The Westboro Baptist Church is best known for its controversial picketing of military funerals with anti-gay slogans and its recent contentious victory at the Supreme Court.
The church has made a lot of enemies online. One of those is a “hacktivist” called “The Jester” or “th3j35t3r”. The hacker took it upon himself to silence the Church’s famous “God Hates Fags” website and, on February 21, launched a denial of service attack. The site went down and has not been back online for any length of time since.
According to Jester, this is a new type of denial of service attack. He hasn’t shared the details, but claims that it can keep virtually any site offline for as long as he wants.
Though many may cheer the closure of the Westboro’s site, the DOS attack, its success and its longevity raise serious questions about hosting security.
The Nature of the Attack
According to Jester, the attack is being executed through an application called XerXeS, which uses an exploit found in Apache (though he claims other servers are vulnerable as well) to take sites offline.
Unlike the distributed denial of service attack (DDOS) used by Anonymous on many sites, which involves simply sending more traffic to a server than it can possibly handle, the XerXeS denial of service (DOS) only requires one machine and does not need either a botnet or a large group of assistants.
According to Jester, this has several benefits: the attack is easier to sustain, does not cause any collateral damage (sometimes with a DDOS, other sites are taken offline as well) and does not cause any long-term damage on the server.
And apparently the attack has also been highly successful. The Westboro Baptist Church site remains offline well over a month after the attack. The attack has been wrongly attributed to Anonymous, a group Jester has had battles with in the past, largely because the site went down in the middle of a war of words between the church and Anonymous.
But what does the attack mean for security of websites across the globe, especially for smaller webmasters who just want to make sure their sites are safe? The answer is, unfortunately, nothing good.
A New Look at Website Security
According to Jester, XerXeS works by using an exploit in Apache, the most common Web server application, but can work on IIS and other servers. These exploits have not been released to the public, which means they can’t be patched and there is no easy defense.
As we’ve talked about in our previous security discussions, what this attack highlights is that there is no such thing as 100% security; it’s better to think of it as a sliding scale.
If someone with enough skill wants to take your site down or get access to your data, they will be able to do so. It’s that simple. However, plugging security holes and patching your server is still important, not because it can stop every attacker, but because it can deter casual hackers.
Why do we lock our car at night? Because, although a skilled and determined thief wouldn’t have a problem, most car thieves simply look for the easiest target. Locked doors and an anti-theft device therefore make an important difference.
The online equivalent of a skilled and determined car thief is what the Jester is to the Westboro Baptist Church site. The group angered a very skilled hacker who has tools not available elsewhere, and he has been able to easily take down their domain.
In short, no one is safe if the right person targets them but, fortunately, hackers of that caliber are relatively few and far between.
In the end, if someone like The Jester wants your site offline, they can probably do so fairly easily. With all of the application layers involved in getting a site on the Web, there’s virtually no way to ensure that you are completely exploit-free, especially with the number of unknown and unpatched exploits out there.
There is no such thing as being “completely secure” on the Web. You are simply either more secure or less secure and the goal is to make yourself as safe as possible, not to prevent all attacks.
It does no good to set impossible goals for yourself; chasing them means spending time, money and resources protecting against attacks that, most likely, will never happen. It’s best to spend your energies where they can do the most good, not on trying to reach some unattainable status.