

Null-routed by DC after ICMP "flood"

The Netfilter/iptables ICMP limiter didn't work as I expected and so it was sending out ICMP replies to a requesting IP address at the rate the ICMP requests were received.

  • The requests came from a single IP (it wasn't spoofed)
  • The "flood" peaked at around 1-2 Mbit/s
  • Answering ICMP requests is standard (Linux) behaviour; I didn't know there was a requirement to limit/lock down ICMP in a software firewall

The DC now null-routed the IP address and wants an explanation. I'm kind of wondering if the DC is being overly sensitive in this case? What do you guys think?

[image: traffic graph from the server]
(This is all Bit/s)
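The thread never shows the limiter rule that failed, so the following is an added example (not the original poster's rules) of the iptables form that commonly does nothing beside a per-source version that works. The IPT variable (set to "echo" for a dry run), the chain name ICMP_ECHO and the rates are assumptions made for the example. Two caveats a practitioner would want: "-m limit" is a single global bucket and, without an explicit DROP after it, excess packets simply fall through to the next rule or the chain policy; and an INPUT rule only ever sees inbound echo requests, which is why an OUTPUT rule is also shown, since, as the poster's own later comment reveals, the traffic in this thread was generated by a local ping.

```shell
#!/bin/sh
# Added example, not code from the thread: per-source ICMP echo-request limit
# with iptables. IPT may be pointed at "echo" to preview the rules (assumption).
set -eu
IPT="${IPT:-iptables}"

# The weak form. "-m limit" keeps ONE bucket for all sources, and because
# nothing drops the excess, packets over the limit continue down the chain
# and are usually accepted anyway. Shown only to contrast with the fix below.
weak_icmp_limit() {
  "$IPT" -A INPUT -p icmp --icmp-type echo-request \
      -m limit --limit 10/second -j ACCEPT
}

# Corrected form: a per-source bucket (hashlimit keyed on srcip), an explicit
# DROP for the excess, and insertion at position 1 so no earlier catch-all
# ACCEPT bypasses it.  $1 = sustained rate per source, $2 = burst size.
per_source_icmp_limit() {
  rate="$1"; burst="$2"
  "$IPT" -N ICMP_ECHO 2>/dev/null || "$IPT" -F ICMP_ECHO
  "$IPT" -A ICMP_ECHO -m hashlimit --hashlimit-name icmp-echo \
      --hashlimit-mode srcip --hashlimit-upto "$rate" --hashlimit-burst "$burst" \
      -j ACCEPT
  "$IPT" -A ICMP_ECHO -j DROP
  "$IPT" -I INPUT 1 -p icmp --icmp-type echo-request -j ICMP_ECHO
  # INPUT never sees locally generated pings; cap those too so a runaway
  # local process cannot flood the uplink with echo requests.
  "$IPT" -I OUTPUT 1 -p icmp --icmp-type echo-request \
      -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
  "$IPT" -I OUTPUT 2 -p icmp --icmp-type echo-request -j DROP
}

# Check: per-rule packet/byte counters show whether the DROP is ever hit.
show_icmp_counters() {
  "$IPT" -L ICMP_ECHO -v -n -x
  "$IPT" -L OUTPUT -v -n -x | grep icmp || true
}

# Usage on a host (needs root): per_source_icmp_limit 10/second 20
# Preview without touching the firewall: IPT=echo per_source_icmp_limit 10/second 20
```

The hashlimit match keeps one token bucket per source address, so a single noisy peer is throttled without affecting everyone else, and the counters printed by show_icmp_counters are the quickest way to confirm the rule is actually matching before the next abuse report.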

Comments

  • It was probably automated and started to see the growth and null routed in anticipation of it getting too large.

    Have you spoken to them about it? What have they said, or is it still in the automated null-route process awaiting a response?

  • Yes, they want some kind of explanation to un-null-route the IP even though the flood isn't ongoing and the last packets were answered more than 14 hours ago.

  • wych Member

    @pechspilz said:
    Yes, they want some kind of explanation to un-null-route the IP even though the flood isn't ongoing and the last packets were answered more than 14 hours ago.

    Explain to them your rate limiting failed and you will make modifications to prevent it from happening again in the future?

  • AnthonySmith Member, Patron Provider

    pechspilz said: The "flood" peaked at around 1-2 Mbit/s

    That is around 3k packets per second though, which, while it should not cause any issues at all, is high enough to trigger an alert in some cases.

    Just let them know you will be fixing your rate limiting and you don't know why you were targeted specifically.

  • If you think a provider is being overly sensitive, time to move on.

    Tell them you cut and pasted some crap you knew nothing about. It's more common with these incidents than you think.

  • AlexBarakov Patron Provider, Veteran

    3k pps seems way too low to trigger an alert for DDoS. Neither should cause any problems on their network.

  • Clouvider Member, Patron Provider

    That shouldn't really cause an issue to the network, so I don't believe null routing was necessary. You normally null route to prevent adverse effect on another Customer or to help Customer to not exceed the bandwidth allowance by an attack.

  • jar Patron Provider, Top Host, Veteran

    Weird. Did you ask them if their monitors saw it differently than what you saw? Because from what you saw, that would be a really odd thing to null route over. That said, they may have seen something your monitor didn't.

  • AnthonySmith Member, Patron Provider

    oh wait that image is from your server?

    It is entirely possible, if you're on a bridged interface, that you're only seeing a very small proportion of the traffic, as the attack may have overwhelmed the bridge interface before even reaching you.

  • Why would the ICMP traffic be growing so linearly? It looks like a small amplification if anything.

    Who was originating the ICMP traffic, was it you or another host? What type of ICMP was this? Who was the target of the ICMP traffic?

  • Maounique Host Rep, Veteran
    edited June 2015

    It does grow too linearly, indeed; however, this shows the attack did not overwhelm the bridge before, otherwise it would have plateaued instead.

    3k pps is far from normal in ICMP's case unless you are a serious router; it is possible the alerts for this trigger way earlier than UDP or TCP ones. After all, we set alerts based on a certain percentage of acceptable usage. If you go well above that, the DC has the right to ask for an explanation, even if no neighbour suffers; there might be other things going on, including hacking which the customer may not know about at all.

  • pechspilz Member
    edited June 2015

    It was just a botched cron job:

    # /etc/crontab format: every minute, start a ping with no -c/-w, which never exits, so one more ping accumulates each minute
    * * * * * root ping 4.2.2.1 > /dev/null 2>&1

  • pechspilz said: * * * * * root ping 4.2.2.1 > /dev/null 2>&1

    That would explain the linear growth.
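As an added example (not code from the thread), here is how the cron job above produces a linear ramp and how to catch it: each minute cron starts a ping that never terminates, so after N minutes N pings run side by side, each sending one echo request per second and receiving one reply, which is N packets per second in each direction and grows by one every minute. The ping_pileup function below reads "ps -eo etimes,args" style lines from stdin and reports how many pings are running and how old the oldest is; the listing fed to it is constructed for the example, and the lock file path and the -c/-W values in the corrected job lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: detect a ping pile-up caused by a
# never-exiting cron job, and the corrected job definitions.
set -eu

# Count running ping processes and the age (seconds) of the oldest one from
# "ps -eo etimes,args" output on stdin. Prints "<count> <oldest_seconds>".
# The header line ("ELAPSED COMMAND") does not match and is ignored.
ping_pileup() {
  awk '$2 == "ping" || $2 ~ /\/ping$/ { n++; if ($1 + 0 > max + 0) max = $1 }
       END { printf "%d %d\n", n + 0, max + 0 }'
}

# Live check on the host (assumes procps "ps" with the etimes column).
live_ping_pileup() {
  ps -eo etimes,args | ping_pileup
}

# Constructed sample listing, as an hour-old job would look: three pings of
# increasing age, one started 15 s ago, plus unrelated processes.
SAMPLE_PS='ELAPSED COMMAND
  3660 /usr/sbin/cron
  3615 ping 4.2.2.1
  3555 ping 4.2.2.1
    15 ping 4.2.2.1
    40 sshd: root@pts/0'

pileup_from_sample() {
  printf '%s\n' "$SAMPLE_PS" | ping_pileup
}

# Corrected job, same /etc/crontab column layout as the original line:
# -c 1 sends a single request and -W 2 bounds the wait for the reply, so the
# process always exits within about two seconds instead of living forever.
FIXED_JOB='* * * * * root ping -c 1 -W 2 4.2.2.1 > /dev/null 2>&1'

# Belt and braces: flock -n refuses to start a second copy while one still
# holds the lock, so even a hung ping cannot accumulate (lock path assumed).
FIXED_JOB_LOCKED='* * * * * root flock -n /run/ping4221.lock ping -c 1 -W 2 4.2.2.1 > /dev/null 2>&1'

# Remediation on the affected host: stop the accumulated pings, then replace
# the crontab line with one of the fixed forms before the next minute tick.
stop_pileup() {
  pkill -x ping || true
}

# Usage: live_ping_pileup          (e.g. prints "3012 180720" on a box that has
#        been running the broken job for about two days)
#        pileup_from_sample        prints "3 3615" for the constructed listing
```

The key signal is not the packet rate but the process count: a growing number of identical long-lived pings, each exactly one minute older than the next, is the fingerprint of a per-minute cron job whose command never returns, and the same check catches any other periodic job that overlaps itself.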
