HAZI.ro | Performance drops expected tomorrow for VPSs in Romania - Page 17

Comments

  • This thread is dope

    Thanked by 1host_c
  • FIRST DEADPOOL OF 2024

    Thanked by 1Calin
  • FlorinMarianFlorinMarian Member, Host Rep

    @Andrews said:
    FIRST DEADPOOL OF 2024

    Close your eyes when you dream, my friend.

  • SululuSululu Member
    edited January 9

    @FlorinMarian said: Close your eyes when you dream, my friend.

    As they say in my local language You still have the mouth to talk? ok o..

    Thanked by 1Lex
  • WickedWicked Member

    Best thread of 2024 so far. I’m starting to think this is all a marketing strategy from Florin. Master in business.

  • FlorinMarianFlorinMarian Member, Host Rep

    @Sululu said:

    @FlorinMarian said: Close your eyes when you dream, my friend.

    As they say in my local language You still have the mouth to talk? ok o..

    All I can do at the moment is to wait for the testing of the Arbor solution or the complete migration to OVH, but both processes are taking time (the procedures have already started).
    We are talking here as if I had sold someone services protected by aliens and now the buyers realized that they were deceived.
    Let's be serious, not even half of the providers on LET are capable of mitigating an attack of the scale I have.

  • SululuSululu Member

    @FlorinMarian said: Let's be serious, not even half of the providers on LET are capable of mitigating an attack of the scale I have.

    That is quite presumptuous of you

  • FlorinMarianFlorinMarian Member, Host Rep

    @Sululu said:

    @FlorinMarian said: Let's be serious, not even half of the providers on LET are capable of mitigating an attack of the scale I have.

    That is quite presumptuous of you

    Look at their peerings and you'll get surprised.
    DDoS protection exists as long as there is no attacker who wanna prove the opposite.
    This was our case too (not just now but even in DC).

  • AndreixAndreix Member, Host Rep

    @FlorinMarian said:
    Let's be serious, not even half of the providers on LET are capable of mitigating an attack of the scale I have.

    That resemble so much with an idiot's attitude.

    Thanked by 1fluffernutter
  • dbContextdbContext Member
    edited January 9

    @FlorinMarian said:

    @Sululu said:

    @FlorinMarian said: Close your eyes when you dream, my friend.

    As they say in my local language You still have the mouth to talk? ok o..

    Let's be serious, not even half of the providers on LET are capable of mitigating an attack of the scale I have.

    "mitigating an attack of the scale I have."

    What's the scale of the attack? It could be 4Gbps of Amplified DNS for all we know right? which I would safely say the majority of providers on LET could handle without issue, because most have upstream DDoS Mitigation from their provider as it's pretty standard these days.

  • And have you actually confirmed it's a DDoS Attack? like taken a pcap but then reviewed it to ensure it's consistent with an amplification vector, as this sounds more and more like it's a misconfiguration in the setup, especially as you state when you remove the announcement from Orange, everything is OK.

    surely the "attacker" would re-target either your secondary upstream provider once Orange is no longer announced, and/or once the primary upstream provider is deannounced, the secondary provider would instantly get knocked as well, once the announcement has withdrawn and all that attack traffic gets diverted to the secondary upstream?
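
Added example (not part of any post in this thread): one way to run the pcap review asked for above, checking whether inbound traffic is consistent with DNS amplification. It assumes the capture has already been reduced to per-packet records; the field names, thresholds and sample packets (documentation address ranges) are constructed for illustration.

```python
import struct
from collections import Counter

def dns_header(payload):
    """Return (txid, is_response, answer_count), or None if too short for a DNS header."""
    if len(payload) < 12:
        return None
    txid, flags, _qd, an = struct.unpack("!HHHH", payload[:8])
    return txid, bool(flags & 0x8000), an

def assess_dns_amplification(packets, our_queries, min_share=0.8):
    """packets: inbound records with src, sport, proto, payload (hypothetical schema).
    our_queries: set of (resolver_ip, txid) pairs this network really sent."""
    total = unsolicited = resp_bytes = 0
    reflectors = Counter()
    for p in packets:
        total += 1
        if p["proto"] != "udp" or p["sport"] != 53:
            continue  # non-first IP fragments carry no ports; count them separately
        hdr = dns_header(p["payload"])
        if hdr is None or not hdr[1]:
            continue  # not a DNS response
        if (p["src"], hdr[0]) in our_queries:
            continue  # answer to a query we sent: legitimate
        unsolicited += 1
        resp_bytes += len(p["payload"])
        reflectors[p["src"]] += 1
    share = unsolicited / total if total else 0.0
    return {
        "total": total,
        "unsolicited_dns_responses": unsolicited,
        "share": round(share, 2),
        "distinct_reflectors": len(reflectors),
        "avg_response_bytes": resp_bytes // unsolicited if unsolicited else 0,
        "consistent_with_dns_amplification": share >= min_share and len(reflectors) > 1,
    }

def _dns(txid, response, answers, pad=0):
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0) + b"\x00" * pad

def sample_capture():
    # Constructed sample: 8 large unsolicited responses, 1 solicited reply, 1 TCP packet
    pkts = [
        {"src": f"198.51.100.{i}", "sport": 53, "proto": "udp", "payload": _dns(i, True, 20, 1400)}
        for i in range(1, 9)
    ]
    pkts.append({"src": "192.0.2.53", "sport": 53, "proto": "udp", "payload": _dns(0xBEEF, True, 1, 40)})
    pkts.append({"src": "203.0.113.7", "sport": 443, "proto": "tcp", "payload": b""})
    return pkts, {("192.0.2.53", 0xBEEF)}
```

A low share of unsolicited responses, or traffic that stops when one upstream announcement is withdrawn, points toward the misconfiguration explanation raised in the post rather than reflection.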

  • FlorinMarianFlorinMarian Member, Host Rep

    @dbContext said:
    And have you actually confirmed it's a DDoS Attack? like taken a pcap but then reviewed it to ensure it's consistent with an amplification vector, as this sounds more and more like it's a misconfiguration in the setup, especially as you state when you remove the announcement from Orange, everything is OK.

    surely the "attacker" would re-target either your secondary upstream provider once Orange is no longer announced, and/or once the primary upstream provider is deannounced, the secondary provider would instantly get knocked as well, once the announcement has withdrawn and all that attack traffic gets diverted to the secondary upstream?

    The attack is confirmed.

    @Andreix said:

    @FlorinMarian said:
    Let's be serious, not even half of the providers on LET are capable of mitigating an attack of the scale I have.

    That resemble so much with an idiot's attitude.

    By measuring your frustration, it becomes even clearer which side you are on :)

    @dbContext said:

    @FlorinMarian said:

    @Sululu said:

    @FlorinMarian said: Close your eyes when you dream, my friend.

    As they say in my local language You still have the mouth to talk? ok o..

    Let's be serious, not even half of the providers on LET are capable of mitigating an attack of the scale I have.

    "mitigating an attack of the scale I have."

    What's the scale of the attack? It could be 4Gbps of Amplified DNS for all we know right? which I would safely say the majority of providers on LET could handle without issue, because most have upstream DDoS Mitigation from their provider as it's pretty standard these days.

    The scale is DNS amplification with at least 50000 IP addresses + "unlimited" IP spoofing that combines multiple techniques such as SYN, SYN+ACK, Fragmentation, UDP with random ports and packets of variable size and others.

    My switch is capable of routing 176Gbps and 131Mpps IPv4 + 110Mpps and still managed at one point to have lag even on the vlans not connected to the Internet.

  • edited January 9

    @FlorinMarian said:
    My switch is capable of routing 176Gbps

    What does it matter when only 3Gbit can reach it anyways?

    Besides what does "unlimited" IP spoofing even mean. All that's needed for spoofing is a provider which (including upstreams) doesn't filter outgoing traffic. What gets sent from there is pretty much "unlimited" by definition. Like I've said before a single 10Gbit box at Ecatel could flood you offline. Zero sophistication needed. I'm sorry but it's true.

  • mgcAnamgcAna Member, Host Rep

    This has gone too long. Can someone do tl;dr till now ?

  • tentortentor Member, Host Rep
    edited January 9

    @mgcAna said:
    This has gone too long. Can someone do tl;dr till now ?

    Hazi is DDoSed via DNS amplification of about 4Gbps, waits for Arbor (3 working? days ETA)

    Thanked by 2mgcAna host_c
  • edited January 9

    @mgcAna said:
    This has gone too long. Can someone do tl;dr till now ?

    His network is receiving a ton of shit. At this point it's not even certain if it's DDoS or a misconfiguration at one of his providers. He insists it's DDoS though and one very special super DDoS at that, while fully ignoring that even the most stupid packet flood would saturate his uplink.

    Thanked by 2mgcAna adly
  • AndreixAndreix Member, Host Rep

    @Andreix said:

    @FlorinMarian said:
    Let's be serious, not even half of the providers on LET are capable of mitigating an attack of the scale I have.

    That resemble so much with an idiot's attitude.

    By measuring your frustration, it becomes even clearer which side you are on :)

    Certainly not your side.
    It is not frustration, it is honesty.
    And also, you could have simply asked and would have gotten an answer. I will not support shady sellers, no matter if their name is hazi or woodenrack.

  • FlorinMarianFlorinMarian Member, Host Rep

    @Andreix said:

    @Andreix said:

    @FlorinMarian said:
    Let's be serious, not even half of the providers on LET are capable of mitigating an attack of the scale I have.

    That resemble so much with an idiot's attitude.

    By measuring your frustration, it becomes even clearer which side you are on :)

    Certainly not your side.
    It is not frustration, it is honesty.
    And also, you could have simply asked and would have gotten an answer. I will not support shady sellers, no matter if their name is hazi or woodenrack.

    I don't need your support, but your opinions against me don't help anyone either.

  • KrisKris Member

    Seems to be going mostly via RCS / RDS now, which seemingly supports hiding the last few hops if you're trying it.

    Good on installing FastNetMon.

    Thanked by 1FlorinMarian
  • SululuSululu Member

    Everything about this situation is ...hazy.

    I am totally confused on what @FlorinMarian is trying to achieve.

    If the objective is to get his subscribers back on line as quickly as possible (which it should be!) he should have reached out to at least 3 guys on this thread, created a communication channel with them and tracked this thing down days ago.

    I know I would have done that if in his shoes.

    If the objective is to find a way out of an undesirable business that has become a burden (hint, he has vacated his basement DC to pursue true love) then this makes some kind of sense, but enough people are considering this possibility now and if he deadpools he will be called out.

    If it is a marketing stunt...naa cannot be that ..gone on for too long

    Or he could simply be a 19 year old dude who thinks he knows more than he actually does and is not yet aware enough to know how he comes across.

    Whichever it is, this has gone on for too long, it was fun for a long while, but I suspect the fun is wearing off.

    @FlorinMarian it is time to pull the plug on this drama.

    Thanked by 4Andreix host_c M66B adly
  • yoursunnyyoursunny Member, IPv6 Advocate
    edited January 9

    @Andreix said:

    @FlorinMarian said:
    By measuring your frustration, it becomes even clearer which side you are on :)

    Certainly not your side.

    iptables -t nat -I PREROUTING -d 188.241.240.0/24 \
      -j DNAT --to $(host -t a layerbridge.com | awk '{ print $NF }')
    
    location / {
        proxy_set_header Host layerbridge.com;
        proxy_pass https://layerbridge.com;
    }
    

    Problem solved :smirk:
    All the traffic goes to the opposite side.

    Thanked by 2Andreix Lex
  • AndreixAndreix Member, Host Rep

    @yoursunny said:

    @Andreix said:

    @FlorinMarian said:
    By measuring your frustration, it becomes even clearer which side you are on :)

    Certainly not your side.

    iptables -t nat -I PREROUTING -d 188.241.240.0/24 \
      -j DNAT --to $(host -t a layerbridge.com | awk '{ print $NF }')
    
    location / {
        proxy_set_header Host layerbridge.com;
        proxy_pass https://layerbridge.com;
    }
    

    Problem solved :smirk:
    All the traffic goes to the opposite side.

    With a new srcip that can be easily dropped.

  • His network can't ever receive traffic, let alone re-sending it haha

  • yoursunnyyoursunny Member, IPv6 Advocate
    edited January 10

    @apollo15 said:
    His network can't ever receive traffic, let alone re-sending it haha

    Run the DNAT command on 100Gbps connection.
    If nftables isn't fast enough, use the DPDK equivalent (pay me 100 push-ups and I'll write for you, it's about 100 lines).
    RIP Andreix network.

  • FlorinMarianFlorinMarian Member, Host Rep

    @Sululu said:
    Everything about this situation is ...hazy.

    I am totally confused on what @FlorinMarian is trying to achieve.

    If the objective is to get his subscribers back on line as quickly as possible (which it should be!) he should have reached out to at least 3 guys on this thread, created a communication channel with them and tracked this thing down days ago.

    I know I would have done that if in his shoes.

    If the objective is to find a way out of an undesirable business that has become a burden (hint, he has vacated his basement DC to pursue true love) then this makes some kind of sense, but enough people are considering this possibility now and if he deadpools he will be called out.

    If it is a marketing stunt...naa cannot be that ..gone on for too long

    Or he could simply be a 19 year old dude who thinks he knows more than he actually does and is not yet aware enough to know how he comes across.

    Whichever it is, this has gone on for too long, it was fun for a long while, but I suspect the fun is wearing off.

    @FlorinMarian it is time to pull the plug on this drama.

    Even from the evening of the attack, I did the simplest thing, I ordered BYOIP from OVH, knowing that it would take up to 3 weeks (with the first subnet, I was lucky and it was ready in just 10 days).
    A few days ago I did not have as many certainties as now.
    Think that at the moment 5 out of the 8 IPs targeted with a huge number of packets are not even configured on any device, so no GRE tunnel would help me because the tunnel would be configured according to the saturated band with Orange.
    If I were to buy GRE + BGP support from somewhere, the attacker would simply move the attack to the IPs from Orange with which we have configured the switches and the attack would continue to produce its effects.

  • emghemgh Member

    @FlorinMarian Why did you talk to your accountant about entering insolvency?

  • yoursunnyyoursunny Member, IPv6 Advocate

    @FlorinMarian said:
    If I were to buy GRE + BGP support from somewhere, the attacker would simply move the attack to the IPs from Orange with which we have configured the switches and the attack would continue to produce its effects.

    Don't tell others what's your 🍊 IP.

  • emghemgh Member

    @yoursunny said:

    @FlorinMarian said:
    If I were to buy GRE + BGP support from somewhere, the attacker would simply move the attack to the IPs from Orange with which we have configured the switches and the attack would continue to produce its effects.

    Don't tell others what's your 🍊 IP.

    Show me your 🍑

  • yoursunnyyoursunny Member, IPv6 Advocate

    @emgh said:

    @yoursunny said:

    Don't tell others what's your 🍊 IP.

    Show me your 🍑

    Thanked by 1emgh
  • FlorinMarianFlorinMarian Member, Host Rep

    @emgh said:
    @FlorinMarian Why did you talk to your accountant about entering insolvency?

    In order to get rid of the costs of the dedicated Internet for 24 months in Romania, paid unnecessarily after going to OVH, I took this into account, but the way the contracts with the ISPs are formulated makes the process very difficult.
    It was a simple option to close the current SRL and open a new one while keeping my clients, but it is not cheap or simple at all.

    Thanked by 1emgh