Linode DDOS attack

Linode is one of the top VPS providers in the market. They have a huge amount of customers at all levels, from the low end to enterprise. And for the last week or so they have been the target of a large number of DDOS attacks. These DDOS attacks are obviously not targeting any specific customer, but Lindoe themselves.

Every webhosting or VPS service gets attacked at one point or another. The reason is usually due to some controversial topic being hosted. Maybe politics, or religion or a stupid disagreement over a video game. The reasons that DDOS attacks happen can be many. However, when it is a single customer being attacked, then the solution often is a simple null route of that customer's IP address. This leaves that specific customer's site unreachable, but stops all other customers and users from being affected.

This current attack on Linode seems to be different. It seems that in this case Linode themselves are the target. The DDOS seems to be targeting Linode's routers and the DNS servers which Linode uses. These types of addresses cannot be null routed without affecting all customers.

Most likely this is due to a ransom demand. There are gangs out there that threaten a company with a DDOS attack. They demand bitcoins as payment to prevent the attack. If the company does not pay (and sometimes even if it does pay) the gang will instigate a DDOS attack on the company. This is likely what is happening to Linode. If this is the case, then hats off to them for not paying the ransom. These ransoms only create more incentive for cyber gangs to create botnets and clog the Internet with their junk attacks.

Though it may be frustrating that Linode is currently having issues, any and all webhosts can be -- and often are the target of these types of attacks. DDOS attacks happen because they work. They are difficult to mitigate and relatively easy to perform. They are effective.

Because they are effective, they are common. It would be a mistake to move away from Linode to another host due to this incident. Once these attackers get tired of attacking Linode they will move on to their next target, which might be the same host you decided to leave Linode for.

DDOS attacks exist because of poor security. Individual computers and servers are taken over by hackers and the owners of these computers often do not even realize they are being used as part of a botnet. From there, the power of the botnet can be amplified using misconfigured NTP or DNS servers and other services to create a huge amount of traffic all being sent to a single Internet connection. That connection becomes clogged with all the DDOS traffic and legitimate traffic ends up being dropped.

Another interesting aspect of this attack on Linode is how long it has lasted. Normally a DDOS target gets attacked for under 24 hours. The attackers get bored and move on. This has been going on for days. It seems like whenever Linode mitigates an attack on one IP address, the attacker moves on to another IP address. This is like a game of cat and mouse, or whack-a-mole. Linode can stop one attack, and another pops up in its place. I'm glad I am not currently working for the Linode NOC or support lines.

It's always a bit interesting when the target of a DDOS is a provider, be it a host or an ISP or a DNS provider. These companies hold the Internet together and it is always fascinating how effective or ineffective an attack on them (as opposed to one of their end users) may be. In this case Linode's services have been affected to a high degree. It seems like Linode is able to mitigate one attack, and as soon as it does the attackers change course and attack a different datacenter or location that Linode uses. I wish the Linode crew the best in dealing with this.

Update: It now looks like Linode reset all Linode Manager passwords as their database may have been compromised. It has not been a good New Year for Linode. Take a look at Linode alternatives if you are looking for a new host.