14 June 2005
Having worked in computer security, I have always expected some random attempts to "hack" into my websites. I expect the odd entry in my weblogs from someone randomly trying exploits. The fact that most of the attempts are for Windows exploits while I run a Linux based server confirms to me that these are random acts performed by script kiddies with little or no intelligence about what they are doing.
Last week, however, I detected an attempted Denial of Service (DOS) attack against www.firstaidquiz.com, which is hosted on this webserver. The difference with this attack is that the perpetrator actually knew what site he/she was targeting. The website provides a quiz and a number of games that help teach or reinforce the lifesaving skills of first aid. The website is run for the benefit of the community; it does not receive any financial support and does not make a charge or earn any profit. It's just run as a community service. Whilst the site is not a "registered" charity, like many not-for-profit sites it adheres to the principles that charities do, but without the inconvenience of the paperwork and bureaucracy that are a legal requirement for registered charities. The attempted hacks that target the server without success are most likely automated scripts, and their perpetrators have never even seen what the site is about. This person, however, did go onto the website and made a conscious decision to launch a DOS attack against the machine.
A Denial of Service (DOS) attack is one where an attacker attempts to prevent a site from working. It often works by trying to use up all the computer resources or bandwidth of the server. In this case the attempt was to create a large number of simultaneous sessions to use up the computer's resources. Whilst the attacker succeeded in using up some of the machine's resources, the only person impacted by the attack was him/herself. The server was under a light load at the time and no other users were affected, although potentially this could have been disruptive to users of the site. The problem with DOS attacks is that they are very hard to protect against. Whilst some types of attack can be reduced by making changes to the code or to the configuration of the server, if a large enough attack occurs the only way to keep the website up is to pump lots of money into bigger, faster servers and network connections. Even the big companies with lots of financial backing still become victims of successful DOS attacks, including Google, Yahoo and Microsoft.
Unlike the other script kiddies, this person actually knew what site they were attacking. They probably didn't care what the site was, but it was obvious that this is a non-commercial website. I see this as similar to physical vandalism against a charity, which also happens on a regular basis. The technique may be different, but the net result is the same. It prevents the charity from carrying out its work; it puts costs (financial or otherwise) on the organisation to rectify the problem, and means that resources that should be channelled into the public good are instead focused on dealing with the vandalism. In my case, time and effort that could have been used for improving the site and adding new features for people to enjoy and learn from has instead been spent on trying to prevent this happening again. It also means that more processing is required for the anti-DOS code that has been introduced, so performance may be worse for visitors (especially during busy times), and potentially this could have financial implications if a faster server is needed to counteract this problem.
The attack appears to originate from a Broadband Easynet Customer.
I have now added new code to reduce the risk of this happening again. Unfortunately, any anti-DOS code also has the potential to block legitimate users. Hopefully the settings mean that this is extremely unlikely, but I will be monitoring it closely. I already receive emails whenever any suspicious activity occurs.
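As an added illustration of the kind of check the post describes (many simultaneous sessions from one source, and anti-DOS code that must avoid catching legitimate users), not the code running on this server or on www.firstaidquiz.com: a sliding-window request counter run over constructed Apache-style access log lines. The IPs, paths, timestamps and thresholds are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client IP, identd, user, [timestamp], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real logs): 203.0.113.5 sends three requests per second
# for 20 seconds, the "large number of simultaneous sessions" pattern; 198.51.100.7
# is an ordinary visitor. Addresses, paths and times are invented.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 - - [14/Jun/2005:20:01:{s // 3:02d} +0100] "GET /quiz.php?q={s} HTTP/1.1" 200 5123'
     for s in range(60)]
    + ['198.51.100.7 - - [14/Jun/2005:20:01:03 +0100] "GET /index.html HTTP/1.1" 200 2048',
       '198.51.100.7 - - [14/Jun/2005:20:01:25 +0100] "GET /quiz.php HTTP/1.1" 200 5123']
)

def parse_line(line):
    """Return (client_ip, timestamp) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts

def find_floods(log_text, window_seconds=10, max_requests=20, allow_list=()):
    """Per-IP sliding-window count over lines in chronological order; returns {ip: first time
    it exceeded max_requests within window_seconds}. allow_list IPs are never flagged."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if ip in allow_list or ip in flagged:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            flagged[ip] = ts              # this is the point at which an alert email would go out
    return flagged
```

The allow list matters because a school or office behind one NAT address can legitimately look like a flood, so a threshold like this is better used to alert and monitor first, as the post describes, and to block only once the settings have been tuned against real traffic.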