DoS Attack on eKstreme.com
Yesterday was crazy. At one point, eKstreme.com went down but my other sites on the same host remained functional. Eh? After investigating with support, turns out there was a SYN flood attack being carried out against the IP address of eKstreme.com. The IP address was dedicated to this site only.
While we were figuring out what was going on, life threw us a curve ball: the datacenter hosting the site went down. Although it's unclear exactly what went wrong, it seems that the power unit of the core routers failed and took the routers down with it. So now we had two problems to tease out. Sweet.
To fix the situation, support used the firewall to block all incoming traffic to the IP address. Simultaneously, I changed the IP address of eKstreme.com. This means that now we have to wait for all DNS servers around the web to update, and so the site will appear down for people until the DNS propagation reaches them. To speed things along, my host issued a DNS flush. The power problem was fixed within an hour.
In short: apologies for the downtime!
The other thing I want to mention here: I want to thank the support team at my host, SLHost. Their dedication and quick, knowledgeable responses ensured that any damage was minimal. Thank you! Although the site went offline (and in a twisted way, the DoS attack succeeded!), it could have been much worse.
So what's a SYN flood anyway? It's actually a very simple kind of denial of service attack. To understand it, we need to delve into how connections are made between computers. The process starts with a computer making contact with the server. This initial request is called the SYN packet, somewhat akin to you starting a conversation by saying "hello". The server then says 'ooh, this computer is trying to contact me, so I'll add it to my list of computers trying to reach me'. This list is a queue of sorts, and once a connection request joins the queue, the server sends out a reply packet, called the SYN-ACK packet; ACK means acknowledge. To continue our analogy, this is akin to someone replying to your hello with "Hi, I'm Pierre". When the connecting computer receives the SYN-ACK packet, it sends back one last packet, called the ACK packet. When the server receives the ACK packet, it looks in its queue, finds the matching entry, and the connection is established.
The SYN flood basically interferes with this 'three-way' handshake. The attack is essentially a flood of SYN packets with spoofed source IP addresses. When the server sends the SYN-ACK packet, it waits a while for the ACK packet to come back. If no reply arrives, a timeout happens and the request is removed from the queue. This wait is the weakness: the flood of SYN packets quickly fills up the queue so that no new connections get accepted. And because the source IP addresses are spoofed, the server sends SYN-ACK packets to hosts that will never respond with an ACK (they never tried to connect, so they ignore the SYN-ACK packet). So, because the queue is full and the server is just waiting on entries that will never complete, it ignores new connection attempts and appears offline.
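To make the queue behaviour concrete, here is a small simulation of the half-open connection queue described above. It is an added illustration, not code from this site or its host; the capacity, timeout, and the "spoofed" and "legit" client names are constructed values for the scenario.

```python
from collections import OrderedDict


class SynBacklog:
    """Model of a server's half-open queue: SYN received, ACK still pending."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity      # how many half-open entries fit
        self.timeout = timeout        # seconds before a stale entry is purged
        self.pending = OrderedDict()  # client -> time its SYN arrived
        self.established = []         # clients that completed the handshake
        self.dropped = 0              # SYNs refused because the queue was full

    def _expire(self, now):
        # Remove entries whose SYN-ACK was never answered within the timeout.
        for client, arrived in list(self.pending.items()):
            if now - arrived >= self.timeout:
                del self.pending[client]

    def syn(self, client, now):
        """A SYN arrives; return True if it got a slot in the queue."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False
        self.pending[client] = now
        return True

    def ack(self, client, now):
        """The final ACK arrives; return True if a matching entry was found."""
        self._expire(now)
        if client not in self.pending:
            return False
        del self.pending[client]
        self.established.append(client)
        return True


def simulate():
    srv = SynBacklog(capacity=5, timeout=10.0)
    # Constructed scenario: five spoofed SYNs at t=0 that will never be ACKed.
    for i in range(5):
        srv.syn(f"spoofed-{i}", 0.0)
    first_try = srv.syn("legit", 1.0)    # queue full -> refused
    second_try = srv.syn("legit", 11.0)  # stale entries expired -> accepted
    finished = srv.ack("legit", 11.5)    # handshake completes
    return first_try, second_try, finished, srv.dropped, len(srv.established)
```

A sustained flood simply sends fresh spoofed SYNs faster than old ones expire, so the legitimate client never gets its slot back; this is why the host chose to drop traffic at the firewall rather than wait it out.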
So, apologies again for the unexpected downtime. The server itself is fine now. If you spot any problems, please contact me. Thanks!
