I woke up this morning to a series of email and Twitter messages letting me know that my web site (www.MisfitGeek.com) was gone!
My site was (until this afternoon) hosted at Site5. (http://www.site5.com/) Now, I’m going to tell you what happened and how Site5’s process makes them an undesirable choice for my needs. Before I do that – a disclaimer. Site5 is a pretty good service with good folks working there. They did restore my site and engaged me in public discussion on Twitter about the event and their desire to help me. I don’t “blame them” per se. They have emailed asking to discuss what happened and how they could improve their services.
Running a high quality, low cost hosting service is very difficult, especially the “service” part. The hosting business is based on low margin and high volume. Each support person on payroll causes a distinct increase in the shared hosting site density required to turn a profit. I do sympathize.
So here is what happened.
After receiving notices from my Tweeples that my site was down I logged in to my Site5 hosting account and they had opened a support ticket telling me they had turned off web access to my site due to “excessive CPU utilization”.
My Site5 account is “Unlimited” storage and bandwidth, but it’s a shared account, so if my disk space / bandwidth use causes too much CPU use – it’s a problem.
There is no phone number for direct support so I went to the Site5 site to use “on-line” chat. Unfortunately, Site5’s on-line chat was “not available”.
So I added a reply to the support ticket and waited.
Site5 later replied that my site was turned off due to too many requests for the index.php page of my WordPress blog from a single IP address in Hungary. They explained that they only turn off a site as a last resort and they had to do it because it was a shared account and the CPU use was affecting the performance of other sites on the machine.
Now, my web site isn’t important, like, say FEMA or CNN, but it’s part of how I feed my family so a default support policy of unplugging my site because ONE IP ADDRESS is spamming my site with requests seems like a really poor support policy.
It’s also not the first time I’ve experienced a DoS attack against one of my blogs and I’ve never had a host simply turn off my site as a result. While Site5 support said it was a “last resort” no one could tell me what steps had been made BEFORE turning off my site to attempt to solve the problem.
Not only was my site unplugged, but it was done in an “ugly” way. Visitors did not get a temporary landing page telling them there was a temporary problem, visitors didn’t even see an error. It just looked like the site had been deleted.
Site5 first suggested that the index.php page was the problem and it was probably because I had added a new plug-in to my WordPress instance. They instructed me to try installing a cache plugin for WordPress. (I hadn’t added a plugin to WordPress since its original installation.)
Then they explained that they had identified the inbound request flood from a single IP address – which again made me wonder what other actions had been attempted before executing the “last resort” of unplugging my site.
I later got a detailed explanation of how difficult it is to identify attacks in real time. I’m sure the person who emailed me was not aware that 5 of my 10 years at Microsoft were spent focusing largely on cyber-security and I thought offering to help him implement a strategy to identify such attacks would not be well received. In fact, when I ran Microsoft’s ASP.NET site we identified DoS attempts on an almost daily basis and other “entry level” hosting providers have been able to do so with my accounts as well.
I was also told that even if they had identified the source of the issue they would block an IP address because that could be “bad”.
Still, it wasn’t this one time issue – in and of itself – that caused me to change service providers.
I was worried about the NEXT TIME.
Site5 turned my site off as a “last resort” but wasn’t able to explain what other steps were attempted.
Visitors to my site received NOTHING – no “Temporarily Off Line” message, nothing!
Doesn’t that mean that anyone who was so inclined could cause anyone else’s site, if it was hosted at Site5, to be turned off by simply flooding it with requests? Even when the requests stop, my site is still down. Why not block the IP spammer?
Anyway, I kept trying to get someone on support chat; sometime later I did. I was told that Tier 1 did not have authority to actually make changes to my account (like turn web access back on) and that someone else was “looking into” what was going on, but customers weren’t allowed to talk to “those” support people.
I also found it bothersome that the problem was being looked into only AFTER turning my account off.
After some dialog I understood that the on-line support people serve as middle-men who cannot touch an account and that “higher level” support staff and managers do not talk to customers on the phone or chat with them directly. My only recourse was to wait until someone replied to my question on the support ticket.
After complaining via the support ticket system and an ongoing conversation on Twitter, the service manager emailed me to say that he was sorry and he explained that, while they could tell the problem was coming from a Hungarian IP address after the fact, apparently their real time monitoring is not sophisticated enough to identify such an attack in real time. He also told me that they wouldn’t block an IP address under such circumstances as that might have negative results, though I can’t see how they feel turning off my entire site was a less negative result than blocking a single IP address that had been identified as flooding my site.
As I’m 100% focused on the HTML5 Apps space this is especially problematic for me. Turning a site off completely could have cascading negative effects if I’m using that site to host an App being distributed through a store and would make it easy for competitors and objectors to kill my App’s success simply by spamming my home page. (Which, by the way, is so trivially easy to do that any script kiddie can do it, and it’s pretty easy to do it anonymously as well.)
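A single address flooding `/index.php`, the situation described above, can be flagged as the requests arrive with a per-IP sliding window over the access log. This is an added example, not code from the original post or from Site5; the combined log format, the threshold, the window and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the start of an Apache/Nginx "combined" log line (assumed format).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse(line):
    """Return (ip, timestamp, path) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def find_flooders(lines, path="/index.php", window_s=10, threshold=20):
    """Map each IP to the first moment it exceeded `threshold` hits on
    `path` within `window_s` seconds. Lines must be in time order."""
    recent = defaultdict(deque)          # ip -> timestamps inside the window
    flagged = {}
    window = timedelta(seconds=window_s)
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2].split("?")[0] != path:
            continue                     # unparsable line or a different page
        ip, ts, _ = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop hits that aged out
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts             # candidate for a per-IP block or rate limit
    return flagged

def sample_log():
    """Constructed log: one address sends 5 hits/second, ten visitors send one each.
    Addresses come from the RFC 5737 documentation ranges."""
    base = datetime(2020, 1, 1, 9, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "-"'
    out = []
    for sec in range(10):
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        out += [fmt.format(ip="203.0.113.7", ts=ts, path="/index.php")] * 5
        out.append(fmt.format(ip=f"198.51.100.{sec + 1}", ts=ts, path="/index.php?p=3"))
    return out

if __name__ == "__main__":
    for ip, when in find_flooders(sample_log()).items():
        print(f"{ip} exceeded the limit at {when.isoformat()}")
```

On the constructed sample the flooding address is flagged on its 21st request, four seconds in, while the ordinary visitors are never counted past one hit each.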
So, while the folks at Site5 were very nice, the fact that turning off a site in this manner, in response to a fairly common issue – coupled with the fact that there is no way to interact in real time with someone who has the authority to make a change on my account – simply makes this level of service less than my minimum requirement.
This is especially true as I start developing guidance for Apps developers and making hosting recommendations.
I don’t mean to sound overly harsh about Site5. Most people wouldn’t ever experience this problem. My Mom’s blog doesn’t get that much traffic and she’s not likely to attract the attention of someone who would try to mess with her web site. I wouldn’t hesitate to recommend Site5 with those criteria.
But, service needs vary.
So – I’m researching a number of options for hosting HTML5 “Apps” but in the mean time I needed to move my site to a host where the events I experienced today would not be repeated.
Over the past decade I’ve used hosting services from more than a dozen companies; most of the economically priced ones have been poor performers in the customer service and up-time departments.
Though I already have a reseller account at another hosting provider (which I’ve had for 6 or 7 years) I originally set up an account at Site5 because they advertised unlimited bandwidth and I was leaving Microsoft so I needed a place to host podcast audio files.
I made a list of features I wanted in a hosting company and discovered that one of my existing hosts already met my criteria and I’ve had 7 years of great service experience with them.
So, what are my hosting criteria?
- A wide variety of Individual Shared, Reseller, Virtual Private and MANAGED Virtual Private, and Dedicated account options with multiple levels for each and reasonable pricing at each level
- The ability to move domains between account types and assistance available to do so.
- The ability to have my own custom DNS names.
- Support for developing apps with PHP, Python / Django, Perl, Ruby Rails, and Node.js
- Multiple Database options
- A guaranteed service level (99% up time, etc)
- A support ticket system.
- On-line chat support that is ALWAYS manned.
- Telephone support options for when things are really critical.
Then there are some additional “nice to have” items.
- Shared SSL Support
- Individual SSL options
- Source Control Hosting Options
- Free default WebMail
- Customizable Control Panel
- Some kind of domain / account manager
- SSH access
It turns out that I’m already using a hosting company that meets all those criteria – though I didn’t realise it until yesterday.
The company is A2 Hosting – http://www.a2hosting.com/
Now let me be clear. I’ve been using A2 for 6-7 years. I started using them while working at Microsoft so I kept my use of their Linux based hosting pretty quiet. A2 has never provided me with any incentive to endorse them in any way, they don’t know I’m writing this, and I have always paid full retail price for the services that I have received from them – so my experience as a customer has been the same that you or anyone else is likely to experience.
When I signed up for my A2 “reseller” account it was because I wanted to host a bunch of little web sites and didn’t want to have a bunch of different accounts. Though I have a reseller account, I only use it to host my own sites. I chose A2 because I thought their reseller account offered a lot for a very reasonable price. Because of the way that I started with them I guess I always thought of them as a “low end” provider.
I signed up for Site5 because of their unlimited bandwidth option.
As I started yesterday researching an alternative, I remembered the great service I’ve received from A2.
My A2 account is a “low cost” account, and there HAVE been issues and down time. But in all the years I’ve used them any issue has been solved quickly.
There is always someone in the on-line chat support and that someone can actually solve problems. In fact, the chat based support people are so good – in all the years I’ve hosted with them I’ve never had to call the 24/7/365 phone based tech support.
They have always known what was happening and what the eta to fix it was – or they could do it themselves.
I couldn’t remember the last time I had been to the A2 web site – they’ve added lots of services.
They now have hosting starting at $3.35 a month (unlimited disk and bandwidth) all the way up to high end, managed, dedicated servers with Cloud options.
So I moved my blog before it was even back on line at Site5. It took me about 30 minutes to get all the content, the code and the database moved. There was one thing I couldn’t figure out because the DNS change had not propagated yet, but I chatted the on-line support and Erin had the answer (thanks Erin)!
My web sites are often PHP apps like WordPress or Drupal but my Apps stuff is moving towards Node.js and Python – I was thrilled to discover that A2 supports both.
So for now I’ve consolidated all my hosted stuff to A2. (I still need to choose a Cloud based PaaS provider for some work.)
I’ll be using A2 for a bunch of my Apps learning content since my account gives me the flexibility to create sub domains for all the test apps I want to build. Heck, with Virtual Private instances starting at $13.95 per month I could even host test Apps with Java back ends if I really wanted to.
Anyway, I thought this was a fairly significant experience and that sharing it might be useful to some of my readers.
Choosing a hosting company is a bit like cheering for your favorite sports team.
Either: Mine is the best and yours sucks!
Or: Yours sucks and mine sucks TOO!
And: If you ask me tomorrow I may feel differently about mine!