
Dreamhost is Under DDoS Attack

This entry was posted in General Security, WordPress Security on August 24, 2017 by Mark Maunder   32 Replies

Dreamhost is currently experiencing a DDoS attack. I am updating this post in real-time as the situation unfolds. Last update was at 10:46am PST. ~Mark Maunder

Their team posted this tweet 20 mins ago.

I’ll be posting updates here as the situation progresses. Their engineers are clearly working the problem.

You can find their status page at https://www.dreamhoststatus.com/ – currently it says the following are affected:

Dedicated Servers, DreamPress 2, Remixer, Shared Hosting, Virtual Private Servers (VPS), Webmail.

Their team detected the attack at 9:20am PST and mitigation started at 10:20am PST.

Dreamhost has recently been in the news for fighting a US Department of Justice request for the IP addresses of all visitors to a website that they host.

The DDoS appears to be unrelated to the DoJ request above. It looks like it may be an Anonymous attack targeting the Dreamhost DNS to try to take a white supremacist website called ‘punishedstormer dot com’ offline. The website came online today and is hosted at Dreamhost.

What is Being Attacked

Dreamhost currently hosts an extremist website called punishedstormer. The site’s DNS is also hosted by Dreamhost. That means that if you try to access the site, your computer or device contacts Dreamhost’s DNS servers and asks for the site’s IP address so that it can connect.

The attackers are sending a massive amount of traffic to Dreamhost’s DNS servers so that the website they want to take down becomes inaccessible.

You can see the DNS servers that are being used for the target website in this screen capture:

As you can see, the servers ns1, ns2 and ns3 at dreamhost.com are responsible for handing out the site’s IP address to anyone looking up punishedstormer’s address. These are being targeted, possibly along with other DNS servers at Dreamhost.

This will affect the availability of any website and domain that is using Dreamhost DNS services.

What to Do

If you host your website at Dreamhost, you may not be affected by this attack if you host your DNS with another provider. If you host your DNS with Dreamhost, it is likely that you are affected.

Unfortunately there is not much you can do. If you move your DNS away from Dreamhost, it will take up to 48 hours for the update to propagate around the Internet. Dreamhost will probably have this situation resolved in the next few hours. So the best advice may be to sit tight until their engineers are able to filter out the DDoS traffic and bring their systems back up.
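To work out which of your domains depend on the affected DNS provider, you can classify each zone by where its nameservers live. The following is an added example, not part of the original post: it parses `dig NS`-style answer lines and reports each zone's exposure. The zone names and `otherdns.example` are constructed placeholders, and grouping nameservers by their last two labels is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample input in `dig NS <domain> +noall +answer` format.
# Zones and otherdns.example are placeholders; only the nsN.dreamhost.com
# nameserver names come from the post.
SAMPLE_ANSWERS = """\
shop.example.   14400 IN NS ns1.dreamhost.com.
shop.example.   14400 IN NS ns2.dreamhost.com.
shop.example.   14400 IN NS NS3.DreamHost.com.
blog.example.   86400 IN NS ns1.dreamhost.com.
blog.example.   86400 IN NS ns1.otherdns.example.
news.example.   3600  IN NS a.otherdns.example.
news.example.   3600  IN NS b.otherdns.example.
"""

def provider_of(ns_host):
    """Naive provider key: last two labels of the nameserver name (assumption;
    names such as ns1.foo.co.uk need a public-suffix-aware library)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse_ns_answers(text):
    """Return {zone: [(ttl, ns_host), ...]} from dig-style NS answer lines."""
    zones = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[2].upper() != "IN" or f[3].upper() != "NS":
            continue  # skip blank lines, comments and other record types
        zones[f[0].rstrip(".").lower()].append((int(f[1]), f[4]))
    return dict(zones)

def exposure(zones, affected_provider):
    """Classify each zone by how many of its nameservers sit at one provider."""
    report = {}
    for zone, records in zones.items():
        hit = sum(1 for _, ns in records if provider_of(ns) == affected_provider)
        if hit == len(records):
            status = "fully dependent"      # every lookup goes to that provider
        elif hit:
            status = "partially dependent"  # resolvers can retry the other NS
        else:
            status = "independent"
        # Longest NS TTL seen: resolvers may keep serving the cached
        # nameserver set for this long after a delegation change.
        report[zone] = {"status": status, "ns_ttl": max(t for t, _ in records)}
    return report

if __name__ == "__main__":
    result = exposure(parse_ns_answers(SAMPLE_ANSWERS), "dreamhost.com")
    for zone, info in result.items():
        print(f"{zone}: {info['status']} (NS TTL {info['ns_ttl']}s)")
```

This only measures DNS dependency; a site whose web server sits at the affected host can be unreachable even when its DNS is elsewhere.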

Email Also Affected

It is worth noting that if your domain’s DNS is handled by Dreamhost, then your email deliverability may be affected. Emails that are sent to you may be bounced back to the sender. If you are expecting an urgent email, we recommend that you contact the sender directly and let them know your email may be temporarily unavailable.

Once this service disruption ends, you may want to let your contact list know that your email may have been temporarily unavailable due to an attack on your email DNS hosting provider.

Update at 11:22am PST: Dreamhost are reporting that they are beginning to mitigate the attack.

Update at 12:36pm PST: Dreamhost is reporting all services are restored and operational, although they show many services in a ‘degraded’ state. You can find out more information on their status page.


32 Comments on "Dreamhost is Under DDoS Attack"

MG August 24, 2017 at 10:42 am • Reply

"Their team detected the attack at 9:48am PST (1 hour ago at the time of this writing) and mitigation started at 9:40am PST (about 30 minutes ago)."

Their mitigation started 8 minutes before they detected it? Damn near prescient! ;) I'm guessing there was a typo in there somewhere? ;)

Mark Maunder August 24, 2017 at 10:45 am • Reply

Thanks! Fixed.

Derek August 24, 2017 at 11:00 am • Reply

All of my DNS is hosted with another provider, and all of my sites are down at Dreamhost

Mark Maunder August 24, 2017 at 11:10 am • Reply

Oh darn. Sorry to hear that.

Derek August 24, 2017 at 11:52 am • Reply

Sites are starting to come back up! :)

Liz August 24, 2017 at 11:14 am • Reply

Things are coming back up now.

Mark Maunder August 24, 2017 at 11:16 am • Reply

I'm also getting reports that things are beginning to come back online. Still seeing some down reports though.

Liz August 24, 2017 at 11:23 am • Reply

Yeah, I'm only seeing about 50% restoration so far. I imagine it's going to be a bit of time still. I'm quite curious how the afternoon will shake out.

David Boggs August 24, 2017 at 11:27 am • Reply

FYI, https://panel.dreamhost.com/index.cgi is now out of service.

Doc Pop August 24, 2017 at 11:18 am • Reply

The stormer supposedly "hacked itself" a week ago to drum up sympathy. That hasn't been confirmed, but seemed believable at the time. Any idea if this might be a similar situation to get lots of free press, or are the Anonymous messages coming from a trusted Anonymous affiliate?

Mark Maunder August 24, 2017 at 11:20 am • Reply

The trouble is that anonymous is... anonymous. But based on what I'm seeing, this is a DDoS attack from an external group. The site owners haven't demonstrated any kind of technical capability. I'm seeing anon affiliated twitter accounts making noise about this.

Kirrus August 24, 2017 at 11:23 am • Reply

Email sent to you shouldn't be bounced/lost it should be held on the sending SMTP relay server for a typical minimum of 2 days whilst the sending server isn't able to connect to the receiving. Emails will definitely be delayed incoming, though.

Email was designed when the internet was a lot more unreliable than it is today :)

Mark Maunder August 24, 2017 at 11:38 am • Reply

Sadly, I'm old enough to remember those days. Thanks Kirrus. Agreed - I think the bounce reports I'm seeing are the initial SMTP "delayed" notifications that people are reporting on twitter.

Teri Buhl August 24, 2017 at 11:24 am • Reply

My news publication hosts with Dreamhost on a vps server and it is not down.

Icy Sedgwick August 24, 2017 at 11:32 am • Reply

Yep, I'm on Dreamhost so all of my sites are down.

Anne Hutchins August 24, 2017 at 11:38 am • Reply

All of my sites are down, unable to receive or send domain email. Great.

Mark Maunder August 24, 2017 at 11:59 am • Reply

Sorry to hear that Anne.

Steve August 24, 2017 at 11:54 am • Reply

Just curious...what steps would Dreamhost be taking now to mitigate the attack? Just block all the IPs the attack is emanating from?

PS. Thanks for all you and your team do, Mark!

Mark Maunder August 24, 2017 at 11:58 am • Reply

They're probably chatting to an upstream provider like NTT to have them route all traffic to the affected IP blocks through a layer 7 DDoS scrubbing service.

Jason C. Levine August 24, 2017 at 12:34 pm • Reply

Granted, I think we can all agree that any version of the D---y S-----r shouldn't be hosted anywhere, but if an entire ISP can be taken out because someone doesn't like a site that's hosted on it, how should a business choose a host?

Mark Maunder August 24, 2017 at 12:39 pm • Reply

I'd say situations like this are the luck of the draw. Tomorrow it could be GoDaddy, or Hostgator or Bluehost. It isn't really predictable.

Anne Hutchins August 24, 2017 at 12:49 pm • Reply

Exactly. And you'll end up spending a ridiculous amount of time sorting through endless WHOIS records to find that "perfect" host. It just doesn't exist.

David Paul August 24, 2017 at 3:48 pm • Reply

My company's site was affected by this. Do you think a service like Cloudflare can help us non-technical people avoid down times like this? Or are they just as vulnerable?

Mark Maunder August 24, 2017 at 4:14 pm • Reply

They'll stop a DDoS on your website. They would not have helped if your DNS was hosted with Dreamhost - even if you used their website cache/waf service.

Even if you move your DNS to cloudflare, if your origin server is hosted at a host and they go after infrastructure (e.g. DDoS a router) then all bets are off.

The trouble with cloud wafs is that attackers can just go around them. Read about the cloud WAF bypass problem here.

Rich S. August 24, 2017 at 1:24 pm • Reply

Jason, I think it's more appropriate to say the message of D---y S-----r should be rejected, but we shouldn't care where it's hosted, or that it is hosted. Nor do we want the host company attacked for hosting it.

People and organizations should be able to post any content messages they like, and it's up to the rest of society to reject and shun the message and messenger if it's offensive material.

It is not up to any of us to take away their natural right to express their views, no matter how foul they are.

Anonymous, or whoever is behind the DDoS attack, is hurting the rest of society, by assuming they are the arbiters of which messages are acceptable, and which are not. I don't want them thinking for me. I presume you don't either.

Mark Maunder August 24, 2017 at 4:21 pm • Reply

I've been having this debate with Pat Gray of Risky Biz on Twitter. I've been taking the "free speech" side for a while, but he's doing a great job of making me see the other side of the argument. I don't think any company should be compelled to host extremist content - and I think it's also OK to "fire a customer" when their business is very obviously disagreeable.

Rich Stern August 25, 2017 at 11:22 am • Reply

Mark, please don't misconstrue what I am saying: Dreamhost is and should be free to reject anyone as a customer. Business relationships should always be voluntary.

The difference, in this case, is that someone is trying to make that decision for Dreamhost, by causing them criminal harm.

Dave Dally August 24, 2017 at 2:01 pm • Reply

I feel this is a good time to point out that Dreamhost is not a good hosting company, they use very dishonest marketing on their website, and their products are slimy, at best.

For example, their "Virtual Private Server" product is not a real VPS. You don't get root access, and you can't install MySQL, you have to use a shared SQL database, which is by its definition not "private". They offer a private option if you spend more money, but advertising the shared version as a VPS is dishonest.
Also, all shared hosting is dishonest, by nature, which is the core of Dreamhost's business.
Do they deserve to get DDoSed? I don't know, but I'm not shedding any tears over them.

Mark Maunder August 24, 2017 at 4:17 pm • Reply

Oh come on Dave. They're having a bad day already. ;-)

Don't kick them while they're down. A DoJ decision didn't go their way this morning and now Anon is DDoS'ing them over a new stormer website they're hosting.

IanPJ August 24, 2017 at 3:45 pm • Reply

I wouldn't be so sure it has absolutely nothing to do with the disruptj20.org site, this from a few hours ago.

A District of Columbia Federal Judge has approved a government warrant seeking information about users and subscribers to an anti-Trump website which has been linked to rioting during the presidential inauguration in Washington, D.C., but he added protections to safeguard "innocent users."

Chief Judge Robert Morin ruled that DreamHost, an LA-based web-hosting company, must turn over data about visitors to the website disruptj20.org, which is a home to political activists who organized protests at the time of Donald Trump's inauguration as U.S. president in January, many of whom have since morphed into the controversial "antifa" movement.

Mark Maunder August 24, 2017 at 4:16 pm • Reply

Yup, we're aware of all that. Check twitter. Anonymous are targeting DH because they're hosting a new stormer site as of this morning. Dreamhost are having a bad day.

Jobst August 24, 2017 at 5:50 pm • Reply

Doing a "jwhois punishedstormer.com" yields godaddy, 18.39 hours.
So they just moved, dns is at domaincontrol.com
