Fairfax, VA, USA. TS-Si.org sustained and defeated a Distributed Denial-of-Service (DDoS) attack designed to prevent access by our users and disable certain site features.

The confirmed attack destination was the article entitled Classic Transsexual and its associated comments.

TS-Si does not tolerate interference in its operations. The external sources have been blocked and repair efforts completed. We are in the process necessary to impose punitive remedies on the perpetrators.

This column provides a description of the attack and its aftermath. Unfortunately, what should be a straight forward technical situation of interest to law enforcement became politicized. Fueled by an unsavory cultural conflict, the aftermath mentioned below demonstrates an overall deterioration in civil dialogue and plain common sense.

Background

We set up the site fully aware of the need for security, given the subject matter and focus on people born transsexual. We weathered all sorts of physical attacks on the site, mainly from sources that identified themselves as transgender-oriented who disagreed with our position on the subject, or from pornographers interested in "teaching us a lesson" of some sort.

There are all kinds of motivations behind such behavior. Industry-wide analyses have shown that once financial and partisan political actions are subtracted from the mix, what is left has a lot to do with very dark psychological states. The targets of attacks aren't even very important to the act. Perpetrators attack most sites, including TS-Si.org, because they enjoy it. They are bullies, plain and simple.

In our case, the presence of "transsexual" is a convenient but phony rationale — an excuse. We have heard from colleagues at sites that deal with cancer, child abuse, fund raising for homeless war veterans, you name it — they too have been attacked over nothing more than the desire of a twisted someone, somewhere to inflict pain and "teach a lesson".

We deal with these things on a constant basis. Most often, the public is unaware of the struggle but there are times when one of them reaches the awareness of our users. This has been one of those cases. We are very sorry that our visitors were inconvenienced. We have taken steps to further elevate our defenses and prevent a recurrence (or, at least, minimize the impact).

The Launch Site

The source of the attack was a pornography site under management by a group known for spamming to achieve a larger customer base. They also launch hostile actions against sites, or certain individuals that appear on those sites, on the basis of what appears to be personal animus. I will not disclose the identity of the site to protect an ongoing investigation by law enforcement authorities (here in the US and abroad).

The effect of the attack on TS-Si.org was amplified by being distributed through another group of sites. A DDoS involves targeting the site from multiple external systems. The perpetrator in this case acted as a single source that turned subservient servers into zombies that did the actual accesses.

The zombies were from a collection of online poker sites, led by "twoplustwo", a "dot com" site with very high traffic and a highly active forum. I have not included the full URL because of the known adware and malware threats.

The owner of the domain is a company in Henderson (Nevada, USA), within the Los Vegas metropolitan area. It is administered from a location in Pittsburgh (PA, USA), with resources here and abroad.

A particular forum thread on that site, Things that have always bugged you, was the first to relay the access requests. It was wired to launch repetitive accesses to the TS-Si.org web page, which was then followed by requests from other threads and allied sites. The individual implicated in this effort has been identified and cited for his actions.

Attack Sequence

On 5 September 2009, TS-Si.org was subjected to a Distributed Denial-of-Service (DDoS) attack in an attempt to make the site unavailable to its users.

A DoS attack is a blunt instrument: it launches repetitive requests to access a web site's resources in an attempt to render the resource unavailable to its intended users. Certain high-profile cases that make the news are those intened to cripple financial or social networking sites.

This method of attack can also be used to attack personal web sites or groups that fit the perpetrators' notions of an undesirable presence on the web.

While the overall target was TS-Si.org, the specific destination was an article entitled Classic Transsexual and the accompanying comments. Ordinarily, the attack would have no more impact on that page than any other on the site, since a DoS attack primarily affects the server and overall site access, regardless of the specific page.

However, this attack pointed at a specific page address, which meant there were numerous page loads and (browser) renders that often conflicted with each other. We redirected resources to that point but it strained both the server software and the application that processes the comments.

Our servers processed 72.35 million requests for service during the few hours that led up to my first bulletin on the comment thread that an attack was underway — at 2009-09-05 09:26:11 EDT(US).

Since such an attack can overload a server, the system configuration can lose its alignment as it actively resists the intrusion. A number of things went wrong but were handled on the fly as our protections activated to deflect the intrusion. The facility that handles visitor comments appended to articles was affected, particularly difficult because it is highly visible to our visitors (more on this, below).

We could have taken the site offline and restored a backup fom an earlier time period, but that would stimulate even more charges of comment deletion and unfair treatment. Moreover, we would still have the problem of server/application misalignment. We decided to risk repairs on the fly. We have some very good people in our support network.  

TS-Si Actions During The Event

Our system-level processes protected the site and kept it available to visitors, albeit it with reduced performance and services. The visitor service most affected was our facility for posting user comments. The settings for system software and the application were misaligned. The comment threads were limited in size and extent (i.e., number of comments per article).

During our clean up period after the attack, we reduced the number of active allowable comments per article — any article — throughout the site to reduce server load and work on the misconfiguration issue. We did not want to inconvenience our users too much, so we selectively disabled some of the comments.

As I stated in one of my site updates posted to the Classic Transsexual column, we started with most of the comments by our principals, Sharon Gaughan and Lisa Thompson, joined later by some others. We only did what was necessary, but recognize that the discussion flow was seriously affected. The only alternative was to unpublish all of them.

In any event, and as promised at the time, all comments have been restored to their orginal state and position in the comment thread. No comment or personal information has been compromised in any way during this process. You can continue to comment anywhere on the site in complete confidence and we encourage you to do so.

Aftermath

I could stop the account of the attack right here except for the unsavory cultural conflict that erupted in its wake. We did choose to stay online and selectively unpublish some of the comments. Those actions were taken as evidence by Susan (SA-ET) of a deliberate attempt to embarrass Susan, as discussed in the post entitled Allies and a Recent Skirmish at the Enough Non-sense blog.

Some of the people who posted comments on Susan's post speculated on everything from TS-Si's conspiratorial intentions through recyled accusations of bad faith through our alleged transgender sympathies. After much consideration, I decided that a point-by-point refutation of these scurrilous charges would provide them with unjustifiable publicity. The original comments on Classic Transsexual have been restored. That will suffice for now.

I did leave several comments on Classic Transsexual that set forth my personal position on issues (and, where appropriate, those of TS-Si). One of my comments may be worth a second look, given the context of this column. The excerpt is below, nearly verbatim, with only minor editing for clarity:

(1) We did sustain a Distributed Denial of Service (DDoS) attack that took several hours to resolve. The server never did go down altogether, but took some damage.

(2) As I pointed out in an earlier comment near the end the discussion, we took some damage to our server system configuration. One of the results was a destabilization of the commenting facility. We had to unpublish some of the comments. Not wanting to inconvenience our users, I unpublished most comments by Lisa Thompson, Sharon Gaughan, and another person who understands the need. We did this to stay within a ceiling we set on comment entries while we worked out a permanent solution.

The current limit is set for "50" comments per article. If necessary, I will unpublish some more comments while we work on the problem. Once resolved, we will readjust the ceiling to accomodate a much larger comment thread.

(3) We have not yet fully resolved the issue but expect a fix in the next few days. When that happens, we will restore all comments in the thread — as pledged in my updates on the problem.

(4) We practice transparency on this site, which is why I posted a series of updates to keep readers appraised of the situation.

(5) Since our founding, this site has been subjected to all manner of attacks from external sources in an attempt to disrupt or eliminate our operation. We seldom report publicly on such things, feeling it would be an unnecessary distraction. In this case, the DDoS effects were visible to our users and we felt it necessary to provide an explanation. We will do a wrap-up at a later date.

(6) The most recent stimulus for my comment here is an entry by Susan (SA-ET) that cites Lisa Thompson, discussing her and TS-Si. I have appended the passage for your review. [cf. Note]

Posted by Susan (SA-Et): She has since deleted the comment she made that lead me to respond in that manner. She also deleted a second baiting comment. That’s the TS-Si way of controlling opinion…bait with a an insulting, asinine comment, and then delete the baiting comment after one responds. Baiting someone on your blog with a comment and then deleting the baiting comment to make the person who addresses it look bad is pubescent child behaviour. I don’t participate in that kind of crap, and no doubt there will be no one who questions TS-Si about why she deleted her two baiting comments after I responded.

Once again, please note: Lisa Thompson did not delete any comments. I unpublished some of them to avoid further crashes of the commenting facility. As stated during the attack, we will republish them when I am satisfied the system issues are fully resolved.

Quod Erat Demonstrandum

Ms. Sharon Gaughan is the Co-Founder, VP, and Executive Director of TS-Si, Inc. She also serves as the Managing Editor and columnist for the TS-Si website.  Ms. Gaughan's signed articles contain her own opinions and do not necessarily convey an official position of TS-Si, its partners, or affiliates.

 

Sharon welcomes your comments. You can use the public form below or send private correspondence via her TS-Si Contact Page. We will not divulge any personal details or place you on a mailing list without your permission.

Add this page to your favorite Social Bookmarking websites.

To create link towards this article on your website,
copy and paste the text below in your page.

<style type="text/css"><!--.quote {width:400px; padding: 6px; border: solid 1px #456B8F; font: 11px helvetica, verdana, sans-serif; color: #222222; background-color: #ffffff}.quote a {font: 13px arial, serif; color: #003399; text-decoration: underline}.quote a:hover {color: #FF9900; }//--></style><div style="float:left;padding:5px;"><img src="http://ts-si.org/images/stories/BinaryCodeDenialService.jpg" width="125" alt="" /></div><div class="quote"><a href="http://ts-si.org/looking-glass/19456-site-update-denial-of-service.html" target="_blank">Site Update: Denial of Service</a><br />Wednesday, 09 September 2009<div align="right" style="width:400px"><p style="text-align:right;"><a href="http://ts-si.org/" target="_blank">TS-Si.org</a></p></div></div>

Preview :

Site Update: Denial of Service
Wednesday, 09 September 2009

TS-Si.org

Comments (6)

Subscribe to this comment's feed

Show/Hide comments

..., You did a wonderful job dealing with the attack. I

09 September 2009     

You did a wonderful job dealing with the attack. I barely would have noticed the issue. Sites are slow or down all the time. Yours did better under attack than some do in the normal course. It is unfortunate that you were criticized for taking modest temporary actions affecting the comment page to keep the discussion going. But, then, no good deed goes unpunished! Next time, feel free to delete my comments. You will only save me embarrassment!

dianakat

..., Dear Sharon and Lisa, Thank your for this update a

09 September 2009     

Dear Sharon and Lisa, Thank your for this update and for your honesty and trust in disclosing the entire DDoS event. And thank you, too, for making good on your earlier promises, and for maintaining the integrity of TS-Si in the process. It's always discomfiting to hear about the failings of some people that lead them to perpetrate hate crimes - and let's call this attack on TS-Si what it truly was...a hate crime - but it's good to hear that they were largely unsuccessful. I'm sure everyone who visits this site and benefits from it, regardless of how much or how little, are in agreement: we're sorry it happened, but we're happy you survived! While there will always be personal differences among your readers and commenters, the one common denominator we all share is that your website provides a forum for everyone, with relevant news and science articles, educational enrichment, support, and topics for debate all freely offered within a framework of acceptance and tolerance rarely found in such abundance elsewhere. Bless you all for enduring, for your silent fight, and for your candid disclosure. Kudos!

Kelly

Thank you, Diana, It has been a difficult period, but we

09 September 2009     

It has been a difficult period, but we are now stronger at the broken places. You said Next time, feel free to delete my comments. Um, actually, I did. As described in the column, it became necessary. At first, I restricted the unpublication actions to Lisa, me, and you (in turn). It was only near the end of the process that we did another person. After that, in tandem with code and configuration fixes, we rapidly returned to service. In the by the way department, consider this. This morning, Mark - an associate - put up some dummy test messages to test the fixes. I received over 70 emails from people who had subscribed to the comment feed, wondering if we were making progress and offering their support. I love our visitors. Well, most of them anyway.

Sharon S. Gaughan

Thank you, Kelly, We are more determined than ever to ke

09 September 2009     

We are more determined than ever to keep on keeping on. Wow, does that phrasing ever date me! Now if only I can find where I left my barette under all of this rubble.
Sharon S. Gaughan

..., I'm glad you had the blocks in place and were able

10 September 2009     

I'm glad you had the blocks in place and were able to remain "on-line" throughout the attack. Congratulations. If you ever need another volunteer for comment removal, don't hesitate, I'll just mumble to myself ( a life time habit my Mother use to tell me* ) but I promise no bad words. Pamela *She said when I was quite small and told to do something, I would mumble something under my breath, but do what I was told; took her a while to finally catch me mumbling "I Don't HAVE To"; she thought a swat on the butt cured me, nope I just quit saying it out loud .

Pamela Dunn

Thank you, mumbles (er, Pamela), We are in this for the

10 September 2009     

We are in this for the long haul and must expect an occasional attack on our convoy. The attack wasn't about us, but a manifestation of predatory delusions in the shark pack. You said: If you ever need another volunteer for comment removal, don't hesitate, I'll just mumble to myself (a life time habit my Mother use to tell me*) but I promise no bad words. I will keep that in mind while we work to ensure we withstand further attacks without inconvenience to our users. Of course, what I say here does not necessarily communicate everything that is on my mind.

Sharon S. Gaughan

Show/Hide comment form

Name

Email

Website

Title

Comment

smaller | larger

I have read and agree to the Terms of Usage.

Add Comment