Hi,
I've been advised by Simon to post here.
I have multiple connections (through various offices) with IDNet (FTTC, ADSL and leased line fiber). At approx. 20:09 tonight I saw packet loss alerts for FTTC and ADSL connections in Surrey and a fiber connection in Brighton.
The packet loss lasted until 20:25 approx. Now all seems fine.
I wondered if this might be related to the recent DDOS attacks caused by DERP Trolling that have been causing me headaches at RapidSwitch data center in the UK, and Linode's Dallas and Newark DCs too.
This February has been the worst month for DDOS that I can remember.
http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/
Thanks, Tomp. Just wanted to keep it all together. :)
Just had confirmation from IDNet support (from Simon) that it was a DDOS to one of their customers.
Thanks Simon for the update.
I know that RapidSwitch have been hit by DDOS exceeding 50Gbps. What sort of uplink speeds does IDNet have to, say, LINX?
Portal is also unavailable atm
From the Status page:
Quote:
One of our customers, a large downstream hosting network, was the target of a DDoS attack this evening. We have blackholed the traffic to protect them but while the traffic flood was in progress it adversely affected our network for a while also.
Posted: 2014-02-20 21:30:45 Updated: 2014-02-20 21:30:45
Doesn't explain the loss of email, maybe that got caught in the cross-fire.
It's not going well at the moment, is it? :sigh:
I hope you've all firewalled your NTP servers so you're not part of the problem :)
Well, it's better than watching the Olympics :evil:
Quote from: tomp on Feb 20, 2014, 21:51:46
I hope you've all firewalled your NTP servers so you're not part of the problem :)
My ntp server is firewalled on IPv4 but not on IPv6... and as I only got a big hit on the IPv6 BQM, you've got me worried!
Probably not related, but good to protect it anyway.
More likely the larger packets of IPv6 were more affected when the packet loss kicked in.
http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
Quote from: tomp on Feb 20, 2014, 22:02:13
Probably not related, but good to protect it anyway.
I would if I could find a step-by-step idiot's guide how to do it on OS X, I'm not too happy on the CLI... especially when the commands start with sudo :(
Quote:
More likely the larger packets of IPv6 were more affected when the packet loss kicked in.
Makes sense.
I set up a firewall on my router so I didn't have to worry about individual devices. Does your router have a firewall?
Quote from: tomp on Feb 20, 2014, 22:37:17
I set up a firewall on my router so I didn't have to worry about individual devices. Does your router have a firewall?
Yes, but that only works for IPv4 and incoming port 123 requests are blocked on that.
But with no NAT on IPv6 each device has to sort out its own problems. (edit- as I understand it)
Breaking news- email appears to be up again. No mail yet, but no error messages either!
That's not strictly accurate.
Yes there is no NAT any more, but your router should provide some sort of firewall so that you can block unsolicited packets inbound - like corporate or data center networks do.
If not, as you say, you've got to worry about every device as it's out on the internet directly!
In fact many IPv4 routers support inbound firewalls too - otherwise all your ports would show as "closed" not "filtered".
After all your router is still the central point packets flow through, so it can block packets that are inbound without your internal devices needing a firewall.
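A stateful IPv6 forward filter of the kind the post above describes, written as an added example (not from any poster or from IDNet) in nftables syntax. It assumes a Linux-based router; the interface names `wan0` and `lan0` and the table name `home_fw` are placeholders.

```nftables
# Constructed example: load with `nft -f <file>` on a Linux-based router.
# Assumed interface names: wan0 = ISP side, lan0 = home network.
# Covers traffic routed through the box only, not the router's own services.
table ip6 home_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that LAN devices opened are let back in.
        ct state established,related accept
        ct state invalid drop

        # LAN devices may open new connections outward.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors that IPv6 relies on (path MTU discovery etc.), plus ping.
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Count unsolicited NTP queries aimed at LAN hosts before dropping them,
        # so `nft list ruleset` shows whether anything is probing port 123.
        iifname "wan0" udp dport 123 counter drop

        # Anything else arriving unsolicited from wan0 hits the drop policy.
    }
}
```

A LAN host's own NTP client keeps working with these rules, because the server's reply matches the `established` state created by the outbound query; only queries that start from the internet side are dropped.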
Quote from: tomp on Feb 20, 2014, 22:50:30
but your router should provide some sort of firewall so that you can block unsolicited packets inbound - like corporate or data center networks do.
They probably use more expensive routers than I do :P
I'll have a closer look around but I think all it does with IPv6 packets is to squirt them out the appropriate LAN port.
Missed this bit:
Quote from: tomp on Feb 20, 2014, 22:50:30
If not, as you say, you've got to worry about every device as it's out on the internet directly!
Well, that's one of the points about IPv6- every device does have its own address direct on the internet! The router doesn't need to be much more than a switch.
Quote:
In fact many IPv4 routers support inbound firewalls too - otherwise all your ports would show as "closed" not "filtered".
Yes, it does, by default (nearly) all ports are closed unless I explicitly forward them to a specific device, but as far as I can tell it works on IPv4 only.
Email coming through now, in trickles as the backlog clears I assume.
(http://www.thinkbroadband.com/ping/share-thumb/e7cffb8cf5c1804736e9a97fc547d6f3-20-02-2014.png) (http://www.thinkbroadband.com/ping/share/e7cffb8cf5c1804736e9a97fc547d6f3-20-02-2014.html)
So when did this extra bandwidth provision kick in then?
Not all on Craig's are like that though Zap. :-\ Tbh I think it's getting hard to tell fault from DDoS to congestion now in this thread :sigh: Not good.
This topic has been split from the packet loss thread.
Quote from: Simon on Feb 21, 2014, 08:34:40
This topic has been split from the packet loss thread.
Good move, Simon. :thumb:
It was a large DDoS attack which measured around 12Gbps at its peak. It was all NTP traffic aimed at a downstream network customer of ours (they host the Raspberry Pi project).
The path of the traffic through our network got in the way of the link between our POP3 server and the Database server that authenticates mail logins, which made them both upset for a while.
Quote from: Simon_idnet on Feb 21, 2014, 10:48:31
It was a large DDoS attack which measured around 12Gbps at its peak. It was all NTP traffic aimed at a downstream network customer of ours (they host the Raspberry Pi project).
The path of the traffic through our network got in the way of the link between our POP3 server and the Database server that authenticates mail logins, which made them both upset for a while.
Thanks for the info, Simon.
Had to happen this week, didn't it! ::) Has someone at IDNet Towers walked under a ladder recently? ;)
Quote from: Simon on Feb 21, 2014, 11:53:42
Had to happen this week, didn't it! ::) Has someone at IDNet Towers walked under a ladder recently? ;)
Or spilt some salt ;D
... on a black cat... :whistle:
Interesting that it was Raspberry Pi under attack.
Quote from: colirv on Feb 21, 2014, 12:26:12
Interesting that it was Raspberry Pi under attack.
I tend to attack apple pies and chocolate cake myself!
But warning noted,
I'll keep my pie offline for now keep it online, as I'm happy to share that kind of slick of pie. ;D