DDoS attack against a specific website, instead of an IP address

Gryz

A friend of mine has a simple website.
On a shared hosting server.
She uses WordPress. About 8-10k pageviews per day. (Not bad for an amateur).

According to her hosting provider, there was a DDoS attack recently.
They say that the attack was against her website.

Theoretically I know TCP/IP pretty well. But I'm not so familiar with HTTP. Nor with the latest practical stuff.

AFAIK DDoS attacks are attacks where IP packets are sent to a specific IP address. If you send enough packets, the path to the target will become congested. There are/were other variants of DoS attacks where people sent TCP SYN packets, trying to overflow the half-open connection table on the target. Etc, etc.

But AFAIK all those DoS attacks are targeted towards a specific IP address.
Not against a specific website.

So I am wondering how that webhosting-provider can claim the attack was against my friend's website? I'm pretty sure her website runs on a shared server, where many other small websites are hosted. I don't believe her website has its own IP address. That would be possible if she rented a Virtual Private Server. But she doesn't. In theory, the DoS packets could be HTTP packets with the name/url of her website. But AFAIK all DoS tools target IP addresses, not websites.

I assume that the employee of the hosting provider is just a simple helpdesk worker. Who doesn't know what he's talking about. Or maybe misunderstood his 2nd-line colleagues.

Still, I'd like to know if I missed something.
Do any of you know a way to determine if a DoS attack is just against a specific IP address? Or in fact against a specific website on the shared server? TIA.
 

Fardringle

DDoS attacks by IP are simple. Just spam PING or other basic packets from lots of attacking machines.

Attacks via HTTP are slightly more difficult, but not impossible. Just write a script that will continuously request a refresh of the page (or something similar). The web hosting service can easily see from their logs if the requests are made to the host server IP or to the web site address.


Note: I'm not a security expert. This is just the first easy way I could think of to do it.
 

Ben90

You can DDoS a specific website. If a user can connect to a website, they can attempt to connect thousands of times a second.
 

Cooky

To answer OP's question: website vs IP
How can an attack target a website, instead of all websites behind an IP?

Many hosting providers host websites behind the same IP.
They differentiate by the host entry, or URL.

For example, www.website1.com and www.website2.com resolve to the same exact IP, but they're two different websites.
So it's very possible an attack you mentioned was targeted specifically at your friend's website.
 

Gryz

Yes, I understand it is possible they attacked her website.
But I wanna know: how can they see that?
How can they see the difference between an attack against the web-server's IP address and a specific website hosted on that web-server?

I just don't buy it.
My friend's website is an innocent foodblog. She has no enemies.
Unless I understand how the provider can see the difference, I refuse to believe the attack was against her specifically.
 

Gryz

> You can DDoS a specific website. If a user can connect to a website, they can attempt to connect thousands of times a second.

All websites on the same webserver get "approached" via the same IP address (and port number 80). If you wanna DDoS a specific website, you'll need to construct packets with HTTP content. When you do that, the whole webserver will be DoSsed, and the other websites on that webserver will be unreachable too. So it doesn't matter for an attacker to include an HTTP request inside his DoS packets. So I doubt an attacker will do that. Just sending any packet, or a packet with any content, to port 80, will do the trick.
 

Emulex

There is the slow attack - open up a bunch of port 80 HTTP requests and SLOWLY ask for content, repeat, filling up all the HTTP request slots.

There is the SSL attack, where you bomb the SSL KEYGEN 2048 handshake over and over. Older CPUs just couldn't handle it.

Windows has dampeners built in that prevent too many connections too rapidly - which causes huge spikes in activity to cause timeouts - pita if you have very bursty traffic and 2003 server ;)

I often wondered, if you charged someone bandwidth, what would stop them from having ev1l hax0rs from randomly hitting up your customers to rake in bandwidth overages?

It is important to run your own IP (try lowendtalk for $2/month with own VM and IP hosting services and discussions). Then have IPS software and throttling built in. So if IP X hits your site too much or in nefarious ways, ban them for 30 minutes. Or use Cloudflare ;)

So you get DDoS'd and hack'd and overage charges, then you get a spam from Cloudflare or similar offering to protect you.

Sounds like the "mafia" huh?

All hypothetical of course.
 

dawks

Some versions of Apache and incorrectly configured versions of Apache are vulnerable to an attack where someone can send significant requests to a domain, which would overload Apache causing a DDoS. If the host was able to access the server, with something like top, they could see which Apache process was being maxed out and who the owner of that process is (a specific account). It's not just network flooding used in DDoS'ing.

Additionally, the provider may have an advanced filter at the gateway which can see the HTTP requests which may include your friend's domain.

Pretty good article on DDoS'ing.
http://arstechnica.com/security/201...of-service-attack-that-targeted-ars-technica/
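
How a provider can tell the two cases apart from its web server logs, following the points made above about logs, host entries and HTTP-aware filtering: with name-based virtual hosting every logged request carries the site name the client asked for, so a flood aimed at one site shows up as a skew toward that name, whereas a pure packet flood against the IP never produces per-site request lines at all. This is an added example, not part of the thread; it assumes Apache logging in Debian's `vhost_combined` format, and the host names, addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Debian's "vhost_combined" Apache LogFormat: %v:%p %h %l %u %t "%r" %>s %O ...
LINE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ '
    r'\[\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4}\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})'
)

def per_vhost(lines):
    """Summarise logged requests per virtual host (the name the client asked for)."""
    reqs, ips, paths = Counter(), defaultdict(set), defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        vhost = m["vhost"].lower()
        parts = m["request"].split()
        reqs[vhost] += 1
        ips[vhost].add(m["ip"])
        paths[vhost][parts[1] if len(parts) > 1 else "-"] += 1
    return {v: {"requests": n, "clients": len(ips[v]),
                "top_path": paths[v].most_common(1)[0][0]}
            for v, n in reqs.items()}

def targeted_vhosts(stats, share=0.8, min_requests=100):
    """Vhosts taking at least `share` of all requests (thresholds are assumptions)."""
    total = sum(s["requests"] for s in stats.values())
    return sorted(v for v, s in stats.items()
                  if s["requests"] >= min_requests and s["requests"] / total >= share)

def sample_log():
    """Constructed sample: three sites behind one shared IP, one of them flooded."""
    lines = []
    for i in range(300):  # 300 requests in one minute from 60 client addresses
        lines.append(f'foodblog.example:80 203.0.113.{i % 60 + 1} - - '
                     f'[12/Mar/2014:03:14:{i % 60:02d} +0000] '
                     f'"GET / HTTP/1.1" 200 5120 "-" "-"')
    for host, n in (("site2.example", 6), ("site3.example", 4)):
        for i in range(n):  # normal background traffic for the neighbours
            lines.append(f'{host}:80 198.51.100.{i + 1} - - '
                         f'[12/Mar/2014:03:14:{i:02d} +0000] '
                         f'"GET /about HTTP/1.1" 200 2048 "-" "-"')
    return lines

if __name__ == "__main__":
    stats = per_vhost(sample_log())
    for vhost, s in sorted(stats.items()):
        print(vhost, s)
    print("targeted:", targeted_vhosts(stats))
```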
 

Gryz

My friend runs statistics.
(It's a simple WordPress website, with JetPack site statistics).

We do not see any increase in pageviews before or after the server got hit by the DDoS attack. I understand how Apache could get bombed so hard that no HTTP requests would even make it to her WordPress software or the JetPack counting software. But I find it highly unlikely. Maybe JetPack caches statistics, and sends them only once in a while to the main server (JetPack uses a centralized server to keep statistics. I bet this is so they can do their own analysis).

The website we are talking about is an innocent foodblog. I just can't see why anyone wants to attack it. I'm still not convinced this was not an attack against the hosting provider, or against another website on the same host.

The hosting provider hasn't shown us any proof. They say they don't keep logs, because they would grow too fast during an attack. (Cyclic logging is hard now? Or rate-limited logging?) They say they can't give more details. I can understand that, it's just a helpdesk employee we've been talking to.
There also haven't been any other attacks since. I still think the whole story is weird.

Thanks for all the suggestions. Much appreciated.
 