Sorry ...
Let's start this week with an apology; we forgot to include the Web link for the Open Access example we published in Extra last week. If you haven't already read the article, you can find it here. The actual source code can be found here. We hope to be able to add a save file with sample data, etc., in the next day or two. We just ran out of time--sorry.
Last week Jon decided perhaps the true meaning of the initials DNS stood for "Do Not Swear" or "Damned Nasty Screw-up." For those of you who have no idea what DNS means or does, in simple terms it's the method by which domain names (e.g., Partner400.com) are resolved to IP addresses. If a DNS lookup on your domain name fails, nobody can send you e-mail or reach your website. Most people, ourselves included, have their DNS entries hosted by the company they use to register the domain. Last week we discovered what happens if that company's DNS servers all effectively fail simultaneously. It wasn't that they didn't have a comprehensive fall-back plan, or enough distributed servers, but this specific failure was caused by a particularly nasty Distributed Denial-Of_Service (DDOS) attack that was "smart" enough to anticipate the normal defense methods and dynamically circumvent them. The result was that even when the servers came back up it was only for a brief period.
The first defense suggested by folks on the Web was to switch the DNS registration to another host. OK, so Jon found another host at FreeDNS that, while it has a somewhat clunky-looking interface, offers some really useful tools which, amongst other things, can ensure your domain names will resolve without errors. It also has a much nicer method for entering domain information than we were used to. So, he set up all of the new DNS entries and all we then needed to do was to update the DNS records at our domain registrar. Some of you may have guessed this already, but there was a small problem: to do so required logging into our account at the registrar and the DNS entry for that website was hosted ... guess where. Yup--on the failing DNS servers.
To cut a long (and painful) story short, eventually someone published alternate domain names that got us to the management server we needed and we could make the changes. Being now fully aware of the potential dangers, we didn't switch over completely to the new DNS server, rather we have kept some entries pointing at the original servers and added a couple to point to the new ones. The value of this we discovered the following day when (briefly this time) several of our main DNS servers died again.
Of course, the truly scary bit is just how much damage can be done by a sufficiently mean-minded attacker. Suppose such a DDOS attack had been simultaneously launched against all of the big DNS servers in the world? Other than for cached DNS entries, the entire Web would basically stop for a while. How many billions of dollars would that cost? Many companies affected by this attack were claiming hundreds of thousands of dollars of lost revenues during the 8 to12 hours the attack lasted. We've done our bit to try and protect our own websites, even though it means extra work should we make changes, but it makes us wonder how the Web world as a whole can protect against this kind of threat.
Interestingly last week's episode of one of our favorite TV shows (MI-5) featured just such a scenario. If you live in the U.S. you may have to wait quite awhile to see it as you're only on about season three. Here in Canada we're currently on season seven (in the UK series eight is already completed). If you haven't watched the show, take a look--particularly if you enjoy the realism and grit of writers such as John le Carre. But be prepared to be terrified. Some of the scenarios explored in the program are horribly plausible.
Let's start this week with an apology; we forgot to include the Web link for the Open Access example we published in Extra last week. If you haven't already read the article, you can find it here. The actual source code can be found here. We hope to be able to add a save file with sample data, etc., in the next day or two. We just ran out of time--sorry.
Last week Jon decided perhaps the true meaning of the initials DNS stood for "Do Not Swear" or "Damned Nasty Screw-up." For those of you who have no idea what DNS means or does, in simple terms it's the method by which domain names (e.g., Partner400.com) are resolved to IP addresses. If a DNS lookup on your domain name fails, nobody can send you e-mail or reach your website. Most people, ourselves included, have their DNS entries hosted by the company they use to register the domain. Last week we discovered what happens if that company's DNS servers all effectively fail simultaneously. It wasn't that they didn't have a comprehensive fall-back plan, or enough distributed servers, but this specific failure was caused by a particularly nasty Distributed Denial-Of_Service (DDOS) attack that was "smart" enough to anticipate the normal defense methods and dynamically circumvent them. The result was that even when the servers came back up it was only for a brief period.
The first defense suggested by folks on the Web was to switch the DNS registration to another host. OK, so Jon found another host at FreeDNS that, while it has a somewhat clunky-looking interface, offers some really useful tools which, amongst other things, can ensure your domain names will resolve without errors. It also has a much nicer method for entering domain information than we were used to. So, he set up all of the new DNS entries and all we then needed to do was to update the DNS records at our domain registrar. Some of you may have guessed this already, but there was a small problem: to do so required logging into our account at the registrar and the DNS entry for that website was hosted ... guess where. Yup--on the failing DNS servers.
To cut a long (and painful) story short, eventually someone published alternate domain names that got us to the management server we needed and we could make the changes. Being now fully aware of the potential dangers, we didn't switch over completely to the new DNS server, rather we have kept some entries pointing at the original servers and added a couple to point to the new ones. The value of this we discovered the following day when (briefly this time) several of our main DNS servers died again.
Of course, the truly scary bit is just how much damage can be done by a sufficiently mean-minded attacker. Suppose such a DDOS attack had been simultaneously launched against all of the big DNS servers in the world? Other than for cached DNS entries, the entire Web would basically stop for a while. How many billions of dollars would that cost? Many companies affected by this attack were claiming hundreds of thousands of dollars of lost revenues during the 8 to12 hours the attack lasted. We've done our bit to try and protect our own websites, even though it means extra work should we make changes, but it makes us wonder how the Web world as a whole can protect against this kind of threat.
Interestingly last week's episode of one of our favorite TV shows (MI-5) featured just such a scenario. If you live in the U.S. you may have to wait quite awhile to see it as you're only on about season three. Here in Canada we're currently on season seven (in the UK series eight is already completed). If you haven't watched the show, take a look--particularly if you enjoy the realism and grit of writers such as John le Carre. But be prepared to be terrified. Some of the scenarios explored in the program are horribly plausible.
Connect With Us: