By Gregg Keizer, TechWeb.com
http://www.informationweek.com/story/showArticle.jhtml?articleID=187200875
Blue Security's chief executive last week denied that the server he
repointed at a TypePad blog earlier this week brought along a denial
of service attack that caused that blogging service, and others hosted
by Six Apart, to crash.
"When we changed the domain name server to point to TypePad, there was
no traffic flowing into our corporate server at http://www.bluesecurity.com "
said Eran Reshef, Blue Security's CEO.
"I'm one of the victims here," Reshef said.
The dispute over the whats and hows and whens of the incident, which
dropped Six Apart's TypePad, LiveJournal, and MessagePad blogging
services offline for approximately 8 hours late Tuesday and early
Wednesday U.S. time, was fueled Thursday by analysts who said Reshef's
story didn't add up.
Friday, Reshef acknowledged that some of his company's servers had
been subjected to a large denial-of-service (DoS) attacks for days,
but said those were operational, or back-end, servers, and not
connected to his anti-spam company's front door at http://bluesecurity.com.
Earlier, he had denied that any DoS wasunderway.
"I just discovered that today," he said.
"There was no DoS on the corporate server," when he repointed the URL
to a dusted-off blog on TypePad's blogs.com domain to get out the word
that the site was unavailable outside Israel, where Blue Security is
based.
Reshef had earlier said that a Russian spammer, dubbed "PharmaMaster,"
had bribed a worker at a "major ISP" to reroute Internet traffic so
that no page requests reached Blue Security's Web site from outside
the country. Friday, Reshef said that further investigation now led
him to believe that a "blackhole filter," a technology often applied
in DoS defenses, was maliciously used to block incoming traffic.
Reshef provided TechWeb with copies of Blue Security's Web logs that
showed a drop in access from locales outside Israel over an hour and
45 minute span. During the last 7 minutes of that log, only 28 percent
of the site accesses originated outside Israel.
"It wasn't the best decision to reroute traffic to TypePad," Reshelf
said. But he again defended the repointing, saying that if he had
suspected the attacker would follow Blue Security to the TypePad blog,
he would have done things differently. "I would have just put out a
press release," he said.
Reshef said that TypePad readers were able to add comments to the blog
for at least 30 minutes after Blue Security repointed its
servers. Blue Security redirected its site to TypePad at 11:20
p.m. (GMT) on Tuesday, May 2, he said. But comments were posted from
11:27 to 11:57 p.m., at which point the string broke, not to be
resumed for more than two hours. Six Apart said this week that the DoS
attack began at approximately 4:00 p.m. PDT (midnight GMT, May 3), or
about 40 minutes after Blue Security said their site was
redirected. "If the site [wwwl.bluesecurity.com] had been under attack
[when we redirected], packets would have reached TypePad within
minutes," Reshef said. That users were able to reach the blog and
leave comments proves that Blue Security did not drag an ongoing DoS
attack to TypePad and Six Apart.
But when asked if he had contacted Six Apart prior to repointing his
corporate site, or informed them that other company servers were
currently under attack at the time, he only answered "I'm not saying
this was the smartest move."
For its part, San Francisco-based Six Apart refused to divulge details
of the attack's timeline. "We're not pointing the finger at anyone,"
said Jane Anderson, a spokesperson for Six Apart. "No, we've not
contacted Blue Security, but we have been in touch with the FBI. This
[DoS] was a criminal event, and we intend to follow up."
One possible explanation for the mysterious drop-off in incoming
traffic to http://www.bluesecurity.com -- which was what led Reshef
and his company to redirect the URL to TypePad -- is that Blue
Security's own Israeli ISP shut down traffic to block a building DoS.
Todd Underwood, the chief of operations and security at Manchester,
N.H.-based Renesys, an Internet monitoring and routing analysis firm,
said Friday that it's possible that Blue Security's ISP used a
blackhole filter to stem an outside attack.
"It's entirely plausible that NetVision put a black hole filter in
place," said Underwood, "if they were seeing large numbers of packets
aimed at Blue Security and didn't want to drag the traffic all the way
from, say, New York."
NetVision, which has offices in Tel Aviv and Haifa, Israel, was not
available due to the time difference.
"No, I haven't talked with NetVision," said Reshelf, who confirmed
that NetVision was his company's ISP. "They haven't called us,
either."
Reshef said he and others at Blue Security had been too busy dealing
with the crisis this week to find out if NetVision had activated a
blackhole filter. He acknowledged, however, that it was a "possible
explanation."
"If that's what happened, and they haven't told us about it for four
days, then I will have to have a long talk with them," Reshef said.
Copyright 2005 CMP Media LLC
Greg Keizer (techweb@telecom-digest.org)