Hacker News new | ask | show | jobs
by zagi 4643 days ago
Hi, this is Ben, CEO and Co-Founder of DigitalOcean, we have received the document and will discuss the matter publicly.

-----

All times are UTC.

Our monitoring picked up a malicious UDP traffic pattern on 2013-09-08 00:58:23. A ticket was then opened with the customer at : 2013-09-08 01:05:55 roughly 7 minutes later.

The customer informed us that it was a script that was crawling in the background.

We informed the customer that it may be a good idea to check through the virtual server to see if there were any signs of a compromise just in case.

The droplet was unlocked at this time.

A second UDP pattern was detected on 2013-09-24 12:27:09 and a ticket was opened 2013-09-24 12:27:14 to request more information from the customer.

Because this was already a second occurrence we had to do a more thorough follow up. Discussing the matter with the customer, he informed us that it was a mysql db dump script that was pushing data to dropbox.

He provided us a link to a github project that he wrote, we asked further questions. Specifically if you are writing a mysql dump remotely why are the packets being sent as UDP? Additionally if the final destination is dropbox that would be an SSL encrypted connection and again why would that transfer go over UDP?

We reviewed the code of the dump-to-cloud project and it was using the dropbox sdk, here is where the file transfer is initiated:

   def upload_file(file_name)

        client = DropboxClient.new(@access_token)

        file = open(file_name)

        puts 'Uploading file!! Please wait.'

        response = client.put_file("/#{file_name}", file)

        puts "uploaded:", response.inspect

    end
From the dropbox SDK here is where it sets the destination for the file transfer:

   def build_url(url, params=nil, content_server=false) # :nodoc:

        port = 443

        host = content_server ? Dropbox::API_CONTENT_SERVER : Dropbox::API_SERVER

        versioned_url = "/#{Dropbox::API_VERSION}#{url}"



        target = URI::Generic.new("https", nil, host, port, nil, versioned_url, nil, nil, nil)



        #add a locale param if we have one

        #initialize a params object is we don't have one

        if @locale

            (params ||= {})['locale']=@locale

        end



        if params

            target.query = params.collect {|k,v|

                CGI.escape(k) + "=" + CGI.escape(v)

            }.join("&")

        end



        target.to_s

    end
The code that actually transfers the file from the dropbox sdk:

    def do_put(url, headers=nil, body=nil)  # :nodoc:

        assert_authorized

        uri = URI.parse(url)

        do_http_with_body(uri, Net::HTTP::Put.new(uri.request_uri, headers), body)

    end
The file is transferred via HTTPS since it is going to a secure service and HTTPS would rely on TCP for the data transfer, again to ensure that all packets are delivered.

Given that it was the second incident that a UDP traffic pattern was observed in less than 30 days and that the information the customer provided regarding the traffic did not match up, we made a determination that in fact it couldn't be this script that was generating the traffic.

All of this information was relayed to the customer that we did not believe that the traffic in question was related to this script because it would not rely on UDP, an insecure protocol to deliver files to a secure endpoint where data integrity was of the utmost importance.

Unfortunately, we could not unlock the account at this time because the information we received was not clear and we already had two incidents of outbound UDP traffic that appeared to be disruptive and abusive in nature totaling 1Gbps as if it were a denial of service attack, typically associated with UDP packets.
9 comments
orclev 4643 days ago
A far more thorough response than I expected to see. It does look like, best case scenario his instance was compromised and being used for malicious purposes, worst case scenario he was actively doing something malicious himself. In either case taking the compromised/malicious instance offline is the appropriate first response in the case of an active attack underway.

I think I have to agree with a comment someone else made in the previous thread about this, with the rise of cheap VPS services we're seeing an influx of people unqualified and unprepared to run their own internet routable servers and things like this are the outcome of that. When you choose to stand up a VPS with a service like DO you take on the responsibility of keeping it secure and preventing it from engaging in malicious activity. If you fail at that task, the consequence is your servers will be shutdown for the good of the internet as a whole. If you are either unprepared or incapable of dealing with that responsibility you should be paying for a hosting service that's prepared to offer those services for you.

I say this as someone that currently has accounts with a number of VPS providers where I do take the responsibility of managing my servers seriously, as well as previously helping to administer a server that was compromised and taken offline until such a time as we had performed a full audit and verified our code on a new instance.

You should be prepared to treat a compromise of your servers the same as any other form of disaster. Treat it the same as if a flood happened and took out the facility you were hosted out of. You should have a backup plan in place so you can roll over to your backup until such time as you can fix the "broken" server, or else accept the downtime.

link
veemjeem 4643 days ago
I think it's a bit sad that you have to go to such great lengths to protect your company's image. This was a very obvious case of customer fault. He admitted that he doesn't know if his server was hacked. The customer probably should have looked into the issue before making a inflammatory blog post.

Maybe if you guys charged more you wouldn't get these ultra-cheap customers who think they should get 24/7 support for paying $5 a month.

link
sdogruyol 4643 days ago
Being attacked or even getting compromised is customer fault ? Okay i get that. But what about closing the account instantly, not notifying the customer, accusing that customer of being a cheap liar and treating them in a bad way?
link
dragonwriter 4643 days ago
Suspending -- what was done in the first instance -- a system which is engaging in an apparent DDOS is a perfectly reasonable action.

Locking the account when the explanation given is inconsistent with the observed behavior it was supposed to explain and the system is again engaing in an apparent DDOS is also a perfectly reasonable action.

It also seems from your posts that both times you were notified of the action by DO, so "not notifying the customer" is not an issue.

I don't see any evidence you were accused of being a "cheap liar", either.

The fact that services now make it cheap and easy to set up servers doesn't mean that you have no responsibility for what the servers you set up do. If you are really running a service with 25K active users, you probably ought to be able to respond to your VPS hosts questions about unusual UDP activity with either an explanation that holds water, or an up-front admission that you don't know where it is coming from and will take action to prevent it, rather than claim it comes from a database dump script that doesn't use UDP.

link
waps 4643 days ago
Sadly, suspending a system which is the target of a ddos is the only action an ISP can take. Even if you're not ddossing anyone but merely the target you'll get suspended, assuming you're not paying enough to make it worth it for the ISP
link
ehutch79 4643 days ago
Sounds like they gave you plenty of chance to check it out;

""" We informed the customer that it may be a good idea to check through the virtual server to see if there were any signs of a compromise just in case """

In fact from the dates listed, it looks like you had over two weeks to check for compromise. Even then, it seems like they tried to talk to you before just closing your account;

""" A second UDP pattern was detected on 2013-09-24 12:27:09 and a ticket was opened 2013-09-24 12:27:14 to request more information from the customer. Because this was already a second occurrence we had to do a more thorough follow up. Discussing the matter with the customer, he informed us that it was a mysql db dump script that was pushing data to dropbox. """

link
bradleyland 4642 days ago
> But what about closing the account instantly, not notifying the customer, accusing that customer of being a cheap liar and treating them in a bad way?

I know this can be difficult, but it's important to understand the difference between calling someone a liar and pointing out that what is being claimed does not match reality.

DO has to take action to protect their reputation, their other customers, and whoever is the target of the potentially malicious attack. If they have empirical evidence of this attack, then they must take action. When you attempted to explain what you thought was the source of the traffic, they took the time to show (in detail) why that was not the case. This is not the same as calling you a liar. It is calling you incorrect, but these are two very different things.

You can be incorrect and not be a liar. That's a valuable lesson to learn if you intend to work in a technical field. If I were you, I'd try to take a step back. Take a couple of days off and come back to the issue. Try to understand why everyone is siding with DO on this, and resist the urge to immediately believe that everyone is against you.

link
csomar 4643 days ago
According to Ben, they did notify and talk to you about the issue.
link
taf2 4643 days ago
perhaps they can't tell if the customer was running the attack or not... it's kind of similar to someone buying and selling drugs in your house... it's your house you take some heat when it happens in your home... not sure it was the right thing or wrong, but i am sure they have to shut you down at least on that one instance to protect themselves as well as anyone else using their service...
link
sdogruyol 4643 days ago
You know what they stopped answering my ticket after first response. If it wasn't HN post gaining this much traction i'm pretty sure that they won't respond to me.
link
veemjeem 4643 days ago
They responded to you 7 minutes after discovering the irregular behavior. It's up to you to figure out the cause. It's not their responsibility to tail log files.

Had you chosen a VPS like amazon, you probably wouldn't even get notified. The first time you'd notice a problem is when you get your $1000 bandwidth bill from amazon.

You're like the customer that shows up at a restaurant and complains publicly about the food and demands a refund. When you make it a public issue, the company will move mountains to help you, but you're still an asshole for doing it.

link
sdogruyol 4643 days ago
They notified me what? They closed my account first and then mailed me after? It's like killing a man first and then saying the reason why.
link
thaumaturgy 4643 days ago
If the account can reasonably be considered to be abusive (whether intentionally or because it was compromised), DigitalOcean has an even greater obligation to protect their network and the other network that's being targeted. Immediately suspending the account is the correct first step.

If DigitalOcean's support wasn't clear about their reasons for suspending the account, or if you feel that you weren't getting a helpful response from them, then post the communications you had with them to prove it.

link
orclev 4643 days ago
Well, we've now heard two different stories. According to Ben, there were two events. The first time they took your server offline and contacted you to tell you about it, they did not however lock your account. When the second event occurred with you being unable to provide a reasonable explanation and apparently being unable to deal with whatever compromise occurred, they took the system down again and this time also locked your account.

Your explanation of the events only mentions a single occurrence, at which time your account was locked in addition to the server being shutdown.

In either case, a server engaging in malicious activity, is normally taken offline as soon as the malicious activity is discovered to prevent further damage from occurring. You'd get a similar response from just about any other hosting provider you care to name. If you're lucky, and they're feeling generous, they might work with you to find the problem prior to taking the system offline, but normally standard procedure is to take the system offline immediately. The fact that you seem surprised about this shows you don't have much experience administering your own servers.

The standard response usually goes something like:

1) Server is discovered doing something malicious

2) Server is taken offline/shutdown

3) Administrator is notified

3a) Read only copy of the old server HD is brought online on a new server to allow administrator to perform forensic and backup work*

4) Administrator must bring up new server to replace old compromised one

*Sometimes the provider will provide you the old HD image, sometimes not, really depends on the provider.

link
debian3 4643 days ago
They basically killed the killer, 1gbit udp probably killed the website or servers of someone else.
link
dragonwriter 4643 days ago
Suspending account is an action reversable with sufficient cause, killing him is not.
link
thecoffman 4643 days ago
This is:

a.) pretty good evidence that DO did their due diligence and

b.) way more thorough investigation than I would have expected from a "value" vps provider.

link
opendais 4643 days ago
So you shutdown the VM due to what appears to be a compromise. That is typical host behavior at least.

Locking the user out of their account seems...odd, tho. I've never had that happen, personally, at any host.

link
csomar 4643 days ago
Maybe Ben can explain what "locking" an account is actually is. If the customer did, in fact, break the TOS, I think it's logical to lock his account.
link
toomuchtodo 4643 days ago
Locking the account should put it in a read-only mode. No changes to your DNS, no ability to start the droplet back up, firewall rules put in place at the hypervisor/network layer that block outbound traffic, but still allows you inbound access.
link
opendais 4643 days ago
That would be ideal. Its sounds like it was more than preventing changes to the account information tho.
link
joshdance 4643 days ago
Good reply Ben. I am actually a DO customer I think you've explained yourself well. Good to remember that there are always two sides to the story. I'm sure both parties could have done things differently. But thanks for the disclosure.
link
quicksilver03 4643 days ago
Instead of locking the account, couldn't you just have blocked all outgoing UDP packets from the IP address of the customer's droplet?

Blocking UDP would have stopped the attack, it would have given you a time window to contact the customer (allowing for time zone differences) and would have given both parties a chance to resolve the issue in private and with much less drama.

(speaking as a current customer of DigitalOcean, using UDP (thru collectd) to monitor my droplet and starting to have uneasy feelings).

link
csomar 4643 days ago
After 1 day or so i tried to reach my server but couldn’t even ping or ssh to my server. I thought that DO was down but the truth was that they’ve locked my account without any notification. Can you imagine this?

The customer is lying in this case?

link
cortesoft 4643 days ago
I am curious to see the blog poster's response to this, as your course of action seems completely reasonable.

May I ask what about the UDP traffic made it appear abusive?

link
gozzoo 4643 days ago
how about 'totaling 1Gbps'?
link
nerfhammer 4643 days ago
https://news.ycombinator.com/item?id=6447635
link
sdogruyol 4643 days ago
Hello Ben, thanks for the response. Fırst of all at first ticket i told that the only possibility of having an UDP outgoing is that script that i wrote.

Other than that i've no other activity or script that can generate that much traffic. Haven't you even considered that my droplet may be compromised or being attacked ?

Instead of letting me know what exactly happened or which processes were running at that time you just locked the account and accused me.

Couldn't you even look at the access logs or so to see which IPs login into the droplet and then take your action later instead of closing it instantly?

link
veemjeem 4643 days ago
Most cheap VPS providers would not go do that much work to decipher the root cause of the problem. When you have a server sending 1Gbps traffic, it's easier to shut it down than tail log files to figure out the cause. Digital Ocean can't do that for every customer that pays $5 a month. If you want a high level support, you should have picked a mid-level VPS like rackspace.
link
jrmiii 4643 days ago
Looks like they looked at the code and determined it could not be UDP from your script.

I think they did consider your droplets to be compromised.

I think at issue here is that they have to assume that the droplet owner is the malicious party, if they don't lock your account, they can't stop you from creating more droplets.

I think you may have a point that they did not clearly explain to you why your account was locked.

However, this incident makes me more likely to continue using Digital Ocean. With the new private networking they have in NYC2, I for one am thrilled that they do this kind of proactive monitoring.

link
csomar 4643 days ago
Unmanaged = Your responsibility

I got my server down with DO many times at first. It was a problem with the CentOs package; but it was indeed my responsibility to fix it.

You are responsible of securing your server.

link
chc 4643 days ago
According to Ben's account, they did suggest to you that the droplet might be compromised. That is what they believed to be the case.
link
sdogruyol 4643 days ago
I was also tremendously happy with DO and their service. But what if you get your production apps down without even any notification and proper reasoning ? That's the thing which makes you feel insecure.
link
nav1 4643 days ago
They did notify you.

>Our monitoring picked up a malicious UDP traffic pattern on 2013-09-08 00:58:23. A ticket was then opened with the customer at : 2013-09-08 01:05:55 roughly 7 minutes later.

Also, you should do a better job securing your server. It seems like the server was compromised.

link
veemjeem 4643 days ago
If you have a production app, it would make sense for you implement HA, then you wouldn't have to worry about a single server getting hacked.

What proper reasoning do you need? If your server is hacked, it makes sense to shutdown the server, or disconnect it from the network completely. You can extract the data at a later time.

What if your server was hacked, then started serving up child porn? Would you be okay with having the server continue running?

link
chc 4643 days ago
I'm sympathetic to your frustration — but when your box is owned and actively participating in illegal activity, you kind of have to expect it to get shut down.
link
debian3 4643 days ago
The only thing who feel insecure here is your vps.
link