HAZI.ro | Performance drops expected tomorrow for VPSs in Romania - Page 10


Comments

  • Kris Member
    edited January 7

    @FlorinMarian said: I cannot effectively implement solutions that I know nothing about (fastnetmon, RTBH). I was not offered any community through which to determine which IPs I want to be dropped at the ISP level.
    Next time a skid stops by do you just fall over again, or are you making any effort at all?
    Of course I do, I always have. The fact that only now I fell to my knees after 3 years, clearly shows that until now we had solutions that worked for the respective types of attack. We are not naive to think that you can have multiple subnets through which you sell VPSs but have 0 attacks for several years.

    Fastnetmon takes care of that for you and submits the RTBH for you. Pay someone with some network experience to set it up for your clients' sake.

    The fact is you were lucky no one bothered poking at you for 3 years. Now they know your network is a joke, have no desire to fix it, and apparently no interest.

    1) Ask your ISPs their communities, you could have easily set a community to sinkhole an IP.

    2) Your ISP can help you block an IP if you're getting pummeled like you did.

    3) Pay someone with network knowledge you trust to set up FastNetMon. This will avoid you having no idea what's going on with flowspec or netflow populating it. Beyond telling you network inbound and outbound, it can send RTBH communities upstream.

    We are not naive to think that you can have multiple subnets through which you sell VPSs but have 0 attacks for several years.

    Yeah you 100% are. You spent time dicking around on L7 techniques and asking people what shapes they liked instead of any type of DDoS mitigation. You got lucky, got slapped once, and now are throwing in the towel.

    I don't know anyone reliable to help me with this and I don't give access to the equipment either.

    K, enjoy OVH, you're a lost cause.

  • Andreix Member, Host Rep
    edited January 7

    @xrz said:

    @FlorinMarian said: The party started again.

    how? you have 2x 10Gbit no? + ovh

    Would be useful if DDoS was originating from LAN.

  • Moopah Member

    @Andreix said:

    @xrz said:

    @FlorinMarian said: The party started again.

    how? you have 2x 10Gbit no? + ovh

    Would be useful if DDoS was originating from LAN.

    The DDoS is coming from the inside!

  • xrz Member

    @Moopah said: The DDoS is coming from the inside!

    i knew it, its the old laptop :D

  • Kris Member

    PS: - 8953:666 Blackhole IPv4 /32 or IPv6 /128 (from own networks only)

    This wasn't hard to find. Now please, try to fix your shit.
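
An added example (not part of the thread, and not FastNetMon's own code) of the guard a detector hook would apply before signalling RTBH with the community quoted above. It assumes an ExaBGP-style text API for the announce line, uses the 188.241.240.0/24 block linked in the thread as a sample originated prefix, and uses a documentation IPv6 range as a stand-in.

```python
import ipaddress

# Blackhole community quoted in the thread:
# "8953:666 Blackhole IPv4 /32 or IPv6 /128 (from own networks only)"
BLACKHOLE_COMMUNITY = "8953:666"

# Assumption: the prefixes we originate. The IPv4 block is the one linked in
# the thread; the IPv6 prefix is a documentation range (constructed).
OWN_PREFIXES = [
    ipaddress.ip_network("188.241.240.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def rtbh_command(target: str, withdraw: bool = False) -> str:
    """Return an ExaBGP-style API line that blackholes or releases one host."""
    net = ipaddress.ip_network(target, strict=True)
    # The upstream only honours host routes: /32 for IPv4, /128 for IPv6.
    if net.prefixlen != net.max_prefixlen:
        raise ValueError(f"{net}: only /32 or /128 may be blackholed")
    # "From own networks only": never signal a drop for someone else's space.
    if not any(net.version == own.version and net.subnet_of(own)
               for own in OWN_PREFIXES):
        raise ValueError(f"{net}: not inside a prefix we originate")
    if withdraw:
        return f"withdraw route {net} next-hop self"
    return f"announce route {net} next-hop self community [{BLACKHOLE_COMMUNITY}]"


def plan(targets):
    """Split detector output into announce lines and rejected entries."""
    commands, rejected = [], []
    for target in targets:
        try:
            commands.append(rtbh_command(target))
        except ValueError as exc:
            rejected.append((target, str(exc)))
    return commands, rejected


if __name__ == "__main__":
    # Constructed detector output: one attacked host, one whole subnet,
    # one address outside our space, one IPv6 host.
    cmds, bad = plan(["188.241.240.3", "188.241.240.0/24",
                      "198.51.100.7", "2001:db8::1"])
    print("\n".join(cmds))
    for target, reason in bad:
        print("rejected:", reason)
```

Blackholing the attacked /32 takes that one address offline upstream so the rest of the prefix stays reachable; the withdraw line restores it once the flood stops.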

  • xrz Member

    Also you should secure your network ;) seems someone is already in.

    https://viz.greynoise.io/query?gnql=metadata.asn:"AS57403"

  • At least his website is on OVH now; oh wait that's dead too

  • Levi Member

    @xrz said:
    Also you should secure your network ;) seems someone is already in.

    https://viz.greynoise.io/query?gnql=metadata.asn:"AS57403"

    Does this mean incorrectly configed network?

  • xrz Member
    edited January 7

    @Levi said: Does this mean incorrectly configed network?

    who knows, but he should

  • xrz Member
    edited January 7

    @Levi said: Does this mean incorrectly configed network?

    https://www.abuseipdb.com/check-block/188.241.240.0/24

    sort by date most recent and see lol

    i know abuseipdb is not so reliable but will tell something...

    Thanked by 1 alincupunct
  • Levi Member

    @xrz said:

    @Levi said: Does this mean incorrectly configed network?

    https://www.abuseipdb.com/check-block/188.241.240.0/24

    sort by date most recent and see lol

    i know abuseipdb is not so reliable but will tell something...

    Mmm, yes...

    Observed Threat: NTP Amplification REQ_MON_GETLIST Request Found

  • xrz Member
    edited January 7

    @Levi said: NTP Amplification

    he does not have problem he has ovh + 2 x 10 gbit :D

  • drivex Member
    edited January 7

    I hope he has RPF, DHCP Snooping and IP Source Guard enabled on his Ciscos… and ofc blocks RFC 1918 IP space. At least that's what I know from CCNA… or work with ACLs

  • edited January 7

    @Levi said:
    Observed Threat: NTP Amplification REQ_MON_GETLIST Request Found

    I guess that's somewhat misleading. As I read it, it's a record from when he was attacked. The reporting site simply recorded the requesting IP which in case of DNS amplification is spoofed to the actual victim's IP.

  • tentor Member, Host Rep
    edited January 7

    @drivex said:
    I hope he has RPF, DHCP Snooping and IP Source Guard enabled on his Ciscos… and ofc blocks RFC 1918 IP space. At least that's what I know from CCNA… or work with ACLs

    I am not sure that his virtual machines use DHCP and are not statically configured, however I doubt he doesn't implement BCP-38 - he would be abused by DDoSers to the dust otherwise :D

    @totally_not_banned said: I guess that's somewhat misleading.

    AbuseIPDB is known to have lots of useless reports - most reporters don't have any clue on why they should not report TCP SYN packets. However, AbuseIPDB states both UDP and TCP SYN reports are not allowed (point 10 of FAQ).

    Thanked by 1 totally_not_banned
  • Levi Member

    @totally_not_banned said:

    @Levi said:
    Observed Threat: NTP Amplification REQ_MON_GETLIST Request Found

    I guess that's somewhat misleading. As I read it, it's a record from when he was attacked. The reporting site simply recorded the requesting IP which in case of DNS amplification is spoofed to the actual victim's IP.

    As I read: gazi is in chain of attack by DNS amplification. Smth -> gazi -> victim

  • tentor Member, Host Rep

    @Levi said: As I read: gazi is in chain of attack by DNS amplification. Smth -> gazi -> victim

    No, hazi is a victim of amplification attempts. This is due to the nature of amplification attacks - the attacker pretends to be the victim, sends a UDP packet to an amplifier (DNS or NTP server), and the victim receives a large response.
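
An added example (not part of the thread) showing why a "REQ_MON_GETLIST Request Found" report names the victim's address: a sensor can only read the source field the sender wrote into the packet. It decodes the NTP mode 7 header and says which address in a datagram is the probable target; the datagrams are constructed, with 192.0.2.10 as a stand-in NTP server.

```python
import struct

NTP_PORT = 123
# ntpd private-mode (mode 7) request codes for the monitor list.
REQ_MON_GETLIST, REQ_MON_GETLIST_1 = 20, 42


def parse_mode7(payload: bytes):
    """Decode the 4-byte NTP mode 7 header; return None if it is not mode 7."""
    if len(payload) < 4:
        return None
    b0, _seq, impl, code = struct.unpack("!BBBB", payload[:4])
    if b0 & 0x07 != 7:                       # low 3 bits carry the mode
        return None
    return {"response": bool(b0 & 0x80),     # top bit set on replies
            "version": (b0 >> 3) & 0x07,
            "implementation": impl,
            "request_code": code}


def classify(src, sport, dst, dport, payload):
    """Return (kind, probable_target) for one observed UDP datagram."""
    hdr = parse_mode7(payload)
    if hdr is None or hdr["request_code"] not in (REQ_MON_GETLIST,
                                                  REQ_MON_GETLIST_1):
        return ("other", None)
    if not hdr["response"] and dport == NTP_PORT:
        # Seen at an NTP server or honeypot. UDP has no handshake, so src is
        # only what the sender claimed: with spoofing, the intended target.
        return ("monlist_request", src)
    if hdr["response"] and sport == NTP_PORT:
        # Seen at the target's edge: the reply went to whoever src claimed.
        return ("reflected_response", dst)
    return ("other", None)


# Constructed datagrams (header plus zero padding), not captured traffic.
REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)
RESPONSE = bytes([0x97, 0x00, 0x03, 0x2A]) + bytes(4)
CLIENT_POLL = bytes([0x23]) + bytes(47)      # ordinary mode 3 time query

if __name__ == "__main__":
    print(classify("188.241.240.3", 40000, "192.0.2.10", NTP_PORT, REQUEST))
    print(classify("192.0.2.10", NTP_PORT, "188.241.240.3", 40000, RESPONSE))
    print(classify("188.241.240.3", 40000, "192.0.2.10", NTP_PORT, CLIENT_POLL))
```

Both the request seen at the reflector and the response seen at the edge point at the same address, which is the reading given in the replies above.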

  • Void Member

    Hamzi Damzi sat on a wall…

  • emgh Member
    edited January 7

    Please correct me if I’m wrong, but isn’t the current L7 challenge kind of stupid?

    Even by just completely guessing, there’s a 20 % chance of getting it right, after which you seem to gain access instantly, no matter what (if you’re right, of course)

  • Sululu Member

    I am sure Calin is throwing a celebratory party tonight. The battle between these two has been entertaining, this is just the icing on a juicy cake.

  • Levi Member

    @Sululu said:
    I am sure Calin is throwing a celebratory party tonight. The battle between these two has been entertaining, this is just the icing on a juicy cake.

    Nah, Calin is busy to pay those instalments to crunch maister. More like @Andreix is smiling :D

  • Moopah Member

    @Sululu said:
    I am sure Calin is throwing a celebratory party tonight. The battle between these two has been entertaining, this is just the icing on a juicy cake.

    Meanwhile @host_c and @Hosteroid are watching Florin and Calin from the background, facepalming.

  • xrz Member

    @FlorinMarian said: Since yesterday, my presence is no longer needed anyway. All network connections are LACP and in the unfortunate event that the switch itself has problems, through Team Viewer I can access an old laptop left in the rack, open 24/7 and with a physical connection to the switch console.

    so how it is now? can you access it? cause i can not load a sh*te

  • FlorinMarian Member, Host Rep

    @xrz said:

    @FlorinMarian said: Since yesterday, my presence is no longer needed anyway. All network connections are LACP and in the unfortunate event that the switch itself has problems, through Team Viewer I can access an old laptop left in the rack, open 24/7 and with a physical connection to the switch console.

    so how it is now? can you access it? cause i can not load a sh*te

    No, I can't.

  • xrz Member
    edited January 7

    @FlorinMarian said: No, I can't.

    why dont u fix it

  • tentor Member, Host Rep

    @FlorinMarian said:

    @xrz said:

    @FlorinMarian said: Since yesterday, my presence is no longer needed anyway. All network connections are LACP and in the unfortunate event that the switch itself has problems, through Team Viewer I can access an old laptop left in the rack, open 24/7 and with a physical connection to the switch console.

    so how it is now? can you access it? cause i can not load a sh*te

    No, I can't.

    Your ACL prevents your own nameservers from serving public (ns1 and ns2 are not responding to the queries)

  • Levi Member

    Pull the plug. Don't give satisfaction for skids.

  • xrz Member
    edited January 7

    @Levi said: Pull the plug. Don't give satisfaction for skids.

    best free anti ddos -> pull out all the cables :D

    attacks again https://www.abuseipdb.com/check/188.241.240.3 ??

  • @emgh said:
    Please correct me if I’m wrong, but isn’t the current L7 challenge kind of stupid?

    Even by just completely guessing, there’s a 20 % chance of getting it right, after which you seem to gain access instantly, no matter what (if you’re right, of course)

    Yeah, and by what I remember from the thread where he first demonstrated it, ChatGPT was able to solve it instantly. While it failed to correctly identify the contents of the picture, it still picked the right combination, so any wannabe attacker would simply have to automate ChatGPT solving the challenge...

    Thanked by 2 fatchan adly