It has been brought to my attention that a server that maps to powweb.com is doing some unseemly bandwidth hogging. A friend (whose name will remain anonymous) clued me in to the following:
Recently a series of bots from Powweb.com have been targeting websites with the sole purpose of accessing files simply to increase the bandwidth used... to the extent of exceeding the limits of the hosting service package... 4 (sites) that have had a series of attacks one starting 2 months (ago) and the others over the past few days.... In November sites that usually use between 10-30gb a month jump to 30-40gb a day... So far we have identified these IPs as the current offending addresses:
deny from 67.138.240.6
deny from powweb.com
deny from 66.152.98.61
deny from 66.152.98.62
deny from 66.152.98.63
deny from 66.152.98.64
The culprit picks the largest image file it can find and then the script simply hammers it minute after minute, hour after hour.
There's some speculation as to what the goals or purpose of these requests are. Some guess that it could be part of a company effort to mine data, a rogue employee, an error, a multi-user account with very wide distribution, or another, more heinous idea. I've quoted an unnamed colleague below:
Powweb is a hosting company. Hammers the hell out of a site's bandwidth for a month or so. Website owner receives their bill with excessive bandwidth charges. Powweb calls website owner and says "Hey we offer 300gb of bandwidth for $7.77 a month!! How much did you say your current host charged you for your bandwidth?"
I know some companies play dirty but this is a new low.
I DO NOT have confirmation that this is what's happening, but if folks have more information about this company, their servers or can confirm or deny the tactics, that would be greatly appreciated. Obviously, it is of great importance to get to the bottom of this matter and see that nothing illegal is occurring.
NOTE: See this for more on libel laws, if you're concerned about the content of this post. Also note that while the described hammering of servers can be proven (through log files I've personally seen), the speculation on why this is occurring is simply that - speculation.
Another Note: The folks at Powweb appear to be taking this seriously. They have a discussion on their forums here, and an employee notes the following:
Those servers are client servers. So any reasonable person would deduce that a client is simply hotlinking or possibly worse (that can't be ruled out). If data were provided to our Abuse department, a full investigation could be made....
It's asinine to think a company like PowWeb that's been in business for 6+ years would resort to something like that. A move as such would ruin its reputation to the point where business would probably stop due to this highly competitive industry.
At this point, I've got to agree, somewhat. Powweb has a very positive reputation online from what I can see. I suspect there may be deeper issues here, and I'll certainly update as I get information.
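The hammering pattern described in the post (one client fetching the same large file over and over at a steady cadence) can be surfaced from an Apache combined-format access log. The following is an added example, not code from the original post or from anyone quoted in it; the thresholds, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|HEAD|POST) (?P<path>\S+)[^"]*" \d{3} (?P<size>\d+|-)'
)

def find_hammering(lines, min_hits=5, min_bytes=1_000_000, max_gap_s=120):
    """Map (ip, path) -> (hits, bytes) for clients that re-fetch one
    resource at a steady cadence. Thresholds are illustrative assumptions."""
    seen = defaultdict(list)  # (ip, path) -> [(timestamp, bytes_sent)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line or a method we do not track
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m["size"] == "-" else int(m["size"])
        seen[(m["ip"], m["path"])].append((ts, size))
    flagged = {}
    for key, events in seen.items():
        events.sort()
        total = sum(size for _, size in events)
        if len(events) < min_hits or total < min_bytes:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        # A visitor loads an image once; a script keeps coming back for it.
        if max(gaps, default=0) <= max_gap_s:
            flagged[key] = (len(events), total)
    return flagged

def deny_rules(flagged):
    """Render flagged clients in the same 'deny from' form the post uses."""
    return sorted({f"deny from {ip}" for ip, _path in flagged})

def sample_log():
    """Constructed lines (documentation IP ranges), not real traffic."""
    lines = [
        f'198.51.100.7 - - [01/Jan/2024:03:{m:02d}:00 +0000] '
        '"GET /images/banner-large.jpg HTTP/1.1" 200 2097152 "-" "-"'
        for m in range(10)
    ]
    lines.append('192.0.2.44 - - [01/Jan/2024:03:02:10 +0000] '
                 '"GET /images/banner-large.jpg HTTP/1.1" 200 2097152 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    print(deny_rules(find_hammering(sample_log())))
```

`deny from` is the Apache 2.2 access-control syntax used in the post; Apache 2.4 expresses the same block with `Require not ip`.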
I used to use PowWeb to host my website, Hacker's Entity, until they shut it down for "illegal" activities. Without any warning at all, they closed it down. When I e-mailed them and asked what was so "illegal" about it, an abuse staff member replied saying I was hosting "illegal and crack-related content". The second I saw this, I thought "what illegal content?" Apparently, they thought of my security website as some kind of threat to the law. Furthermore, there were no cracks hosted on my website, ever. The same goes for the "illegal" content, which wasn't even illegal at all! At least not here in the US...
They have yet to reply to any of my other emails, which included very detailed explanations of my thoughts and why they are very mistaken.
What the hell is going on?
If the hosting company itself isn't the answer then one of your "75,000 upstanding clients is" correct?
Why do you quote me as saying "upstanding" when I didn't use the term? It isn't that I don't believe it to be true, I do, but you're trying to put a spin on what I said.
Well in my view that person committed numerous acts of commercial sabotage ... to what end? I emailed your company with specifics and am awaiting a reply for factual action taken and the contact person for the firm that did the targeting.
"to what end"? What is the usual purpose of such an action? And what difference does it make? All we can do is shut down the offending account, which one of our admins did before I posted here. As for providing anyone with any personal information from the account, our privacy policy prevents that. We certainly can provide that information to law enforcement however, so if you choose to get them involved, we will work with them.
Fathom, every host on earth attracts its share of "knuckleheads." Every host of any size attracts many of them. We do daily resource accounting that identifies the vast majority of troublemakers, and we shut them down. Then they go open an account somewhere else and continue with whatever they were doing. How do you suggest a host make themselves a difficult target? By reducing the resources they offer? How do you think that would affect a company when every other host on earth is increasing their offerings? I have no idea what this is in reference to; "Anonymity is an illusion online..."
My point wasn't that the traffic was not coming from our network, obviously it was. As soon as we became aware of it we stopped it. My point was, and is, that this is absurd:
Powweb is a hosting company. Hammers the hell out of a site's bandwidth for a month or so. web site owner receives their bill with excessive bandwidth charges. PowWeb calls web site owner and says "Hey we offer 300gb of bandwidth for $7.77 a month!! How much did you say your current host charged you for your bandwidth?" I know some companies play dirty but this is a new low.
When randfish added that quote to his post, he was implying that he considered it to be a possibility. I just showed up to say it is not.
Another clown:
www . mysticmooncattery . com
65.61.216.123
https://whois.webhosting.info/mysticmooncattery.com
https://whois.webhosting.info/65.61.216.123
Host: DotEasy.com, CA
order allow,deny
allow from all
# hammered several domains with referrer www . mysticmooncattery . com / privacy.php 2005-11-10
deny from 65.61.216.123
deny from mysticmooncattery.com
I would like to throw my hat into the "what the hell is going on" camp.
Sites have been down all day.
Anyone have ANY news? When might we expect to see PW back up? Why is it down (again)?
Thoughts?
Down again. All sites, even Powweb.com.
Anyone know anything about what's going on this time??? Why are they down again???
When will they be back up?
Please send me any news at strive4impact at gmail. Thank-you!
It appears that all of Powweb is down, but at this point, the best I can tell is that it's only for Comcast users.
Comcast appears to be blocking all connections to Powweb.
For anyone experiencing this issue, you can send a message to Comcast at one (or all) of the following:
blacklist_comcastnet [at] cable.comcast.com
abuse [at] att.net
addrmgt [at] qsun.att.com
qhoang [at] att.com
and request that they remove the block.
Here's the message I sent.
As of approximately 3PM Mountain March 7, 2008, you have blocked access to a company called Powweb, and ALL sites hosted on their servers.
www.Powweb.com
IP address : 65.254.250.20
ISP : Endurance International Group
Organization : Endurance International Group
Location : US, United States
City : Burlington, MA 01803
Latitude : 42°50'51" North
Longitude : 71°20'47" West
This happened once in August of 2007 as well.
This block you have placed on their IP block includes the 10,000+ sites hosted there.
It means that your Comcast customers can not access all of these sites, or, if they are customers of Powweb, it means that they can not access their web site's email via Outlook or SquirrelMail.
I don’t know what the offending site was that caused this block, but please, look into this matter at your VERY earliest convenience, and clear it up as soon as possible.
Thank-you,
Down again. Over 40 sites. Time to migrate? I am thinking yes. Anyone know anything?
Food for thought:
"Though you've probably given some knucklehead who just leased a dedicated server to start his own "hosting company" an idea..."
Honestly isn't this accomplished via your 300gb/month offer.
I searched your forum on the keyword "bandwidth" and found a volume of [paraphrasing] "why am I getting huge bandwidth usage coming from PowWeb.com?"
Your company obviously attracts script developers and the fact that massive usage seems to be "no big deal"... the "knuckleheads" congregate on your assets - doesn't that make you an easy target to aim at?
Lastly - Anonymity is an illusion online... we both know this.
Michael Phillips of PowWeb, Inc. I am Rod Brown of Spheri Dot CA (Spherica) Inc.
If the hosting company itself isn't the answer then one of your "75,000 upstanding clients is" correct?
Well in my view that person committed numerous acts of commercial sabotage ... to what end?
I emailed your company with specifics and am awaiting a reply for factual action taken and the contact person for the firm that did the targeting.
At least then I can possibly add motive to the list.
The only feedback I received thus far is you "here" once someone posted it publicly. I prefer private matters to be private - but public viewing does have some advantages.
As you are obviously "in the know" maybe you can enlighten me?
Doug - Good to see you here. I've always been a fan of yours in the forum and I trust your judgement. Hopefully, someone from powweb.com can explain this situation and I'll be happy to post an update.
Note that I copied that section into the post as well a couple hours ago.
The four PowWeb IPs listed are all from cluster06:
66.152.98.61 : clust06-www01.powweb.com
66.152.98.62 : clust06-www02.powweb.com
66.152.98.63 : clust06-www03.powweb.com
66.152.98.64 : clust06-www04.powweb.com
Those servers are client servers. So any reasonable person would deduce that a client is simply hotlinking or possibly worse (that can't be ruled out). If data were provided to our Abuse department, a full investigation could be made.
It is not a "effort to mine data, a rogue employee, an error, a multi user account with very wide distribution, or another, more heinous idea" by PowWeb. It's asinine to think a company like PowWeb that's been in business for 6+ years would resort to something like that. A move as such would ruin its reputation to the point where business would probably stop due to this highly competitive industry.
This is from a Powweb Thread I started.
I have many sites with Powweb for many years and they are an excellent company. I give Powweb 5 stars.
PowerWeb itself or PowerWeb's clients (which judging by their forum posts, it's a client), shouldn't you blame PowerWeb? PowerWeb should be watching for this kind of stuff, it's abuse pure and simple. I would almost have to think this violates the end-user's EULA, so it's up to PowerWeb to stop it... right?
The scripts being used to carry out these attacks have been found and the account has been shut down.
And I know it's not you RandFish, just someone who jumped the gun.
For the record bigdoug it was me that jumped the gun [if we call it that]
PowWeb.com was notified prior to any public information, which I am not 100% convinced as yet of what the truth is. My clients "lost revenue" which means I "lost revenue".
"A move as such would ruin its reputation to the point where business would probably stop due to this highly competitive industry."
Agree and WorldCom, Enron, and Martha Stewart had great reputations as well... business is business and often making easy money is justification for ignoring your built up reputation.
If PowWeb.com services [assets] are being used to "sabotage" others [and that is what was occurring] they are just as liable as I am for "jumping the gun".
Waiting for a response from PowWeb.com to the person responsible as I cannot fathom why 4 independent clients were targeted with the only common link between them was:
1. me
2. ranked well.
3. currently have dedicated or semi dedicated hosting packages
4. same industry
A displaced competitor maybe?
An ex-client of mine and attempting to negatively affect my reputation?
A host looking for a way to acquire new clients?
Which of these is "most true"?... or is there another answer?
I have no answers - but I am sure the identity of the PowWeb.com client will provide some.
Should evidence be forwarded... thus I have a recourse... well I'll spend my time promoting their reliability and how quick they resolve situations.
Honestly if I was Michael Phillips I'd actually be appreciative that this "bug" was discovered. DOS attacks can end up in court and blaming a client's rogue script isn't a very good defense. These types of "bugs" have cost other companies quite a lot of money especially when terms like "extortion", "sabotage", "purposely", "maliciously" start flying around a court room. No matter whose fault it is.
I think better bandwidth monitoring should be a priority on someone's list.
-PK
"A host looking for a way to acquire new clients?"
You are implying that we would intentionally and maliciously abuse web sites, at random, and from IP addresses that are easily identifiable, in order to gain a $7.77 account. Not only would you have to be out of your mind to do that, you'd also have to be really, really desperate. We are neither. We have over 75,000 clients, we don't really need to concoct ridiculous, destructive schemes to pick up one or two more here and there.
Though you've probably given some knucklehead who just leased a dedicated server to start his own "hosting company" an idea...
Michael Phillips PowWeb, Inc.
hmmm...i wonder if that is why my sites have been down for the past two days.