HAZI.ro | Performance drops expected tomorrow for VPSs in Romania

emgh

hetrix is actually stupid, they password protect the main page but not the monitoring URLs...

the attacker still have access if they have the link (and they will have if they ever visited) and so will everyone here too

totally_not_banned

@emgh said:
hetrix is actually stupid, they password protect the main page but not the monitoring URLs...

Wow, that's very much not what one would expect from a professional service.

alfatarsos

@emgh said:
hetrix is actually stupid, they password protect the main page but not the monitoring URLs...

the attacker still have access if they have the link (and they will have if they ever visited) and so will everyone here too

Autch

totally_not_banned

So the big question remains: Is there external filtering now?

FlorinMarian

@totally_not_banned said:
So the big question remains: Is there external filtering now?

No.

totally_not_banned

@FlorinMarian said:

@totally_not_banned said:
So the big question remains: Is there external filtering now?

No.

OK... but then it's not really a mystery what kind of traffic is reaching you, isn't it? It's very much the kind of traffic this guy keeps sending.

alfatarsos

@FlorinMarian said:

@totally_not_banned said:
So the big question remains: Is there external filtering now?

No.

lol

JabJab

@emgh said:
hetrix is actually stupid, they password protect the main page but not the monitoring URLs...

the attacker still have access if they have the link (and they will have if they ever visited) and so will everyone here too

@HBAndrei ping, you probably want to put that on some #TODO list.

emgh

@totally_not_banned said:

@FlorinMarian said:

@totally_not_banned said:
So the big question remains: Is there external filtering now?

No.

OK... but then it's not really a mystery what kind of traffic is reaching you, isn't it? It's very much the kind of traffic this guy keeps sending.

yeah lol..

xrz

facepalm

https://www.abuseipdb.com/check-block/188.241.241.0/24
https://www.abuseipdb.com/check-block/188.241.240.0/24

BilohBucks

I'm still curious why he use Orange now when RDS or whatever else their name is, working perfectly fine, considering that both of them have the same IP's, attacks would be rerouted to RDS too.. but it is not..

FlorinMarian

@xrz said:
facepalm

https://www.abuseipdb.com/check-block/188.241.241.0/24
https://www.abuseipdb.com/check-block/188.241.240.0/24

Not only other people's IPs are spoofed when we are attacked.
It is clear that there is someone competing with us since they are also targeting our IP addresses in order to damage their reputation.
Fortunately, abuseipdb is not reliable

alincupunct

@BilohBucks said:
I'm still curious why he use Orange now when RDS or whatever else their name is, working perfectly fine, considering that both of them have the same IP's, attacks would be rerouted to RDS too.. but it is not..

I am curious why any of them use Orange when the latency's horrible with every other provider but this is offtopic.

xrz

@FlorinMarian said: abuseipdb is not reliable

surely not reliable, but showing sign of what attackers doing (if its even some % who knows)

FlorinMarian

@BilohBucks said:
I'm still curious why he use Orange now when RDS or whatever else their name is, working perfectly fine, considering that both of them have the same IP's, attacks would be rerouted to RDS too.. but it is not..

At this moment, the attacks come through both providers.
The attack is so clever that there are 120K packets only through Orange, 500 each on the 256 IP addresses.

FlorinMarian

@alincupunct said:

@BilohBucks said:
I'm still curious why he use Orange now when RDS or whatever else their name is, working perfectly fine, considering that both of them have the same IP's, attacks would be rerouted to RDS too.. but it is not..

I am curious why any of them use Orange when the latency's horrible with every other provider but this is offtopic.

Not true at all.

iperf3 Network Speed Tests (IPv4):
---------------------------------
Provider        | Location (Link)           | Send Speed      | Recv Speed      | Ping
-----           | -----                     | ----            | ----            | ----
Clouvider       | London, UK (10G)          | 3.66 Gbits/sec  | 4.20 Gbits/sec  | 57.1 ms
Scaleway        | Paris, FR (10G)           | busy            | busy            | 52.4 ms
NovoServe       | North Holland, NL (40G)   | 3.66 Gbits/sec  | 156 Mbits/sec   | 60.7 ms
Uztelecom       | Tashkent, UZ (10G)        | 3.08 Gbits/sec  | 3.83 Gbits/sec  | 118 ms
Clouvider       | NYC, NY, US (10G)         | 900 Mbits/sec   | busy            | 137 ms
Clouvider       | Dallas, TX, US (10G)      | 1.09 Gbits/sec  | 106 Mbits/sec   | 166 ms
Clouvider       | Los Angeles, CA, US (10G) | 907 Mbits/sec   | 109 Mbits/sec   | 192 ms

Swiftnode

@xrz said:
facepalm

https://www.abuseipdb.com/check-block/188.241.241.0/24
https://www.abuseipdb.com/check-block/188.241.240.0/24

You realize that is because people are spoofing his IPs, right? That's how most UDP amplification attacks work.

You spoof the victim IP toward hundreds/thousands of destinations, they respond with an larger payload of traffic to the victim.

This is why automated abuse reporting for UDP traffic is retarded. Hetzner does the same shit.

Bennett

I wonder whether users will be compensated for lost days

BilohBucks

Why don't you use for example BuyVM Protected BGP service to protect your site? Or OVH like others mentioned earlier? few ms more to your network won't be a big deal, at least your servers will be up, not down for 5(?) day..

xrz

@Swiftnode said: This is why automated abuse reporting for UDP traffic is retarded. Hetzner does the same shit.

i know, i am just curios how many types of attacks are carried out there against him, this sh*t is now boring and so long

FlorinMarian

@Bennett said:
I wonder whether users will be compensated for lost days

They will get 30% off next month but first we have to stop this shit.

FlorinMarian

@BilohBucks said:
Why don't you use for example BuyVM Protected BGP service to protect your site? Or OVH like others mentioned earlier? few ms more to your network won't be a big deal, at least your servers will be up, not down for 5(?) day..

I tried a session with wireguard/GRE earlier.
The IPs announced via BGP were inaccessible and the speed was below 350Mbps, although in Romania we have 2150Mbps and the server I tried to pair with has 10Gbps.

emgh

@FlorinMarian said:

@Bennett said:
I wonder whether users will be compensated for lost days

They will get 30% off next month but first we have to stop this shit.

how?

FlorinMarian

@emgh said:

@FlorinMarian said:

@Bennett said:
I wonder whether users will be compensated for lost days

They will get 30% off next month but first we have to stop this shit.

how?

Arbor from ISP or OVH, it depends on who implements first.

emgh

@FlorinMarian said: I tried a session with wireguard/GRE earlier.
The IPs announced via BGP were inaccessible and the speed was below 350Mbps, although in Romania we have 2150Mbps and the server I tried to pair with has 10Gbps.

PEBKAC

Were you doing it from your network with its IPs receiving DDoS?

FlorinMarian

@emgh said:

@FlorinMarian said: I tried a session with wireguard/GRE earlier.
The IPs announced via BGP were inaccessible and the speed was below 350Mbps, although in Romania we have 2150Mbps and the server I tried to pair with has 10Gbps.

PEBKAC

Were you doing it from your network with its IPs receiving DDoS?

Possibly, it's not like I've ever implemented something like this before.

emgh

@FlorinMarian said:

@emgh said:

@FlorinMarian said: I tried a session with wireguard/GRE earlier.
The IPs announced via BGP were inaccessible and the speed was below 350Mbps, although in Romania we have 2150Mbps and the server I tried to pair with has 10Gbps.

PEBKAC

Were you doing it from your network with its IPs receiving DDoS?

Possibly, it's not like I've ever implemented something like this before.

https://wiki.buyvm.net/doku.php/gre_tunnel

xrz

@FlorinMarian said: Arbor from ISP or OVH, it depends on who implements first.

so will it stop the attacks finally?

FlorinMarian

@emgh said:

@FlorinMarian said:

@emgh said:

@FlorinMarian said: I tried a session with wireguard/GRE earlier.
The IPs announced via BGP were inaccessible and the speed was below 350Mbps, although in Romania we have 2150Mbps and the server I tried to pair with has 10Gbps.

PEBKAC

Were you doing it from your network with its IPs receiving DDoS?

Possibly, it's not like I've ever implemented something like this before.

https://wiki.buyvm.net/doku.php/gre_tunnel

I know this kind of tunneling.
The main difference is that IPs are part of BGP session same unprotected host.

FlorinMarian

@xrz said:

@FlorinMarian said: Arbor from ISP or OVH, it depends on who implements first.

so will it stop the attacks finally?

One of them will stop them.
The attacker targeted our another subnet at OVH but their filters did their job.