[Hidden-tech] web host problem - advice request

[Val Nelson]

Thanks David and others who replied on an off the list. It was all very
helpful.

I think I will stay with Bluehost as they have been excellent in every other
way, and it seems good enough under this situation. I don't want the hassle
of a host switch. I will add the dedicated IP. Sounds like a good deal.

To answer a couple questions people had:
- They had to give everyone separate IPs temporarily so they could isolate
and go after the attacker.
- I have no idea if they know the 60 second TTL idea David mentioned. I was
simply absorbing what I could from what the support guy said.

Thank you!!
Val



On Wed, Jun 9, 2010 at 9:56 PM, R. David Murray <rdmurray at bitdance.com>wrote:

> On Wed, 09 Jun 2010 17:53:11 -0400, Val Nelson <val at valnelson.com> wrote:
> > Wondering what you think of this. My web host, Bluehost, has my website
> on a
> > shared IP. One of the other websites on that server was attacked so now
> my
> > site has been temporarily moved to a dedicated IP and I have to wait for
> > propagation (anywhere from 4-72 hours-ish) for the site to be found
> again.
>
> First of all, that number is wrong (4-72 hours) [1].  The "normal" real
> numbers are 0-24 hours, and how long it takes for your new IP to be seen
> varies per visitor.  That is, someone who is using a DNS server where no
> one has visited your site for the previous 24 hours will see your new
> IP right away.  For someone using a DNS server where your site *has*
> been visited in the previous 24 hours, in the worst case it will be
> 24 hours before your new IP is picked up by that DNS server, but will
> typically be less than that (12 hours on average).
>
> This assumes your hosting provider is using the default TTL (time to live)
> of 24 hours on your web server DNS entry.
>
> A smart web host provider doesn't, they use a much shorter TTL, for
> exactly the reason you ran in to.  I use 60 minutes, myself.
>
> > To make matters worse, they will move it back once they solve the attack
> and
> > then I'll have that same propagation situation. And they won't promise to
> do
> > that move back overnight. Hate that.
>
> If this is true, they don't know what they are doing.  If they *know*
> they are going to make the move, then the standard procedure is this:
>
>    1) set the TTL on the DNS record to 60 seconds
>    2) wait until the previous TTL period has elapsed.  At that point,
>        all DNS servers will be working off the new, 60 second TTL.
>    3) change the IP
>    4) wait 60 seconds
>    5) change the TTL to the normal standard TTL that the hosting
>        provider uses
>
> > Bluehost claims this is a fairly common occurrence for shared hosting
> > services but not common on any one server. Is this that common? Doesn't
> > sound right to me.
>
> A hosting provider with a lot of sites is bound to have a someone get
> attacked (or turn out to be a spammer) every once in a while.  But as
> they say, any given IP shouldn't be too likely to get hit, since their
> large number of sites should be spread across a significant number
> of individual IPs.
>
> > I'm trying to decide between paying for a dedicated IP ($30/year) or
> moving
> > hosting services. Can you advise?
>
> If they really don't know how to do the transition back so that you have
> minimal downtime[2], then you should definitely switch hosting providers.
>
> --
> R. David Murray                                      www.bitdance.com
>
> [1] 4-72 hours is a number I have heard for transfers of DNS hosting
> (that is, changing which *DNS* hosting provider is serving your domain).
> Perhaps the person you spoke to was just confused about what was being
> done.  Though even DNS hosting transfers don't generally take that
> long.
>
> [2] Even with a TTL of 60 seconds, the perceived downtime for many of
> your visitors will be between 0 and 30 minutes.  This is because
> Internet Explorer doesn't pay attention to the TTL on DNS records, it
> always caches records for 30 minutes.  That is at least better than IE4,
> which always cached them for 24 hours.
>
>    http://support.microsoft.com/kb/263558
>
> Firefox caches DNS records for only 60 seconds.  Not sure about
> other browsers.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.hidden-tech.net/pipermail/hidden-discuss/attachments/20100609/fa88052b/attachment.html