Holiday E-Commerce DDoS Attack Hits EC2 Cloud

ARos writes "A holiday DDoS attack targeted a west-coast DNS provider, which is known for serving large-scale E-Commerce sites (including amazon.com and walmart.com). 'Neustar, which provides DNS services to high profile website addresses under the UltraDNS brand, said the flood of malicious traffic, just two days before Christmas, was directed at the company's facilities in San Jose and Palo Alto, and that the effects were mostly limited to California users.' CNet adds: 'In addition to the high-profile sites, dozens of smaller sites that rely upon Amazon for Web-hosting services were also taken down by the attack. Amazon's S3 and EC2 services were affected by the problems, according to Jeff Barr, Amazon's lead Web Evangelist, who retweeted a report to that effect without clarification and confirmed it in later tweets.'"

Why?

[Brad1138]

Who is so damn board that they have nothing better to do than "attack" a web site? What feeling of accomplishment do they really get and/or what point are they trying to make? They need to get out of their mothers basement and do something with there lives.

Re:Why?

[Shikaku]

Who is so damn board that they have nothing better to do than "attack"

...Did Canada have a sudden rabies outbreak for beavers?

Re:Why?

[palegray.net]

Who is so damn board

Hey, if I were made of wood I'd be angry too.

Re:Why?

Plank-ton?

Re:Why?

Quit complaining Pinocchio.

Re:Why?

Who is so damn board that they have nothing better to do than "attack" a web site? What feeling of accomplishment do they really get and/or what point are they trying to make? They need to get out of their mothers basement and do something with there lives.

Step 1. DOS existing DNS server
Step 2. Make rogue DNS server active, which returns URL's for phishing organization's transparent proxy.
Step 3. Phish out all login, pw, and CC information.
Step 4. Launder info or use to run fraudulent transactions.
Step 5. Profit!

The technical details vary, of course, as well as the specific mechanism. But in essence this is most likely what was being attempted... how successful it was remains to be seen. Or it could be any number of people, organizations, or governments that would like to see a big hit to the largest online retailers during their busiest time of year.

Re:Why?

[AigariusDebian]

Ever heard of DNS cache poisoning? There really should be an investigation into this. One of the attack vectors is pretty simple - use a DDOS to slow down the response time of the real DNS servers of *.amazon.com, use a cache poisoning timing-based attack on some subset of DNS servers further down the chain (like for example at a medium-sized ISP) to replace the IP of Amazon servers with an IP of your specially prepared hijacking servers, a client goes to amazon.com, but get redirected to your server, you proxy their traffic (use a man-in-the-middle attack to defeat SSL or just use human-engineering for that) until they make a purchase and instead of proxing their credit-card info you just keep it for your self and transfer money to your accounts. Profit!

Something like that could have taken place here, but you cann't know that until you analyse logs at Amazon and all the ISP DNS servers that could have beenaffected by this.

Re:Why?

[Jah-Wren+Ryel]

What feeling of accomplishment do they really get and/or what point are they trying to make?

The ability to believably threaten to do it again in order to extort money.
Or, given the timing, they may have been trying to make good on such a threat.

Re:Why?

[Katchu]

Who is so damn board

Hey, if I were made of wood I'd be angry too.

Some old broad, probably.

Re:Why?

[tlhIngan]

Who is so damn board that they have nothing better to do than "attack" a web site? What feeling of accomplishment do they really get and/or what point are they trying to make? They need to get out of their mothers basement and do something with there lives.

Money.

Online gambling sites are constantly attacked by DDoS, because they have money, and their continued revenue relies on people being able to connect reliably to their servers. Thus, you can threaten to shut down a site or ask they pay $5000 or so to avoid a protection fee.

I'm guessing in this economy, big sites like Amazon and the like are the next tempting targets. Imagine being able to shut them down during the critical shopping periods and how much money you could extort out of them.

And with EC2, many sites are probably running on it or relying on it for backup. Kill it and you've proved to many sites that their service could go down, and hey, would you like to pay $5000 to ensure it stays up? And heck, the sites that go down, you don't even have to know what they are. If it's a big site, the news will report it. If it's a small site, you'll hear about it through various forums. Boom, instant target list for extortion.

Re:Why?

There's been several DDoS attacks against hosting providers in the last week or so, including the one I work at. Both data centers were hit on different days, the one in California received a much larger attack. A day or so after the incident we heard a competitor was also hit, adding Amazon to the list makes it 3-4 DDoS attacks in 7 days. Are there technical specs anywhere? We noticed increased activity over port 22.

Re:Why?

[sopssa]

What? Do you understand how DNS works? How the fuck would you get root and other recursive DNS servers to connect to your server instead of the real one by merely bringing the real dns servers down? If the attackers would be able to intercept DNS traffic, it wouldn't matter if the real servers we're down or not. But that's a little bit harder to pull off than some kiddie dossing.

Re:Why?

[Cassius+Corodes]

I wonder if it would be cost effective to pay someone to take out a major online retailer (esp at christmas) so as to get more traffic yourself (assuming you are a rival online retailer)?

Re:Why?

if there's a mitm attack you will get a SSL warning about the certificate, if you are foolish enough to accept that "new" certificate, well.....

Re:Why?

[ascari]

Hmm. A competitor perchance?

East Coast, no problem

[Suki+I]

A holiday DDoS attack targeted a west-coast DNS provider, which is known for serving large-scale E-Commerce sites (including amazon.com and walmart.com). 'Neustar, which provides DNS services to high profile website addresses under the UltraDNS brand, said the flood of malicious traffic, just two days before Christmas, was directed at the company's facilities in San Jose and Palo Alto, and that the effects were mostly limited to California users.'

My book and blogger buddy in the Mid-Atlantic didn't notice any issue. I hope they track the source down soon.

Re:East Coast, no problem

[socsoc]

and that the effects were mostly limited to California users.

Perhaps because the Mid-Atlantic states are nowhere near California?

Re:East Coast, no problem

[shentino]

Ok, here's a solution.

Trace as many of the IPs as possible and let their owners know their computers have been jacked.

Any of them don't do squat about it after X amount of time, confiscate their computer for knowingly aiding and abetting a criminal offense. Or something.

Enough people get in trouble for not doing jack about their computers being infected and you can see vigilance going up.

Re:East Coast, no problem

[zill]

No law enforcement agency in the country has the authority to do this.

Re:East Coast, no problem

[sopssa]

Ok, here's a solution.

Trace as many of the IPs as possible and let their owners know their computers have been using BitTorrent.

Any of them don't do squat about it after X amount of time, confiscate their computer for knowingly aiding and abetting a copyright infringement. Or something.

Enough people get in trouble for not doing jack about their computers being used for copyright infringement and you can see vigilance going up.

Re:East Coast, no problem

[shentino]

That has never stopped them from violating our civil rights anyway.

My point was, if they're going to trample the constitution they may at least as well do something useful while they're at it.

Slashdot, now slower than all the major commercial

... sites.

One could think it is the holidays, but this simply isn't the case. Slashdot now often falls behind even engadget when reporting on "tech news". In fact, if it wasn't for the established community and passable moderation system this site would be completely worthless for keeping up with anything.

Get it together guys and stop being so damn lazy.

Re:Slashdot, now slower than all the major commerc

[palegray.net]

Umm... you must be new around here. Slashdot is basically a news aggregation site (stories come from other, already published sources), with community commentary and badly edited story summaries ;).

Consider extortion

[grolaw]

One reason for DDoS attacks is to prove that you can shutdown a site.

The site will pay for protection from future attacks. The offshore gambling sites have been "victims" of these attacks according to Steve Gibson.

Re:Consider extortion

[bartwol]

But the only protection you can buy from them is their "commitment" to not attack again. That doesn't protect you from another attacker launching an attack, and if you're one who pays, then I'd say you've improved your chance of that.

It seems that a technical defense is your only real defense, and "paid protection" is the resort of tomorrow's road kill.

Re:Consider extortion

[grolaw]

Just what do you think a "protection racket" is?

Re:Consider extortion

[bartwol]

Protection from the protector, *and* protection from his competitors (read: "territorial dominance").

Re:Consider extortion

[grolaw]

That's not a sentence. I have no idea what you want to convey.

A "protection racket" is a form of extortion that has existed for thousands of years, if you include feudal states as large-scale "protection rackets."

It may seem self-defeating to acquiesce to the extortion, but the costs are minimal compared to serious disruption of the business that a DDoS attack from a botnet.

Re:Consider extortion

[bartwol]

Thanks for explaining that.

Do you think the traditional protection racket, as your chosen model, is sufficiently congruent to this case as to make a good argument for a website operator to pay a DoS attacker to not attack again?

Let me re-phrase my question. Would YOU pay a [purported] DoS attacker to not attack again? (I need to differentiate here between that which you think a smart person such as yourself should do, as opposed to what you think is appropriate for the many stupid people such as myself.)

Re:Consider extortion

[grolaw]

The past has shown that the off shore gambling sites have paid repeatedly - and they remain profitable. The protection racket is a parasite that loses when it kills its host.

Re:Consider extortion

[bartwol]

Would YOU pay a [purported] DoS attacker to not attack again?

Re:Consider extortion

[grolaw]

Assuming that I ran an Amazon - a lawful business - I'd report the extortion and work with INTERPOL and the FBI to make the payment and keep my business alive and catch the botnet operator(s).

That would, undoubtedly, cost a lot of money.

Re:Consider extortion

[bartwol]

Interesting choice of strategies.

I/my company was recently a DDoS attack target. We were only willing to employ technical counter-measures; we had/have no willingness to appease the attacker. Our strategy was (and is) very expensive for us. But so far, we survive (and grow).

As long as there are people around who think like you, there will be attackers who will exploit your strategy, and there will be collateral victims such as my company. Fortunately, we're unprofitable feed for the attackers so they don't dwell too long on us, and instead make their beds with more "logical" thinkers such as yourself. Attackers are smart and adaptable that way.

Re:Consider extortion

[grolaw]

I'm an attorney. The response is what the law mandates.

The anonymity of these attackers makes any countermeasure expensive.

Your company has been the victim of criminal trespass (or, whatever the crime is called in your jurisdiction) and your company has to report the crime or be guilty of aiding the DDoS criminal. Effectively, your company's path facilitates future attacks because the failure to report this attack denies the police information about a crime and leads. The police cannot exercise their powers without assistance from the victims.

Your corporate legal department is simply not equipped to deal with this type of situation.

I litigated my first Title 18 civil computer tampering case back in '95. We put three adolescents (and, their parents) who had root on an ISP I represented, through the civil wringer - we sued the parents for placing a dangerous instrumentality into the hands of the kids - computers and Internet access - and then the US Attorney had a wack at them.

That situation was different - we were able to identify the hackers - because the fools were applying to warez groups from their "invisible" accounts on one of the Sun servers. We had names, addresses and copies of the IRC chats.

We asked for $200k/family and a LIFETIME BAN on the kids use of computers. The civil Court granted the judgments - but refused the equitable remedy of the ban.

However, the US Attorney got the ban under the Criminal charges and I damned well did follow up when the little criminals graduated from HS and went to college - each college received copies of the lifetime computer ban - in the form of a certified Judgment. I sent copies off to the parents, too.

Whatever happened to them afterward, I don't know. I do know that before all of the legal work - that we contacted the parents and advised them of what their kids were doing and asked them to stop or we would take legal action. The parents, to a family, reacted with hostility. We tagged their homeowners' policies in the civil judgments - but they had to pay for the kids criminal defense out of their own pockets. Nothing like a good walletectomy to shut down the arrogant.

Your company's failure to take its duty to the law seriously only makes it easier for these criminals to ply their trade. Sloppy decision. If I knew enough to turn your company in, I would do so in a heartbeat.

Re:Consider extortion

[bartwol]

Forgive me for my delay...I had to summon the will to reply.

Your points are rife with invalid assumptions about my points and the applicability of your analogies/anecdotes. For example, your closing remark:

Your company's failure to take its duty to the law seriously only makes it easier for these criminals to ply their trade. Sloppy decision. If I knew enough to turn your company in, I would do so in a heartbeat.

Whatever unlawful act you imply my company to have done here is, quite simply, of your convenient imagination. Your defense is no more than a blustery, uninformed, egotistical offense. Do you really consider your guidance to be helpful to a SMALL merchant who falls victim to an ALLEGED DDoS?

You are an attorney. I am a technician. Riddle me this: how many lawyers should it have taken me to address a DDoS attack?

I find your perspective to be way out at the periphery of the problem. You sound like a D.C. lawyer, or of some similar culture where one might develop the false belief that government is playing a large role in mitigation of internet technical risks. Keep chewing on that idea while I continue to adjust and harden my perimeter defenses, widen my trustful connections, heed good practices, and employ other techniques needed to keep DDoS risks at acceptable levels. I have many additional opportunities yet available to mitigate my risks such that I don't foresee any time in the next few years that your strategies will provide a competitive bang for my company's buck. Your strategies do, however, offer a reasonable return on lawyer's (or a bureaucrat's) investment.

Re:Consider extortion

[grolaw]

You and your company are criminals. END OF DISCUSSION.

My degrees include biology, chemistry, endocrine physiology and law and I have been a major midwest city assistant DA (20 years ago).

I have only CONTEMPT for people who don't report criminal acts - and thusly facilitate further criminal acts.

If you see a drunk getting into a car, then watch them run over a kid in a crosswalk - but don't call the police because you don't want to get involved - I can easily put you both in the same set as those people in Queens who ignored Kitty Genovese's cries for assistance while being murdered.

You are a criminal by dint of your failure to report criminal activity.

QQQQ U and your company, too.

Re:Slashdot, now slower than all the major commerc

[juuri]

Says the person with the ID over one million.

Slashdot used to be quite fast with the aggregation, it is quite terrible now. When CNN or the BBC are reporting tech news faster than a site that is supposed to be for tech nerds that's a good indication of the quality and speed. What's worse is this write up actually has misinformation in it that was disproven ALREADY... but this is so slow coming here, well...

Attack vectors shifting?

[horatio]

Maybe I'm wrong, but it seems like the attack vectors are shifting away from going after your target directly, but instead attacking the critical infrastructure support services like DNS.

Re:Attack vectors shifting?

[Katchu]

Perhaps this is because the sources are not idle time-wasters simply marking territory. The source may be political/military tests to determine how to effectively damage commerce. Check out the usual suspects. [OT] I sometimes (used to) read Usenet newsgroups with Google Groups, but some political/military spam attacks have rendered many groups there virtually useless. No commercial spammers would so effectively drive potential clients away. This spam does not appear when I use a newsreader.

Re:Slashdot, now slower than all the major commerc

[glitch23]

One could think it is the holidays,

Think about what that sentence states and answer me 2 things: 1) Does it even make any sense? and 2) What does it mean? I ask because "it is the holidays" does not make sense to me and I don't know what it means, not to mention it sounds stupid. What holidays? How can "it" be more than one holiday at the same time? Why is the non-sense term only used in December? A holiday is a specific day; not like a season that lasts for weeks. When is the proper time to start using the term "holidays" and when should I stop using the term "holidays"? Should I only do it to avoid using the term Christmas? What is the "holidays" etiquette?

Re:Slashdot, now slower than all the major commerc

[Low+Ranked+Craig]

All the nerds are playing with their new toys today...

Re:Slashdot, now slower than all the major commerc

[palegray.net]

Says the person with the ID over one million.

Actually, says the guy whose original UID wasn't much higher than yours, and created a new account a couple of years ago. And I really can't say that the average speed of news aggregation has significantly diminished since then.

Re:Slashdot, now slower than all the major commerc

This happened on Wednesday.. It is Friday... This is a tech site. Get your head out of your ass.

Re:Slashdot, now slower than all the major commerc

[Afforess]

If you come to /. to see the latest Tech News Report, you're doing it wrong. I come because /. features articles that don't appear anywhere else.

Re:Slashdot, now slower than all the major commerc

[DAldredge]

Be quite new guy! But you are right.

Re:Slashdot, now slower than all the major commerc

[Silvrmane]

I can name several: Christmas, Boxing Day, Winter Break for university students, and New Years. Hence, "it's the holidays."

What is gained-Bill Starkov

[billstarkov]

Perhaps to show that they can do it, but then whaRegards, Bill Starkov

Re:What is gained-Bill Starkov

Narcissistic much, Bill Starkov?

Regards, Anonymous Coward

Re:Slashdot, now slower than all the major commerc

[alen]

with all the educated people here, you should know that celebrating the time around the winter solstice goes back a long way

start putting faces to these crimes

[Stan92057]

They need to have very public court cases against these criminals to start putting faces to these crimes. There were probably being blackmailed pay up or suffer a DNS attack.

Re:start putting faces to these crimes

[michaelhood]

They need to have very public court cases against these criminals to start putting faces to these crimes. There were probably being blackmailed pay up or suffer a DNS attack.

Most attackers involved in these type of operations are usually found to be located abroad in countries where this is not a priority, or the laws are simply not up to date on making this sort of stuff criminal.

Re:Slashdot, now slower than all the major commerc

[palegray.net]

The point of this story isn't to announce the original incident, it's to talk about the impact on EC2. Get your own head out of your ass, and get some critical thinking skills while you're at it.

Evangelizing

Sure, I know what you're all thinking: "Lead Web Evangelist" is a really lame job title and/or job description.

All what I'm saying is that you should REALLY feel sorry for the subordinate web evangelists that by extension, Amazon also has on staff.

Linux gets shit on.

The white man has repressed the Linux using community for too long.

not an attack, desperate customers buying late

A similar, "oh noes we've been DDoS'd," event happened earlier in the year (i forget when, but it was reported on /.) and it turned out a few days later that it wasn't an attack after all but an unexpected flood of customers trying to buy product.

poor illegal businesses

if only they had government to help them

Another simple example about "cloud security"

cloud security -- when a simple grenade can destroy the entire city .....

So how is putting all the eggs of a collective into a single leaky nest going to protect them??

Re:Slashdot, now slower than all the major commerc

[dave562]

How much of that has to do with the fact that the "real" news sites are stepping up their coverage? Slashdot has been up for what, about a decade already? A lot has changed on the web in ten years. If nothing else Google has levelled the playing field in terms of information freshness. Where as in the past when search engines would miss huge swaths of content, it was presumably easier to get fresh information onto Slashdot before it showed up in other places.

Think about it for a second. Consider the various factors involved with "News for nerds" these days. The tech world is NDA central. That limits one main source of information right there. Beyond the NDAs, tech companies have their own communications departments and they want to control the release of information that nerds find interesting. Tech news is far more mainstream these days. When I was in school, the idea of telling people that I talked to people "online" was a huge social stigma and it never came up... I kept it hidden (outside of 2600 meetings, Defcon, etc.) The mainstream nature of it means that there are more people paying attention to it, more people talking about it, more coverage of it.

Re:Slashdot, now slower than all the major commerc

[cheekyboy]

Then why does slash report on stuff that I DO see in news paper prints 5 days before hand?

If your 5 days late, dont report on it.

Oh btw, im sick of this white background, its too corporate not NERDY, nerds like GREEN on BLACK.

Give us a nerd theme.

Bad Choice of Words

[eulernet]

In the Register article:

Although more limited, Wednesday's malicious torrent of web traffic will insure that someone gets coal in their stocking.

Of course, it's again the fault of those torrents of bits.

Buzzword cringe

[adnonsense]

... according to Jeff Barr, Amazon's lead Web Evangelist, who retweeted a report to that effect without clarification and confirmed it in later tweets.'

"Web Evangelist" ... "retweeted" ... "tweets" ... :rolleyes:

Re:Buzzword cringe

[jo42]

My brain automatically reads that as:

... according to Jeff Barr, Amazon's lead Twat, who retwated a report to that effect without clarification and confirmed it in later twats.'

Re:Slashdot, now slower than all the major commerc

[sopssa]

If you actually was a geek, you'd know about user css. Or god's sake, you'd manage to Google for such.

Re:Slashdot, now slower than all the major commerc

[Cyberax]

Yep. I routinely see tech news before they reach the Slashdot.

However, the strength of Slashdot is not the fast news reporting. It's the community, I enjoy reading discussions far more than reading TFAs.

Question is, have YOU (or others) heard of THIS?

"Ever heard of DNS cache poisoning?" - by AigariusDebian (721386) on Friday December 25, @10:13PM (#30553924) Homepage

Yes, I have... & TOO MANY TIMES the past 5++ yrs. now (see lists below in fact)... So, thus, I am going to tell you a way to get around it: And, a VERY OLD way, that works, in custom HOSTS files (specifically, via "hardcoding" your fav. most used sites into it - this technique is DEEP into this post, so read it, end-to-end, IF you are interested in a working "fix"):

I use a custom HOSTS file, in addition to the tools others here in this thread have noted (which MANY like FF addons only really function for FireFox/Mozilla products, but don't extend globally to all other webbound applications, & that is part of what HOSTS files give you above the methods you extoll + utilize: "GLOBAL COVERAGE", & of ALL webbound apps, not just FireFox/Mozilla ones via the addons you most likely use yourself...).

HOSTS files can be used to blockout KNOWN "bad" adserves, maliciously coded sites or adbanners, and "botnet C&C servers" too!

You can obtain reliable HOSTS files from reputable lists for more security online, but also for speed!

(More on that later & WHY/HOW (I use reliable lists for that, such as these HOSTS @ Wikipedia.com -> http://en.wikipedia.org/wiki/Hosts_file or those from mvps.org (a good one this one))

I also further populate & keep current my custom HOSTS file with up to date information in regards to all of those threats, via:

----

A.) Spybot "Search & Destroy" updates (populates HOSTS and browser block lists)

B.) Sites like ZDNet's Mr. Dancho Danchev's blog -> http://ddanchev.blogspot.com/

C.) Sites like FireEye -> http://blog.fireeye.com/

D.) SRI -> http://mtc.sri.com/

----

My HOSTS file incorporates ALL of the entries from the HOSTS files shown @ wikipedia as well... gaining me speed online (by blocking adbanners, which have been compromised many times the past few years now by malscripted exploits (examples below)).

(I combined ALL reputable HOSTS files with one of my own (30,000 entries), & I removed duplicates removed via a Borland Delphi app I wrote to do so called "APK HOSTS File Grinder 4.0++". That program also functions to change the default larger & SLOWER 127.0.0.1 blocking 'loopback adapter' IP address to either 0.0.0.0 (for VISTA/Windows Server 2008/Windows 7, smaller & thus faster than 127.0.0.1 default) or the smallest & fastest 0 "blocking 'IP ADDRESS'" (for Windows 2000/XP/Server 2003 which can STILL use it (& it was added in a service pack on Windows 2000, only on 12/09/2008 MS patch tuesday was it removed for VISTA onwards (& now all these "phunny little bugs" are showing up as FLAWS in this new NDIS6 approach via WFP as well in the firewall, which ROOTKIT.COM has stated (with code too no less on how it is done) -> http://www.rootkit.com/newsread.php?newsid=952 that it is EASIER TO UNHOOK (than was the design used in Windows 2000/XP/Server 2003))

Another EXCELLENT benefit of HOSTS file usage? More speed online, & also more security + reliability (especially in the case of DNS servers today, per folks like Dan Kaminsky &/or Moxie Marlinspike finding various security vulnerabilities in them the past couple years now)...

SO, to "CIRCUMVENT" THAT WHICH YOU NOTE & to get more speed online (besides/above potentially hijacked adbanners etc. et al)?

WELL - I also use another "technique" called "hardcoding" an IP address to domainname/hostname in my HOSTS files, for my FAVORITE websites:

This allows me to FIRST bypass any remote/external DNS lookups, which also would in theory @ least, make me "proofed" vs.

Re:Slashdot, now slower than all the major commerc

[Sage+Gaspar]

Why not? If it's a story you already have seen you can take a pass, if not then you get to see it and can comment on it which is the main reason behind Slashdot!

Re:Slashdot, now slower than all the major commerc

LOL.. you sir are a moron! That AC bastard was commenting on the current conversation which was that Slashdot was late to the punch... How's it smell up there?

Re:Question is, have YOU (or others) heard of THIS

Yes, yes, we know. Please stop posting this unreadable crap again.

This is why...

you cannot rely solely on the claims of companies like UltraDNS and EasyDNS of their high availability. It is still necessary to maintain your own standby DNS servers in your data centers which receive zone updates from these services, and can be easily switched back to master mode when the updates stop coming.

Re:Slashdot, now slower than all the major commerc

Suuuuuuuure. That's perfectly believable that you would just abandon your old account without reason to get a newer one. Happens all the time!

Re:What is gained-Anonymous Coward

Look at me! I'm adding no content to the discussioRegards, Anonymous Coward

Learn to read then, or, don't read it

Learn to read, or, just don't read it. Up to you, your loss.

APK

Take the advice others gave you and learn to read

I read it and it's legible and I don't see what your problem is.

It's obvious you are nothing more than a botmaster

Sounds like Mr. botmaster doesn't want anyone knowing how to stop his stupidity by their use of a hosts file. Too bad because the word is out and those like you are on their last legs, notable by botmasters, crackers, and malware makers having to open their own isp's as was shown here http://tech.slashdot.org/article.pl?sid=09/12/21/1922215