Comments on: jQuery.com DOS Attacks

By: Vlad

Vlad — Mon, 22 Oct 2007 16:00:46 +0000

from http://tools.ietf.org/html/rfc4732
Eliminate Bad Traffic Early
Many DoS attacks are generic bandwidth consumption attacks that
operate by clogging the link that connects the victim server to the
Internet. Filtering these attacks at the server does no good because
the traffic has already traversed the link that is the scarce
resource. Such flows need to be filtered at some point closer to the
attacker. Where possible, operators should filter out obviously bad
traffic. In particular, they should perform ingress filtering.

By: Jeff

Jeff — Mon, 14 May 2007 19:05:17 +0000

Thank you for clarifying, John. It was just frustrating learning of this “article” where the hosting company was made to sound complacent and uninterested in helping the customer, when that is the complete opposite of what actually took place. Yes it was a big inconvenience for you guys to have to have moved your site. It was also an inconvenience for other customers that had to suffer because someone else on the server was getting repeatedly attacked. Due to the lack of a single complaint from any other customer on the server, I’d say we handled it as quickly and efficiently as possible, both times. It would have been negligent of us to not take immediate action in an effort to maintain server stability.

It’s an undesirable situation for everyone involved – you, the other customers, and us. In the end a business decision had to be made for the benefit and stability of our customers and our server. No hard feelings, nothing personal, just trying to maintain the high quality of service that we have always provided, and will continue to provide.

Anyone wanting to “warn” someone else about us should know that best efforts are made to assist every customer, even for an unmanaged service such as the VDS offerings.

I agree with putting this issue to rest. Best of luck to you all, and congratulations on your success. I am proud to be part of the company that hosted jquery.com on a server that had uptimes as long as 277 days without a single issue, requiring a reboot only for proactively installing a new kernel to address security updates (this is documented in our forums). Take care.

By: Thomas

Thomas — Mon, 14 May 2007 18:34:50 +0000

I’d also ask everyone to not immediately assume the hosting provider is at fault. We go to great lengths to help each and every customer. In this case our hands were tied.

@ Rey “and running during our previous hostâ€™s less than business-like termination of the hosting service”

its comments like the above which are unfounded and unnecessary.

By: Rey Bango

Rey Bango — Mon, 14 May 2007 18:01:23 +0000

@John: Ah okay. I’m glad that they gave you access to get the data off.

@Jeff: John has clarified what you meant by shared hosting and also the immediacy of your decisions.

Hopefully, this issue can be put to rest as there’s lots to be done with the jQuery library.

By: John Resig

John Resig — Mon, 14 May 2007 17:51:38 +0000

@Rey – for all technical purposes, a VDS is a “shared” hosting solution (multiple environments within a single machine). That’s what Jeff was referring to.

Unfortunately, in a situation like this it’s not always possible to provide “due notice” – since the attacks were occurring immediately. They did give me continued access to the server, to move information off – but since the direction of the attacks was undetermined, they had to shut down all, possibly-breached, services (such as the web server).

By: Rey Bango

Rey Bango — Mon, 14 May 2007 17:23:08 +0000

@Jeff: First to be clear, I’m not the account holder of the server. John is.

Next, I don’t consider a VDS to be shared hosting solution and from your website, neither do you. To quote from your own marketing material:

“A virtual dedicated server (VDS) acts like a dedicated server in every way â€“ while retaining the ease-of-use of virtual hosting. VDS costs far less than dedicated, but you get root access, your own mail server, your own IP number, and a lot more. It’s the choice for serious developers, ecommerce sites, or any other Web business that’s outgrown its shared hosting environment.”

The last sentence is a complete contradiction to your statement.

Finally, nobody on the jQuery team has either mentioned your company name nor publicly lambasted you. If anything, all of us have avoided mentioning the issue and focused on thanking folks for their support. What others not associated with the project find via their own initiative is their prerogative.

Irregardless of the circumstances, you shut down the jQuery site with no notice and shut out a number of people that are dependent on this open source project for their day to day work. If you had given John ample notice that the site needed to be moved, especially considering the past issues that you mentioned, I’m sure that he would’ve obliged, moved the site and helped alleviate your immediate concerns.

By: Jeff

Jeff — Mon, 14 May 2007 16:33:02 +0000

One other thing I’ll add:

===
@Nice: We werenâ€™t on a shared server.
Comment by Rey Bango â€” May 8, 2007
===

Yes, you were on a shared server. Oblivious to the server being hacked repeatedly for days at a time, oblivious about the service you had.

By: Jeff

Jeff — Mon, 14 May 2007 16:14:56 +0000

Not only can the web bring out the worst in people, it can also bring out misinformation (who’da thunk it?!)

The author of this article is apparently not a big fan of fact checking. The fact is that the customer’s server was hacked twice, and the attacks that occurred as a result affected all customers on the server for a brief period of time in both cases. Efforts were made to protect all customers on the server, including the server hosting jquery.com. Assistance was offered by the hosting company to determine the method of attack after the first attack. No response was given to the hosting company from the customer in regards to the aforementioned offering of assistance.

If a customer fails to maintain control over their server multiple times, resulting in attacks that can negatively affect performance of all customers on the server, then that customer will be asked to leave. One customer’s website and needs do not trump the needs of the customer base on the server as a whole.

The customer in this case was not shut off by the hosting company, immediate actions were taken in both cases to protect everyone on the server, and the customer was informed that he could keep his hosting services with us, but that the attacked site would need to find a new host.

If you are going to assume the role of a Linux system’s administrator, then you must do your duty to be one. It is not the hosting company’s fault that the customer’s server was hacked and DDoSd (not DoSd), nor is it the hosting company’s fault that the local system’s administrator (customer) failed to investigate the issue to patch the hole, resulting in the second attack which prompted the hosting company to inform the customer that the site would need to find a new home. Nice try shifting the blame on the hosting company with lies and misinfomation though.

By: Thomas

Thomas — Mon, 14 May 2007 15:37:55 +0000

To set the record straight

“our host didnâ€™t want to deal with the influx of traffic that was bombarding us, so they simply just kicked us out.”

Is not a true statement. John — really, I expected better out of you.

A true statement would be:

“My server was compromised not once but twice. In both instances someone setup an IRC server on my server which was the target of a decent sized denial of service attack – 350Mbps+.” “Additionally, since I was unable to determine how the attackers got in (twice), my host asked me to move this website elsewhere as to not further disrupt the service provided to other customers”.

By: Rey Bango

Rey Bango — Wed, 09 May 2007 17:20:44 +0000

@Marc: Thank you for the donation! :)

To all of the project supporters, thank you so much for your words of encouragement and continued support. Whether its jQuery, Prototype, Audacity, Gaim or any open source effort, its a shame that some people will do these things just for the sake of doing it.

Thanks again.

By: Eric

Eric — Wed, 09 May 2007 15:28:10 +0000

“John and the rest of the jQuery team are not likely to reveal the previous hosting provider. (Libel lawsuits, anyone?)”

I know the UK has easy libel laws, but in what country could revealing their previous provider be construed as libel?

By: ANBe

ANBe — Tue, 08 May 2007 17:27:07 +0000

Dos attack to JQuery -> despicable behaviour
Host company -> I think that they aren’t real professionals. The solution they provide to this problem was the easiest way. Anyone can do it.

By: Marc Grabanski

Marc Grabanski — Tue, 08 May 2007 16:04:28 +0000

“Quick, they are giving away free stuff and helping the community.. lets take them down!” -DOS Attackers

I donated. Go jQuery!

By: Nthalk

Nthalk — Tue, 08 May 2007 15:13:12 +0000

Tim, you appear to be right.

jQuery.com’s recorded IP in 2005-12-12 shows the following whois netblock:
http://whois.domaintools.com/209.8.234.21

CustName: SecurityMinded Technologies LLC. Dba Myriad Network
Address: 37 Pidgeon Hill Drive
Address: #106
City: Sterling
StateProv: VA
PostalCode: 20165
Country: US

My employer kicks ass for figuring out this sort of stuff.

By: Rey Bango

Rey Bango — Tue, 08 May 2007 13:41:03 +0000

@Nice: We weren’t on a shared server.

By: Nice

Nice — Tue, 08 May 2007 08:32:08 +0000

It doesn’t matter who that host was because *every* shared host out there is going to boot you off of a server if you’re the target of an attack. They can lose one customer to save a server of 100 customers, or lose 100 customers just to save one customer. DOS scenarios are what you discuss when purchasing a dedicated or colo server, not at some $9.99 cattleherding host.

By: TaL

TaL — Tue, 08 May 2007 07:42:14 +0000

Was the old hosting company “SecurityMinded Technologies LLC”??

By: Tim Cooijmans

Tim Cooijmans — Tue, 08 May 2007 07:09:35 +0000

It’s not libel if it’s true.

By: s

Tue, 08 May 2007 03:31:10 +0000

why should one attack a community site?,
recently javarss.com was also hacked…

sudhir
http://www.jyog.com

By: Michael Geary

Michael Geary — Tue, 08 May 2007 03:20:16 +0000

John and the rest of the jQuery team are not likely to reveal the previous hosting provider. (Libel lawsuits, anyone?)

Nonetheless, I am as curious as anyone else to know who they are! They certainly deserve a black eye. [sigh]