DDos attack null route.
My server has been null routed twice in the past week.
First null route 16 December: -8hours
Second null route 22 December: -8hours
Total: -16hours
Is it possible to get an extra day because of the repeated attacks?
No because we don't offer SLA credits for DDoS attacks, our SLA is specifically suspended for customers who are targeted by attacks.
What can you do when a null route occurs?
Absolutely nothing you can do about it, wait the 8 hours.
Can you traffic capture the ddos?
Unfortunately you can't, because the null route was applied at a router level, before it even reaches the machine, so no traffic is going to be seen.
Events log:
"We are always upgrading our infrastructure to make sure that null-routes remain a rare, emergency measure, and we investigate every null-route to explore what we and Internap can do to filter it better."
Re: DDos attack null route.
We can definitely understand your frustration here :/ I just hope you can understand our frustration as well. We absolutely hate null routing customers and only use it as an emergency measure. It is deemed an emergency when your attack causes location wide issues.
We work around the clock to protect our customers and haven't stopped and won't stop doing so. I know John has personally given up countless nights of sleep working on what we can do to protect our customers. We recently rolled out a few upgrades to our Seattle location and will continue doing so with the rest of our locations. Unfortunately, rolling new hardware and hooking up additional bandwidth isn't a quick task, it's very time consuming and expensive.
We will continue doing our best to mitigate any attacks seen by our customers. For reference, we have detailed how we handle attacks http://www.nfoservers.com/forums/viewto ... =25&t=4931.
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
Re: DDos attack null route.
Just curious. With 20-30000mbps pipes feeding these datacenters, how the DEVIL is anyone able to overwhelm something like that, to a point you need to be null routed? Fortunately it has never happened to us, but damn, I would think you would need virtually the full force of the entire internet to do that.
Re: DDos attack null route.
TacTicToe wrote: Just curious. With 20-30000mbps pipes feeding these datacenters, how the DEVIL is anyone able to overwhelm something like that, to a point you need to be null routed? Fortunately it has never happened to us, but damn, I would think you would need virtually the full force of the entire internet to do that.
There are many factors which can cause an attack to be devastating. Mainly PPS. You can see a high PPS attack that is still relatively small. A higher PPS attack will work to overload routers and machines since they simply cannot process all the information. There are also some attacks which are easy to launch and rely on exploited software or buggy software. NTP is one of these: due to its protocol, which has an amplification effect, an attack could have a few cheap machines with 100Mbps ports generate 20, 30, 40+Gbps attacks.
To put this in perspective: a solid mitigation router which can handle an extremely high PPS and that allows advanced string based filtering and rate limiting would cost upwards of 50-125K, plus most require a yearly subscription of 10-25K. I'll let you do that math, but you get the point. Mitigation is incredibly expensive.
There is a reason Prolexic charges its clients 13K to protect five IPs (and that doesn't come with the knowledge needed to block layer 7).
Re: DDos attack null route.
Wow that is just nuts.
After such an attack, does NFO do anything as far as pressing charges against an offender? If that is even possible to determine.
Re: DDos attack null route.
To clarify on what kraze said, most attacks don't cause problems because of PPS, but because of the pure bandwidth usage. The ones today, for instance, have mostly just overloaded our pipes and/or Internap's pipes (it's hard for us to tell sometimes where the weak link was).
preben, we make captures of the DDoS traffic on our end at the moment a null-route is put in place and I use it to analyze the attack and take appropriate next steps, as described in the KB article.
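An added illustration (not from the thread or from NFO) of the distinction drawn in the posts above between packet-rate-bound and bandwidth-bound attacks, with a check for the NTP-style reflection signature. The flow records, the capacity defaults and the `triage` helper are constructed assumptions, and DNS is listed beside NTP as a generalization.

```python
from collections import Counter

# UDP services whose replies are commonly abused for reflection; the thread
# names NTP, DNS is added here as a generalization.
REFLECTORS = {123: "ntp", 53: "dns"}

# Constructed one-second flow summaries toward one customer IP:
# (protocol, source_port, packets, bytes). All values are invented.
NTP_FLOOD = [("udp", 123, 12_000_000, 5_400_000_000),
             ("udp", 27005, 2_000, 200_000)]          # legitimate game traffic
SMALL_PKT_FLOOD = [("udp", 40000, 25_000_000, 1_500_000_000),
                   ("udp", 40001, 20_000_000, 1_200_000_000),
                   ("udp", 27005, 2_000, 200_000)]

def triage(flows, window_s=1.0, link_bps=40e9, router_pps=30e6):
    """Say which limit an attack exceeds: link bandwidth or router packet rate.

    link_bps and router_pps are assumed capacities, not a provider's real figures.
    """
    packets = sum(f[2] for f in flows)
    octets = sum(f[3] for f in flows)
    if not packets:
        raise ValueError("no traffic in window")
    pps = packets / window_s
    bps = octets * 8 / window_s

    # Load relative to each capacity; the larger ratio is the weak link.
    load = {"bandwidth": bps / link_bps, "pps": pps / router_pps}
    bottleneck = max(load, key=load.get)
    if load[bottleneck] < 1.0:
        bottleneck = "none"

    # Reflection shows up as one well-known UDP source port carrying most bytes.
    by_port = Counter()
    for proto, sport, _pkts, nbytes in flows:
        if proto == "udp":
            by_port[sport] += nbytes
    reflection = None
    port, nbytes = by_port.most_common(1)[0] if by_port else (None, 0)
    if port in REFLECTORS and nbytes / octets > 0.5:
        reflection = REFLECTORS[port]

    return {"pps": pps, "gbps": bps / 1e9, "avg_pkt_bytes": octets / packets,
            "bottleneck": bottleneck, "reflection": reflection}

if __name__ == "__main__":
    for name, flows in (("ntp", NTP_FLOOD), ("small", SMALL_PKT_FLOOD)):
        print(name, triage(flows))
```

The first sample stays well under the assumed packet-rate limit but exceeds the link, while the second uses about half the link yet exceeds the packet-rate limit.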
Re: DDos attack null route.
TacTicToe wrote: Wow that is just nuts. After such an attack, does NFO do anything as far as pressing charges against an offender? If that is even possible to determine.
Really not feasible. In some cases tracking down the user(s) behind the attacks isn't terribly hard, but getting law enforcement to care is near impossible. Which is understandable as it's a never-ending uphill battle and it makes sense for them not to care unless a large sum of money is involved.
Re: DDos attack null route.
Hello, it appears that my VDS has been null routed again.
Dec 23: -8hours.
Total: -24hours
Re: DDos attack null route.
preben, I'm sorry to hear that you're continuing to attract extremely large attacks.
It shouldn't be necessary to track them here. We see them all on our end. I spent most of my time processing DDoS attacks on behalf of our customers.
Re: DDos attack null route.
Could you send me a couple of firewall rules?
For example: max server slots is 66. So if 150+ IPs try to connect/send packets it will block all including real traffic so people can't connect.
Re: DDos attack null route.
Something like that will not help in the event you need to be null routed.
Not a NFO employee
Re: DDos attack null route.
preben, any attack that requires a null-route can't be filtered on our end or your end. Please read more about them here: http://www.nfoservers.com/forums/viewto ... 25&t=11456
Re: DDos attack null route.
You could try requesting a second IP that isn't getting targeted and use that for the time being. NFO's DDoS ability is limited; they can only handle up to 40Gbps in Seattle, the other locations are less.
Re: DDos attack null route.
rd1981 wrote: You could try requesting a second IP that isn't getting targeted and use that for the time being. NFO's DDoS ability is limited; they can only handle up to 40Gbps in Seattle, the other locations are less.
I would like to add that null routing the server's IPs for 8 to 16 hours successfully achieves the goal intended also, and takes the server down for hours.