I would like to apologise to readers who may have found that their regular grahamcluley.com fix has been disrupted since last Sunday, after my site suffered a significant distributed denial-of-service (DDoS) attack.
A denial-of-service attack sees online criminals attempt to make a website inaccessible by clogging it up with unwanted traffic. It’s what happens when 15 hippos are let loose in the lobby of a hotel, and they all rush to the revolving doors at the same time. Nothing can move.
However, the good news is that nothing gets breached in a denial-of-service attack. No data is stolen, no webpages defaced, no accounts broken into. It’s just that you can’t reach a particular website any longer.
Which is a problem if it’s the website from which you access your email, or if you run an online store. But it’s less of an issue if you just have a blog where you talk about computer security.
At first it wasn’t completely clear to me that I was the intended target of the attack, and I thought it was possible that the attackers were targeting one of my web host’s other clients, and I was merely collateral damage.
But it later became apparent (after I moved my website to an IP address that no other site was using, and the attack started up again) that for some reason the DDoS attackers really wanted to silence my site.
There is inevitably going to be speculation that the attack against my site is connected to the DDoS blackmail attacks attributed to the “Armada Collective” gang recently.
I cannot confirm if that is the case, but I can say that the attack was “unusually large”, and saw thousands of attacking sources stretching my web host’s upstream network infrastructure. I’m told that the attackers used multiple attack vectors and different techniques – including UPnP reflection, DNS reflection, and TCP SYN flooding.
For the record – I never received any ransom demands, or communications from anyone claiming to be the attackers. I have to assume that the attack was personally motivated, rather than done in the pursuit of cash.
In the early hours of Wednesday (when I really should have been sleeping so I could wake up nice and refreshed for my talk at Future Decoded) I put systems in place to better mitigate my site from DDoS attacks with help from the great teams at Pressidium and CloudFlare.
Going forward, more steps will be taken to harden the site to ensure that it remains online. My signing-up for CloudFlare was a decision I made at 4:30am – the plan I’m on isn’t free, and I’m not sure if it’s ideal. But for now, it works. I’m open to other suggestions.
But I’m sticking with Pressidium for their managed WordPress hosting. Their support team has been incredibly helpful to me at all times of the day and night.
As far as I can see, the site has been performing well since Wednesday (apart from a few hiccups which were misconfiguration mistakes I made rather than DDoS-related). If you spot any quirks on the site please do feel free to get in touch with me so I can investigate.
Sorry again that my site went down the plughole for a while. I can’t promise that it won’t ever happen again, but I’m more prepared than ever to fight off future attacks.
Update December 2015: I now use Incapsula to mitigate DDoS attacks and other internet threats against the website, and have turned off CloudFlare.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.