Nodedeploy ddos for the last couple of hours? - Page 4

Comments

  • And 5 or 10x 10ge :D

  • @Zen Nah they reply to nullroute requests in around 10 minutes. They're fast and offer 24/7 phone support and ticket, we've used them a lot over the last few days and they've already replied pretty fast.

    @KuJoe They're experiencing downtime because they're starting at .2 and cycling all the way through the subnet, which means we pretty much nullrouted everyone at one point, once we remove them they start the entire process over again.

  • jarjar Patron Provider, Top Host, Veteran

    Someone tell me if I'm just being naive here, but I keep reading that it has to mostly originate from one particular datacenter that doesn't care. Is the fact that they don't care stopping people from trying to implicate them in these events? One would think that after enough complaints to upstream providers and law enforcement, eventually, something has to happen. Even if it takes years, it's better than just blowing it off.

  • BradND Member
    edited January 2013

    @Jarland Ecatel have had upstreams pulled in the past.. undoubtedly they will have it pulled again. The thing is these attacks we're receiving are literally impossible to trace when you have a large network to administrate (for the datacenter this is), they probably transmit a few mbit to the DNS servers but the output is in the gigabit range (for the victim). There are other datacenters who also have spoofing issues such as netrouting so I doubt they are the only ones.

  • If you also get attacked after changing IP blocks the attacker probably has one or multiple VPSs with you.

  • @Zen
    "This appears to be something that RapidSwitch is offering as an option - though like you said, it won't make any difference. It will only make the amount of effort the 'attackers' go through to get your IP's a little harder."

    They will know the new IPs as soon as StormVZ switch... it's not rocket science. So, surely all this achieves is a lot of extra effort and extra downtime for VPS customers?

  • Attacks happen, to everyone.. ignoring it usually works unless the attacker is seriously annoyed at something.

  • I know the guys are working hard to resolve.

    Just very frustrating and the comms hasn't been great. If an event like this was happening in my corporate environment it would be a priority 1 case with updates going out to customers every hour.

  • @nikc
    I think your customers will be frustrated because you do not update every 30 minutes.

  • @cause
    They contact me every 15 ....

  • Have to agree, that contact has been pretty non-existent which is disappointing given the normal excellent service. I've had two emails today, but other than that very little.

    If I'd seen this thread a few days ago / they had emailed all customers a few days ago it would have given us a chance to ensure we had backup services in place.

    I'm sure they have been swamped with resolving the issues and getting lots of tickets about it, but if they had emailed then it may have helped.

  • PhilND Member
    edited January 2013

    There are reasons for us cutting contact on twitter that I cannot divulge. I haven't stopped receiving an almost endless stream of phone calls as well as tickets. You have to remember that with over 850 active servers it doesn't take away our daily duties with managed and other clients either. I can assure you that every ticket has been looked at and the answer is the same for all of them.

    We will have a full rfo issued as well as a personal response from someone to all active and in progress tickets. Compensation will also be issued as well as some extras. Feel free to email me any time phil@

    Thanks.

  • Thanks for the update @PhilND

  • krs360 Member
    edited January 2013

    Meh, idiots that ddos love seeing the effects and hassle/frustration it causes so constant updates may not help the situation.. as mentioned somewhere, I've had friends with game servers who've been ddossed and ultimately not feeding them attention stopped the attacks..

  • @PhilND said: Compensation will also be issued as well as some extras.

    Looking forward to seeing what this is .... what's the ETA for it? Been over a month now with no word .....

  • AnthonySmith Member, Patron Provider

    The ignoring them method sadly works more often than not.

    When you start blocking and fighting back it becomes more of a game and a challenge for them I guess.

    With Xen and KVM in a bridged set up it can affect everyone on the node, I usually take the interface off the bridge when I find the target and if it continues for much longer or switches IPs I request that the DC gets involved.

  • @gsrdgrdghd they would only trace it back to Ecatel, and Ecatel doesn't give a f*ck about being a source for spoofed packets.

    That's simple, if everyone started blocking Ecatel their service would be unusable and legitimate users would notice and complain.

  • If I were a provider, I'd start amassing IPs doing the malicious stuff and group them by country and provider.

    When/if any country / provider becomes a repetitive problem, start the bulk ban hammer.

  • @pubcrawler good idea, but then when some of your customers call complaining that their favourite porn site doesn't work with your service and works with the competitor's service - what do you tell them?

  • I think blocking is fine, even if for a time out (ala null routing --- in reverse). Null the attackers or geography, not the victims.

    Making the block info public to customers and ideally aggregating it for mass use elsewhere would put an end to DDoS finally.

  • No reason you couldn't in theory intercept outbound traffic from customers and when/if going to some place blocked notify them of such as a returned page in case of HTTP traffic.

  • Oh boy.. this thread again.

    Luckily we got it all solved by pestering rapidswitch to get some ACLs in place :-)

    @Nikc would you mind dropping us a ticket and we'll sort it out for ya!

  • KuJoe Member, Host Rep
    edited February 2013

    @pubcrawler said: I think blocking is fine, even if for a time out

    We've been doing this for Limelight Networks. We had to weigh out which was more important for our clients, getting timeouts when visiting Hulu/Amazon/Netflix or passing on the costs of a 900Mbps DDOS attack. So far only a few clients have experienced issues with this and since implemented we've had 0 bandwidth overages. :)

  • :) Thanks to @KuJoe for being forthcoming and honest.

    Bet more providers are doing this out of necessity.

    Have to ask @KuJoe, but this is for the non-DDoS protected clients only, right?

    What's interesting about a block model where users complain is essentially you are saying, that end point is blocked due to issues. If you must reach that endpoint, then you have to buy our premium network with DDoS filtering. An upsell that makes sense to everyone. Never mind current latency perhaps with the remote DDoS service in @KuJoe's case.

  • KuJoe Member, Host Rep
    edited February 2013

    @pubcrawler said: Have to ask @KuJoe, but this is for the non-DDoS protected clients only, right?

    Nope, it's for everybody in our Tampa location (and once we get a router set up in Denver we'll start doing it there also if the floods start there). We just set up a simple static route for the specific IP. I'm sure if I wanted to use iptables or something I could get more granular but in this case, with LLN giving us and our DC the finger, I just start blocking IPs that cause floods for a few weeks. We don't block their whole network so people can still use their services, but it looks like a handful of their CDN servers are impacted by the FreeBSD bug so we are blocking those IPs only.
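
Added example, not part of KuJoe's post or any provider's tooling: a sketch of the approach described above, with time-limited null routes for individual flooding IPs rather than a whole network. The three-week duration, the 100 Mbps threshold, the sample addresses and every name in the code are assumptions; it only returns the `ip route` commands an operator would review and run.

```python
import ipaddress
from datetime import datetime, timedelta

BLOCK_FOR = timedelta(weeks=3)  # assumption: the post only says "a few weeks"
FLOOD_MBPS = 100                # assumption: hypothetical per-source flood threshold

class NullRoutes:
    """Time-limited blackhole routes for single hosts, never whole networks."""

    def __init__(self):
        self.expires = {}  # ip_network -> datetime when the route is removed

    @staticmethod
    def _cmd(action, net):
        family = "-6 " if net.version == 6 else ""
        return f"ip {family}route {action} blackhole {net}"

    def block(self, source, now):
        """Return the command to run, or None if the host is already blocked."""
        net = ipaddress.ip_network(source)  # raises ValueError on bad input
        if net.prefixlen != net.max_prefixlen:
            raise ValueError(f"{net}: only single hosts may be null routed")
        already = net in self.expires
        self.expires[net] = now + BLOCK_FOR  # a repeat flood restarts the timer
        return None if already else self._cmd("add", net)

    def expire(self, now):
        """Return removal commands for every block whose time is up."""
        done = sorted((n for n, t in self.expires.items() if t <= now), key=str)
        for net in done:
            del self.expires[net]
        return [self._cmd("del", net) for net in done]

def plan(samples, routes, now):
    """samples: (source, Mbps) pairs from flow monitoring; returns commands."""
    cmds = routes.expire(now)  # lift old blocks before adding new ones
    for source, mbps in samples:
        if mbps >= FLOOD_MBPS and (cmd := routes.block(source, now)):
            cmds.append(cmd)
    return cmds

# Constructed sample data (documentation address range), not from the thread.
SAMPLES = [("198.51.100.7", 900), ("198.51.100.8", 3), ("198.51.100.7", 450)]

if __name__ == "__main__":
    table, t0 = NullRoutes(), datetime(2013, 2, 1)
    print(plan(SAMPLES, table, t0), plan([], table, t0 + BLOCK_FOR))
```

Refusing anything wider than a single host keeps the list in line with the post's point that the rest of the provider's network stays reachable.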

  • Just to be clear, the ddos hasn't been going on for over a month, that was dealt with.

    Just waiting for the comment on it and compensation + extras that was mentioned.

  • Ugh I raised this thread ages ago..

    The attacks didn't persist for long but at the time I was a new customer to nd. Container now has 30 days uptime.

  • Maounique Host Rep, Veteran

    @krs360 said: Container now has 30 days uptime.

    That should not be DDoS related. Containers can be up but unreachable due to network problems, including DDoS. So, if the network fails, the container will continue to run and report uptime accordingly.

  • krs360 Member
    edited February 2013

    On the day the node was taken off-line by ND, I was logged into my VPS when it got the signal. They also changed the subnet shortly after and that was the last downtime I had with them...
    The uptime comment was just in general to point out there had been no issues with the stability of the service. I didn't realise I would get picked up on a technicality, I didn't write in great detail as the post was written through my phone..
