DDoS Attack 20/02/14

Started by tomp, Feb 20, 2014, 21:30:45


tomp

Hi,

I've been advised by Simon to post here.

I have multiple connections (through various offices) with IDNet (FTTC, ADSL and leased line fiber), at approx 20:09 tonight I saw packet loss alerts for FTTC and ADSL connections in Surrey and a fiber connection in Brighton.

The packet loss lasted until 20:25 approx. Now all seems fine.

I wondered if this might be related to the recent DDOS attacks caused by DERP Trolling that have been causing me headaches at RapidSwitch data center in the UK, and Linode's Dallas and Newark DCs too.

This February has been the worst month for DDOS that I can remember.

http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/

Simon

Thanks, Tomp.  Just wanted to keep it all together.  :)
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

tomp

Just had confirmation from IDNet support (from Simon) that it was a DDOS to one of their customers.

Thanks Simon for the update.

I know that RapidSwitch have been hit by DDOS exceeding 50Gbps, what sort of uplink speeds does IDnet have to say, LINX?

JohnH

Portal is also unavailable atm

Bill

From the Status page:

Quote
One of our customers, a large downstream hosting network, was the target of a DDoS attack this evening. We have blackholed the traffic to protect them but while the traffic flood was in progress it adversely affected our network for a while also.


Posted: 2014-02-20 21:30:45 Updated: 2014-02-20 21:30:45

Doesn't explain the loss of email, maybe that got caught in the cross-fire.
Bill
BQMs-  IPv4  IPv6

Simon

It's not going well at the moment, is it?  :sigh:
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

tomp

I hope you've all firewalled your NTP servers so you're not part of the problem :)

Bill

Well, it's better than watching the Olympics :evil:
Bill

Bill

Quote from: tomp on Feb 20, 2014, 21:51:46
I hope you've all firewalled your NTP servers so you're not part of the problem :)

My ntp server is firewalled on IPv4 but not on IPv6... and as I only got a big hit on the IPv6 BQM, you've got me worried!
Bill

tomp

Probably not related, but good to protect it anyway.

More likely the larger packets of IPv6 were more affected when the packet loss kicked in.
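One way to answer the "am I part of the problem?" question from a capture of your own server's UDP/123 traffic, as an added example that is not part of this thread: it classifies each NTP payload by version and mode, flags the "private" mode-7 packets that the amplification attacks abuse, and estimates the bytes-out to bytes-in ratio per peer. The addresses and packets are constructed, not captured.

```python
"""Audit NTP (UDP/123) traffic for private-mode queries and amplification.
Added example; the sample packets below are constructed, not real captures."""
from collections import defaultdict


def parse_ntp(payload):
    """Return (version, mode, is_response) from an NTP payload.
    Modes 0-6 start with LI(2)|VN(3)|MODE(3); mode 7 uses R(1)|M(1)|VN(3)|MODE(3),
    so the version and mode bits sit in the same place for every mode."""
    if not payload:
        raise ValueError("empty NTP payload")
    first = payload[0]
    mode = first & 0x07
    version = (first >> 3) & 0x07
    if mode == 7:
        is_response = bool(first & 0x80)                    # R bit of mode 7
    elif mode == 6:
        is_response = len(payload) > 1 and bool(payload[1] & 0x80)  # control R bit
    else:
        is_response = mode in (4, 5)                        # server / broadcast
    return version, mode, is_response


def audit(packets, my_server, ratio_limit=10.0):
    """packets: iterable of (src, dst, payload). Returns a list of findings:
    every mode-7 packet, plus any peer for which my_server sent more than
    ratio_limit times the bytes it received (a sign it is amplifying)."""
    findings = []
    traffic = defaultdict(lambda: [0, 0])       # peer -> [bytes_in, bytes_out]
    for src, dst, payload in packets:
        _version, mode, is_response = parse_ntp(payload)
        if mode == 7:
            kind = "reply" if is_response else "query"
            findings.append(f"mode-7 {kind} {src}->{dst}")
        if dst == my_server:
            traffic[src][0] += len(payload)
        elif src == my_server:
            traffic[dst][1] += len(payload)
    for peer, (b_in, b_out) in traffic.items():
        if b_in and b_out / b_in > ratio_limit:
            findings.append(f"amplification {b_out / b_in:.0f}x towards {peer}")
    return findings


# Constructed sample, seen from the server: a normal v4 client exchange, then a
# short mode-7 query with a spoofed source and the oversized reply it triggers.
SERVER, CLIENT, VICTIM = "2001:db8::123", "2001:db8::10", "198.51.100.7"
SAMPLE = [
    (CLIENT, SERVER, bytes([0x23]) + bytes(47)),   # v4 client request, 48 bytes
    (SERVER, CLIENT, bytes([0x24]) + bytes(47)),   # v4 server reply, 48 bytes
    (VICTIM, SERVER, bytes([0x17]) + bytes(7)),    # v2 mode-7 query, 8 bytes
    (SERVER, VICTIM, bytes([0x97]) + bytes(439)),  # mode-7 reply, 440 bytes
]
```

Running `audit(SAMPLE, SERVER)` reports both mode-7 packets and a 55x amplification towards the spoofed address; on a real capture the same flags point at the restrict or firewall rule you still need.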


Bill

Quote from: tomp on Feb 20, 2014, 22:02:13
Probably not related, but good to protect it anyway.

I would if I could find a step-by-step idiot's guide how to do it on OS X, I'm not too happy on the CLI... especially when the commands start with sudo :(

Quote
More likely the larger packets of IPv6 were more affected when the packet loss kicked in.

Makes sense.
Bill

tomp

I set up a firewall on my router so I didn't have to worry about individual devices. Does your router have a firewall?

Bill

Quote from: tomp on Feb 20, 2014, 22:37:17
I set up a firewall on my router so I didn't have to worry about individual devices. Does your router have a firewall?

Yes, but that only works for IPv4 and incoming port 123 requests are blocked on that.

But with no NAT on IPv6 each device has to sort out its own problems. (edit- as I understand it)



Breaking news- email appears to be up again. No mail yet, but no error messages either!
Bill

tomp

That's not strictly accurate.

Yes there is no NAT any more, but your router should provide some sort of firewall so that you can block unsolicited packets inbound - like corporate or data center networks do.

If not, as you say, you've got to worry about every device as it's out on the internet directly!

In fact many IPv4 routers support inbound firewalls too - otherwise all your ports would show as "closed" not "filtered".


tomp

After all your router is still the central point packets flow through, so it can block packets that are inbound without your internal devices needing a firewall.

Bill

Quote from: tomp on Feb 20, 2014, 22:50:30
but your router should provide some sort of firewall so that you can block unsolicited packets inbound - like corporate or data center networks do.

They probably use more expensive routers than I do :P

I'll have a closer look around but I think all it does with IPv6 packets is to squirt them out the appropriate LAN port.
Bill

Bill

Missed this bit:

Quote from: tomp on Feb 20, 2014, 22:50:30
If not, as you say, you've got to worry about every device as it's out on the internet directly!

Well, that's one of the points about IPv6- every device does have its own address direct on the internet! The router doesn't need to be much more than a switch.

Quote
In fact many IPv4 routers support inbound firewalls too - otherwise all your ports would show as "closed" not "filtered".

Yes, it does, by default (nearly) all ports are closed unless I explicitly forward them to a specific device, but as far as I can tell it works on IPv4 only.
Bill

Bill

Email coming through now, in trickles as the backlog clears I assume.
Bill

zappaDPJ

So when did this extra bandwidth provision kick in then?
zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Not all on Craig's are like that though, Zap. :-\ Tbh I think it's getting hard to tell fault from DDoS to congestion now in this thread :sigh: Not good.
Damned, if you do damned if you don't

Simon

This topic has been split from the packet loss thread.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Simon on Feb 21, 2014, 08:34:40
This topic has been split from the packet loss thread.
Good move, Simon.  :thumb:
Damned, if you do damned if you don't

Simon_idnet

It was a large DDoS attack which measured around 12Gbps at its peak. It was all NTP traffic aimed at a downstream network customer of ours (they host the Raspberry Pi project).

The path of the traffic through our network got in the way of the link between our POP3 server and the Database server that authenticates mail logins, which made them both upset for a while.

Gary

Quote from: Simon_idnet on Feb 21, 2014, 10:48:31
It was a large DDoS attack which measured around 12Gbps at its peak. It was all NTP traffic aimed at a downstream network customer of ours (they host the Raspberry Pi project).

The path of the traffic through our network got in the way of the link between our POP3 server and the Database server that authenticates mail logins, which made them both upset for a while.
Thanks for the info, Simon.
Damned, if you do damned if you don't