Posted by: Matt Heusser
cloud adoption, Cloud-Based Applications, monitoring, outsourcing
On September 10th, the story was that an “anonymous hacker”, security lead for the internet group ‘anonymous’ has hacked into GoDaddy, taking down as many as 52 million websites. The New York Times ran the story that Anonymous used a Distributed Denial of service attack by taking over millions of computers, then directing them all to route traffic to GoDaddy sites, creating an influx beyond the capacity of GoDaddy’s servers.
Except, three hours later, the hacker collective Anonymous claimed, through several twitter feeds, that it was not them. and the hacker anonymousown3er was acting alone.
It’s just not true.
Or at least, it might not be true. We think. Maybe.
Then things get weird.
The next day, September 11th, 2012, Scott Wagner, the CEO of GoDaddy, made a public post claiming the problem was internal – a corrupt router table – and had nothing to do with hackers, hacktivists, or Anonymous. Meanwhile, AnonCentral, an incredibly prolific twitter account with one hundred and fifty thousand followers that may be posted by multiple people, was claiming that GoDaddy supported (or had supported) SOPA – the Stop Internet Piracy Act, that advocates argue is so loosely defined that the attorney general can take down nearly any non-us site he does not like.
What is really going on here?
We may never know for sure.
What we do know
GoDaddy was down for six hours, from 10AM Pacific to 4PM Pacific on September 10th.
Assuming this kind of outage happens once every five years, that would be 99.98% uptime, which sounds nice – but GoDaddy’s Service Level Agreement is an incredibly 99.999%. For those without a calculator handy, that is about 25 minutes of downtime, total, in five years – or five minutes per year.
That is a huge promise to make.
Famed Internet Blogger Joel Spolsky explained his faith in those sorts of Service Agreements this way:
Internet providers like Peer 1 like to guarantee the uptime of their services in terms of a Service Level Agreement, otherwise known as an SLA. A typical SLA might state something like “99.99% uptime.” When you do the math, let’s see, there are 525,949 minutes in a year (or 525,600 if you are in the cast of Rent), so that allows them 52.59 minutes of downtime per year. If they have any more downtime than that, the SLA usually provides for some kind of penalty, but honestly, it’s often rather trivial… like, you get your money back for the minutes they were down. I remember once getting something like $10 off the bill once from a T1 provider because of a two day outage that cost us thousands of dollars. SLAs can be a little bit meaningless that way, and given how low the penalties are, a lot of network providers just started advertising 100% uptime.
I don’t think the lesson on this site, today, is not about anonymous; it is not about computer security at all.
Instead, it is about trust.
When someone makes a promise that is too good to be true, look for the guarantee; what happens if the promise is broken?
In case of GoDaddy, my personal site, Excelon Development, was down for six hours. The possible loss to my business is in the five figures — it is, after all, possible that a decision maker, offering a large consulting contract, looked at my website at just the wrong time, saw that it was down, and decided to take his business elsewhere.
The probable loss, of course, is much less.
Black Swans will happen; there will be unexpected things, exactly what SLA’s do not account for. Router Tables or Hacktivist, it really doesn’t matter.
The question to be prepared for is: How will your business respond when they do happen?
My tiny little business decided to take the risk and live with the downtime.
What about yours?