Networking Security

Holiday E-Commerce DDoS Attack Hits EC2 Cloud

Posted by Soulskill
from the tis-the-season dept.
ARos writes "A holiday DDoS attack targeted a west-coast DNS provider, which is known for serving large-scale E-Commerce sites (including amazon.com and walmart.com). 'Neustar, which provides DNS services to high profile website addresses under the UltraDNS brand, said the flood of malicious traffic, just two days before Christmas, was directed at the company's facilities in San Jose and Palo Alto, and that the effects were mostly limited to California users.' CNet adds: 'In addition to the high-profile sites, dozens of smaller sites that rely upon Amazon for Web-hosting services were also taken down by the attack. Amazon's S3 and EC2 services were affected by the problems, according to Jeff Barr, Amazon's lead Web Evangelist, who retweeted a report to that effect without clarification and confirmed it in later tweets.'"

  • Why? (Score:4, Insightful)

    by Brad1138 (590148) <brad1138@yahoo.com> on Friday December 25, 2009 @08:22PM (#30553554)
    Who is so damn board that they have nothing better to do than "attack" a web site? What feeling of accomplishment do they really get and/or what point are they trying to make? They need to get out of their mother's basement and do something with their lives.
    • by Shikaku (1129753)

      Who is so damn board that they have nothing better to do than "attack"

      ...Did Canada have a sudden rabies outbreak for beavers?

    • Re:Why? (Score:5, Funny)

      by palegray.net (1195047) <philip.paradis@p ... t ['ay.' in gap]> on Friday December 25, 2009 @08:46PM (#30553638) Homepage Journal

      Who is so damn board

      Hey, if I were made of wood I'd be angry too.

      • by Katchu (1036242)

        Who is so damn board

        Hey, if I were made of wood I'd be angry too.

        Some old broad, probably.

    • Re: (Score:1, Funny)

      by Anonymous Coward

      Plank-ton?

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Who is so damn board that they have nothing better to do than "attack" a web site? What feeling of accomplishment do they really get and/or what point are they trying to make? They need to get out of their mother's basement and do something with their lives.

      Step 1. DOS existing DNS server
      Step 2. Make rogue DNS server active, which returns URLs for phishing organization's transparent proxy.
      Step 3. Phish out all login, pw, and CC information.
      Step 4. Launder info or use to run fraudulent transactions.
      Step 5. Profit!

      The technical details vary, of course, as well as the specific mechanism. But in essence this is most likely what was being attempted... how successful it was remains to be seen. Or it could be any number of people, organizations, or governments that

      • by sopssa (1498795) *

        What? Do you understand how DNS works? How the fuck would you get root and other recursive DNS servers to connect to your server instead of the real one by merely bringing the real DNS servers down? If the attackers would be able to intercept DNS traffic, it wouldn't matter if the real servers were down or not. But that's a little bit harder to pull off than some kiddie dossing.

        • I wonder if it would be cost effective to pay someone to take out a major online retailer (esp at christmas) so as to get more traffic yourself (assuming you are a rival online retailer)?
    • Re:Why? (Score:5, Interesting)

      by AigariusDebian (721386) <aigariusNO@SPAMdebian.org> on Friday December 25, 2009 @10:13PM (#30553924) Homepage

      Ever heard of DNS cache poisoning? There really should be an investigation into this. One of the attack vectors is pretty simple - use a DDOS to slow down the response time of the real DNS servers of *.amazon.com, use a cache poisoning timing-based attack on some subset of DNS servers further down the chain (like for example at a medium-sized ISP) to replace the IP of Amazon servers with an IP of your specially prepared hijacking servers, a client goes to amazon.com, but gets redirected to your server, you proxy their traffic (use a man-in-the-middle attack to defeat SSL or just use human-engineering for that) until they make a purchase and instead of proxying their credit-card info you just keep it for yourself and transfer money to your accounts. Profit!

      Something like that could have taken place here, but you can't know that until you analyse logs at Amazon and all the ISP DNS servers that could have been affected by this.
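
As an added example that is not part of the original comment, one way to run the log review mentioned above over a recursive resolver's records: flag names that drew a burst of dropped (non-matching) responses and accepted answers that fall outside the owner's known netblocks. The record layout, the names, the netblocks and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed resolver records, not real data. Assumed layout:
# (time_s, qname, matched, answer_ip); matched is False when the response's
# transaction ID or port fit no outstanding query and the resolver dropped it.
SAMPLE = [
    (100.0, "www.shop.example", True, "192.0.2.10"),
    (160.1, "www.shop.example", False, "203.0.113.66"),
    (160.2, "www.shop.example", False, "203.0.113.66"),
    (160.3, "www.shop.example", False, "203.0.113.66"),
    (160.4, "www.shop.example", True, "203.0.113.66"),
    (200.0, "static.shop.example", False, "192.0.2.20"),
    (300.0, "www.shop.example", True, "192.0.2.11"),
]
# Assumed: netblocks the zone owner says its names resolve into.
EXPECTED = {"www.shop.example": [ip_network("192.0.2.0/24")]}


def review(records, expected, window=5.0, threshold=3):
    """Return (flooded_names, bad_answers).

    flooded_names: names that drew >= threshold dropped responses within
    `window` seconds, the trace a spoofing race leaves on the resolver.
    bad_answers: accepted answers outside the expected netblocks.
    """
    dropped = defaultdict(list)
    bad_answers = []
    for t, qname, matched, ip in sorted(records):
        if not matched:
            dropped[qname].append(t)
        elif qname in expected and not any(
            ip_address(ip) in net for net in expected[qname]
        ):
            bad_answers.append((t, qname, ip))
    flooded = set()
    for qname, times in dropped.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flooded.add(qname)
                break
    return sorted(flooded), bad_answers


if __name__ == "__main__":
    print(review(SAMPLE, EXPECTED))
```

A name that appears in both result lists, with the bad answer accepted right after the burst, is the case worth escalating; a single stray dropped response is normal background noise.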

    • What feeling of accomplishment do they really get and/or what point are they trying to make?

      The ability to believably threaten to do it again in order to extort money.
      Or, given the timing, they may have been trying to make good on such a threat.

    • Re: (Score:3, Interesting)

      by tlhIngan (30335)

      Who is so damn board that they have nothing better to do than "attack" a web site? What feeling of accomplishment do they really get and/or what point are they trying to make? They need to get out of their mother's basement and do something with their lives.

      Money.

      Online gambling sites are constantly attacked by DDoS, because they have money, and their continued revenue relies on people being able to connect reliably to their servers. Thus, you can threaten to shut down a site or ask they pay $5000 or so to a

    • by ascari (1400977)
      Hmm. A competitor perchance?
  • A holiday DDoS attack targeted a west-coast DNS provider, which is known for serving large-scale E-Commerce sites (including amazon.com and walmart.com). 'Neustar, which provides DNS services to high profile website addresses under the UltraDNS brand, said the flood of malicious traffic, just two days before Christmas, was directed at the company's facilities in San Jose and Palo Alto, and that the effects were mostly limited to California users.'

    My book and blogger buddy in the Mid-Atlantic didn't n
    • by socsoc (1116769)

      and that the effects were mostly limited to California users.

      Perhaps because the Mid-Atlantic states are nowhere near California?

    • Re: (Score:3, Interesting)

      by shentino (1139071)

      Ok, here's a solution.

      Trace as many of the IPs as possible and let their owners know their computers have been jacked.

      Any of them don't do squat about it after X amount of time, confiscate their computer for knowingly aiding and abetting a criminal offense. Or something.

      Enough people get in trouble for not doing jack about their computers being infected and you can see vigilance going up.

      • by zill (1690130)
        No law enforcement agency in the country has the authority to do this.
        • by shentino (1139071)

          That has never stopped them from violating our civil rights anyway.

          My point was, if they're going to trample the constitution they may at least as well do something useful while they're at it.

      • Re: (Score:3, Insightful)

        by sopssa (1498795) *

        Ok, here's a solution.

        Trace as many of the IPs as possible and let their owners know their computers have been using BitTorrent.

        Any of them don't do squat about it after X amount of time, confiscate their computer for knowingly aiding and abetting a copyright infringement. Or something.

        Enough people get in trouble for not doing jack about their computers being used for copyright infringement and you can see vigilance going up.

  • Consider extortion (Score:5, Interesting)

    by grolaw (670747) on Friday December 25, 2009 @09:00PM (#30553700) Journal

    One reason for DDoS attacks is to prove that you can shut down a site.

    The site will pay for protection from future attacks. The offshore gambling sites have been "victims" of these attacks according to Steve Gibson.

    • by bartwol (117819)

      But the only protection you can buy from them is their "commitment" to not attack again. That doesn't protect you from another attacker launching an attack, and if you're one who pays, then I'd say you've improved your chance of that.

      It seems that a technical defense is your only real defense, and "paid protection" is the resort of tomorrow's road kill.

      • by grolaw (670747)

        Just what do you think a "protection racket" is?

        • Re: (Score:3, Insightful)

          by bartwol (117819)
          Protection from the protector, *and* protection from his competitors (read: "territorial dominance").
          • by grolaw (670747)

            That's not a sentence. I have no idea what you want to convey.

            A "protection racket" is a form of extortion that has existed for thousands of years, if you include feudal states as large-scale "protection rackets."

            It may seem self-defeating to acquiesce to the extortion, but the costs are minimal compared to serious disruption of the business that a DDoS attack from a botnet.

            • by bartwol (117819)

              Thanks for explaining that.

              Do you think the traditional protection racket, as your chosen model, is sufficiently congruent to this case as to make a good argument for a website operator to pay a DoS attacker to not attack again?

              Let me re-phrase my question. Would YOU pay a [purported] DoS attacker to not attack again? (I need to differentiate here between that which you think a smart person such as yourself should do, as opposed to what you think is appropriate for the many stupid people such as myself.)

              • by grolaw (670747)

                The past has shown that the off shore gambling sites have paid repeatedly - and they remain profitable. The protection racket is a parasite that loses when it kills its host.

                • by bartwol (117819)

                  Would YOU pay a [purported] DoS attacker to not attack again?

                  • by grolaw (670747)

                    Assuming that I ran an Amazon - a lawful business - I'd report the extortion and work with INTERPOL and the FBI to make the payment and keep my business alive and catch the botnet operator(s).

                    That would, undoubtedly, cost a lot of money.

                    • by bartwol (117819)

                      Interesting choice of strategies.

                      I/my company was recently a DDoS attack target. We were only willing to employ technical counter-measures; we had/have no willingness to appease the attacker. Our strategy was (and is) very expensive for us. But so far, we survive (and grow).

                      As long as there are people around who think like you, there will be attackers who will exploit your strategy, and there will be collateral victims such as my company. Fortunately, we're unprofitable feed for the attackers so they don'

                    • by grolaw (670747)

                      I'm an attorney. The response is what the law mandates.

                      The anonymity of these attackers makes any countermeasure expensive.

                      Your company has been the victim of criminal trespass (or, whatever the crime is called in your jurisdiction) and your company has to report the crime or be guilty of aiding the DDoS criminal. Effectively, your company's path facilitates future attacks because the failure to report this attack denies the police information about a crime and leads. The police cannot exercise their powe

                    • by bartwol (117819)

                      Forgive me for my delay...I had to summon the will to reply.

                      Your points are rife with invalid assumptions about my points and the applicability of your analogies/anecdotes. For example, your closing remark:

                      Your company's failure to take its duty to the law seriously only makes it easier for these criminals to ply their trade. Sloppy decision. If I knew enough to turn your company in, I would do so in a heartbeat.

                      Whatever unlawful act you imply my company to have done here is, quite simply, of your conveni

                    • by grolaw (670747)

                      You and your company are criminals. END OF DISCUSSION.

                      My degrees include biology, chemistry, endocrine physiology and law and I have been a major midwest city assistant DA (20 years ago).

                      I have only CONTEMPT for people who don't report criminal acts - and thusly facilitate further criminal acts.

                      If you see a drunk getting into a car, then watch them run over a kid in a crosswalk - but don't call the police because you don't want to get involved - I can easily put you both in the same set as those people in

  • by horatio (127595) on Friday December 25, 2009 @09:10PM (#30553730)
    Maybe I'm wrong, but it seems like the attack vectors are shifting away from going after your target directly, but instead attacking the critical infrastructure support services like DNS.
    • Re: (Score:2, Insightful)

      by Katchu (1036242)
      Perhaps this is because the sources are not idle time-wasters simply marking territory. The source may be political/military tests to determine how to effectively damage commerce. Check out the usual suspects. [OT] I sometimes (used to) read Usenet newsgroups with Google Groups, but some political/military spam attacks have rendered many groups there virtually useless. No commercial spammers would so effectively drive potential clients away. This spam does not appear when I use a newsreader.
  • Perhaps to show that they can do it, but then wha
    Regards, Bill Starkov
  • by Anonymous Coward

    Sure, I know what you're all thinking: "Lead Web Evangelist" is a really lame job title and/or job description.

    All what I'm saying is that you should REALLY feel sorry for the subordinate web evangelists that by extension, Amazon also has on staff.

  • In the Register article:

    Although more limited, Wednesday's malicious torrent of web traffic will insure that someone gets coal in their stocking.

    Of course, it's again the fault of those torrents of bits.

  • ... according to Jeff Barr, Amazon's lead Web Evangelist, who retweeted a report to that effect without clarification and confirmed it in later tweets.'

    "Web Evangelist" ... "retweeted" ... "tweets" ... :rolleyes:

    • by jo42 (227475)

      My brain automatically reads that as:

      ... according to Jeff Barr, Amazon's lead Twat, who retwated a report to that effect without clarification and confirmed it in later twats.'
