Uncharted Waters

Sep 12 2012   11:31AM GMT

The DDoS That Wasn’t

Matt Heusser

On September 10th, the story was that an “anonymous hacker”, security lead for the internet group Anonymous, had hacked into GoDaddy, taking down as many as 52 million websites. The New York Times ran the story that Anonymous used a distributed denial-of-service (DDoS) attack, taking over millions of computers and then directing them all to route traffic to GoDaddy sites, creating an influx beyond the capacity of GoDaddy’s servers.

Except, three hours later, the hacker collective Anonymous claimed, through several Twitter feeds, that it was not them, and that the hacker anonymousown3er was acting alone.

At least, that’s our story so far. It’s a good story; it’s a credible story, reported by CNN, CNBC, the Register, TechCrunch, and others.

It’s just not true.

Or at least, it might not be true.  We think.  Maybe.

Then things get weird.

The next day, September 11th, 2012, Scott Wagner, the CEO of GoDaddy, made a public post claiming the problem was internal – a corrupt router table – and had nothing to do with hackers, hacktivists, or Anonymous. Meanwhile, AnonCentral, an incredibly prolific Twitter account with one hundred and fifty thousand followers that may be posted to by multiple people, was claiming that GoDaddy supported (or had supported) SOPA – the Stop Internet Piracy Act, which advocates argue is so loosely defined that the attorney general can take down nearly any non-US site he does not like.

What is really going on here?

We may never know for sure.

What we do know

GoDaddy was down for six hours, from 10AM Pacific to 4PM Pacific on September 10th.

Assuming this kind of outage happens once every five years, that would be 99.98% uptime, which sounds nice – but GoDaddy’s Service Level Agreement is an incredible 99.999%. For those without a calculator handy, that is about 25 minutes of downtime, total, in five years – or five minutes per year.

That is a huge promise to make.

Famed Internet Blogger Joel Spolsky explained his faith in those sorts of Service Agreements this way:

Internet providers like Peer 1 like to guarantee the uptime of their services in terms of a Service Level Agreement, otherwise known as an SLA. A typical SLA might state something like “99.99% uptime.” When you do the math, let’s see, there are 525,949 minutes in a year (or 525,600 if you are in the cast of Rent), so that allows them 52.59 minutes of downtime per year. If they have any more downtime than that, the SLA usually provides for some kind of penalty, but honestly, it’s often rather trivial… like, you get your money back for the minutes they were down. I remember once getting something like $10 off the bill once from a T1 provider because of a two day outage that cost us thousands of dollars. SLAs can be a little bit meaningless that way, and given how low the penalties are, a lot of network providers just started advertising 100% uptime.

I don’t think the lesson on this site, today, is about Anonymous; it is not about computer security at all.

Instead, it is about trust.

When someone makes a promise that is too good to be true, look for the guarantee; what happens if the promise is broken?

In the case of GoDaddy, my personal site, Excelon Development, was down for six hours. The possible loss to my business is in the five figures — it is, after all, possible that a decision maker, offering a large consulting contract, looked at my website at just the wrong time, saw that it was down, and decided to take his business elsewhere.

The probable loss, of course, is much less.

Black Swans will happen; there will be unexpected things, exactly what SLAs do not account for. Router tables or hacktivists, it really doesn’t matter.

The question to be prepared for is: How will your business respond when they do happen?

My tiny little business decided to take the risk and live with the downtime.

What about yours?




5  Comments on this Post

  • Ben Rubenstein
    Looks like GoDaddy is offering a credit for affected users. https://itknowledgeexchange.techtarget.com/itanswers/were-you-affected-by-the-godaddy-outage/. Not sure if that smooths things over for some sites. 
  • Matt Heusser
    Thanks Ben.  At $120/year, I think my rebate will work out 120/(365*4), or about 8 cents.  I suppose, for a modestly large internet property, that might be a few hundred dollars.  Which brings up the question - how does a modestly large internet property value the cost of being down for six hours? 
  • carlosdl
    In this case the credit offered is for the value of one month, but I'm sure for many companies the negative impact of those down hours is much greater than that.
  • Matt Heusser
    hey! That beats a poke in the eye with a sharp stick!
  • GoDaddy outages and business travel: This week in IT quotes - Enterprise IT Watch Blog
    [...] customers down and we know it.” - GoDaddy CEO Scott Wagner expressing his displeasure after 52 million websites were taken down on Monday. Confusion still remains over what caused the outage but it does cause trust issues [...]