Site Update: Denial of Service
Opinion - Looking Glass
Wednesday, 09 September 2009 20:00
Fairfax, VA, USA. TS-Si.org sustained and defeated a Distributed Denial-of-Service (DDoS) attack designed to prevent access by our users and disable certain site features.
The confirmed attack destination was the article entitled Classic Transsexual and its associated comments.
TS-Si does not tolerate interference in its operations. The external sources have been blocked and repair efforts completed. We are pursuing the process necessary to impose punitive remedies on the perpetrators.
This column provides a description of the attack and its aftermath. Unfortunately, what should be a straightforward technical situation of interest to law enforcement became politicized. Fueled by an unsavory cultural conflict, the aftermath mentioned below demonstrates an overall deterioration in civil dialogue and plain common sense.
This situation has plenty of precedents. Following our phase change in 2004 from a private list to a web site, the predecessor domain to TS-Si.org published its first test article in May of that year. We have grown substantially since that time, combining original texts, reprints, and collaborative pieces to serve our readership.
We set up the site fully aware of the need for security, given the subject matter and focus on people born transsexual. We weathered all sorts of physical attacks on the site, mainly from sources that identified themselves as transgender-oriented who disagreed with our position on the subject, or from pornographers interested in "teaching us a lesson" of some sort.
There are all kinds of motivations behind such behavior. Industry-wide analyses have shown that once financial and partisan political actions are subtracted from the mix, what is left has a lot to do with very dark psychological states. The targets of attacks aren't even very important to the act. Perpetrators attack most sites, including TS-Si.org, because they enjoy it. They are bullies, plain and simple.
In our case, the presence of "transsexual" is a convenient but phony rationale — an excuse. We have heard from colleagues at sites that deal with cancer, child abuse, fund raising for homeless war veterans, you name it — they too have been attacked over nothing more than the desire of a twisted someone, somewhere to inflict pain and "teach a lesson".
We deal with these things on a constant basis. Most often, the public is unaware of the struggle but there are times when one of them reaches the awareness of our users. This has been one of those cases. We are very sorry that our visitors were inconvenienced. We have taken steps to further elevate our defenses and prevent a recurrence (or, at least, minimize the impact).
The Launch Site
The source of the attack was a pornography site under management by a group known for spamming to achieve a larger customer base. They also launch hostile actions against sites, or certain individuals that appear on those sites, on the basis of what appears to be personal animus. I will not disclose the identity of the site to protect an ongoing investigation by law enforcement authorities (here in the US and abroad).
The effect of the attack on TS-Si.org was amplified by being distributed through another group of sites. A DDoS involves targeting the site from multiple external systems. The perpetrator in this case acted as a single source that turned subservient servers into zombies that did the actual accesses.
The zombies were from a collection of online poker sites, led by "twoplustwo", a "dot com" site with very high traffic and a highly active forum. I have not included the full URL because of the known adware and malware threats.
The owner of the domain is a company in Henderson (Nevada, USA), within the Las Vegas metropolitan area. It is administered from a location in Pittsburgh (PA, USA), with resources here and abroad.
A particular forum thread on that site, Things that have always bugged you, was the first to relay the access requests. It was wired to launch repetitive accesses to the TS-Si.org web page, which was then followed by requests from other threads and allied sites. The individual implicated in this effort has been identified and cited for his actions.
On 5 September 2009, TS-Si.org was subjected to a Distributed Denial-of-Service (DDoS) attack in an attempt to make the site unavailable to its users.
A DoS attack is a blunt instrument: it launches repetitive requests to access a web site's resources in an attempt to render the resource unavailable to its intended users. Certain high-profile cases that make the news are those intended to cripple financial or social networking sites.
This method of attack can also be used to attack personal web sites or groups that fit the perpetrators' notions of an undesirable presence on the web.
While the overall target was TS-Si.org, the specific destination was an article entitled Classic Transsexual and the accompanying comments. Ordinarily, the attack would have no more impact on that page than any other on the site, since a DoS attack primarily affects the server and overall site access, regardless of the specific page.
However, this attack pointed at a specific page address, which meant there were numerous page loads and (browser) renders that often conflicted with each other. We redirected resources to that point but it strained both the server software and the application that processes the comments.
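The pattern described above, a flood concentrated on one page address and relayed through a referring thread, can be checked for in web server logs. The following is an added example, not TS-Si's own tooling; it assumes Combined Log Format and that the relaying thread shows up in the Referer field, and the log lines, hostnames, paths and thresholds are all constructed.

```python
import re
from collections import Counter

# Combined Log Format: ip - - [time] "METHOD path PROTO" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse(lines):
    """Yield (ip, path, referer) for well-formed lines; skip malformed ones."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            # Drop the query string so variants of one page count as one target.
            yield m["ip"], m["path"].split("?", 1)[0], m["referer"]

def hot_page_report(lines, share_threshold=0.5, min_requests=20):
    """Flag a single page that absorbs an outsized share of all requests."""
    hits = list(parse(lines))
    if len(hits) < min_requests:
        return None
    paths = Counter(p for _, p, _ in hits)
    path, count = paths.most_common(1)[0]
    share = count / len(hits)
    if share < share_threshold:
        return None
    on_page = [(ip, ref) for ip, p, ref in hits if p == path]
    referers = Counter(ref for _, ref in on_page if ref not in ("", "-"))
    top_ref, ref_count = referers.most_common(1)[0] if referers else (None, 0)
    return {
        "path": path,
        "share": round(share, 2),
        "distinct_sources": len({ip for ip, _ in on_page}),
        "top_referer": top_ref,
        "referer_share": round(ref_count / count, 2),
    }

def sample_log():
    """Constructed sample: 40 flood requests to one article plus 10 normal hits."""
    fmt = '{ip} - - [05/Sep/2009:09:00:00 -0400] "GET {path} HTTP/1.1" 200 512 "{ref}" "UA"'
    flood = [fmt.format(ip=f"198.51.100.{i % 8}", path="/article/example?c=%d" % i,
                        ref="http://forum.example/thread/1") for i in range(40)]
    normal = [fmt.format(ip=f"203.0.113.{i}", path=f"/news/{i}", ref="-") for i in range(10)]
    return flood + normal

if __name__ == "__main__":
    print(hot_page_report(sample_log()))
```

A report of this kind identifies which page to cache or rate-limit and which referring source to block, while the count of distinct sources shows whether blocking by address alone would be enough.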
Our servers processed 72.35 million requests for service during the few hours that led up to my first bulletin on the comment thread that an attack was underway — at 2009-09-05 09:26:11 EDT(US).
Since such an attack can overload a server, the system configuration can lose its alignment as it actively resists the intrusion. A number of things went wrong but were handled on the fly as our protections activated to deflect the intrusion. The facility that handles visitor comments appended to articles was affected, which was particularly difficult because it is highly visible to our visitors (more on this, below).
We could have taken the site offline and restored a backup from an earlier time period, but that would stimulate even more charges of comment deletion and unfair treatment. Moreover, we would still have the problem of server/application misalignment. We decided to risk repairs on the fly. We have some very good people in our support network.
TS-Si Actions During The Event
Our system-level processes protected the site and kept it available to visitors, albeit with reduced performance and services. The visitor service most affected was our facility for posting user comments. The settings for system software and the application were misaligned. The comment threads were limited in size and extent (i.e., number of comments per article).
During our clean up period after the attack, we reduced the number of active allowable comments per article — any article — throughout the site to reduce server load and work on the misconfiguration issue. We did not want to inconvenience our users too much, so we selectively disabled some of the comments.
As I stated in one of my site updates posted to the Classic Transsexual column, we started with most of the comments by our principals, Sharon Gaughan and Lisa Thompson, joined later by some others. We only did what was necessary, but recognize that the discussion flow was seriously affected. The only alternative was to unpublish all of them.
In any event, and as promised at the time, all comments have been restored to their original state and position in the comment thread. No comment or personal information has been compromised in any way during this process. You can continue to comment anywhere on the site in complete confidence and we encourage you to do so.
I could stop the account of the attack right here except for the unsavory cultural conflict that erupted in its wake. We did choose to stay online and selectively unpublish some of the comments. Those actions were taken as evidence by Susan (SA-ET) of a deliberate attempt to embarrass Susan, as discussed in the post entitled Allies and a Recent Skirmish at the Enough Non-sense blog.
Some of the people who posted comments on Susan's post speculated on everything from TS-Si's conspiratorial intentions through recycled accusations of bad faith through our alleged transgender sympathies. After much consideration, I decided that a point-by-point refutation of these scurrilous charges would provide them with unjustifiable publicity. The original comments on Classic Transsexual have been restored. That will suffice for now.
I did leave several comments on Classic Transsexual that set forth my personal position on issues (and, where appropriate, those of TS-Si). One of my comments may be worth a second look, given the context of this column. The excerpt is below, nearly verbatim, with only minor editing for clarity:
Quod Erat Demonstrandum
Note: Susan (SA-ET) has published an addendum to the Enough Non-sense essay mentioned in the last section:
My attention has been called to THIS EDITORIAL. TS-Si contends their site was the subject of a Denial of Service attack which led to certain comments being temporarily “unpublished” in an effort to maintain TS-Si’s site integrity. This information was not available to me at the time I published the above.
Based on the circumstances, I choose to accept TS-Si’s explanation…and openly apologize to them for the insinuations made in my essay.
I will update this column, as appropriate, with additional information, as I did in the original comment thread.
Last Updated on Wednesday, 12 January 2011 11:48