Large HTTP flood - Page 2

Comments

  • Mun Member

    Wow, who did you piss off?

  • RobertClarke Member, Host Rep
    edited March 2013

    "Robert;

    This ticket is notification that your recent order for a new filtered IP has been cancelled, and a refund issued. At this time we are still debating whether to continue your filtered service with us, as the attack last night has caused extensive damage between us and our upstream providers. More information will be given once we have reached a decision.


    Aldryic C'boäs, Frantech Staff
    [Email/MSN] [email protected]
    [IRC] irc.frantech.ca / #frantech

    ** Then later on: **

    Robert;

    We will make our decision once we get the final word back on which IP brought in the attack that will likely get us kicked out of Awknet.


    Aldryic C'boäs, Frantech Staff
    [Email/MSN] [email protected]
    [IRC] irc.frantech.ca / #frantech"

  • Awmusic12635 Member, Host Rep

    @RobertClarke

    So are you saying that is related to this?

    http://www.webhostingtalk.com/showthread.php?t=1248884

  • RobertClarke Member, Host Rep
    edited March 2013

    @FlipHost If they confirm that I was the one taking the attack, then probably.

  • Mun Member

    GJ, kill all our buyvm why don't you >:|

  • Wow. You pissed someone off pretty badly. Apparently someone with a VERY large botnet.

  • @RobertClarke ouch, that doesn't look fun at all :(. If all methods fail, it is going to be a bit costly but take a look at blacklotus or at the minimum, Liquidweb.

  • Francisco Top Host, Host Rep, Veteran

    @Mun said: GJ, kill all our buyvm why don't you >:|

    @Magiobiwan said: Wow. You pissed someone off pretty badly. Apparently someone with a VERY large botnet.

    Far as I know, awk decided to change around some stuff last night because someone got their teeth knocked in. He claims some of it was at a client of ours but I don't know how much of it. As of right now he added no new nulls but he keeps claiming we account for most of his flood traffic.

    I highly question this though because for 8+ hours today I didn't have awknet linked up and was announcing the filtering range out of LV and we applied a handful of nulls, all for pretty simple stuff (< 1Gbit/sec, < 100k pps spoofed syn, etc).

    We're parting ways with them as of this week most likely and going to have to fork 5x more at probably CNServers since they at least answer emails. I like Justin and think he does a great job, but it's a problem when I have to beg/spam his cell to even get a reply about something.

    Francisco

  • Francisco Top Host, Host Rep, Veteran

    FYI.

    For Rob's case I put NGINX + extra sauce in place to help him out. It was chewing through his HTTP flood just fine.

    I'll be honest, I think if cloudflare was feeling 20gbit/sec and saw the huge HTTP flood Rob was getting, they would have put 2 & 2 together.

    There's a guy in #awknet right now that got a < 2M pps ICMP flood that also got nulled so it isn't just us that has seen some oddly placed nullroutes.

    Francisco

  • Mun Member

    I would love to know what the "extra sauce" is as I would love to make my server less prone to a full DDOS attack. PM me if you need.

    :D please and thank you.

  • KuJoe Member, Host Rep

    Wait so Awknet is kicking BuyVM out because of a 20Gbps attack? All I have to say is Welcome to Portland!

  • Mun Member

    That's what I was thinking, but I have always wanted the know-how on how to stop an attack in case it ever came.

  • Mun Member

    @KuJoe said: Wait so Awknet is kicking BuyVM out because of a 20Gbps attack? All I have to say is Welcome to Portland!

    Where was this?

  • KuJoe Member, Host Rep

    @Mun said: Where was this?

    That was our main website. There was a little packet loss during the 30Gbps part but it stayed online for the most part. I did request a nullroute after an hour so the alerts would stop generating since it wasn't on our money making websites.

  • Francisco Top Host, Host Rep, Veteran

    @KuJoe said: Wait so Awknet is kicking BuyVM out because of a 20Gbps attack?

    Not kicking, we're just needing to find someone who is willing to actually talk to us when we need to handle things.

    We don't market 20gbit of protection anywhere, even the times we mention 10gbit/sec we mention it's burst only and anything sustained will end up with you getting a refund and an escort to the door.

    The problem is Justin can take multiple months to reply to things. In fact, I got an ACL ticket that's been sitting for 3 months now that's still not handled. I've resorted to just doing local box ACL's and hoping that Justin's standard queues handle anything big.

    It's a known, big, issue when working with him alas. If you have deep pockets to spend with him he'll do things, no sweat, but if I'm spending $3000/m like he wants, I'd just go give it to the CN guys and get myself 10gbit+ of protection as well as pretty quick support.

    We've been talking/working with CN for about 2 weeks now just getting the kinks of what we want done out of the system. We're the first client to have a full BGP session with them and are hosting our own GRE, that way we have room to apply whatever additional filters we need.

    It's annoying but we've had issues since more or less the first week we signed up.

    TL;DR - UDP? Awknet is awesome. TCP? Better learn iptables and fast.

    Francisco

  • KuJoe Member, Host Rep

    @Francisco said: 10gbit+

    Want to go 50/50 on a cabinet with them? $7500/month for 10Gbps. ;)

  • Francisco Top Host, Host Rep, Veteran

    @KuJoe said: Want to go 50/50 on a cabinet with them? $7500/month for 10Gbps. ;)

    If I ever got into trying to offer 10gbit/sec sustained I'd likely just get a drop in FH and do it myself ;p

    Our own pricing is going up 5x from awk->CN but that's mostly because we're buying a fair bit of sustained protection "just in case". Customer pricing won't go up at all since even at a 5x bump we're still making a very healthy profit on the IP's alone.

    Francisco

  • Mun Member

    I want that type of bandwidth :(

    but I will never use it :D

  • @KuJoe said: Want to go 50/50 on a cabinet with them? $7500/month for 10Gbps. ;)

    There's only 20A. I've been considering Black Lotus instead who's dropped Cogent. Their new DC in Wilshire Annex has lots of power available.

  • RobertClarke Member, Host Rep

    Big thanks to @Francisco for helping migrate the DDOS attacks today, been taking spoofed SYN all night, and he's been fantastic at helping migrate.

  • RobertClarke Member, Host Rep

    @Voss I thought about dropping CraftStats onto @Kujoe's thing, but I'm not sure he would have appreciated it lol.

  • Nick_A Member, Top Host, Host Rep

    @RobertClarke - "mitigate" not "migrate". Unless you are moving DDoS across the Internet.

  • Francisco Top Host, Host Rep, Veteran

    @Nick_A said: @RobertClarke - "mitigate" not "migrate". Unless you are moving DDoS across the Internet.

    Move to an EU filtering place and it'll migrate :D

    Anyways, you're welcome. He isn't getting much SYN/UDP, it's the webserver smashing that's causing the real headaches. The UDP/SYN end are only a couple gigs at best whereas the constant webserver slamming is more like 50k pps.

    It's taken a lot of tuning but I got it pretty good so far.

    Francisco

  • @Francisco usually upstream providers have special BGP sessions where you can send them ip's to null at their edges. IE anything added to community 666 is sent to your upstreams to null. Cogent, L3, Verizon are a few that do this.

  • Francisco Top Host, Host Rep, Veteran

    @FRCorey said: @Francisco usually upstream providers have special BGP sessions where you can send them ip's to null at their edges. IE anything added to community 666 is sent to your upstreams to null. Cogent, L3, Verizon are a few that do this.

    Right, to null your own IP. That's how ponynull works, it uses BGP to send the info.

    They aren't going to let you null random source ip's like that.

    Francisco
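
Added example, not part of any post in the thread: a sketch of the import-policy check an upstream applies to blackhole-tagged BGP routes, showing why a customer can null a destination in their own space but not an attacker's source IP. The community value (RFC 7999 BLACKHOLE, 65535:666), the host-route-only rule and the customer prefixes are assumptions; real upstreams publish their own community and limits.

```python
import ipaddress

# Assumption: RFC 7999 well-known BLACKHOLE community. Many upstreams use
# <their-ASN>:666 instead; check the provider's documentation.
BLACKHOLE = (65535, 666)

# Constructed sample: prefixes this customer is authorised to originate
# (documentation address ranges, not real allocations).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]


def evaluate_blackhole(route, communities, customer_prefixes=CUSTOMER_PREFIXES):
    """Return (accepted, reason) the way an upstream's import filter would."""
    if BLACKHOLE not in communities:
        return False, "no blackhole community: treated as a normal route"
    try:
        net = ipaddress.ip_network(route, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    # Assumption: only host routes are accepted, so a typo cannot null a subnet.
    host_len = 32 if net.version == 4 else 128
    if net.prefixlen != host_len:
        return False, f"only /{host_len} host routes may be blackholed"
    # The route must fall inside space the customer already announces.
    for allowed in customer_prefixes:
        if net.version == allowed.version and net.subnet_of(allowed):
            return True, f"null-route {net} at the edge (inside {allowed})"
    return False, f"{net} is not inside the customer's own address space"


if __name__ == "__main__":
    for route in ("198.51.100.7/32",    # victim IP in own space: accepted
                  "203.0.113.9/32",     # someone else's (source) IP: rejected
                  "198.51.100.0/24"):   # whole subnet: rejected
        print(route, evaluate_blackhole(route, [BLACKHOLE]))
```
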
