Feline firewall woke developer to declaw DDoS disaster
System alerts were pinging but cat had no way of knowing what was happening
A developer named Danny Guo has shared a story of the time his cat alerted him to a DDoS attack.
In a post on his personal site, Guo revealed that he once worked at a startup that was yet to develop a formal on-call rotation.
He also revealed that his cat would occasionally groom his hair. "She did it occasionally, and I optimistically took it as a sign that she actually liked me and didn't just tolerate me."
But the cat didn't usually do this sort of thing at 3am. Which it did on the day of the DDoS.
"In nine years, that was the only time she did it while I was sleeping."
The grooming woke Guo, who rolled over and picked up his phone to check the time – and found "an AWS CloudWatch alert had gone off a couple minutes ago because of unhealthy targets for our load balancer."
Guo tried to visit his company's website and found it did not load.
"I groaned and went to log onto my work laptop," he wrote, and found "a massive number of requests coming from many IP addresses that were associated with different countries."
This was odd because his then-employer only made its products available in the United States.
All that traffic from elsewhere was a DDoS.
Guo tried to fix it.
"My first and not great thought was to block IP addresses at the server level, which would have been tedious and possibly ineffective if the attacker had significantly more source IP addresses to use," Guo wrote. "But then I remembered that we had already set up AWS Web Application Firewall."
He created a rule to block requests from countries other than the US, and an hour later the DDoS traffic had all been deflected, the website he worked on became available, and the foreign traffic tailed off.
- 'Chemical cat' on the loose in Japanese city
- NASA makes purrrr-fect deep space transmission of cat vid
- US nuke reactor lab hit by 'gay furry hackers' demanding cat-human mutants
- Cat accused of wiping US Veteran Affairs server info after jumping on keyboard
Guo thinks he found the source of the attack – an email sent to a customer support inbox that landed at about the same time as the DDoS started.
"With horrible grammar, the sender claimed to have found a vulnerability with our website that crashed Apache, which we didn't even use," Guo wrote. "They said they stopped all traffic to our website and could keep it that way for months" – for the very reasonable price of $5,000 in Bitcoin.
"We didn't reply, though in retrospect, it could have been fun to try to troll them," he wrote.
To this day, Guo isn't sure why his cat decided to wake him on that night.
"You might guess that the AWS alert caused my phone to vibrate or make a sound, waking my cat up first," he wrote.
If that's your guess, you're wrong. Guo keeps his phone in do not disturb mode during the night.
"I just like to think that somehow, she sensed something was wrong that couldn't wait until the morning. It was certainly a more pleasant way to be woken up than by a blaring PagerDuty alarm." ®