Friday, January 12, 2007

The DDoS Diaries

My (otherwise wonderful) girlfriend has one habit that drives me to distraction. From time to time she will say, in a thoughtful tone of voice, "So ...". I stop thinking about whatever I was thinking about and start paying attention, waiting for her to go on.

Nothing. Silence. She just leaves her "So ..." hanging there in mid-air.

You can do that to computers too. It forms the basis of a kind of attack known as a SYN flood attack, which is one variety of distributed denial of service (DDoS) attack. The attacking computers send a SYN(chronize) signal to the target, which responds with the computer equivalent of "Uh-huh" and waits for a reply to complete the connection. The reply never comes. Instead, the attacker sends more SYN signals. Or 'attackers', because there are usually very many of them. If enough attacking machines hit the target together, the target will almost inevitably go down.
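Seen from the target's side, each unanswered "Uh-huh" is a socket stuck in the SYN_RECV state. The following is an added example, not part of the original post: it counts those half-open sockets per listening port from a table in Linux's /proc/net/tcp layout. The sample table, its addresses and the alert threshold are constructed assumptions.

```python
import socket
import struct
from collections import defaultdict

SYN_RECV = 0x03  # Linux state code: SYN received, SYN-ACK sent, final ACK pending

# Constructed sample in /proc/net/tcp layout (documentation addresses, not real data).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100000A:0050 0A0200C0:C001 03 00000000:00000000 01:00000064 00000002     0        0 0
   2: 0100000A:0050 0A0200C0:C002 03 00000000:00000000 01:00000064 00000002     0        0 0
   3: 0100000A:0050 076433C6:9C40 03 00000000:00000000 01:00000064 00000001     0        0 0
   4: 0100000A:0050 057100CB:D431 03 00000000:00000000 01:00000064 00000003     0        0 0
   5: 0100000A:0050 057100CB:D432 01 00000000:00000000 00:00000000 00000000    33        0 1002
   6: 0100000A:0016 0A0200C0:E001 03 00000000:00000000 01:00000064 00000000     0        0 0
"""


def decode_ip(hex_addr):
    """On little-endian hosts such as x86 the kernel prints IPv4 as a byte-swapped hex word."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def half_open_summary(table):
    """Map local port -> (half-open count, distinct remote addresses)."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != SYN_RECV:
            continue
        port = int(fields[1].split(":")[1], 16)
        counts[port] += 1
        sources[port].add(decode_ip(fields[2].split(":")[0]))
    return {port: (counts[port], len(sources[port])) for port in counts}


def flooded_ports(table, threshold):
    """Ports whose half-open count reaches the (assumed) alert threshold."""
    summary = half_open_summary(table)
    return sorted(p for p, (n, _) in summary.items() if n >= threshold)


if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for port, (n, srcs) in sorted(half_open_summary(SAMPLE).items()):
        print(f"port {port}: {n} half-open from {srcs} source(s)")
    print("over threshold:", flooded_ports(SAMPLE, threshold=3))
```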

Today, a distributed denial of service attack took down the anti-spam information website spamnation.info. The site was almost certainly attacked because it published information that was intended to help victims of spam. This included a regularly-updated database of spam-advertised stocks, a list of 'frequently-asked questions' about stock spam, a database of domains advertised by spam and other miscellaneous information. Apparently this displeased certain people to the point that they used a botnet to knock the site offline.

The identity of the attackers is unknown. Perhaps the most likely candidates are the spammers behind the recent wave of spam advertising penny stocks that has been flooding everyone's inboxes. The senders of this type of spam are known to use botnets to distribute their material, and they are suspected to have links to a spammer known as Pharmamaster who was allegedly responsible for taking down the Israeli company Blue Security with a sustained DDoS attack. However, there are plenty of other possibilities as well: I'd recently written on the site about the networks of spammers promoting 'mainstream' companies in the United States, and the site also contained a good deal of information about presumed Russian scammers operating 'money transfer' scams. None of these people are particularly eager to have their activities discussed in public.

I'm the webmaster of spamnation.info. I'm starting this site as a temporary alternative while I decide whether I can put the site back online and, if so, how. I'd welcome comments, reactions, and anything else - except more spam.

5 comments:

Anonymous said...

You need to put your site back up as soon as possible.

Make many mirrors if you have to.

Anonymous said...

I appreciated your site and hope you can post the archive data at your new site.

Anonymous said...

Please bring spamnation.info back. I find it interesting what Earthlink.net does not catch.

Anonymous said...

Take it as a form of compliment that your site was deemed "dangerous" enough to be taken down.

I say you need to put your site back. It was really useful.

But it could get expensive if they keep hitting you.

At the very least, keep up the blog.

Anonymous said...

USEFUL IT WAS & WE DO NEED YOU BACK~~ I THINK THEIR MAIN FEAR OF YOU & YOUR SITE WAS THE FACT THAT THE REST OF US COULD SEE THE DATES OF THEIR MAILINGS & COMPARE THOSE TO THE CHARTS THEMSELVES. HUMMM~~ SOME OF THESE PUMP & DUMP GUYS HIT THE SAME STOCKS WEEK AFTER WEEK & COMBINING YOUR INFO WITH THE CHART TRENDS DOES GIVE ONE A BETTER CHANCE OF GETTING IN & OUT AT THE RIGHT TIMES. DRIVES THEM CRAZY & COSTS THEM $$ TOO. THEY ARE TRYING TO MAKE IT TO $1.60 AGAIN & YOU ARE SHORTING THEM OUT AT $1.50! he-he-he. ;O)