Reddit also got hammered pretty hard by legitimate traffic last night. There were many thousands of people in the Boston live update threads hitting refresh over and over all night. The admins actually locked the first update page because they said that so much traffic on an article with so many comments would crash the site.
If there's a malicious DDOS attack then this surge in legitimate traffic likely compounded the problem.
The traffic surge from the Boston incident is extremely marginal compared to the DDoS which we're facing right now. It is far and above any form of possibly being compounded, unfortunately.
But I wish it was :) Compounding I can deal with, astronomical is harder.
I hope this is a retaliation for the abhorrent behaviour of reddit users in blind smearing of innocent individuals in an attempt to prove the worth of social media/the internet/their "community". Information is dangerous when it is placed in the hands of these clowns and reddit needs to address their problems quickly before they ruin more lives.
Although it should be noted that the Latin itself is a translation, since this quote is attributed to Socrates and would have originally been in Greek.
According to Wikipedia it's (incorrectly) attributed to the Socrates character in Plato's Republic. Although a related idea is discussed in that book, the saying itself is attributed to Roman poet Juvenal, who was discussing marital affairs.
Actually, posts containing speculations about Sunil (missing student) were instantaneously deleted (as groundless and potentially harmful), at least before name appeared on police scanner, at least on r/findbostonbombers. Info was spread somewhere else, because new people constantly were creating ones.
No, this happened. A purported classmate of Sunil's had tweeted about the resemblance to Suspect #2 about 14 hours ago:
> @christiiinaaaxo @jaredleesmith @thejman218 Looks just like a kid from my area that went missing exactly a month and has yet to be found.
> I mean maybe it's a total coincidence but I'm more than a little freaked out by the resemblance. #Boston pic.twitter.com/Qsd6rj5v5l
At some point, the Internet ran with her speculation:
> It makes me sad that people are going to the Tripathi family Facebook page and writing nasty things. That was never my intention
And at around 4-5 am, the Boston police scanners said they were looking for Sunil. I remember this because I fell asleep at 5am thinking that this bizarre story involved Sunil and then woke up at 8 learning that two completely different suspects had been identified. From the twitterer:
> So if what I'm hearing is correct, at 3 AM when the police scanners said they had their suspect and it was Sunil, I was wrong.
The tweeter's account is now protected but she hasn't deleted her tweets. I think everyone, including her, has learned a little about making well-intentioned speculation on the Internet. But apparently, even the Boston police had been fooled (at least someone in the BPD was, which is why police scanners should not be taken as gospel).
> the Boston police scanners said they were looking for Sunil
Did you hear this yourself, or did you read it? That's really what I'm asking. I know many people were listening, but it's hard to tell what people heard first-hand and what people simply re-tweeted.
For my own peace of mind I'm trying to distinguish between two possibilities: a) that the names were not heard on the scanner at all and whole story was either a mirage or an intentional hoax, b) that someone's erroneous tip to the police was mistaken for its own confirmation.
This is an excellent point. No, I did not hear it myself and would not have been able to tell what was a first-hand account of hearing it from merely retweets/reposts of that information. And whoever originally heard it may have heard chatter that said the names, but not in the context of being actual suspects.
It didn't. The student's name was mentioned by a friend of his on Twitter who, after looking at the photos released by police, said that they thought there was a resemblance between the suspect in the white hat and her friend who had been missing for a month after dropping out of school and becoming depressed. There were several articles about the individual already on the web predating the bombing because the FBI had been contacted by the guy's family to help find him. The name mentioned on police scanners was a different person, also incorrect.
Can you show me some examples of abhorrent behavior? In the few reddit threads I skimmed about the bombing everyone was surprisingly mature, especially when pointing out 'suspicious' people.
Not in my opinion. They were just people trying to catch the bombers. No one was jumping to conclusions from what I saw (maybe some did but they were downvoted further down than I scrolled), rather they were just pointing out scenes that looked suspicious to them so that the police could investigate further. While there have definitely been cases in the past where a line has been crossed, I don't believe that to have happened this time.
while I was quite shocked by the witch-hunt and amount of 'suspicious until proven innocent' I saw in that subreddit, in fairness to reddit as a whole that is one small subreddit among thousands.
Also, some of the highest upvoted threads and comments appear to be warning others of the potential negative consequences of their publicly pointing out everyone with a backpack or different coloured skin.
Some small subreddit goes off the rails every few months.
Reddit as a whole needs a better answer for that than just pointing out that it is just some small subreddit.
(I don't pretend to know what that answer is, and I guess it does have more to do with people choosing how to participate in online discussions than it does reddit, but reddit is well positioned to push that participation in a better direction)
Last time I checked, the find Boston bombers subreddit had ~5K subscribers. r/humor currently has ~3.6 million. Please check your facts before making any more claims...
The best example off the top of my head was a D-Link firmware update which added an NTP server operated by a third party for "public use." This wound up increasing the NTP server's traffic by 90% and costing them over $8K/year in additional bandwidth fees. See [1].
Then you have so-called "slashdotting", or linking to a small web-site with an interesting story and overloading it with legitimate traffic until it goes down. See [2].
Getting a slashdotting is not a "DDOS attack" under any definition although the practical consequence is the same. If the resulting traffic overload is caused by a (massive) router-configuration error or similar mishaps, it's also by definition not an attack.
Sorry about being picky around semantics, but still: No point in throwing words around to the point where they become completely pointless.
There is no inherent requirement that attacks need to be intentional. It's possible for a software glitch to launch a missile attack. Attack: An aggressive and violent action against a person or place
By definition, DDOS are malicious, no? Otherwise, the site is just having high traffic that it cannot handle. If my blog goes down after being on the front page of HN, is that a DDOS?
By definition: "[DDoS] is an attempt to make a machine or network resource unavailable to its intended users." When I see "DDoS" I always thought it was malicious...
I don't think it's appropriate to use the DDoS acronym when not referring to an "attack". It's non-standard and will only create confusion. Every "source" online describing a DDoS uses it explicitly to refer to an attack.
Non-malicious DDOS happen all the time, but mostly reddit does it to other small sites that people discover and reddit ends up overwhelming the servers. Still technically a DDOS, but non-malicious. Also during the Obama AMA, the site was in shambles because of itself.
Could this have something to do with reddit's co founder speaking against CISPA and calling out major tech companies? [1] Considering reddit played a big role in killing SOPA, CISPA backers feel threatened?
Yes, reddit was up for a bit and I saw two (edit: now four) huge threads with 10k+ comments and live updates from the shoot out in Boston. So maybe they are indeed messing with the Boston live event updates thing on reddit. DDOSing reddit is no small feat, unless you have a botnet at your disposal. Should be more than just some "fun".
I don't have data to back me up other than an anecdotal 'I seem to notice', but doesn't reddit often become unusable during exceptional usage spikes? the Obama AMA comes to mind.
if you look at their numbers[1] for 2012, it's plausible that they are simply overwhelmed during these bursts and they've judged it worthwhile to let these aberrations play out.
for many operations.. moving your availability from, say, 99.9% to 99.99% is simply not worth the cost.
uptime is hard; GitHub has only maintained 99.96% for the past month[2][3] (and, IMO, they're actively trying to improve it)
I would think it is a malicious attack in response to Reddit incorrectly identifying and popularizing the idea that Sunil Tripathi was one of the Boston Marathon bombers.
Unlikely, why would someone retaliate? Who on Tripathi's side has such power? Right now we are not even sure if the attack is related to the Boston events at all.
In ultra-simple terms you need to have a network capacity greater than the attacker and to identify the attack requests and discard them whilst still honouring valid requests.
That is basically what CloudFlare is.
Add in things like caches to prevent even valid requests from getting to the backend (so you've now added a CDN), and many peers to your network so that an attacker cannot saturate one or two peers... and you've got the essence of CloudFlare (sans features like optimising content for speedy delivery).
Ultimately the best defence to a DDoS is to be able to soak up the attack before it hits the backend, and to have enough spare capacity to keep serving regular traffic.
You can cache and distribute everything save for the valid requests to a dynamic resource (but even those you can optimise). So the whole game from a defensive point of view is to let nothing but valid dynamic requests through to the backend.
The attacker's side of a DDoS is about acquiring network capacity greater than your network capacity, identifying your weaker points (in an attempt to cause a domino effect, if they can take out a weaker peer then a stronger peer will need to do more work and itself becomes weaker). And then sending what appear to be valid requests without triggering an attack on themselves (having a 150 byte request respond with 100KB would wipe out the attackers). Bonus points for constructing requests that can get through to the dynamic resources on the site being attacked (as those are the weakest link).
This is a very good explanation but there is another side to this issue. (I'm talking about HTTP DDoS)
Basically, DDoS Attacks can be (roughly) divided in 2 categories:
1. Attacks on your server (which usually target your server IP or some other part of your network infrastructure)
2. Attacks on your site (which use bots to flood your site with fake HTTP requests)
As explained above, network attacks can only be countered with strong and flexible infrastructure. The most common solution is a combination of several high-powered servers and load balancing capabilities.
HTTP DDoS attacks are trickier because they're best mitigated by visitor profiling, a technology that can help identify bots from humans and block them while still providing full access to all legitimate visitors.
Developing and maintaining such technology is arguably more complicated, simply because it's software you need to create, not hardware which you can buy.
Standard profiling solutions include CAPTCHAs and Delay Pages but these will also repel legitimate visitors (because no one likes CAPTCHAs or waiting for 5-10 extra seconds for page load).
Advanced profiling solutions use a combination of behavior and signature recognition, coupled with seamless challenges (i.e. checking for JS support).
CF and Incapsula (where I work) both handle Network DDoS in a similar manner but we have a somewhat different approach to HTTP DDoS.
And yes, while under DDoS (or even without it), dynamic resources can be the "weakest link".
This is why WAFs are so important.
I probably should have clarified that by caches I mean reverse proxy caches that can take up the work of serving static resources from the network edge.
The combination of adding caches and distributing those caches is to add a CDN.
You add caches to stop the request reaching a backend and doing the work twice, for optimisation. But in effect they become defensive shields as serving a static file or an in-memory file is less work and can be handled in far greater numbers than doing the work on the backend, and if one cache is attacked users accessing other caches elsewhere in the world continue to get their requests served.
If you then place a cache at every point at which your site is surfaced, for example you use DNS anycast to have your front-end appear to be surfaced from every Amazon datacenter and the closest one is nearly always selected... then you've helped stop requests at the first opportunity and to return them from a place which can handle far greater requests.
You've increased your network capacity, increased the ability to serve valid requests, and you've prevented all of that traffic reaching the backends.
And in doing all of this... placing caches for static resources throughout the world and using DNS anycast to return the cached item from the closest peer... well, you have created a CDN. A primitive one for sure, but it still is one.
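The defensive idea in the comments above (serve static resources from an edge cache and let only profiled clients' dynamic requests reach the backend), sketched as an added example that is not from any commenter and is not CloudFlare's or Incapsula's code. The `Edge` class, the token format, the paths and the secret are assumptions for illustration, and the traffic is constructed; how a client earns a token (for instance by passing a JS check) is outside the sketch.

```python
import hashlib, hmac, time

SECRET = b"constructed-demo-key"         # assumption: secret held only at the edge
STATIC_PREFIXES = ("/static/", "/img/")  # assumption: paths that are safe to cache
CACHE_TTL = 60                           # seconds a cached copy is reused

def _mac(client_ip, ts):
    return hmac.new(SECRET, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()

def issue_token(client_ip, now):
    """Token handed to a client that passed a seamless challenge; bound to its IP."""
    ts = str(int(now))
    return f"{ts}.{_mac(client_ip, ts)}"

def token_valid(token, client_ip, now, max_age=300):
    try:
        ts, mac = token.split(".", 1)
        age = now - int(ts)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    fresh = 0 <= age <= max_age
    return fresh and hmac.compare_digest(mac.encode(), _mac(client_ip, ts).encode())

class Edge:
    def __init__(self, backend):
        self.backend, self.cache, self.backend_hits = backend, {}, 0

    def _origin(self, path):
        self.backend_hits += 1  # every call here is work the backend must do
        return self.backend(path)

    def handle(self, client_ip, path, token=None, now=None):
        now = time.time() if now is None else now
        if path.startswith(STATIC_PREFIXES):
            hit = self.cache.get(path)
            if hit is None or now - hit[0] >= CACHE_TTL:
                hit = self.cache[path] = (now, self._origin(path))
            return 200, hit[1]           # static: answered from the edge cache
        if not token_valid(token, client_ip, now):
            return 403, "challenge required"  # unprofiled client never reaches backend
        return 200, self._origin(path)

def simulate():
    edge, now = Edge(lambda path: f"rendered {path}"), 1_000_000.0
    for i in range(1000):  # constructed flood: static hits plus token-less dynamic hits
        edge.handle(f"10.0.0.{i % 250}", "/static/app.css", now=now)
        edge.handle(f"10.0.0.{i % 250}", "/comments/123", now=now)
    tok = issue_token("192.0.2.7", now)  # one profiled visitor
    status, _ = edge.handle("192.0.2.7", "/comments/123", token=tok, now=now + 5)
    return edge.backend_hits, status
```

Of the 2,001 requests in `simulate()`, the backend sees two: the first cache fill and the one dynamic request carrying a valid token.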
I wonder if it would be possible to generate a DDoS attack by reporting that a site is experiencing a DDoS, causing people to flock to the site to see if it is down.
I was on Reddit until 2am (EST) with no issues. Back on at 6:45am with no problem.
Either they've been doing a wonderful job with mitigation, or I'm missing something (I suppose I did miss a few hours while sleeping...). If anything I figured they're getting hammered with EST sunrise/Boston incident traffic...but a simultaneous malicious DDoS attack "beyond any shadow of doubt"? Wow
Total speculation, but: perhaps the police / FBI would DDoS Reddit to prevent the suspect from gaining intel on their operations? The Reddit live stream was all over Twitter...
The update threads: [1] http://www.reddit.com/r/news/comments/1co395/live_updates_of... [2] http://www.reddit.com/r/news/comments/1cnwms/mods_removed_th...
Where the updates moved when reddit went down: [3] https://twitter.com/JpDeathBlade