Remember how LiveJournal, TypePad, and related sites were down the other day? The official line was that “Six Apart has been the victim of a sophisticated distributed denial of service attack.”

It turns out that the DDOS wasn’t aimed at 6A, LJ, or any other part of their network. It was aimed at Blue Security, an anti-spam company, who decided to re-route their web traffic to their blog—a blog hosted on TypePad. So instead of their own site going down, it took out Six Apart’s entire network of millions of bloggers.

Classy move, guys.

I do admire Six Apart’s restraint in not pointing fingers themselves. If it had been my site (though in a way, I suppose it was, since I’ve got an LJ blog, even if I don’t update it very often), I would have been royally pissed off.

Sure, Blue Security didn’t launch the attack—but they did choose where to redirect it. Maybe they thought Six Apart would be able to handle it. Maybe they thought the attackers were targeting them by IP and not domain name. Maybe they were panicked and didn’t think. Maybe they thought things through, but 6A got bitten by the now-all-too-familiar law of unintended consequences. They could easily have pointed their domain name at empty IP space, or to localhost. Redirecting it to a third party was less like deflecting a punch and more like the “Do it to Julia!” moment in 1984, or the classic joke, “I don’t have to outrun the bear, I only have to outrun you.”

(via Spamroll)

Update: Additional articles at Computer Business Review and at Netcraft, and a Slashdot story.

Update 2: According to Blue Security, the DDoS was not targeting their website by name, and the DDoS didn’t attack their blog until after they had already redirected the website. So it looks like it was less a case of them redirecting the attack and more a case of the attackers chasing them.

*Sigh* Must remember to collect all facts before engaging in righteous anger.

Update 3 (May 9): Apparently “all the facts” as reported by Blue Security don’t add up… (via Happy Software Prole)

Too bad it’s the bad guys.

As reported on DailyDave and picked up at SANS, Email Battles and elsewhere, there are phishers out there using a botnet (a network of infected “zombie” computers) not just to send emails, but to host the websites and the DNS for their scam.

Imagine what this technology could do for legitimate sites. It could potentially surpass Akamai’s system of worldwide mirrors. You could set up something like BitTorrent that would automatically mirror sites you’re looking at. Getting Slashdotted would actually improve a site’s response!

Yesterday morning, I remarked to Katie that it seemed odd that with the vast number of “zombie” computers infected with remote control programs via viruses, trojans, spyware, etc., their primary use so far has been sending spam. After 7-odd years of distributed computing projects ranging from demonstrating weaknesses in encryption schemes to searching for extra-terrestrial radio signals via SETI@Home, and reports that access to zombie nets is selling on the black market, you’d think someone out there would be trying to crack into the DoD or something. (That last link refers to phishing attacks, but the current form of phishing is very tightly coupled with spam.)

Last night I saw proof that zombies are at least branching out a little: they’re not just being used for email spam, but they’re also being used for comment spam. Starting around 8:30, someone started posting pairs of comments every 20-30 minutes. The content and links were identical each time, except for some random numbers in the (probably bogus) email and at the end of the body… but the IP address was different each time.

I caught it around 10:00, added “poker” to the list of moderation triggers, figured they’d give up when they saw their comments weren’t posting, and after another 3 pair (that’s not a legal hand, is it?) I just closed comments on the two posts.

Update 6pm: After a long afternoon dealing with server recovery issues, I checked my email and found about 40 “Please approve…” notices, starting around 1:45 and running all afternoon. All from the same blog spammer. A bit more aggressive than yesterday’s, because they hit a new post every time, but this batch all went straight into moderation. You’d think after you posted 20 comments and none of them showed up, you’d get the clue that it’s not worth posting 20 more…

Update 9am: I installed a plugin last night to block those comments from even reaching the moderation queue. Then laaate last night I noticed that it was screwing up comments with apostrophes, so I disabled it. The moderation notices started coming in immediately. 60 of them from around midnight to about 6am this morning. And none were ever displayed on the site. (Thank you, WordPress!)