
Nodedeploy ddos for the last couple of hours?

krs360 Member
edited January 2013 in General

@PhilND - Read on twitter with some issues last night the VPS I rent has now died, status page isn't loading and website is on and - similar issues to last night?


Comments

  • Is it LA?

  • Yep. Still having issues, 1.2M PPS on the webserver -> 1.2M PPS on the UK Node... you know right when new hosts enter the uk market ;)

    Phil

  • Sorry meant to say UK - London.

    All good, just wasn't sure what was going on.. was attempting to backup my VPS.

    @PhilND I thought I left DDOS when I stopped using the msn irc servers... guessing not! Must get right on your ....

    Ben.

  • jarjar Patron Provider, Top Host, Veteran

    @PhilND said: you know right when new hosts enter the uk market ;)

    Makes me sick. You know, I used to work for a local business where I had a monthly task of calling all of the competitors in the area and checking their prices and stock so that I could keep a list on hand to send clients to when we didn't have something. Competition can be friendly, and it should.

  • @Jarland Indeed! I don't want to point any fingers but.. we've had no issues for 3-4 months with the UK node except when it launched and AFAIK some people had some pretty sore mouths about UK services.

    We've also certainly had no DDOS attacks against our webserver since we started. We're pretty much being pounded right now applying nullroutes as fast as we can, but this is a complex attack shifting to different IPs in our range at any time.

    @krs360 Indeed, we try to shift away from attracting that kind of clientele, this attack is just out of pure spite against us.

  • There is definitely something fishy in the air, too many providers getting pounded within the last year. Especially the UK / Europe ones.

  • BradND Member
    edited January 2013

    Indeed, not sure if there is some Aura about hosting in the UK or someone is trying to dominate the market...

    But if you take a look at this offer from November (the launch of our UK location - http://www.lowendbox.com/blog/node-deploy-3-50month-1024mb-openvz-vps-in-phoenixgermany-2048mb-in-6-95-germanyuk/#comments) we had a similar attack on both our webserver and location.

    And this month as two new providers (re)enter the market, we receive a ddos attack the same as before, now they may be commonplace in the industry, but never on a scale like this or as targeted.

    @Patrick @AnthonySmith @Jacob any of you guys experienced anything like this in your UK location?

  • Yeah, the problem is the rotation of IP Addresses, the filter or system needs time to adjust so the attacker always gains 1-10 Minutes of downtime, It's happened all night but customers are receiving notifications from our monitoring system so know the specific times it's going down / packetloss.

  • @Jacob - can acl's be built on the type of traffic (ie udp, specific dst port etc?) curious if this attack profile is always the same-

  • @PhilND Hope no issue with your DC, like other host before where DC sent them packing home

  • @jcaleb said: @PhilND Hope no issue with your DC, like other host before where DC sent them packing home

    Agreed .... having just moved all my services across !

  • Jacob Member
    edited January 2013

    Having been the weekend the standard filtering passed us through, we'll ask the datacenter to filter against these attacks today, It's Spoofed DNS Amp UDP/SYN, I've had IPs from Germany, Netherlands, and Italy.

    I'll get this cleared up today.

    @unused said: @Jacob - can acl's be built on the type of traffic (ie udp, specific dst port etc?) curious if this attack profile is always the same-

  • @nikc we have filtering in place to resolve them. Do not worry :)

    @jcaleb thanks we hope whatever issues these people have resolve themselves in due course.

  • jarjar Patron Provider, Top Host, Veteran

    Log every IP you can. Perhaps I'm just optimistic, but you can only hop so many times. Trace it as far as you can and treat that IP owner like the criminal until they give you what you need or show proof that they've passed on harsh abuse reports. Stop at nothing, make them fear you ;)

  • You can't track IPs as it's all spoofed in most cases.

  • jarjar Patron Provider, Top Host, Veteran
    edited January 2013

    @Jack Surely the system connected has logs. Maybe I'm naive but it seems like I hear a lot about attacks and a lot less about hunting them like dogs. I don't stop until the harassment lawsuit ;)

    Then again these attacks aren't my expertise. Not looking forward to changing that.

  • @Jarland If only it were that easy, it's 100% spoofed. There is literally no way to trace the host.

  • jarjar Patron Provider, Top Host, Veteran
    edited January 2013

    Not even with the router while it's happening? It still has to originate from a legitimate source with a public IP. Sorry if I sound like a newbie here, just learning a little about something that I've not yet dealt with ;)

  • @Jarland Perhaps with deep packet inspection it's possible to determine the source, unfortunately neither we nor the DC have that kind of equipment not to mention the whole can of legal bs it opens.

    These sort of dns amp attacks send a request to a large amount of dns servers, who then query your server 100x times. It's a pretty nasty attack
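Added example, not part of the thread and not any participant's or provider's tooling: a traffic-profile check of the kind asked about above, matching UDP arriving from source port 53 and counting it over the whole destination prefix, so traffic that rotates between addresses in the range is still measured as one event. The flow-record layout, thresholds, function name and addresses are assumptions constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the thread), documentation address ranges:
# (epoch_second, src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    (5,   "198.51.100.7", 53,  "203.0.113.10", 41000, "udp", 40000, 56_000_000),
    (20,  "198.51.100.9", 53,  "203.0.113.10", 41001, "udp", 50000, 70_000_000),
    (70,  "198.51.100.7", 53,  "203.0.113.11", 41002, "udp", 60000, 84_000_000),
    (95,  "192.0.2.33",   53,  "203.0.113.12", 41003, "udp", 30000, 42_000_000),
    (75,  "192.0.2.80",   443, "203.0.113.11", 50000, "tcp", 20000, 20_000_000),
    (130, "192.0.2.53",   53,  "203.0.113.10", 53123, "udp", 4,     400),
]

def dns_reflection_windows(flows, prefix, window=60, pps_limit=1000, min_avg_size=512):
    """Return windows where UDP source-port-53 traffic into `prefix` looks like
    reflected DNS: high packet rate and large average packet size."""
    net = ipaddress.ip_network(prefix)
    buckets = defaultdict(lambda: {"pkts": 0, "bytes": 0, "src": set(), "dst": set()})
    for ts, src, sport, dst, _dport, proto, pkts, size in flows:
        # Match on protocol and source port: the source addresses seen at the
        # target are the reflecting DNS servers, so they are counted, not keyed on.
        if proto != "udp" or sport != 53:
            continue
        if ipaddress.ip_address(dst) not in net:
            continue
        b = buckets[ts // window]
        b["pkts"] += pkts
        b["bytes"] += size
        b["src"].add(src)
        b["dst"].add(dst)
    alerts = []
    for idx in sorted(buckets):
        b = buckets[idx]
        pps, avg = b["pkts"] / window, b["bytes"] / b["pkts"]
        if pps >= pps_limit and avg >= min_avg_size:
            alerts.append({"window_start": idx * window, "pps": pps, "avg_size": avg,
                           "reflectors": len(b["src"]), "targets": sorted(b["dst"])})
    return alerts

if __name__ == "__main__":
    for alert in dns_reflection_windows(FLOWS, "203.0.113.0/24"):
        print(alert)
    # Keyed on a single address, the rotated traffic stays under the limit.
    print(dns_reflection_windows(FLOWS, "203.0.113.12/32"))
```

In the constructed data the second window is split across two addresses; the prefix-wide count still crosses the limit, while a per-address count for 203.0.113.12 does not.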

  • jarjar Patron Provider, Top Host, Veteran

    Guess I better get to reading ;)

  • @jarland said: It still has to originate from a legitimate source with a public IP.

    Well it kind of doesn't have to, that's the point of spoofed IPs. Perhaps some big upstream provider could trace it back, but not the DC or the hoster.

  • @gsrdgrdghd they would only trace it back to Ecatel, and Ecatel doesn't give a f*ck about being a source for spoofed packets.

  • jarjar Patron Provider, Top Host, Veteran

    @rds100 said: they would only trace it back to Ecatel, and Ecatel doesn't give a f*ck about being a source for spoofed packets.

    About $1000-$1500 round trip. A few of us chip in, they'll be the ones filing an abuse report on us ;)

  • shovenose Member, Host Rep

    why don't we just ddos them back so they notice something is wrong?
    Jk jk

  • Did they start it again ?

  • @shovenose said: why don't we just ddos them back so they notice something is wrong?

    Because Ecatel just automatically ACLs UDP out and has no issues with getting DDoSd...

  • Negative,

    We're testing a few things out with the dc ATM, arp cache is doing a bit of tit ATM.

  • @PhilND Hello.. I am at work at the minute, as I know you're about I was going to ask if you could possibly post the link to the vps control panel - or pm it to me.. cannot get access to the email which I've stored it in at the minute. Secondly is there some sort of backup config within the control panel (I've already rsyncd the server, is this the best option?)

    Thanks.

  • Patrick Member
    edited January 2013

    It's a shame competitors or sad kids have to involve illegal activity to grow their e-balls, we're also receiving small to large ddos attacks at random times and currently peaking 400mb/s incoming attack specifically in the UK which is not that big and isn't affecting the node itself but isn't pleasant.

  • @Patrick ..yep really sad. just had a discussion at work about it then. I guess I've been out of the hosting/online service world for a while really..reminds me of the idiots that used to plague the msn irc servers and fight over control of channel(s) #england and alike.

    Even if I had the knowledge to I wouldn't even consider entering into the market.. would be such a headache assuming it comes from all angles. DC getting angry, stopping the attack, dealing with customer complaints, etc.
