All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
DDoS Attack - What would you do?
randvegeta
Member, Host Rep
For the past 30 hours, we've been getting DDoS. The affected subnet has been re-routed through our mitigation service and so remain 100% online. The only issue is, the mitigation is increasing latency for the affected subnet.
Our primary upstreams in HK do not propogate our null-routes so we see the traffic hitting our routers all the time, so a null-route of the IP is not a solution. The server being attacked has already been shut down (over 18 hours ago), and yet the attack persists.
It's not the end of the world, since we are still up and running, but some people are not too happy with the higher latency.
At the moment, seems we must wait out the attack before reverting back to normal network config. But perhaps someone else has a better suggestion?
From what I can see, the attack is not continuous and seems to be relatively predictable as to how long the attacks last and how often. Since activating the mitigation service, the attacks have started to grow in size. The attack traffic has doubled in the last 12 hours.
I suspect the attacker is renting a botnet and increased the attack size after realizing his attack had no affect on our network any more. But since the target IP has already been shut down, I am curious why the attack is persisting at all. Perhaps it was a randomly selected IP, and the client may be completely innocent in this case?
Anyone know of this kind of tactic?
Comments
Welcome in da club bro of super lucky guys
Try giving the client a new ip, and have him update his dns records. If the attack shifts to the new ip, you know that it's the client that's being targetted.
If the attack persists on the old ip, it's just someone that hates you and your network.
Well, usually if they hate you, really hate you, they just look up your IP space and boot everything what you announced.
Let's just not hope your client has angered the wrong person at HF. Perhaps they purchased a booter/botnet and are now playing allmighty
HF?
Whatever, I'll just keep the protection enabled until they stop .
HackForums
You need upstreams, that provide nullrouting and, preferably, flowspec. We use FastNetMon Advanced to analyze traffic and announce BGP flowspec rules to our upstreams. If that fails - nullroute always remains as a failover option.
Hk upstream providers just don't seem to offer it. At least not the ones that actually have good Bandwidth. You can with Cogent and hurricane electric, but both of those are crap for China routing. Can't do it with PCCW, HGC, Pacnet or HKBN.
Ability to block a single IP address is just critical to any hosting-related business, either with announcing this IP with blackhole community via BGP, having enough bandwidth to block it on your own border routers or just call your upstream and ask them to block the address.
You just can't sustain without it.
You pay for attacks by duration, if down you still pay and the attack continues - this is the case on most booters.
That sounds easy in EU or US, but not in Asia or Africa. South America is special as for efficiency you only need to get your shit nulled at Telmex/Claro and few other major players.
PCCW has communities - send to [email protected] to enable, someone sent me these at one point:
If you're still stuck after checking out @william's post, perhaps you could temporarily announce the impacted /24 over only upstreams that support nullrouting & flowspec?
He has BGP for filtering, so it is filtered anyway at likely better quality than pure HE/HGC.
The other way to only get CN traffic on them would be to prepend to the protected a few times and announce in addition via PCCW/other peer to China, this route should be shorter in distance.
Interesting if they do it now. Last time I asked they did not have communities.
In any case, we don't have PCCW. And HGC definitely does not support.
Already possible through he.net, but they have terrible routing for China so there is no point.
Welcome to Asia! Response time from upstreams can be hours or even days! They are completely unreliable for support.
And buying many gbits of bandwidth to make sure we can handle the traffic at our edges is just too expensive in HK. Especially if you consider China traffic.
If at all and in a language you speak... Telstra/Optus/Singtel is a pleasure to work with, and if you know them that already tells you how horrible all others are.
Not much easy choice than to wait, pretty much.
Then that's what I'll be doing. Annoying but at least I can sleep well.
How large is the attack?
What for attack is it?
Usually this:
UDP flood. Few gigabit. Every hour it grows a bit. The protection can handle 1tbit of attack traffic so I'm not concerned with the size of attack right now.
The best way to solve your problem is to report those DDoS attacks to the owners of the source IPs. Please make the victims aware that they are part of a botnet, so that they can take steps to clean their computers. The botnet is going to shrink in size, losing its ability to attack your networks.
That's a lot of IPs to report.
Usually source IP isn't reliable since it can be spoofed.
That is absolutely the worst possible advice you could give to someone receiving any form of UDP flood.
But it sounded prem, no?
Impossible to report any source of attackers IP. I experienced once, captured around 2.3M IP, but my router dead. No routers can handle such traffics nor "capture" them. Only enterprise grade that is design specific for that kind of situation (mostly Juniper series).
This. Only exception would be reflection attacks and even then i'd question the sense in mailing hundreds of providers about their costumers crappy upnp devices or similar stuff.
It doesn't matter. They just generate random source address on non-filtered links. It can be 1 server attacking you from millions of random IPs from the entire /0.
I mildly object. Lousy isps who don't scrub their network are a major culprit and should be hunted down and, in fact, even be treated as fair game.
The reason udp ips are worth plain nothing is that them shitty isps don't do their job, particularly as they are the ones who can do it cheaply. After all they fucking know their ip ranges and could easily and cheaply filter out almost all of the crap. Similarly, my hoster/provider knows his ip ranges and could filter out crap easily.
I spare you the question, though, how many of you do and how many don't. I guess we all have an idea about the state of things in our segment...
I got asked recently about what I would do if attacked by DDoS from open DNS resolvers. I know the source IP of UDP packets can be spoofed, but in this particular case, we could check whether they accept external DNS queries with a simple nslookup command. We could report only those verified open resolvers.
I don't know if randvegeta was attacked by open resolvers or not. He didn't tell us. But to cope with DDoS or botnets, you have to report them as you find them. The only reason botnets and DDoS become big is because the victims don't know their computers are infected by malware or abused by hackers. Making them aware is not easy, a lot of work, but necessary.
No, you tried to configure a L3 mirror based on routing. Dumb idea. Configure a L2 port mirror of the uplink on another 10/40G interface, then depending on hardware either only redirect packets with DST=attack-dst or the entire flow and analyze on connected system.
Or, you buy a reasonable router, that actually does flow analysis and output internally.