MaximumASP Weblog

Security: Learn to help yourself

10/7/2007 8:19:53 PM

In this industry there is a growing and needed focus on security. There is always the threat of viruses, spyware, worms and hacker attacks. Many people feel that the larger companies are more vulnerable to attacks than small businesses. In truth, however, it’s often the other way around.

As a hosting company we do what we can to mitigate network intrusions. We feel it is our responsibility to offer these services as part of our base products. I used to get a kick out of companies announcing that they were now offering SPAM protection on their mail servers. Wouldn’t you do that by default? That is why MaximumASP invests in its network security using intrusion prevention systems, enterprise firewalls and virus protection. We literally block hundreds of thousands of possible attacks every hour coming into our network.

Many people think that if these tools are in place they are safe from the possible threat of being hacked. These systems simply protect the network but there is another side that many people do not think about or address. It is application security. It is important that people understand that the way an application is written must also be secure. There are many vulnerabilities on the application level that we see.

It is impossible for MaximumASP as a hosting company to throw some hardware network device up and protect from these types of attacks. The only way to prevent someone from taking advantage of these vulnerabilities is to correct the issues within the code itself.

Some developers are not aware of these risks. A SQL or Code injection, according to Wikipedia, is “a technique to introduce (or "inject") code into a computer program or system by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs. The purpose of the injected code is typically to bypass or modify the originally intended functionality of the program.” The functionality most often bypassed is system security. Cross-site scripting attacks have been used most recently in phishing schemes.

Here are some tips to help you avoid the potentially disastrous effects of some of these attacks:

Never trust any type of client side input. This means forms such as HTTP POST data, parameters set within a URI (HTTP GET) or cookie information.
Always filter all un-needed characters from all client side input. This is especially true for any type of special characters. The following are characters that should never be allowed to pass in any client side input:
- | (pipe sign)
- & (ampersand sign)
- ; (semicolon sign)
- $ (dollar sign)
- % (percent sign)
- @ (at sign)
- ' (single apostrophe)
- " (quotation mark)
- \' (backslash-escaped apostrophe)
- \" (backslash-escaped quotation mark)
- < > (triangular parenthesis)
- () (parenthesis)
- + (plus sign)
- CR (Carriage return, ASCII 0x0d)
- LF (Line feed, ASCII 0x0a)
- , (comma sign)
- \ (backslash)
Include the URL encoded value of all characters you are filtering. For example the ‘ (single apostrophe) is equal to %27 when url encoded. The & (ampersand sign) is equal to %26 when url encoded. The URL http://example.com/example.asp?test=test’or%201=1%20-- is the same as http%3A%2F%2Fexample.com%2Fexample.asp%3Ftest%3Dtest%E2%80%99or%25201%3D1%2520—
If you are going to pass any authentication information from your client to server SSL must be used to protect your data.
Session cookies values should be very long and random. If your session values are easily guessed it is possible for an attacker to guess the value and steal or alter a session.
Authentication information should not be passed within a cookie. Cookies can be stolen from a client’s system and used to authenticate just like a username and password.
Application Session cookies should expire on logout or after a short period of inactivity.
Remove all developer notes from production code. Often developers leave comments and notes within code that could be of use to an attacker. This is fine during development of an application but before this code is viewable to the public these notes and comments should be removed.
Enable custom error messages at your webserver. Custom error pages allow you to remove the default error pages that could help an attacker learn how your system works.
Always protect administrative or management URL’s with authentication and SSL. Never rely on hard to guess or hidden files or directories to protect these pages.
If authentication is required for a web application always require strong passwords and ensure these passwords are being stored on your system in a secure method.

Web Application vulnerabilities like SQL injection, cross-site scripting and brute force attacks are the number 1 way we see customer accounts compromised on the MaximumASP network. If you follow the simple rules above when developing your webapplication your chances of becoming compromised are greatly reduced.

New Public Site Launched

6/22/2007 5:01:34 PM

We spent the last few months redesigning our site to make our products and services easier to find and understand. Our new site provides two entry points for visitors, guiding them through the process of learning more, or taking them directly to a specific product of interest.

Please visit our new website at www.maximumasp.com today to learn how our services and new offerings can help you grow your business. Our website will continue to develop over time, incorporating your feedback and suggestions. It is our intention to provide our customers with the most valuable information and resource tools available. Please send feedback regarding the website to marketing@maximumasp.com

Bad Things Can Happen…Twice

6/18/2007 5:08:13 PM

So why would I be taking time to write a post about us having redundancy and it actually working right? Well, it's pretty simple really. In the hosting business, there have been several incidents over the years where all of the promised redundancies did not work as they should and customers were left offline for extended periods. Times where transformers blew up and there was no backup power source, generators sat with their diesel engines locked up due to no one test firing them on a regular schedule, or UPS systems that were overloaded and failed as other back up systems attempted to come online. Last week, it was very satisfying to watch all of the systems we tout here at MaximumASP work exactly as designed, and you the customer experienced absolutely no downtime.

On Thursday, June 14th, at approximately 12:15PM EST the utility supplier to Louisville, Kentucky experienced a significant transformer failure in a substation that is in the same grid as the MaximumASP data center. This failure forced other parts of the grid to attempt to carry the load of failed section. This was too much for the remaining sections to handle and they began to cascade into a blackout condition. As this reached the MaximumASP data center, the UPS systems carried the full data center load as the power bucked 3 times in a 10 second span. As the UPS carried the load, the Automatic Transfer Switch (ATS) sensed the supply change and fired up the 2 megawatt generator. As the generator synchronized cycles with the existing electrical load, the ATS shifted power to the generator. We remained in this state for almost 1 full hour, until power was restored from the utility.

Less than 1 hour after power was restored by the utility, the transformer failed again. Like clockwork, the UPS's, ATS and generator engaged, and we switched the generator to manual mode allowing us to run it continuously until we were confident that the problem had been completely rectified. We actually ran the unit until 6PM EST that evening making our own power, and allowing the diesel refueling trucks to come in and replenish the fuel tanks as the generator was running.

All is normalized now, but I thought that some of you might be interested in all that went on behind the scenes on Thursday as your servers, switches, SANS, and disk arrays hummed along without skipping a beat. It is certainly nice to see these complex support systems work as they were designed to, and hopefully this provides further reassurance that you made the right choice in selecting MaximumASP as your hosting provider.

New Look

6/10/2007 6:52:05 PM

Pardon our dust as we roll out a new look for the weblog and our public site

What is the Price Point for Quality?

4/11/2007 2:52:49 PM

From the desk of Wade Lewis:

Over the years hosting has gone through many changes, both in the types of services offered and the relative price points for each level of service. Remember when dedicated boxes started at $400 per month, and bandwidth pushed $500+ per Mbps? In those days, the gap between shared and dedicated could be a wide one, and without stepping stones like Virtuozzo, VMWare, and Virtual Server to form an intermediate step both in price and management toolset, many users were hesitant to make the jump.

Fast forward to the present and look at where things stand. Dedicated servers have dropped in price to less than where high-end shared platforms used to be, VPS plans using virtualization technologies from any number of vendors are now priced often times where mid-level shared account used to be, and some companies are still trying to make a buck on sub-$10 per month shared accounts despite pressures from GoDaddy, Google, and Windows Live initiatives.

I spend a part of each day scouring blogs and forums looking for other operators’ thoughts on running a hosting company. One thing that many veteran and rookie hosting providers echo is, “margins are slim, everyone seems to be commoditizing the industry, how am I supposed to compete?” These observations are not far off base if you are looking at the current hosting marketplace strictly by the numbers. Even I shake my head sometimes when performing cursory margin analysis, on a purely speculative basis that is, on competitor plans. I assume that many of these folks are pushing overselling to the limit, are firm believers in the “loss-leader” concept, or are hoping that none of these individuals are going to ever actually need support.

So, as has been mentioned time and time again, the way to differentiate yourself is through customer service and customer experience. I think that two proofs of this theory come from ourselves and from a competitor, and interestingly enough, prove the theory from completely different angles. MaximumASP has been in existence since 2000, in that almost 7 year span, we have maintained almost 99% retention of our clients. How did we do it, support, support, support, and reminding ourselves daily that these folks are who are paying our salaries. This number is one of the most important indices off of which we base our success and value as a company, and it seems to be working. On the flip side, let’s take a look at some of the problems faced with customer service changes (particularly a decrease in quality) when companies merge or are acquired. The current debacle in Houston and Dallas is a prime example of where two solid companies, not perfect companies, but solid business models with solid support in general, are consolidated and customer support suffers. It would appear from research in the last couple of months that customers are being churned out at a rapid pace, and new customer acquisition is likely suffering as word spreads (all of this is speculative and garnered through reading customer comments on the Web).

So support is the key to retaining clients, but how does it attract clients and how do you articulate it to those folks that do not have any first-hand experience with your company? Herein lies the biggest challenge for marketers on the payroll of hosting providers that truly offer quality support and service for their clients. How do you articulate the value proposition, the level of support, and the quality of infrastructure that a potential client will be receiving in a space that is 120 pixels by 30 pixels, or 400-odd pixels by 80 pixels? You can’t, and that is why you see so many hosts default to the flashing “Dedicated Servers Starting at $39.95!!!” Do we have to use price as a primary decision factor when we have all of these other great things going for us? No fair! In this constant limbo game of how cheap can a plan go, do customers understand that quality does come at a price? I would argue that many do. I would also argue that many do not. It is easy to say you have great infrastructure, that you have great support, and that you use quality equipment, but all of these things cost money, and those expenses must be built into the price point. So going back to support, want to know what one of our largest expenses is, and in turn one of the largest cost contributors to your hosting plan’s price here at MaximumASP? Data center? Close. Connectivity? Close. Personnel and Training? You got it, and that is what provides the support that makes us different from the guy that is half the cost, and what we are counting on making you a long-time customer. We have watched many of our customers grow from $2400 / year customer to $24,000 / year customers and that certainly proves the business case for treating every customer right, particularly when the lifetime value of that single customer could easily hit six-figures!

SQL Server 2005 SP2 Updates

4/5/2007 3:44:18 PM

After intensive testing, MaximumASP has begun the process of updating customers who have purchased SQL Server 2005 to Service Pack 2. Most customers will notice changes to the management tools, including improvements to the Database Maintenance Wizard, new management reports and a new copy database wizard. Also Reporting Services can now be integrated with SharePoint.

Over the next month, customers who have purchased SQL Server from MaximumASP will be contacted about when would be the best time to perform the upgrade. This is a suggested upgrade, so those who are not ready to upgrade to SP2 can do so on their own time table.

Customers who are running SQL Server under their own license can request that the MaximumASP SQL Team perform the upgrade for them at a cost of $100 or perform the upgrade themselves.

SQL 2005 Service Pack 2

2/20/2007 5:07:22 PM

Microsoft has officially released Service Pack 2 for SQL Server 2005. This anticipated service pack provides support for Vista and the new Office 2007 suite, as well as fixing over 61 bugs. The Database Administration team at Maximum ASP is currently testing the new and updated features of Service Pack 2. After thoroughly testing SP2, the shared SQL 2005 customers will be notified of when SP2 will be applied to the shared servers. Following the upgrade of the shared SQL 2005 server, dedicated and Virtuozzo customers will be contacted about upgrading to the new service pack. Those dedicated and Virtuozzo customers who are prepared can install Service Pack 2 immediately themselves.

Cinderella Story or the Work Horse?

2/13/2007 3:59:22 PM

After being in this business for nearly 10 years now, one thing seems to recur time and time again -- the Cinderella Story. It seems like every year or two, a new provider or an existing provider that has been recently reinvented does one of the following things:

Undercuts the competition with ridiculously low pricing on hosting plans, servers, bandwidth, or disk space. Pricing that doesn’t make sense no matter how you cut it.
Takes something that many other providers have been doing for years and calls it something different, or hypes it in some new way and attracts uninformed (note I did not say unintelligent) buyers.
Grows their low-price-amazing-and-crazy deals-call-it-something-new hosting company to incredible heights and then sells it to the highest bidder. The highest bidder then realizes that these "crazy" deals are not making satisfactory margins or any margins at all and raises prices. Customers begin to leave and look elsewhere for other hosting providers. The highest bidder attempts to keep costs low and does not scale support to keep up with customer needs, or it has problems with the integration of their new hosting company. The founders of the acquired company use capital from the sold company, setup a new hosting company and begin taking customers from the old company with - you guessed it - "crazy" deals. The process repeats itself again in two to four years.

Take the flip side of this situation. Let’s call it the Workhorse. Tried and true, these companies have been around since before the dot com bust, have stayed true to their business models over time, and have pulled off the one thing you would think any hosting customer would die for: They have provided consistently solid support for 5 to 10 years! These companies have not had meteoric growth; instead, they have focused on solid, repeatable growth year over year and have used this consistency to scale their business to provide increased quality and service for their customers with minimal disruption, if any.

I am always amused to read forum posts on the various web hosting-centric bulletin boards where I see a customer bash one flash-in-the-pan host and move to another flash-in-the-pan host only to do the same thing eight months later. You would think that people would learn over time, but, alas, many do not seem to be getting the picture.

To tie these two together, I would simply like to reference a few Business 101 teachings:

Pricing - You can name any price you want, but a sustainable business model must have margin built in. Margin must consider raw material and input price fluctuations (servers, power, racks, personnel, etc.). Any business model that sets a price with little or no margin is not sustainable for the long term. Customer-acquiring plays through loss-leader product development have shown that time and time again they do not work. Ultimately, the current company or an acquirer will have to adjust pricing to make the model work, whether it be due to current business needs or future scaling requirements. When this happens, many of these bargain-shoppers jump ship. You have to be in business to make money - it is that simple.
You can polish a turd, but it still smells like a turd. Calling a server a "Centralized Hyper-Neural Processing Device" does not change the fact that it is a server. Calling a back-end network with 100Mbps port limits a private network and portraying it as something new and different does not make it something new and different. It is still just a back-end network with a high rate limit. Come on over we will show you ours. It has been around for years now.
The pattern of firms buying three-and-out hosting companies without sustainable business models - only to repeat the same mistake several years later - does not help our industry at all. It drives multiples down, creates customer ill-will and churn and promotes a sense of constant flux in the hosting marketplace.

Workhorses are the hosts that deserve the real credit - the folks that have put together a solid business model that has proven itself year over year. It would be nice for some of the general hosting consumer mass to notice these companies and find a place where they can stay, but alas a rapid influx of new customers could be disruptive to the consistency on which these hosts thrive.

In the meantime, I guess the workhorses will just have to weather the storm of paradigm shifts as flash-in-the-pan providers commoditize the market, fail to scale their support, and generally prove that there is no way around the Business 101 principles. As Ron Burgundy might say, "Stay classy, Workhorses" ... and as I would say, "Down with the commoditizers, and long live hosting consumer education!" To the hosting public out there, I ask you to search for substance in your host. Do not be lured away from this focus by the shiny objects referred to above as the Cinderella hosts ... she doesn’t look so good with the makeup off!

95th Percentile

2/2/2007 7:22:46 PM

If you've logged in and seen our new bandwidth UI, you've probably noticed a new piece of data labeled "95th percentile." One of the new features of the new bandwidth system is tracking bandwidth by megabits per second (mbps). For our higher bandwidth customers, this method can be used instead of tracking based on the total amount of data transferred.

To gather this data, we take a sampling every five minutes which will give us a roughly 8,640 readings per month. We use this data to figure out how much of our pipe you are using and then bill you on that value. To get this reading, we take the 95th percentile of the data. This is also called Burstable billing.

The 95th percentile gives us a value which roughly tells us that 95% of the time, the usage is below this amount. What we do is take all of the data we gathered up over the month and sort it. We then take the top 5% of the values and throw them out. The highest value that is left becomes your billable utilization.

The advantage for the customer is that the peak values are thrown out. Many of our higher bandwidth customers use a steady amount of bandwidth, but periodically they need to burst up. Let's say, for example, every morning at 8:00 am you need to replicate many gigs of data from your local servers up to the web servers hosted at MaximumASP. This process only takes about 30 minutes. With burstable bandwidth, we’ll allow you to get as much bandwidth as needed to accomplish this process as possible. And, as long as this temporary spike in traffic accounts for less than 5% of the total data, we won’t penalize you.

The vast majority of our customers are still billed per GB of transfer. If you are noticing peaks in your bandwidth and would like to be switched to burstable billing, please contact sales.

New Bandwidth Tracking

2/1/2007 12:02:09 PM

As you may have noticed, the bandwidth stats in the control panel now have a new user interface. Behind the scenes is also a whole new bandwidth tracking system.

We are now using a hardware based system using equipment from Foundry and InMon to monitor all bandwidth. In the past we used a software based solution which wasn’t nearly as accurate or as in-depth.

We are now tracking data on all ports. In the past we only tracked ports 80, 443 and ports 21.
You can now break down the data by ip address and port. Previously, we only identified the total traffic for an account regardless of how many IP addresses were associated with the account.
Data transfer between devices within our network is differentiated from data from the outside world. The only data you pay for is traffic crossing our network boundary. For example we won’t bill you for the traffic between your web server to your database server.
We can now track throughput as well as the volume of traffic. For our higher bandwidth users, this means that you can choose to be billed on the portion of the pipe you are using instead of having to worry about bandwidth overage charges. Having a set price for bandwidth can work better for those who continuously worry about overage charges.

For the vast majority of customers this will only mean better reporting of their data. If you are doing a lot of traffic off ports other than 80, 443 and 21, please make sure you log into the control panel and check out your bandwidth usage to make sure there aren’t any unexpected surprises.