New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
@Fatboy no screenshots, no names... ?
You and me both there then
All I want is the truth to why they blocked the server, changed their mind 3 times now (verification, traffic flood and now type of traffic).
I have put the graphs up, they do peak a lot when the dropbox sync happened but nothing either side as far as I can see. Not sure why I still see traffic to the box (if I am reading it right) after they closed off the server though.
Like I said, I just want to get one honest answer out of Online and the refund for the guy who bought 3 hours service in essence!
New server is up, they didn't block whilst the sync was going on and actually the sync was a lot faster. Accounts now restoring nicely.
Hopefully this thread has just informed people what could happen, not to everyone but even if this happens a few times a month people need to know.
Right - now late for work, got to run!
Maybe I'm dumb, maybe I'm reading the graphs incorrectly but the peak of ~32M in packets on device 2 is a little high, is it not?
32Mpps * 64 byte packets (minimum) is 16Gbps. Not possible.
Okay, didn't see this one to start with from @rm_.
Firstly thanks for putting me in the 'kids' category, at my age I am going to take that as a complement and started my morning off quite nicely. I will ignore the DDoS accusations.
Secondly, I did not come here and 'whine', if you bother to read from the start I came here to see if anyone had experienced the same as we were going through. I am now calling Online out a bit as they don't want to give a straight answer here, not surprisingly, or even in the own ticketing system.
If I am whining, how come I am not the one who has been show to be giving not one, not two but three reasons for the suspension?
All I wanted was a straight answer as to why it had happened, if @bene_online and the Online.net company don't want to give me a simple straight down the line answer then something is wrong. If they had given it Friday night, or even Monday morning this wouldn't be happening.
However, I am not going to sit back and be called an abuser without the facts. I know what I was doing on that server with the restores etc. You are right, what the guy actually did with the server in the three hours after I finished and Online suspended it I do not know, I can only go on what I am told by the guy I did the work for. He updated a few sites.
If they can say 'you were suspended because of xxxxxxxxx', then thats all I want. I am too old in the tooth to be pushed pillar to post by 'support' people in the ticket and @bene_online here giving me complete BS. Tell me straight and then I am done - thats all I have asked here and in the ticket from the start. As I said, everything is working on another server now without a problem - I did everything exactly the same as I did on the Online box with the new company and not one problem has arisen.
So you saying that @ATHK is wrong in believing what I have said in a one side story makes you look a little hypocritical as it appears you are siding with Online because they are a big company. I don't care if anyone believes what I am saying, I gave up caring what people thought of me a long time ago - I tell it as it is. Unfortunately Online.net and @bene_online appear to be politicians and couldn't give a straight answer if their lives depended on it as displayed between Friday and today where there have been three different reasons for suspension. Think they should get together, decide on one reason, give me the reason and its done as long as they have some proof to backup what they are saying.
You are welcome to your opinions as am I.
@Umcookies and @rds100 I am not an expert in reading graphs, but the large spike in packets is incoming isn't it? The latest reason from Online.net for suspension was for the traffic the server was sending.
Again, I don't really understand those graphs so could have it ass about face!
hi all,
well, it's not our habits to come public with our customers issues, but since you started it, let's do it.
when you install a server, then just a few hours later (less than 24) your server starts an attack to our network against our core infrastructure (not just a DDoS to a random IP but against our infrastructure), we won't be any tolerant nor help you in anyway, you get kicked out, plain and simple.
Either you or some of the guys who had access to your server did shit, deal with it and move on, you are no longer accepted on our network.
We have a 0 tolerance policy for kiddies on our network.
@mikmak instead of just flinging that out, which I must admit is at least a start compared to @bene_online and your staff on support, back it up with logs showing that. All I have asked is for proof of what has been done.
If a ddos on your infrastructure has taken place show me - if its true, then I would assume that one of the 54 accounts on the cpanel box is compromised in some way and will go digging for the guy.
If you said this on Friday when both he called you and I asked in the ticket, things wouldn't of got this far.
I'm as in the dark about it as you are, I'm trying to compare your graphs to what my Kidechire is pushing and I can't make heads or tails of it. Maybe I really have been up too long.
However if I had to hazard a guess that is probably the reason the server was terminated, as rds pointed out it's a rather large number and could have been what the online.net tech's saw.
Take the above with a pinch of salt however, it's a wild guess, not even an educated one.
Nope, those graphs are reversed, so "In" means from your server to online.net.
zero sh*ts given kinda day?
The packet flood showing in the graphs would be big enough to make me think it had been compromised.
+1.
@wych - if what you and @rm_ said was told to me over the weekend I would of been a whole lot clearer as to the problem.
Currently ClamAV and maldet is running on the server - the guy has told me he did nothing but update sites and didn't do any DDoS. To be honest, not putting him down, he hates playing with servers so running DDoS stuff, I think, is something he wouldn't do.
But at least with you guys having a look at the graphs and me now knowing that in means out and I guess out means in that points me to something more concrete than Online.net has done in the past 5 days!
The graphs are still strange, at least the "Packets" graph. The numbers under the graphs are suffixed with "u", which should mean "micro", i.e. 1/1000000 packets/second and "m" which should mean milli, i.e. 1/1000 packets/second. For "Millions" the suffix should be capital "M". Either i am reading it wrong, or it's some sort of French abbreviation that i don't understand.
Hi
Acting a bit childish aren't we?
>
Again OP has asked for proof..
Aren't you suppose to act professional? Instead you're acting like a child (again)..
Proof please...
Proof please....
I'm really wondering about your authenticity as a staff member of online.net, please post your ID, position at company, your direct line and your employment contract..
Ignoring for a moment the only reasonable thing to do, namely to get away from online and to make it publicly well known how unreasonable, vague, brute-force they are ...
Well, as long as France is in Europe there are some legal details which you @Fatboy can use to beat them into enough of a pain to (hopefully) learn something.
The law ist simple. There has been a contract and, no matter what funny crap a provider makes up in his TOS/AUP, the general legal framework of France and EU are still binding and must not be broken by TOS/AUP or other private stipulations.
Let me guess: You payed in advance. A month min. If so then too bad for online.net because then they are legally bound to provide proof that a (justified and reasonable!) policy had been broken. They don't provide that proof? Sue them to hell and be sure to let the public attorney know about what is assumed to be fraud with criminal intent.
And you providers out there, don't get me wrong. I understand perfectly that there must be rules and you must sort out rotten apples. I, for one, actually am happy about providers keeping their operations clean and criminals out of their network.
But: You can't do that in a wild west way. You can not have just any whosoever clerk bombing some client into nirvana because, uhm, he had an inkling in his guts. Either there is tangible and solid reasons or there isn't. If there is, then tell and proof it to the client - and hit the kill switch. If, however, there isn't then leave the client alone and let him use what he payed for - and slap the employee with the trigger happy fingers.
Is not dropbox using UDP? Online.net said that the attack was against their infrastructure which could mean that the software was used for some UDP amplification attack.
@mikmak Whilst I commend you for coming forward and discussing the case in public, your language is terrible and an excellent demonstration of just how professional (or lack of) you and your team can be at times.
I don't believe the graphs are reversed anymore. Here is mine which is correct.
The response from Online.net below concerns me.
What does this mean? Sounds to me like using too much bandwidth caused the switch to fall over.
I throw more traffic out per day than he did so I doubt its that, and I have never had a ticket about switch abuse.
Got a graph to share?
My peaks are lower to be fair but overall use is up, thats also the development box
@wych,
Let say, 100mbps is equal to 30TB. Your server only usage 1.74TB x 4 = 7TB/month (equal to 25mbps). It's not huge bandwidth usage.
Its the development box with the least usage...
~Image now removed due to DDoS against my blog.
An "attack on our network infrastructure" can be proven.
Have online.net prove that or sue them to hell.
I had a similar situation with another dedicated provider that advertises here. They were kind enough to send all sorts of "proof". Problem was that I was supposedly attacking one of my own VPSes, which was run by Dan from nodewatch. So I asked Dan if he showed the attack on his end. He did not, which did not make any difference to the provider in question. It was understandable to me that any DC will be more concerned with their network integrity then any one customer.
Best to just move on.
graph shows a mean of 50k pps,
actually it was more but it was burst stuff (graphs only poll every 5 minutes), so more likely a few hundreds of thousands per second every minute for a few seconds (20 seconds something like that) which could not be seen easily on graphs at first hand but we have other internal tools to debug that which give the IP/mac addresses involved)
"out" means coming out of the server (in/out was inverted a few months back because customers did not understood it was the switch point-of-view, so now it's server's view
understand we don't kick out customers for pleasure (of course ...), we all have better things to do in our daily life,
but those affecting the service for thousands of other customers we don't question it a second, we accept to loose one "suspicious" server in the favor of the other thousands around it
Cheers,
Mik
@bsdguy did you miss the graphs?
50k pps isn't anything too spectacular. With a 1Gb/s port and an assumed MTU of 1500, anything at ~80k pps can be acceptable.
That isn't what I'm seeing from the graph you've posted here.
You can see the graph steps up to ~50k pps and levels off slightly after, indicating sustained usage at ~50k pps.
I guess he's saying it went higher, but within the 5 minutes that it didn't poll, hence why it isn't showing.
a) No. But they don't say "attack on infrastructure" or "evil attacks". They merely say "packets/s" - which can be anything from a stupid config error going havoc up to an indeed evil attack.
b) I'm not pro client - anti online.net (or vice versa).
My point is: You can't just kill a clients payed service without good reason and proof.
If that client did indeed run an attack, then online.net was right to terminate his server but then they should also be able to show proof.
Because, you see, what the hell is an "attack on our infrastructure"? That's something that can be pretty well defined and shown.
And, pardon me, but I'm wondering how concerned any provider is about his infrastructure who has no more to offer than a weekly packets/s graph/log/whatever.
A simple request for proof transformed into a 2 pages topic, where Online.Net image gets more and more dirty with inconsistent graphs to backup their customer suspensions.
Something smells fishy inside Online.Net management, because a detailed proof or a simple apology could have solved this days ago. Now this topic attracts a lot of attention, and I am very curious what will be the outcome.