Tuesday, August 08, 2006

Questions About the Legitimacy of the Lieberman Website Takedown

Being a CT resident, I'm taking some interest in the story of Joe Lieberman's "hacked" website. According to the Lieberman campaign, their website and email has been offline for about 18 hours now. They are also claiming that this is a DoS (Denial of Service) attack, and suggesting Ned Lamont supporters' involvement (Update: Now denied).

(Note: More updates below)

A few extra pieces of info you can glean from public databases, apart from what is in the linked post:

1) The hosting provider for joe2006.com (myhostcamp.com) has a /30 IP block assigned to them, meaning only two usable IP addresses, one of which is www.joe2006.com (69.56.129.130).

2) A hosting provider that has only a /30 assigned to them is not very big - most likely, they are using virtual hosting on one or two servers to provide websites for all their clients.

3) The assigned range of IP addresses, 69.56.129.128/30, is part of a much bigger range assigned to theplanet.com - a large hosting provider and hosting reseller.

4) www.myhostcamp.com - the website of the hosting provider - is offline as well, also redirecting to a 'suspended' page. This is the biggest clue to what happened.

Given the above, it looks like a small-time web hosting provider was overwhelmed on election eve/day by traffic to one of their hosted websites, namely joe2006.com. The hosting provider's (myhostcamp.com) bandwidth allocation was exceeded, causing the end provider (theplanet.com) to shut them down. Until some money is forthcoming from myhostcamp.com to theplanet.com, the site won't be back up (at least under the original hosting provider). We can't know for sure this is what happened, the facts just seem to point in that direction. It is certainly possible that a DoS attack took place last night/this AM, but has since stopped. It would only have needed to run for long enough to exhaust myhostcamp's monthly bandwidth quota.

Contrary to what others are saying, the Lieberman camp could probably still make updates to the site, since most hosting providers will use some sort of policy routing or QoS (quality-of-service) to restrict web bandwidth only. This would also explain why echo-requests (ICMP pings) sent the the IP address of www.joe2006.com have an RTT of 10ms or so - very fast in Internet terms. There must be very little traffic to that domain right now - only web traffic is being redirected to the suspended pages.

A few things are odd about all this:

1) Given that Senator Lieberman's website associated email have been offline for over 18 hours, on the eve of a contentious election, why has the Lieberman camp allowed this to continue? As the link above suggests, a competent sysadmin could get them back online with another provider in an hour or so.

2) Why is the website being handled by such a small operation, and why were no contingency plans put into place in a race that has had national interest? I'd say they got some very bad advice from their hosting provider/Internet consultant.

3) Email for joe2006.com is down because the email is handled by the same server as the web traffic - not something usually done with larger domains, precisely because it's a single point of failure for the domain. Again, it would be very simple to redirect mail to another server temporarily. Why wasn't this done?

Now, we have to be careful not to blame the victim - if joe2006.com was DoS'd, there is simply no excuse, and those responsible should pay. If not, the Lieberman campaign got some very bad hosting and capacity planning advice from their Internet consultant, and should not be pointing their collective fingers anywhere but at themselves.

UPDATES: An update from DailyKos, from someone who did even more digging...and here.

Technorati Tags: , , , ,

No comments: