Comments
Community-driven business!
shhhh can send anyone one more?
Well, you should all become shareholders to this mess.
I don't think this is the right time to pretend to be smart.
When it's your turn (if it comes) we'll see how you'll manage, until then you're just talking bs.
I didn't ask you or anyone else here for help, so I don't know how you deduced that I'm asking people for help.
Then, isn't it shocking that being a provider doesn't mean you know everything?
https://arstechnica.com/information-technology/2021/01/ddosers-are-abusing-microsoft-rdp-to-make-attacks-more-powerful/
This looks interesting
Usually my clients pay me for my knowledge, aside from the hardware resources.
Also, you shouldn't become a provider if you don't know shit.
Are you dropping these offending IP addresses at the edge of your network (your switch/router/etc), or at the edge of your IP Transit Providers via BGP flow spec?
If you're only dropping at the edge of your network, this will do nothing as they only need to saturate your IP transit allocation (e.g. 2.5Gbps or whatever you currently have), regardless of what rule set you have at your edge.
I would advise you contact your IP Transit Providers and get them to put "temporary" edge rules in place to drop these pretty basic amplification vectors at their edge.
If your IP Transit providers won't do this (I doubt they will considering it's a "residential" connection), then you'll want to look into getting a DDoS Mitigation provider that can hijack your IP Subnets when you announce to them you're under attack.
There are quite a few providers that can do this for 200-300 euro per month in Romania, as Voxility is in close proximity, but you'll have to do a Google search for "BGP DDoS Mitigation" for that.
DNS attack: just block all DNS and only allow reputable DNS like 1.1.1.1 or 8.8.8.8, or you can do rate limiting on DNS queries per IP.
Performance drops? That's an understatement, it's completely off for me. I hope this gets sorted soon, because frequent slow speeds and outages are not good for business.
This is why using the big boys is better. Over the 20 or so years I have had servers etc. with big companies, these attacks don't bother you, as when my server gets attacked their DDoS protection deals with it. You just get an email that you were attacked but no downtime, but hey, they have much larger budgets and way bigger networks to handle these idiot attackers. I hope the ass gets bored very soon and stops the attack.
Big question here is - is this a carpet-bombing attack or not?
What can be dropped at edge level if all IPs are spoofed?
But you said that most of your traffic has src port 53, isn't it an amplification from specific hosts?
Just pull the plug for 48 hours. Take the weekend to relax. Your clientele expects 80% uptime. You may go dark for a week without any questions.
time to become blood brothers with @diamwall
You can still drop an IP address regardless of whether the src header is spoofed/modified, it's still the source of the traffic as far as your network is concerned.
I only stated specifically about dropping individual IP addresses, as you said you were doing this in your above comments.
It would be far better to find the pattern, and build a rule set to drop the traffic relating to the attack pattern.
E.g. for SSDP amplification, you would drop UDP/1900 on inbound. For DNS amplification, you would drop or heavily rate-limit UDP/53 on inbound. For SNMP amplification, you would drop UDP/161 on inbound.
Of course, all of the above examples would really only help if you're implementing them at the ISP's edge, not your own, as you don't have the capacity/throughput to handle these amplified attacks.
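An added example, not part of any poster's comment: one way to "find the pattern" from inbound flow records before asking the upstream for a filter. It groups UDP traffic by the source ports named above and skips DNS replies from the resolvers mentioned earlier in the thread; the record layout, the sample flows and the 10% threshold are assumptions made for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflection vectors named in the thread.
AMP_PORTS = {53: "DNS", 161: "SNMP", 1900: "SSDP"}
# Resolvers the network really queries; their replies are not attack traffic.
KNOWN_RESOLVERS = {"1.1.1.1", "8.8.8.8"}

# Constructed inbound flows: (src_ip, src_port, dst_ip, proto, bytes).
# All other addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("198.51.100.7", 53, "192.0.2.10", "udp", 5000),
    ("198.51.100.8", 53, "192.0.2.10", "udp", 4000),
    ("198.51.100.9", 53, "192.0.2.11", "udp", 3000),
    ("203.0.113.5", 1900, "192.0.2.10", "udp", 2000),
    ("203.0.113.6", 1900, "192.0.2.10", "udp", 2000),
    ("1.1.1.1", 53, "192.0.2.12", "udp", 1000),        # legitimate DNS reply
    ("203.0.113.20", 51514, "192.0.2.10", "tcp", 2500),  # ordinary client
    ("203.0.113.21", 40222, "192.0.2.12", "udp", 500),   # unrelated UDP
]

def summarize(flows, min_share=0.10):
    """Per vector: share of inbound bytes, distinct reflectors, distinct targets."""
    total = sum(f[4] for f in flows)
    stats = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "targets": set()})
    for src, sport, dst, proto, nbytes in flows:
        if proto != "udp" or sport not in AMP_PORTS:
            continue
        if sport == 53 and src in KNOWN_RESOLVERS:
            continue  # keep resolver replies out of the drop candidate
        s = stats[sport]
        s["bytes"] += nbytes
        s["reflectors"].add(src)   # many sources: per-IP blocking will not scale
        s["targets"].add(dst)      # several targets in a prefix: carpet bombing
    report = []
    for sport, s in stats.items():
        share = s["bytes"] / total if total else 0.0
        if share >= min_share:
            report.append({
                "vector": AMP_PORTS[sport], "src_port": sport,
                "share": round(share, 2),
                "reflectors": len(s["reflectors"]), "targets": len(s["targets"]),
            })
    return sorted(report, key=lambda r: r["share"], reverse=True)

if __name__ == "__main__":
    for row in summarize(SAMPLE_FLOWS):
        print(row)
```

Each row names a source port that could be filtered or rate-limited; as the post above says, the filter only helps when it is applied upstream of the saturated link.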
So far one person complained. Looks like none really cares either way.
Well, at least for marketing it is good.
I don't know anything about DDoS attacks but this sounds like it makes sense - are you doing this @FlorinMarian?
You should give him a step-by-step tutorial or at least a good ChatGPT prompt.
The news is pretty bad.
I have opened 3 incidents at Orange in the last 24 hours and in all of them the outcome was unfavorable:
This thread was opened strictly for the purpose of announcing today's upgrade but it turned into a new stage on which the great gods of the community climbed.
It's frustrating to research over and over again how to stop IP spoofing attacks and after reading a few pages always see the same conclusion: it can't be done.
A quote says that night is a good counselor, let's see what ideas I come up with to get out of this mess.
Thanks to everyone who offered to help me!
Can’t be long before Orange kicks you off.
I don't think the attack is noticeable for them, probably a few Gbps more than the paid commitment, but the attack must last long enough to increase the 95th percentile.
And when I said 2 weeks ago that you are at Orange's mercy, you said that nobody asked me to say that.
Take it in the ass because you deserve it.
Bandaid:
1) Drop SSDP at ISP edge (1900 not in or out)
2) Restrict UDP on 53 to outbound known resolvers.
Proper fix:
3) Get BGP / Anycast based protection from someone like Path. You can permanently announce them, manually via prepending. It's best to automate the BGP announcement with fastnetmon.
You will pay only for clean traffic back to your line.
They don't break the bank like my former ISP did back in the day for the same technology, and more scrubbing centers / capacity.
If you just go to sleep, you may not have a second ISP in the morning.
Well, the site is down, so? Doesn't matter how many Gbps the attack is, it seems it works well?
I was talking about getting kicked out by Orange, I don't think that's going to happen soon. Sure, the attack looks to be successful.
He does not have money or doesn't want to spend any money on this problem. His technical knowledge is very limited on this topic. But he has a clientele with very low expectations, everything is fine.
Did you really not count this in when you decided to build your own DC into your home?
It was a matter of time, since you are quite eccentric on this forum, and many people would surely get enjoyment from annoying you.
Maybe you should put your primary website hazi.ro on a ddos protected server/network if you have access to do that? At least you can provide your customers with announcements / send out the necessary emails etc @FlorinMarian