaScript, jQuery

The web can bring out the worst in people. Some idiots have been DoS attacking jquery.com, and their hosts offered such "good" service that, instead of protecting them, they shut off their service and told them to move.

I have had to deal with DoS attacks at various companies, and have been very thankful that Contegix has worked with us to fix the issues and protect us.

Learning jQuery kindly stepped up to the plate.

jQuery Hacked

Posted by Dion Almaer at 11:28 am

34 Comments »


I can’t imagine why anyone would even bother DDOS attacking a web framework website. Just a waste of time if you ask me.

Were they on shared hosting before? If so then the attack probably wasn’t directed at them.

Comment by Philip Plante — May 7, 2007

Yeah, this weekend has been a giant party. We’re up on a new host now – depending on how the DNS is propagating, everything should be back to normal within a day or two (it’s already reset for some users, which is good).

Comment by John Resig — May 7, 2007

@Philip: It was directed at our server explicitly – our host didn’t want to deal with the influx of traffic that was bombarding us, so they simply just kicked us out. It’s made for a stressful weekend.

Comment by John Resig — May 7, 2007

Who was your host? Seems like a company we should all know to avoid at all costs.

Comment by Joe Boy — May 7, 2007

I wanted to thank jQuery team member, Karl Swedberg for his invaluable assistance in getting the jQuery.com site up and running during our previous host’s less than business-like termination of the hosting service.

Karl worked around the clock with John to ensure that the project’s main resources (eg: libs, plugins, et al) were accessible in some form to the community.

Thank you so much for your help and dedication to the project and the community, Karl.

Also, special thanks to Dion and the whole Ajaxian crew for advising the community of what occurred and helping to point them to our temporary location.

Comment by Rey Bango — May 7, 2007

I’d also be interested in knowing who the previous hosting company was. I can provide email if you’re willing to share, but not in public. I’d hate to be caught off-guard if it were one of the service providers I use, and frankly, I agree – this is something I would use to recommend against them to a friend.

Comment by Keith — May 7, 2007

Could you please tell us which was the old host? That can help us with our hosting service choices and warn other people.

Comment by zee — May 7, 2007

Yeah, that's no way for them to behave. We'd be thankful for a heads-up.

Comment by Branstrom — May 7, 2007

Welcome to the world. I’ve been getting DOS attacks on my site for the last 3 months. It seems that giving away free software makes you a target for some psychos.

PS. To the person who is attacking my site: I’m sorry that your life is so shit.

Comment by Dean Edwards — May 7, 2007

seems like a whole lot of panic over nothing.

Comment by odd — May 7, 2007

Are you sure your site was not digged somewhere… That's the only type of DOS that actually works nowadays; otherwise traffic/IP filters and ACs take care of traditional DOS attacks…

Comment by Bob — May 7, 2007

As a webhost, DOS attacks can be very expensive. How much was the jQuery site paying for the service? I ask because of the rash of budget hosts surfacing the past few years – just because you have a hosting service does not mean that it is managed and has all the features that an enterprise like GM, GE, Disney, etc. would have.

Comment by Karl — May 7, 2007

We’ve been going through the same junk for over a year with Dojo… it’s rather frustrating.

Comment by Dylan Schiemann — May 7, 2007

We'd like to know the previous host as well, just in case. We don't mind upgrading to a more expensive plan so it justifies the work the host has to do to deal with a DOS attack, but to kick someone off, that's beyond me.

I can be reached through our support site. Greatly appreciate it.

Comment by Liming Xu — May 7, 2007

John and the rest of the jQuery team are not likely to reveal the previous hosting provider. (Libel lawsuits, anyone?)

Nonetheless, I am as curious as anyone else to know who they are! They certainly deserve a black eye. [sigh]

Comment by Michael Geary — May 7, 2007

Why should one attack a community site?
Recently javarss.com was also hacked…

sudhir
http://www.jyog.com

Comment by s — May 7, 2007

It’s not libel if it’s true.

Comment by Tim Cooijmans — May 8, 2007

Was the old hosting company “SecurityMinded Technologies LLC”??

Comment by TaL — May 8, 2007

It doesn’t matter who that host was because *every* shared host out there is going to boot you off of a server if you’re the target of an attack. They can lose one customer to save a server of 100 customers, or lose 100 customers just to save one customer. DOS scenarios are what you discuss when purchasing a dedicated or colo server, not at some $9.99 cattleherding host.

Comment by Nice — May 8, 2007

@Nice: We weren’t on a shared server.

Comment by Rey Bango — May 8, 2007

Tim, you appear to be right.

jQuery.com’s recorded IP in 2005-12-12 shows the following whois netblock:
http://whois.domaintools.com/209.8.234.21

CustName: SecurityMinded Technologies LLC. Dba Myriad Network
Address: 37 Pidgeon Hill Drive
Address: #106
City: Sterling
StateProv: VA
PostalCode: 20165
Country: US

My employer kicks ass for figuring out this sort of stuff.

Comment by Nthalk — May 8, 2007

“Quick, they are giving away free stuff and helping the community.. lets take them down!” -DOS Attackers

I donated. Go jQuery!

Comment by Marc Grabanski — May 8, 2007

DOS attack on jQuery -> despicable behaviour
Host company -> I think that they aren't real professionals. The solution they provided to this problem was the easiest way. Anyone can do it.

Comment by ANBe — May 8, 2007

“John and the rest of the jQuery team are not likely to reveal the previous hosting provider. (Libel lawsuits, anyone?)”

I know the UK has easy libel laws, but in what country could revealing their previous provider be construed as libel?

Comment by Eric — May 9, 2007

@Marc: Thank you for the donation! :)

To all of the project supporters, thank you so much for your words of encouragement and continued support. Whether it's jQuery, Prototype, Audacity, Gaim or any open source effort, it's a shame that some people will do these things just for the sake of doing it.

Thanks again.

Comment by Rey Bango — May 9, 2007

To set the record straight:

"our host didn't want to deal with the influx of traffic that was bombarding us, so they simply just kicked us out."

is not a true statement. John — really, I expected better out of you.

A true statement would be:

“My server was compromised not once but twice. In both instances someone setup an IRC server on my server which was the target of a decent sized denial of service attack – 350Mbps+.” “Additionally, since I was unable to determine how the attackers got in (twice), my host asked me to move this website elsewhere as to not further disrupt the service provided to other customers”.

Comment by Thomas — May 14, 2007

Not only can the web bring out the worst in people, it can also bring out misinformation (who’da thunk it?!)

The author of this article is apparently not a big fan of fact checking. The fact is that the customer’s server was hacked twice, and the attacks that occurred as a result affected all customers on the server for a brief period of time in both cases. Efforts were made to protect all customers on the server, including the server hosting jquery.com. Assistance was offered by the hosting company to determine the method of attack after the first attack. No response was given to the hosting company from the customer in regards to the aforementioned offering of assistance.

If a customer fails to maintain control over their server multiple times, resulting in attacks that can negatively affect performance of all customers on the server, then that customer will be asked to leave. One customer’s website and needs do not trump the needs of the customer base on the server as a whole.

The customer in this case was not shut off by the hosting company, immediate actions were taken in both cases to protect everyone on the server, and the customer was informed that he could keep his hosting services with us, but that the attacked site would need to find a new host.

If you are going to assume the role of a Linux system's administrator, then you must do your duty to be one. It is not the hosting company's fault that the customer's server was hacked and DDoSd (not DoSd), nor is it the hosting company's fault that the local system's administrator (customer) failed to investigate the issue to patch the hole, resulting in the second attack which prompted the hosting company to inform the customer that the site would need to find a new home. Nice try shifting the blame on the hosting company with lies and misinformation though.

Comment by Jeff — May 14, 2007

One other thing I’ll add:

===
@Nice: We weren’t on a shared server.
Comment by Rey Bango — May 8, 2007
===

Yes, you were on a shared server. Oblivious to the server being hacked repeatedly for days at a time, oblivious about the service you had.

Comment by Jeff — May 14, 2007

@Jeff: First to be clear, I’m not the account holder of the server. John is.

Next, I don’t consider a VDS to be shared hosting solution and from your website, neither do you. To quote from your own marketing material:

“A virtual dedicated server (VDS) acts like a dedicated server in every way – while retaining the ease-of-use of virtual hosting. VDS costs far less than dedicated, but you get root access, your own mail server, your own IP number, and a lot more. It’s the choice for serious developers, ecommerce sites, or any other Web business that’s outgrown its shared hosting environment.”

The last sentence is a complete contradiction to your statement.

Finally, nobody on the jQuery team has either mentioned your company name nor publicly lambasted you. If anything, all of us have avoided mentioning the issue and focused on thanking folks for their support. What others not associated with the project find via their own initiative is their prerogative.

Regardless of the circumstances, you shut down the jQuery site with no notice and shut out a number of people that are dependent on this open source project for their day to day work. If you had given John ample notice that the site needed to be moved, especially considering the past issues that you mentioned, I'm sure that he would've obliged, moved the site and helped alleviate your immediate concerns.

Comment by Rey Bango — May 14, 2007

@Rey – for all technical purposes, a VDS is a “shared” hosting solution (multiple environments within a single machine). That’s what Jeff was referring to.

Unfortunately, in a situation like this it’s not always possible to provide “due notice” – since the attacks were occurring immediately. They did give me continued access to the server, to move information off – but since the direction of the attacks was undetermined, they had to shut down all, possibly-breached, services (such as the web server).

Comment by John Resig — May 14, 2007

@John: Ah okay. I’m glad that they gave you access to get the data off.

@Jeff: John has clarified what you meant by shared hosting and also the immediacy of your decisions.

Hopefully, this issue can be put to rest as there’s lots to be done with the jQuery library.

Comment by Rey Bango — May 14, 2007

I’d also ask everyone to not immediately assume the hosting provider is at fault. We go to great lengths to help each and every customer. In this case our hands were tied.

@ Rey “and running during our previous host’s less than business-like termination of the hosting service”

It's comments like the above which are unfounded and unnecessary.

Comment by Thomas — May 14, 2007

Thank you for clarifying, John. It was just frustrating learning of this "article" where the hosting company was made to sound complacent and uninterested in helping the customer, when that is the complete opposite of what actually took place. Yes, it was a big inconvenience for you guys to have had to move your site. It was also an inconvenience for other customers that had to suffer because someone else on the server was getting repeatedly attacked. Due to the lack of a single complaint from any other customer on the server, I'd say we handled it as quickly and efficiently as possible, both times. It would have been negligent of us to not take immediate action in an effort to maintain server stability.

It’s an undesirable situation for everyone involved – you, the other customers, and us. In the end a business decision had to be made for the benefit and stability of our customers and our server. No hard feelings, nothing personal, just trying to maintain the high quality of service that we have always provided, and will continue to provide.

Anyone wanting to “warn” someone else about us should know that best efforts are made to assist every customer, even for an unmanaged service such as the VDS offerings.

I agree with putting this issue to rest. Best of luck to you all, and congratulations on your success. I am proud to be part of the company that hosted jquery.com on a server that had uptimes as long as 277 days without a single issue, requiring a reboot only for proactively installing a new kernel to address security updates (this is documented in our forums). Take care.

Comment by Jeff — May 14, 2007

From http://tools.ietf.org/html/rfc4732, "Eliminate Bad Traffic Early":
Many DoS attacks are generic bandwidth consumption attacks that
operate by clogging the link that connects the victim server to the
Internet. Filtering these attacks at the server does no good because
the traffic has already traversed the link that is the scarce
resource. Such flows need to be filtered at some point closer to the
attacker. Where possible, operators should filter out obviously bad
traffic. In particular, they should perform ingress filtering.

Comment by Vlad — October 22, 2007
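The RFC passage quoted in the comment above says filtering at the victim is too late and that operators should filter "obviously bad traffic" at ingress, closer to the source. The following is an added example, not code from the original page or from jQuery's or the hosting company's infrastructure, that shows what such an ingress check looks like in practice: a provider edge drops any packet whose source address is not one of the prefixes assigned to the customer interface it arrived on, and drops private/reserved ("bogon") sources outright. The interface names, assigned prefixes and sample packets are all constructed for the illustration; the prefix assignment table would come from the operator's own address plan.

```python
"""Ingress (source-address) filtering in the style RFC 4732 recommends.

Hypothetical provider edge: each customer-facing interface has a known
set of source prefixes. A packet whose source lies outside the prefixes
of the interface it arrived on cannot be legitimate (it is spoofed or
misrouted) and is dropped before it reaches the congested link toward
the victim. All names and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: ingress interface -> prefixes assigned to that customer.
ASSIGNED_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

# Sources that must never appear on a customer-facing interface
# (private, loopback, link-local, multicast, reserved).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # source address as text
    dst: str          # destination address as text


def classify(pkt):
    """Return ("accept" | "drop", reason) for one packet.

    Order matters: bogon sources are rejected before the per-interface
    check so that a private source is reported as such even if someone
    mistakenly assigned a private prefix to an interface.
    """
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return ("drop", "unparseable source address")
    # Membership tests across IPv4/IPv6 simply return False, so mixing is safe.
    if any(src in net for net in BOGON_PREFIXES):
        return ("drop", "bogon source")
    allowed = ASSIGNED_PREFIXES.get(pkt.ingress_if)
    if allowed is None:
        return ("drop", "unknown ingress interface")
    if any(src in net for net in allowed):
        return ("accept", "source within prefix assigned to ingress interface")
    return ("drop", "source not assigned to ingress interface (spoofed)")


def filter_packets(packets):
    """Apply classify() to a batch. Returns (accepted, dropped) where dropped
    is a list of (packet, reason) so an operator can see why each was cut."""
    accepted, dropped = [], []
    for pkt in packets:
        verdict, reason = classify(pkt)
        if verdict == "accept":
            accepted.append(pkt)
        else:
            dropped.append((pkt, reason))
    return accepted, dropped


# Constructed sample traffic: two legitimate packets, four that ingress
# filtering removes before they can consume the victim's link.
SAMPLE_PACKETS = [
    Packet("cust-a", "198.51.100.7", "192.0.2.10"),    # legitimate
    Packet("cust-a", "203.0.113.9", "192.0.2.10"),     # spoofed: cust-b's space on cust-a
    Packet("cust-b", "10.0.0.5", "192.0.2.10"),        # bogon (RFC 1918) source
    Packet("cust-b", "2001:db8:b::1", "2001:db8:1::1"),  # legitimate IPv6
    Packet("cust-c", "198.51.100.7", "192.0.2.10"),    # interface with no assignment
    Packet("cust-a", "not-an-ip", "192.0.2.10"),       # malformed source
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print(f"accepted {len(ok)}, dropped {len(bad)}")
    for pkt, reason in bad:
        print(f"  drop {pkt.ingress_if} {pkt.src} -> {pkt.dst}: {reason}")
```

The point of the example is where the check runs, not how: this logic is useless on the victim's own server, because by then the bytes have already crossed the link that was the scarce resource. It belongs on the router facing the customer that originates the traffic, where the assigned-prefix table is authoritative.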
