DDos attack null route.

preben
A regular
Posts: 33
Joined: Fri Dec 05, 2014 2:14 pm

DDos attack null route.

Post by preben » Mon Dec 22, 2014 2:17 pm

My server has been null routed twice in the past week.

First null route 16 December: -8 hours
Second null route 22 December: -8 hours

Total: -16 hours

Is it possible to get an extra day because of the repeated attacks?
No, because we don't offer SLA credits for DDoS attacks; our SLA is specifically suspended for customers who are targeted by attacks.

What can you do when a null route occurs?
Absolutely nothing you can do about it, wait the 8 hours.

Can you traffic capture the ddos?
Unfortunately you can't, because the null route was applied at a router level, before it even reaches the machine, so no traffic is going to be seen.

Events log:
"We are always upgrading our infrastructure to make sure that null-routes remain a rare, emergency measure, and we investigate every null-route to explore what we and Internap can do to filter it better."

kraze
Staff
Posts: 4359
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: DDos attack null route.

Post by kraze » Mon Dec 22, 2014 2:28 pm

We can definitely understand your frustration here :/ I just hope you can understand our frustration as well. We absolutely hate null routing customers and only use it as an emergency measure. It is deemed an emergency when your attack causes location wide issues.

We work around the clock to protect our customers and haven't stopped and won't stop doing so. I know John has personally given up countless nights of sleep working on what we can do to protect our customers. We recently rolled out a few upgrades to our Seattle location and will continue doing so with the rest of our locations. Unfortunately, rolling new hardware and hooking up additional bandwidth isn't a quick task; it's very time consuming and expensive.

We will continue doing our best to mitigate any attacks seen by our customers. For reference, we have detailed how we handle attacks http://www.nfoservers.com/forums/viewto ... =25&t=4931.
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!

preben
A regular
Posts: 33
Joined: Fri Dec 05, 2014 2:14 pm

Re: DDos attack null route.

Post by preben » Mon Dec 22, 2014 2:39 pm

Alright, thank you.

I hope it doesn't happen again.

TacTicToe
This is my homepage
Posts: 846
Joined: Fri Feb 18, 2011 1:08 pm
Location: USA

Re: DDos attack null route.

Post by TacTicToe » Mon Dec 22, 2014 4:31 pm

Just curious. With 20-30000mbps pipes feeding these datacenters, how the DEVIL is anyone able to overwhelm something like that, to a point you need to be null routed? Fortunately it has never happened to us, but damn, I would think you would need virtually the full force of the entire internet to do that.

kraze
Staff
Posts: 4359
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: DDos attack null route.

Post by kraze » Mon Dec 22, 2014 4:53 pm

TacTicToe wrote: Just curious. With 20-30000mbps pipes feeding these datacenters, how the DEVIL is anyone able to overwhelm something like that, to a point you need to be null routed? Fortunately it has never happened to us, but damn, I would think you would need virtually the full force of the entire internet to do that.

There are many factors which can cause an attack to be devastating. Mainly PPS. You can see a high PPS attack that is still relatively small. A higher PPS attack will work to overload routers and machines since they simply cannot process all the information. There are also some attacks which are easy to launch and rely on exploited software or buggy software. NTP is one of these; due to its protocol, which has an amplification effect, an attack could have a few cheap machines with 100Mbps ports generate 20, 30, 40+Gbps attacks.

To put this in perspective: a solid mitigation router which can handle an extremely high PPS and that allows advanced string based filtering and rate limiting would cost upwards of 50-125K, plus most require a yearly subscription of 10-25K. I'll let you do that math, but you get the point. Mitigation is incredibly expensive.

There is a reason Prolexic charges its clients 13K to protect five IPs (and that doesn't come with the knowledge needed to block layer 7).

TacTicToe
This is my homepage
Posts: 846
Joined: Fri Feb 18, 2011 1:08 pm
Location: USA

Re: DDos attack null route.

Post by TacTicToe » Mon Dec 22, 2014 5:10 pm

Wow that is just nuts.

After such an attack, does NFO do anything as far as pressing charges against an offender? If that is even possible to determine.

Edge100x
Founder
Posts: 12424
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: DDos attack null route.

Post by Edge100x » Mon Dec 22, 2014 6:42 pm

To clarify on what kraze said, most attacks don't cause problems because of PPS, but because of the pure bandwidth usage. The ones today, for instance, have mostly just overloaded our pipes and/or Internap's pipes (it's hard for us to tell sometimes where the weak link was).

preben, we make captures of the DDoS traffic on our end at the moment a null-route is put in place and I use it to analyze the attack and take appropriate next steps, as described in the KB article.
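
An added illustration (not part of any post in this thread, and not NFO's tooling) of the distinction kraze and Edge100x draw above between PPS-bound and bandwidth-bound attacks: it summarizes constructed flow records, reports which limit is exceeded first, and measures the share of bytes arriving from UDP source port 123 (NTP replies). The link and router capacities, the record format, and all sample records are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    proto: str
    src_port: int
    packets: int
    octets: int

def parse(text):
    """Parse 'proto src_port packets bytes' lines (one aggregated flow each)."""
    return [Flow(p, int(sp), int(n), int(b))
            for p, sp, n, b in (ln.split() for ln in text.strip().splitlines())]

def characterize(flows, seconds, link_bps, router_pps):
    """Report which limit a capture window exceeds first: link bits/s or router packets/s."""
    octets = sum(f.octets for f in flows)
    bps = octets * 8 / seconds
    pps = sum(f.packets for f in flows) / seconds
    link_util, pps_util = bps / link_bps, pps / router_pps
    if max(link_util, pps_util) < 1.0:
        bottleneck = "none"
    else:
        bottleneck = "bandwidth" if link_util >= pps_util else "pps"
    # NTP servers answer from UDP port 123, so reflected traffic arrives with that source port.
    ntp = sum(f.octets for f in flows if f.proto == "udp" and f.src_port == 123)
    return {"gbps": round(bps / 1e9, 2), "mpps": round(pps / 1e6, 2),
            "bottleneck": bottleneck,
            "ntp_byte_share": round(ntp / octets, 3) if octets else 0.0}

# Assumed capacities for illustration only (not NFO's real figures).
LINK_BPS = 10e9      # 10 Gbps uplink
ROUTER_PPS = 5e6     # 5 Mpps forwarding budget

# Constructed one-second windows: one attack flow plus a little game traffic.
REFLECTION = """
udp 123 3000000 1404000000
udp 27015 2000 200000
"""
SMALL_PACKETS = """
udp 40000 8000000 480000000
udp 27015 2000 200000
"""

def demo():
    return [characterize(parse(t), 1, LINK_BPS, ROUTER_PPS)
            for t in (REFLECTION, SMALL_PACKETS)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first window saturates the assumed link while staying under the packet budget; the second does the reverse at about a third of the bandwidth.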

kraze
Staff
Posts: 4359
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: DDos attack null route.

Post by kraze » Mon Dec 22, 2014 9:23 pm

TacTicToe wrote: Wow that is just nuts.

After such an attack, does NFO do anything as far as pressing charges against an offender? If that is even possible to determine.

Really not feasible. In some cases tracking down the user(s) behind the attacks isn't terribly hard, but getting law enforcement to care is near impossible. Which is understandable as it's a never-ending uphill battle and it makes sense for them not to care unless a large sum of money is involved.

preben
A regular
Posts: 33
Joined: Fri Dec 05, 2014 2:14 pm

Re: DDos attack null route.

Post by preben » Wed Dec 24, 2014 2:07 am

Hello, it appears that my VDS has been null routed again.

Dec 23: -8 hours.

Total: -24 hours

Edge100x
Founder
Posts: 12424
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: DDos attack null route.

Post by Edge100x » Wed Dec 24, 2014 2:41 am

preben, I'm sorry to hear that you're continuing to attract extremely large attacks.

It shouldn't be necessary to track them here. We see them all on our end. I spent most of my time processing DDoS attacks on behalf of our customers.

preben
A regular
Posts: 33
Joined: Fri Dec 05, 2014 2:14 pm

Re: DDos attack null route.

Post by preben » Wed Dec 24, 2014 4:07 am

Could you send me a couple of firewall rules?

For example: max server slots is 66. So if 150+ IPs try to connect/send packets it will block all, including real traffic, so people can't connect.

soja
This is my homepage
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: DDos attack null route.

Post by soja » Wed Dec 24, 2014 4:53 am

Something like that will not help in the event you need to be null routed.
Not a NFO employee

Edge100x
Founder
Posts: 12424
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: DDos attack null route.

Post by Edge100x » Wed Dec 24, 2014 1:37 pm

preben, any attack that requires a null-route can't be filtered on our end or your end. Please read more about them here: http://www.nfoservers.com/forums/viewto ... 25&t=11456

rd1981
A regular
Posts: 31
Joined: Sat Jan 28, 2012 11:58 pm

Re: DDos attack null route.

Post by rd1981 » Fri Dec 26, 2014 12:39 am

You could try requesting a second IP that isn't getting targeted and use that for the time being. NFO's DDoS ability is limited; they can only handle up to 40Gbps in Seattle, and the other locations are less.

rd1981
A regular
Posts: 31
Joined: Sat Jan 28, 2012 11:58 pm

Re: DDos attack null route.

Post by rd1981 » Fri Dec 26, 2014 12:40 am

rd1981 wrote: You could try requesting a second IP that isn't getting targeted and use that for the time being. NFO's DDoS ability is limited; they can only handle up to 40Gbps in Seattle, and the other locations are less.

I would like to add that null routing the server's IPs for 8 to 16 hours also successfully achieves the goal intended and takes the server down for hours.