Is your site down because someone wants it down? #4806

Open
5 of 41 tasks
h701h opened this issue Sep 20, 2023 · 4 comments

h701h commented Sep 20, 2023

As an analyst I want to know when any website, web service, or important DNS provider is being blasted off the internet (or is simply offline).

Create an end-to-end skeleton that can detect when a site is suspected offline because of outage or attack.

For the skeleton, and on the B stream.

todo: Figure out way to communicate HA to owners that isn't through the app.
todo: Clean up reqs.

Must Have

ACL

  • Super Admins share all the domains labelled 'Monitor for Service Interruption'.
  • Super Admins can remove the 'Monitor for Service Interruption' tag that Org Admins/Owners set
  • Org Admins/Owners share all the domains they label as 'Monitor for Service Interruption'.
  • Org Admins/Owners cannot remove the 'Monitor for Service Interruption' of Super Admins

Logging

  • When an Org Admin/Owner adds a domain to the 'Monitor for Service Interruption' the event is logged in the activity log of that org.
  • When an Org Admin/Owner removes the label 'Monitor for Service Interruption' the event is logged in the activity log of that org.
  • When a domain is unreachable for 3 consecutive blocks an event is logged in the activity log: '[domain] not reachable for 45 minutes straight.'

General Requirements

  • Allow Super Admins to tag domains with a private tag called 'Monitor for Service Interruption'. This takes domains and adds them to the /uptime-monitoring list.

    • from /domains
    • from /domains/website
    • from /uptime-monitoring
  • All domains tagged with 'Monitor for Service Interruption' are checked every 15 minutes (a block).

    • Scan from 2 different clouds, 2 different regions
    • Use a different IP address every check
    • If a site is down for 3 consecutive blocks, notify a CSEMP distribution list
    • If more than 3 go down during the same 15 minute time slot, yellow alert
  • Attempt to fetch websites and web services using an HTTP request.

    • Always log the IP address used during the fetch.
    • Set the user agent to (Tracker)
    • If the domain returns a successful HTTP response (200 OK status), it's considered up.
    • If there's a 4xx or 5xx error code, consider the site up (do nothing) <------------- ??????
    • If there's a 429 error code, notify the tracker developers
    • If no response within 15 seconds, consider the site down
    • All gaps in scanning data for a block are displayed as 'no data'.
  • No pagination on either page
  • Allow alphabetical sorting
  • Allow sorting by most recent downtime
  • Allow in-page filtering (filter on domain name, filter on has downtime in last 24 hours)
  • Show if a domain is protected by DDoS protections
  • Allow users to single-click on a domain and report via email if something is wrong.
  • Keep all data forever, but

    • /uptime-monitoring show only last 96 hours
    • /domains/website/uptime show only last 30 days
  • /uptime-monitoring page auto-refreshes every 15 minutes
  • /domains/website/uptime page auto-refreshes every 15 minutes

Nice to Have

  • Create a canned report for a time period
  • Create a negative score for a domain if 'monitor for service interruption' is true and the domain lacks DoS protections.
  • In the monthly report to org admins/owners show which domains have a lack of DoS protections
  • Offer org admins/owners the ability to tag for their own 'monitor for service interruption'. Org admins/owners can only monitor domains associated with their organization. Org
    • org admins/org owners can or can't override a super admins <------------ ???????????
  • integration into level 2 support.
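The status rules and the "3 consecutive blocks" / "more than 3 in one slot" alerting rules above, encoded as an added example (not Tracker project code). The `Probe` shape, the function names, and the choice that a 'no data' block resets a down streak are assumptions; the log message scales with the streak length, so 3 blocks gives the 45 minutes named in the issue.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCK_MINUTES = 15        # one scan block, per the requirements
TIMEOUT_SECONDS = 15      # "no response within 15 seconds" counts as down
CONSECUTIVE_BLOCKS = 3    # 3 blocks = 45 minutes straight
YELLOW_THRESHOLD = 3      # more than 3 domains down in one slot = yellow alert

@dataclass
class Probe:
    """One fetch of one domain (assumed shape; not a Tracker type)."""
    domain: str
    source_ip: str             # the requirements say to always log this
    status: Optional[int]      # HTTP status code, or None when nothing came back
    elapsed: float             # seconds until the response (or until the timeout)

def classify(probe: Probe) -> Tuple[str, List[str]]:
    """Map one probe to 'up' or 'down' plus any follow-up notes."""
    notes: List[str] = []
    if probe.status is None or probe.elapsed >= TIMEOUT_SECONDS:
        return "down", notes
    if probe.status == 429:
        notes.append("notify tracker developers: 429 from " + probe.domain)
    # 200 is up; the issue currently treats 4xx/5xx as up as well (marked '??????')
    return "up", notes

def outage_streak(states: List[str]) -> int:
    """Trailing run of consecutive 'down' blocks; 'up' or 'no data' resets it (assumed)."""
    streak = 0
    for state in reversed(states):
        if state != "down":
            break
        streak += 1
    return streak

def outage_message(domain: str, states: List[str]) -> Optional[str]:
    """Activity-log line once a domain has been down for 3 consecutive blocks."""
    streak = outage_streak(states)
    if streak < CONSECUTIVE_BLOCKS:
        return None
    return f"{domain} not reachable for {streak * BLOCK_MINUTES} minutes straight"

def yellow_alert(slot: Dict[str, str]) -> bool:
    """slot maps domain -> state for one 15-minute block."""
    return sum(1 for s in slot.values() if s == "down") > YELLOW_THRESHOLD
```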
@h701h h701h changed the title Is your site down? Is your site down because someone wants it down? Sep 20, 2023
@h701h h701h changed the title Is your site down because someone wants it down? Is your site down because someone wants it down? IN PROGRESS Oct 16, 2023
@h701h h701h changed the title Is your site down because someone wants it down? IN PROGRESS Is your site down because someone wants it down? Oct 16, 2023
@h701h h701h self-assigned this Nov 6, 2023

h701h commented Nov 28, 2023

Analyze HTTP Headers:

Examine the HTTP response headers of the website using tools like browser developer tools, curl, or online services. Certain headers may indicate the use of DDoS protection services. For example, Cloudflare often includes headers like cf-ray or server: cloudflare.


h701h commented Nov 28, 2023

Look for Interstitial Pages or CAPTCHAs: Detect websites that are protected by services like Cloudflare. Some sites show an interstitial page or a CAPTCHA challenge when they detect unusual traffic.


h701h commented Nov 28, 2023

Inspect Website's SSL Certificate: Check the website’s SSL certificate details. If the certificate is issued by a DDoS protection provider or mentions them, it's likely the site is using their services.


h701h commented Nov 28, 2023

Observe Network Path with Traceroute: Use traceroute to identify the network path to the website. If the path includes known IP ranges of DDoS protection providers, it suggests the site is using their services.
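The header check from the first comment and the certificate-issuer check from the third, as an added example (not Tracker project code) that could feed the "protected by DDoS protections" column. It parses a raw HTTP/1.x response head and looks for the two Cloudflare indicators named above; the sample responses and the CF-RAY value are constructed placeholders, and the function names are assumptions.

```python
from typing import Dict, List, Optional

def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP/1.x response head into a lowercase-name -> value dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # first line is the status line
        if line == "":
            break                        # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep == "":
            continue                     # skip a malformed line rather than fail
        headers[name.strip().lower()] = value.strip()
    return headers

def detect_ddos_protection(headers: Dict[str, str], cert_issuer: Optional[str] = None) -> List[str]:
    """Return the indicators found; an empty list means none recognised."""
    evidence: List[str] = []
    if "cf-ray" in headers:
        evidence.append("cf-ray header present")
    if headers.get("server", "").lower() == "cloudflare":
        evidence.append("server: cloudflare")
    if cert_issuer and "cloudflare" in cert_issuer.lower():
        evidence.append("certificate issuer mentions Cloudflare")
    return evidence

# Constructed sample responses (not captured from any real site).
SAMPLE_PROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 28 Nov 2023 12:00:00 GMT\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 0000000000000000-XXX\r\n"   # placeholder value, not a real ray id
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_PLAIN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

def protected_by_ddos_service(raw_response: str, cert_issuer: Optional[str] = None) -> bool:
    """True when any indicator is present; what the monitoring page would display."""
    return bool(detect_ddos_protection(parse_headers(raw_response), cert_issuer))
```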
