Blue Security Shifted Attack, Brought Down Blogs

This is a wild tale of a denial-of-service attack, allegedly orchestrated by a big time spammer against an anti-spam security company that brought down a blogging site.

May 5, 2006

4 Min Read

The denial-of-service attack that crashed TypePad and LiveJournal this week was caused by anti-spam company Blue Security, which pinned the target on the blog in an attempt to save its own servers, analysts said Thursday. Blue Security denied that it knew the attack would crash its blog host.

Blue Security's Web site has been overwhelmed by a denial-of-service (DoS) attack for at least the last four days, said Todd Underwood, the chief of operations and security at Manchester, N.H.-based Renesys, an Internet monitoring and routing analysis firm.

"Blue Security changed its DNS record, and pointed bluesecurity.com at its blog site hosted by Six Apart's TypePad," said Underwood, "without telling anyone at Six Apart to expect millions of packets per second. That's unacceptable and unethical."

When Blue Security redirected traffic to its TypePad blog, the load overwhelmed Six Apart's servers, bringing down all its blogging services, including TypePad and LiveJournal.

Wednesday, a spokesperson for Six Apart said that the company's servers were not directly targeted, but had been victimized by an attack against a "security company" whose name she refused to disclose. For its part, Blue Security continued Thursday to deny that any DoS attack had been launched against it this week.

"It's not a denial-of-service attack," said Eran Reshef, Blue Security's chief executive. "We weren't getting any traffic but from inside Israel. Nothing."

Reshef sees a deeper conspiracy than the one which developed earlier this week, when he reported that some users of Blue Security software were being threatened in messages from a then-unknown spammer. "It's much more complicated than a DoS. What's now happening is that one of the top spammers in the world views [us] as a threat to spam. He bribed someone at a top ISP to make changes to the Internet's backbone so we got no [data] packets."

He also claimed that the attacker, a Russian spammer now dubbed "PharmaMaster," attacked one of the largest domain name providers, took down four major ISPs, and punished one of the world's biggest download sites, all in an attempt to retaliate against Blue Security and its anti-spam software.

"He ICQed us and said 'I own the Net. Everyplace you are going to be, I'm going to follow,'" said Reshef. Reshef acknowledged that Blue Security redirected traffic from its bluesecurity.com URL to the TypePad blog, but pleaded ignorance. "I didn't think he was so crazy as to attack them," said Reshef.

"His argument doesn't hold water," said Underwood. Reshef had to know his site was under attack, what with 1 to 3 million packets per second hitting the site from just one of the two backbones upstream from the Blue Security domain. "I find it implausible that Blue Security didn't know it was being bombarded by 4 or 5 or 6 million packets a second."

Nor does Reshef's story of backbone bribery stand up. "I went into our data and looked at the last five days of routing updates," said Underwood. "There was nothing fishy there."

"This has nothing to do with Blue Security now," countered Reshef. "PharmaMaster is just not willing to have the spam economy changed. This is about a criminal who wants to keep his spam business."

It is all about Blue Security, argued Underwood, who found no evidence of an Internet-wide campaign as Reshef alleged. But there has been fallout beyond the downed blogs. "Blue Security changed its domain name provider to MDNSservice.com, which is owned by Tucows.com [a major software download site]. Yesterday, the DoS either started against name servers, or increased. That did damage to Tucows, which is one of the top 20 registrars. That was bad for everyone who had a domain [with Tucows]."

According to Martin Hannigan, who works at Renesys on the technical operations staff, the expanded attack against Tucows brought down 104,000 sites hosted by the company. As of Thursday, Tucows's status page noted that e-mail and Web-based mail were still offline due to "intermittent issues."

Reshef admitted that Blue Security's name server provider shut down its DNS, and Underwood confirmed that traffic to Blue Security now resolves to the loopback IP address of 127.0.0.1, meaning it's offline.
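The two DNS moves described above (repointing bluesecurity.com at a third party's host, then blackholing it to 127.0.0.1) are both visible to anyone periodically resolving the name. The following monitor is an added example, not code from the article or from any company named in it; the timestamps, addresses and provider ranges are constructed for illustration.

```python
import ipaddress

# Constructed DNS observations (timestamp, name, A record), as a monitor
# doing periodic lookups might record them. Addresses are documentation
# ranges, not the real ones from the incident.
OBSERVATIONS = [
    ("2006-05-01T10:00", "bluesecurity.com", "203.0.113.10"),   # own hosting
    ("2006-05-02T10:00", "bluesecurity.com", "198.51.100.25"),  # moved to blog host
    ("2006-05-04T10:00", "bluesecurity.com", "127.0.0.1"),      # DNS blackholed
]

# Assumed ownership of address space; a hosting provider would use its own
# allocations here, and "own" is the domain holder's usual hosting.
PROVIDER_RANGES = {
    "own": [ipaddress.ip_network("203.0.113.0/24")],
    "blog-host": [ipaddress.ip_network("198.51.100.0/24")],
}


def owner_of(addr):
    """Map an A record to 'loopback', a known provider name, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:          # 127.0.0.0/8: the name has been nulled out
        return "loopback"
    for name, nets in PROVIDER_RANGES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def classify_changes(observations):
    """Emit one event per name per change of who hosts it.

    'repointed:X->Y' is the event a provider like the blog host would want
    to alert on: a foreign domain (and its traffic) has just landed on it.
    'blackholed' means the record now resolves to loopback, i.e. offline.
    """
    events, last = [], {}
    for ts, name, addr in observations:
        owner = owner_of(addr)
        prev = last.get(name)
        if prev is None:
            events.append((ts, name, f"baseline:{owner}"))
        elif owner == "loopback" and prev != "loopback":
            events.append((ts, name, "blackholed"))
        elif owner != prev:
            events.append((ts, name, f"repointed:{prev}->{owner}"))
        last[name] = owner
    return events
```

A provider feeding its own prefixes into PROVIDER_RANGES and resolving high-profile names on a schedule gets the "somebody just pointed a domain at us" signal that Six Apart never received.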

Reshef couldn't give a timeline for when his site would be back up, saying only that he was searching for a name server provider and Internet hosting company willing to stand up to PharmaMaster.

Underwood, however, said that it appeared Blue Security was in the process of repointing its traffic to Prolexic, a noted DoS mitigation service provider based in Florida. "They have tons of upstream traffic [bandwidth], and black boxes that can sanitize some of the traffic," said Underwood. Prolexic would neither confirm nor deny that Blue Security was one of its customers, while Reshef had earlier refused to name the vendor it was talking with about handling the Blue Security site.

"I don't blame Blue Security for the Tucows attack," said Underwood. "You have to have your name server somewhere.

"But if my couch is on fire, I don't push it out of my house and into my neighbor's. It just wasn't ethical for Blue Security to not sound the alarm with Six Apart, and instead to silently redirect the [DoS] traffic to them."
