Between 11:00 PM and 11:59 PM Pacific time February 26, 2013, each of our servers will be restarted for a “kernel upgrade”. This will cause an approximately four minute interruption of service for each customer at some point during this hour.
Earlier today, Twitter user @adam_baldwin mentioned finding a security flaw on our site. He reported this to us (thanks!) and we fixed it, then another Twitter user @mattmcgee asked what it was. It helps everyone on the Internet be transparent about security, so here’s an attempt at an explanation.
Our business offices will be closed on Monday, February 18 to observe the US legal holiday. As always, we’ll provide same-day support for time-sensitive issues via our ticket and e-mail systems. However, questions that aren’t time-sensitive (including most billing matters) may not be answered until the next day, and telephone support (via callbacks) will be available only for urgent problems.
There was a brief outage on the web12 server today starting at about 6:22 PM Pacific time. This was caused by a “SYN flood” attack, which effectively blocked all other connections with the server.
We took steps to work around the attack, which we completed by 7:08 PM Pacific time (46 minutes after the start of the attack). Furthermore, the attack itself seems to have stopped; the steps we took should help in case in starts again.
We sincerely apologize for the interruption in service for those affected customers; we know that reliable service is a primary concern for all of our customers.
At 9:45 PM Pacific time February 6 2013, our “web03” server experienced a “kernel panic” and needed to be restarted. This led to an 11 minute outage of Web sites and e-mail hosted on that server.
All services are now working normally, and other servers were not affected. We apologize for the trouble this caused customers on the web03 server.
Beginning at 3:00 PM Pacific time February 5, a server on our network was the target of an extremely high volume DNS amplification denial of service attack. The inbound network data exceeded 11.6 Gbps, which is an extremely large amount — large enough to exceed the 10 Gpbs capacity of our upstream Ethernet switches and cause our entire network to slow down dramatically.
This affected all servers for about 19 minutes, until we and our network partners began discarding (“null routing”) all traffic targeted at that server. This fixed the problem for the rest of our network, but still left sites on the “web11” server unavailable.
To solve that, the IP addresses of all sites on the web11 server have been changed to new IP addresses that are working correctly and are not under attack. This was completed by 3:44 PM, and all sites on all servers are now working properly.
If the attackers target another IP address, we’re ready to immediately block that one, too. If that does happen, the way we’ve redistributed the IP addresses, in combination with previous analysis we’ve done on this attack, will allow us to immediately know which site is under attack. (It’s otherwise hard to determine which IP address is involved, because the type of attack we’re seeing targets only an IP address and not a specific Web site name.) That site will then be moved off our main network to prevent a recurrence.
We sincerely apologize for the inconvenience this caused our customers; we know you count on us for reliable service, and we’re committed to doing everything possible to avoid problems.
There was a brief outage on the web11 server today at about 2:42 PM Pacific time.
This was caused by a “denial of service” attack that increased the incoming network traffic to that server from the usual 5 Mbps or so to over 350 Mbps. Servers other than web11 were not affected.
This appears to be very similar to the attacks that occurred last Monday morning.
We are closely monitoring all systems so that we can see exactly how to block future attacks.
