This page is a brief discussion on our policy towards incoming Network Abuse. That is, where the owner of a machine is subject This sounds silly, as if we have some middle ground on the subject; of course nobody wants their network abused. However, in many cases where an ISP has to deal with incoming Network Abuse, they are not dealing directly with a malicious party, but with an innocent or unwary systems administrator. Here are some questions and answers about network abuse and how we deal with it.
Why would anyone attack my machine?
The most common reason is that you run some kind of lively online community, usually Internet Relay Chat-based, but message boards and other discussion technologies can also be attacked. Disaffected members of the community will want to “punish” those that ostracized them by hitting out at the technical infrastructure of the community. This can be the result of any kind of social friction, which is often intensified by the lack of face-to-face contact.
Larger IRC-based communities are often not run from single servers, but are part of a network of servers, so that the load of running the various community is distributed between those who volunteer their servers to help. So you may have offered to run a server as part of a larger network. Unfortunately an attacker who wishes to attack “the whole network” may end up targeting your machine for being part of it, even if nobody who uses your server has anything to do with a particular dispute. So we would urge even greater caution when offering to host an IRC server as part of a larger network.
You might also be attacked if your site will attract attention for being down, or if it gives someone bragging rights, or simply for saying something that someone with means to attack you takes offence to.
How do they do it?
Tools for network abuse are easily available, and usually include “trojan horse” programs for giving a potential attacker remote control over another computer. They are easy to install on unwitting victims because of security flaws inherent in Microsoft Windows software. These computers are known as “zombies”. So in the worst case, an attacker may have many tens of zombies under his control, each with fast connections, and may direct them all to send traffic at your host at once. Often they obscure the source address of the traffic so that tracing the source of the traffic is practically impossible.
What do you do about it?
Incoming network abuse has one of two effects on our network:
- our routers cope, and an expensive amount of traffic is transferred;
- our routers don’t cope, and our network is made unavailable or partially unavailable.
In the first instance we will notify you and attempt to stop the incoming traffic as soon as we’re informed by our alarms. This often results in us making phone calls to foreign Internet Providers or requesting that our upstream provider block the incoming traffic. In cases where the source address of the abusive traffic is not constant, we have no choice but to block by destination address, making your machine inaccessible. This is simply due to the fact that the incoming traffic costs us money for as long as it’s being transferred.
In the second instance our upstream network provider will most likely do the same, permanently block by destination IP, in order to restore connectivity to the network. In this case we will refund any unused portion of your subscription and send your filesystem to you on CD, since we cannot afford to take such a risk, whatever the content or however unjustified.
But that’s not fair!
Unfortunately, like that of many small ISPs, our network has its limits, and we will always act in the interests of our larger number of customers. Individual sites are still very much at the mercy of anybody with a little know-how and some time on their hands: even Yahoo, eBay and Amazon have suffered down time as a result of these kinds of attacks. The main reason it is relatively easy to launch these attacks is that “zombie” machines can be acquired en masse by probing the internet for insecure machines, which gives the attacker many sources for abusive traffic.
What if I get hacked?
If we notice that your machine has been compromised, we will typically shut it down immediately, and reset it to a “virgin” state with a new root password, while leaving your old system drive accessible for you to copy your data. This will result in some unexpected down time, but your machine will be secure again and you can analyse what went wrong on the old drive, or what data a compromise may have exposed.
Note that this reaction is in our interests only, since we do not want a compromised machine to be the source of any network abuse. You may have a lot of collateral damage to clean up if your machine had any sensitive information on it, if attackers got in through an easily-guessed password, or if your system gave easy access to other systems outside of Bytemark’s network.
What if I get “slashdotted”?
“Slashdotting” refers to what happens when a very popular site posts a link to a smaller site, usually unexpectedly (named after a certain large, popular nerd news site). At an instant, hundreds of thousands of people are suddenly accessing pages on the smaller site, usually not a situation that the small site owner envisaged. This often overwhelms the resources of the smaller site, causing the site to become unavailable.
Hence the effect is exactly the same as for a denial-of-service attack, but the cause is different: Bytemark’s network has a 100Mb connection to most of the rest of the internet, so our routers will cope with the traffic. However, if the pages on the site are not static HTML pages but scripted, it is very easy to write an inefficient page which will (e.g.) open a database connection for every page fetch. Alternatively, Apache’s performance settings may not allow very many simultaneous connections.
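The “database connection per page fetch” problem above is easy to see in a small simulation. The following is an added example, not code from Bytemark or from this page: it serves the same page-fetch query in the inefficient style (connect, query, disconnect on every request) and in a pooled style (a fixed number of connections reused across requests), and counts how many connections each style opens. The database, table, page bodies and request count are all constructed for the demonstration; `ConnectCounter`, `ConnectionPool` and `simulate` are names chosen here, not an API of any real site.

```python
import os
import queue
import sqlite3
import tempfile
import time


def build_sample_db(path):
    """Create a constructed 'pages' table with ten rows (ids 1..10)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (body) VALUES (?)",
        [("page %d" % i,) for i in range(10)],
    )
    conn.commit()
    conn.close()


class ConnectCounter:
    """Wraps sqlite3.connect so each serving style's connection count can be measured."""

    def __init__(self, path):
        self.path = path
        self.opened = 0

    def connect(self):
        self.opened += 1
        return sqlite3.connect(self.path)


def fetch_page_per_request(counter, page_id):
    """The inefficient pattern: a fresh database connection for every page fetch."""
    conn = counter.connect()
    try:
        row = conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()
    finally:
        conn.close()
    return row[0]


class ConnectionPool:
    """A minimal pool: connections are opened once and handed out per request."""

    def __init__(self, counter, size):
        self.available = queue.Queue()
        for _ in range(size):
            self.available.put(counter.connect())

    def fetch_page(self, page_id):
        conn = self.available.get()  # borrow a connection
        try:
            row = conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()
            return row[0]
        finally:
            self.available.put(conn)  # return it, never close it


def simulate(requests=1000, pool_size=4):
    """Serve the same requests both ways; return connection counts and timings."""
    path = os.path.join(tempfile.mkdtemp(), "site.db")  # constructed temp database
    build_sample_db(path)

    per_request = ConnectCounter(path)
    start = time.perf_counter()
    for i in range(requests):
        fetch_page_per_request(per_request, i % 10 + 1)
    per_request_seconds = time.perf_counter() - start

    pooled = ConnectCounter(path)
    pool = ConnectionPool(pooled, pool_size)
    start = time.perf_counter()
    for i in range(requests):
        pool.fetch_page(i % 10 + 1)
    pooled_seconds = time.perf_counter() - start

    return {
        "requests": requests,
        "per_request_connections": per_request.opened,
        "pooled_connections": pooled.opened,
        "per_request_seconds": per_request_seconds,
        "pooled_seconds": pooled_seconds,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

With a thousand page fetches the per-request style opens a thousand connections while the pool opens four; against a real network database server, where each connection costs a handshake and authentication, the difference in time and in server load is what turns a surge of visitors into an outage. The same idea applies to Apache’s own worker limits: a fixed, reused set of workers sized for the machine, rather than one that grows without bound.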
We are always notified when our traffic spikes above normal usage, and we can tell the difference between malicious traffic and a suddenly popular web site, so we will do you the courtesy of letting you know of a potential excess bandwidth bill.