DDoS Attack 20/02/14

tomp · Feb 20, 2014, 21:30:45

Hi,

I've been advised by Simon to post here.

I have multiple connections (through various offices) with IDNet (FTTC, ADSL and leased line fiber), at approx 20:09 tonight I saw packet loss alerts for FTTC and ADSL connections in Surrey and a fiber connection in Brighton.

The packet loss lasted until 20:25 approx. Now all seems fine.

I wondered if this might be related to the recent DDOS attacks caused by DERP Trolling that have been causing me headaches at RapidSwitch data center in the UK, and Linode's Dallas and Newark DCs too.

This February has been the worst month for DDOS that I can remember.

http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/

Simon · Feb 20, 2014, 21:38:37

Thanks, Tomp. Just wanted to keep it all together.

tomp · Feb 20, 2014, 21:40:28

Just had confirmation from IDNet support (from Simon) that it was a DDOS to one of their customers.

Thanks Simon for the update.

I know that RapidSwitch have been hit by DDOS exceeding 50Gbps, what sort of uplink speeds does IDnet have to say, LINX?

JohnH · Feb 20, 2014, 21:42:48

Portal is also unavailable atm

Bill · Feb 20, 2014, 21:46:29

From the Status page:

QuoteOne of our customers, a large downstream hosting network, was the target of a DDoS attack this evening. We have blackholed the traffic to protect them but while the traffic flood was in progress it adversely affected our network for a while also.

Posted: 2014-02-20 21:30:45 Updated: 2014-02-20 21:30:45

Doesn't explain the loss of email, maybe that got caught in the cross-fire.

Simon · Feb 20, 2014, 21:50:25

It's not going well at the moment, is it?

tomp · Feb 20, 2014, 21:51:46

I hope you've all firewall your NTP servers so you're not part of the problem

Bill · Feb 20, 2014, 21:53:40

Well, it's better than watching the Olympics

Bill · Feb 20, 2014, 21:57:15

Quote from: tomp on Feb 20, 2014, 21:51:46
I hope you've all firewall your NTP servers so you're not part of the problem

My ntp server is firewalled on IPv4 but not on IPv6... and as I only got a big hit on the IPv6 BQM, you've got me worried!

tomp · Feb 20, 2014, 22:02:13

Probably not related, but good to protect it anyway.

More likely the larger packets of IPv6 were more affected when the packet loss kicked in.

tomp · Feb 20, 2014, 22:03:23

http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack

Bill · Feb 20, 2014, 22:06:30

Quote from: tomp on Feb 20, 2014, 22:02:13
Probably not related, but good to protect it anyway.

I would if I could find a step-by-step idiot's guide how to do it on OS X, I'm not too happy on the CLI... especially when the commands start with sudo

QuoteMore likely the larger packets of IPv6 were more affected when the packet loss kicked in.

Makes sense.

tomp · Feb 20, 2014, 22:37:17

I setup a firewall on my router so I didn't have to worry about individual devices. Does your router have a firewall?

Bill · Feb 20, 2014, 22:47:41

Quote from: tomp on Feb 20, 2014, 22:37:17
I setup a firewall on my router so I didn't have to worry about individual devices. Does your router have a firewall?

Yes, but that only works for IPv4 and incoming port 123 requests are blocked on that.

But with no NAT on IPv6 each device has to sort out its own problems. (edit- as I understand it)

Breaking news- email appears to be up again. No mail yet, but no error messages either!

tomp · Feb 20, 2014, 22:50:30

Thats not strictly accurate.

Yes there is no NAT any more, but your router should provide some sort of firewall so that you can block unsolicited packets inbound - like corporate or data center networks do.

If not, as you say, you've got to worry about every device as its out on the internet directly!

Infact many IPv4 routers support inbound firewalls too - otherwise all your ports would show as "closed" not "filtered".

tomp · Feb 20, 2014, 22:51:21

After all your router is still the central point packets flow through, so it can block packets that are inbound without your internal devices needing a firewall.

Bill · Feb 20, 2014, 22:55:00

Quote from: tomp on Feb 20, 2014, 22:50:30but your router should provide some sort of firewall so that you can block unsolicited packets inbound - like corporate or data center networks do.

They probably use more expensive routers than I do

I'll have a closer look around but I think all it does with IPv6 packets is to squirt them out the appropriate LAN port.

Bill · Feb 20, 2014, 23:08:30

Missed this bit:

Quote from: tomp on Feb 20, 2014, 22:50:30
If not, as you say, you've got to worry about every device as its out on the internet directly!

Well, that's one of the points about IPv6- every device does have its own address direct on the internet! The router doesn't need to be much more than a switch.

QuoteInfact many IPv4 routers support inbound firewalls too - otherwise all your ports would show as "closed" not "filtered".

Yes, it does, by default (nearly) all ports are closed unless I explicitly forward them to a specific device, but as far as I can tell it works on IPv4 only.

Bill · Feb 20, 2014, 23:14:58

Email coming through now, in trickles as the backlog clears I assume.

zappaDPJ · Feb 20, 2014, 23:17:34

So when did this extra bandwidth provision kick in then?

Gary · Feb 20, 2014, 23:24:50

Not all on Craig's are like that though Zap. $:-\$ Tbh i think its getting hard to tell fault from DDoS to congestion now in this thread

Not good.

Simon · Feb 21, 2014, 08:34:40

This topic has been split from the packet loss thread.

Gary · Feb 21, 2014, 08:54:59

Quote from: Simon on Feb 21, 2014, 08:34:40
This topic has been split from the packet loss thread.

Good move, Simon.

Simon_idnet · Feb 21, 2014, 10:48:31

It was a large DDoS attack which measured around 12Gbps at its peak. It was all NTP traffic aimed at a downstream network customer of ours (they host the Rasberry Pi project).

The path of the traffic through our network got in the way of the link between our POP3 server and the Database server that authenticates mail logins, which made them both upset for a while.

Gary · Feb 21, 2014, 11:33:33

Quote from: Simon_idnet on Feb 21, 2014, 10:48:31
It was a large DDoS attack which measured around 12Gbps at its peak. It was all NTP traffic aimed at a downstream network customer of ours (they host the Rasberry Pi project).

The path of the traffic through our network got in the way of the link between our POP3 server and the Database server that authenticates mail logins, which made them both upset for a while.

Thanks for the info, Simon.

Simon · Feb 21, 2014, 11:53:42

Had to happen this week, didn't it!

Has someone at IDNet Towers walked under a ladder recently?

Gary · Feb 21, 2014, 11:59:25

Quote from: Simon on Feb 21, 2014, 11:53:42
Had to happen this week, didn't it! Has someone at IDNet Towers walked under a ladder recently?

Or spilt some salt

Simon · Feb 21, 2014, 12:02:49

... on a black cat...

colirv · Feb 21, 2014, 12:26:12

Interesting that it was Raspberry Pi under attack.

Technical Ben · Feb 21, 2014, 15:55:52

Quote from: colirv on Feb 21, 2014, 12:26:12
Interesting that it was Raspberry Pi under attack.

I tend to attack apple pies and chocolate cake myself!

But warning noted, ~~I'll keep my pie offline for now~~ keep it online, as I'm happy to share that kind of slick of pie.