
View Full Version : Burst/Nocster network probs *AGAIN*
skiingyac 08-16-2002, 04:15 PM Is anyone else having sporadic network problems with Burst/Nocster? My pings are getting about 12-20% packet loss, and a script I've set up to monitor a server in their datacenter has reported 13 failed attempts to contact them between 1PM and 4PM EST.
Due to the time of day, and the fact that the packet loss is slowly getting worse, I suspect that they are running out of bandwidth somewhere (or maybe it's a switch, one phase of their power, or an elephant, as previously suggested).
My real concern, though, is whether it is because Burst is simply running out of bandwidth during peak times because of poor planning and/or trying to skimp on bandwidth costs.
It seems like a much more realistic explanation than them being under a gag order from the feds since they're hosting terrorist sites. I know if I was under a gag order, I'd post messages on here telling people about it. I'm sure terrorists would *never* think to use the internet to figure out whether their hosting provider is in with the feds.
Anyway, is anyone else running into this problem?
[note for Burst: NO, it's not my internet connection. Every other site I ping gets 0% packet loss, try another excuse.]
cxreg 08-16-2002, 04:18 PM If you'll see my thread (Burst rant), I am also (again) having the problems you are having. I am about half an hour away from becoming a fastservers.net customer
skiingyac 08-16-2002, 04:40 PM It is tempting. Does Burst really expect people to believe lame excuses that make no sense, or to respect a company whose answer to everything network related is "check your isp"?
Please.
FYI, Burst, since I'm sure you're wondering, a much better response would be "Go to status.nocster.com and you can see the results of an *external* machine in another datacenter far, far away trying to contact some of our servers every 1-2 minutes. It doesn't show any problems, can you show us a traceroute to help isolate the problem?"
they aren't even up long enough for me to leave them before going down again and again...I will be a happy ex customer.
sodapopinski 08-16-2002, 06:26 PM It's down again :bawling: :bawling: :bawling:
popdirt 08-16-2002, 06:29 PM yeah I'm down too :(
Yes, it's down here as well. 6 hours downtime last night due to hardware failure or whatever. and now it's down again.
:bawling:
cxreg 08-16-2002, 06:31 PM I got 3 ping packets back in the last 10 minutes or so, it appears to be some sort of DoS
10 p6-0.br01.lax10.atlas.psi.net (154.54.1.30) 60.855 ms 61.128 ms 60.624 ms
11 p6-0.br01.dca01.atlas.psi.net (154.54.1.62) 91.825 ms 95.032 ms 91.817 ms
12 p1-0.br01.dca02.atlas.psi.net (154.54.1.226) 91.826 ms 102.588 ms 98.471 ms
13 154.13.66.18 (154.13.66.18) 98.174 ms 102.134 ms 100.966 ms
14 0.so-4-0-0.XL1.DCA6.ALTER.NET (152.63.38.134) 94.770 ms 94.987 ms 93.485 ms
15 0.so-0-0-0.XR1.DCA6.ALTER.NET (152.63.35.113) 93.580 ms 97.124 ms 99.232 ms
16 185.at-0-1-0.CL1.DCA1.ALTER.NET (152.63.33.13) 99.614 ms 94.789 ms 99.055 ms
17 195.ATM4-0.GW8.PHL1.ALTER.NET (152.63.39.209) 107.192 ms 105.276 ms 105.127 ms
18 * * *
Max J. 08-16-2002, 06:36 PM Yep, Nocster down :(
popdirt 08-16-2002, 06:40 PM i'm back up..
digisquid 08-16-2002, 07:17 PM In my attempt to preserve bandwidth, I propose starting a "Nocster is up" thread. Based on past network performance this will surely limit new Nocster threads to say, one or two per week.
Nocster- 99.6% Uptime guarantee*
*Guarantee does not apply to service outages as a result of network problems, power outages, terrorism, hedonism, Norm the night watchman yanking out your NIC in a vain attempt to exact revenge on us for not giving him a Christmas bonus last year, acts of God, Allah, Buddha, Vishnu or other extraneous deities. In the event of a network outage please remain calm -these things happen all the time. You'll get used to it.
skiingyac 08-16-2002, 07:27 PM I'm still not convinced that it's a DOS instead of them just over-using their bandwidth. I've seen the following during 1 hr time periods starting at the times listed (EST, checks every 2 mins):
1PM - 3 checks fail
2PM - 5 checks fail
3PM - 5 checks fail
4PM - 6 checks fail
5PM - 5 checks fail
6PM - 9 checks fail
During periods of extended failure, the traceroutes can't get past hostnoc-gw.customer.alter.net (157.130.223.162), and never make it inside Burst/nocster. It could be a DOS, but from my experience, hosting traffic starts to pick up around noon and slowly increases until early evening... If it is a DOS, it should be blocked by now, and I also wouldn't expect the problems to get worse as time goes on but to improve as Burst is able to block more and more of the attack.
We'll see what happens as the night goes on...
Faggle 08-16-2002, 07:39 PM Originally posted by skiingyac
During periods of extended failure, the traceroutes can't get past hostnoc-gw.customer.alter.net (157.130.223.162), and never make it inside Burst/nocster. If it is a DOS, it should be blocked by now, and I also wouldn't expect the problems to get worse as time goes on but to improve as Burst is able to block more and more of the attack.
Well alter.net and DOS aren't good words to hear... the way alter.net deals with DOS attacks is rather lame they will null route anything that moves instead of getting off their ass and doing something to stop it.. this is likely why they don't allow IRC servers/bots because they would be null routed 24/7
clocker1996 08-16-2002, 10:15 PM so name someone then who can seriously stop dos attacks
name a provider where you can run an irc server, and not have to worry about dos attacks because the provider will block them.
even if it's a major synflood, or something like that.
???
could you name some =/
FDrive 08-16-2002, 10:22 PM No one can "stop" DOS attacks, but there are better ways to deal with them than what Faggle described alter.net as doing (though I don't know if that's what alter.net really does)
But you're right. A DOS attack is a big problem, regardless of the provider.
clocker1996 08-16-2002, 10:49 PM i like your domain name dude
frontdrive.com
sounds cool
Faggle 08-16-2002, 11:26 PM Almost all dos attacks against irc servers are from windows trojaned machines being commanded on private irc servers... they can only send icmp and udp packets (until some real loser comes out and writes something better to use the raw sockets crap in like xp) if you want to stop (well not stop but it would lose all effectiveness) it drop all icmp and all udp for everything but dns... and I don’t mean set up a software firewall on your machine and do this all that does is save outgoing bandwidth replying to the packets.. (but it would lessen the effect in that you wouldn’t be helping the dos attack sending replies out)
What would really help is if every backbone would drop icmp ping packets larger than say like 1kilobyte (I don’t know much about icmp but I can’t recall anything that uses real large packets) as why do you need to ping hosts with really large packet sizes? that would cut many ddos attacks using icmp down a lot...
-FDrive every alter.net machine which knew of which got dos'ed they always null routed
-clocker1996
httpd.net would be the only provider I know of which does block dos attacks well
DavidU 08-16-2002, 11:39 PM Originally posted by cxreg
I got 3 ping packets back in the last 10 minutes or so, it appears to be some sort of DoS
How you got from point A to point B on that is beyond me.
That makes no sense.
Thanks though, pretty funny reading.
-davidu
DavidU 08-16-2002, 11:45 PM Originally posted by Faggle
Well alter.net and DOS aren't good words to hear... the way alter.net deals with DOS attacks is rather lame they will null route anything that moves instead of getting off their ass and doing something to stop it.. this is likely why they don't allow IRC servers/bots because they would be null routed 24/7
It's funny then that the IRC server I idle on is not only on the uu.net network but it is run by uu.net security.
Oh yeah, it's linked to EfNET too, by far the most packeted network around.
Thanks for the story though, it kinda made me smile.
-davidu
RossH 08-16-2002, 11:45 PM Originally posted by FDrive
No one can "stop" DOS attacks, but there are better ways to deal with them than what Faggle described alter.net as doing (though I don't know if that's what alter.net really does)
But you're right. A DOS attack is a big problem, regardless of the provider.
For you guys who wanted to know if anyone can stop ddos attacks there is one company. Httpd.net (a.k.a FooNet) they aren't cheap but they can stop any ddos attack up to 2 GB/s and it has been tested at that.
foonet's filtering:
basically foonet has 2 cisco 10000's connected via dual OC12's to qwest backbone. This allows them to filter traffic directly on qwest's backbone before it gets to their pipe. Ask any guy who uses irc or runs a shell company foonet is the best, not only for shells but for websites too.
If you're wondering how I knew this I used to sell servers for them.
clocker1996 08-16-2002, 11:54 PM haha
bull**** man
FOONET/HTTPD will just NULL ROUTE just like faggle said
If you buy a server from them, and then run a ircd on it, they will just null route the IP that's being hit, if the traffic is high enough
Why do i say this ??
Because, I've been looking for a good firewall solution for quite some time now.
I decided, instead of risking $250+ on getting a server from FOONET/httpd and running a ircd, i thought I'd just get a IRCD shell account from jeah.net
since jeah.net uses httpd/foo - i figure it will be easier and cheaper
guess what?
I run a ircd
it gets packeted (no idea why, and NO, FOR ALL you people out there that are about to say "you must have attracted it" WE DIDN'T do anything. WE as in the little community that i run.)
it gets packeted, and what happens, it gets null routed. the ip gets null routed. jeah said that the traffic was too much. and that if they didn't null route it it would be a big bill for me.
see what I'm saying
WHAT WOULD BE SO different if i got a server at foonet/httpd and ran the ircd mYSELF
the difference would be that i just lost out on $250+
WCSWEB 08-16-2002, 11:58 PM From what I have seen Burstnet is running out of excuses. Let's see what they will come up with next. I'm glad that we did not pick them as a provider. They are extremely unstable and the worst thing is that they never recognize their mistakes they always blame it on something else.
Faggle 08-16-2002, 11:58 PM Originally posted by DavidU
It's funny then that the IRC server I idle on is not only on the uu.net network but it is run by uu.net security.
Oh yeah, it's linked to EfNET too, by far the most packeted network around.
Thanks for the story though, it kinda made me smile.
-davidu
wow you have to be one of the stupidest persons around...
traceroute to irc.secsup.uu.net (63.98.19.242), 30 hops max, 38 byte packets
....allallalal
12 501.ATM6-0.GW5.IAD5.ALTER.NET (152.63.43.149) 43.887 ms 44.118 ms 44.250 ms
13 * * *
14 *
uh..duh.. are they not blocking ICMP LIKE I SAID ???? DUH! UH
--- irc.secsup.uu.net ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
duh uh duuuh
RossH 08-17-2002, 12:01 AM Originally posted by clocker1996
haha
bull**** man
FOONET/HTTPD will just NULL ROUTE just like faggle said
If you buy a server from them, and then run a ircd on it, they will just null route the IP that's being hit, if the traffic is high enough
Why do i say this ??
Because, I've been looking for a good firewall solution for quite some time now.
I decided, instead of risking $250+ on getting a server from FOONET/httpd and running a ircd, i thought I'd just get a IRCD shell account from jeah.net
since jeah.net uses httpd/foo - i figure it will be easier and cheaper
guess what?
I run a ircd
it gets packeted (no idea why, and NO, FOR ALL you people out there that are about to say "you must have attracted it" WE DIDN'T do anything. WE as in the little community that i run.)
it gets packeted, and what happens, it gets null routed. the ip gets null routed. jeah said that the traffic was too much. and that if they didn't null route it it would be a big bill for me.
see what I'm saying
WHAT WOULD BE SO different if i got a server at foonet/httpd and ran the ircd mYSELF
the difference would be that i just lost out on $250+
they only do that for shell companies that get attacked excessively. He will be changing that back though.
clocker1996 08-17-2002, 12:11 AM so you're telling me that when they "change back" or whatever
I can buy a dedicated server with them, with the advanced firewall protection (That costs $150 or whatever)
and i would be able to run a ircd, and i wouldn't get null routed ??
or what
because i would just like to be able to run a ircd without having it being taken down easily (taken down as in, whether by null routing, or packeting)
because think about it
say i were to get a server right now..
All somebody has to do man, is just PACKET hard, then foonet/httpd will AUTOMATICALLY null route.
Then its down.
Either way, the attacker has accomplished what they wanted. They wanted the irc server DOWN. INACCESSIBLE
So all they have to do, is packet hard for a few mins, then stop
it makes it easier for them
Either way, your stuff is down now
Get what I'm saying?
DavidU 08-17-2002, 12:14 AM Originally posted by Faggle
wow you have to be one of the stupidest persons around...
traceroute to irc.secsup.uu.net (63.98.19.242), 30 hops max, 38 byte packets
....allallalal
12 501.ATM6-0.GW5.IAD5.ALTER.NET (152.63.43.149) 43.887 ms 44.118 ms 44.250 ms
13 * * *
14 *
uh..duh.. are they not blocking ICMP LIKE I SAID ???? DUH! UH
--- irc.secsup.uu.net ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
duh uh duuuh
I'm stupid for reading what you wrote and pointing out how you were wrong?
You said:
Originally posted by Faggle
the way alter.net deals with DOS attacks is rather lame they will null route anything that moves instead of getting off their ass and doing something to stop it.. this is likely why they don't allow IRC servers/bots because they would be null routed 24/7
Obviously you were wrong in that statement as irc.secsup.uu.net has some of the best uptime around. The fact that they drop ICMP has nothing to do with anything. A null route is just that, an entry to null0 -- it has nothing to do with filtering ICMP packets. I made no mention of ICMP packets nor did you in the post I responded to, please don't put words in my mouth.
-davidu
Faggle 08-17-2002, 12:23 AM Originally posted by DavidU
I'm stupid for reading what you wrote and pointing out how you were wrong?
You said:
Obviously you were wrong in that statement as irc.secsup.uu.net has some of the best uptime around. The fact that they drop ICMP has nothing to do with anything. A null route is just that, an entry to null0 -- it has nothing to do with filtering ICMP packets. I made no mention of ICMP packets nor did you in the post I responded to, please don't put words in my mouth.
-davidu
If you read my second post you would see why they don't null route themselves they already block most the packets filtering icmp ... and why would a company null route themselves?
DavidU 08-17-2002, 12:36 AM Originally posted by Faggle
If you read my second post you would see why they don't null route themselves they already block most the packets filtering icmp ... and why would a company null route themselves?
a) Your second post has nothing to do with anything we're talking about but assuming it does...
b) If irc.secsup.uu.net was being packeted with gbps-like traffic you can bet they would null route themselves. I know a few of the people who help run it and I imagine they would work pretty hard to eliminate the effects of a DoS but if their bosses told them to pull the cat5 (not literally) then they would. Also, you seem to think that being null routed is permanent or has some sprawling effect. It doesn't. UU.Net could null route one IP and leave the rest of the network intact.
One of the boxes I help manage at verio was being packeted with a small 10meg/second DoS and verio took care of it in about 30 minutes without null routing me. (not spoofed, obviously)
Originally posted by Faggle
Almost all dos attacks against irc servers are from windows trojaned machines being commanded on private irc servers...
Actually if you check with dshield, they will disagree with you. I don't really disagree with you though since overall windows is probably most responsible but lately that hasn't been the case.
Originally posted by Faggle
What would really help is if every backbone would drop icmp ping packets larger than say like 1kilobyte (I don’t know much about icmp but I can’t recall anything that uses real large packets) as why do you need to ping hosts with really large packet sizes? that would cut many ddos attacks using icmp down a lot...
Lots of things use UDP. Lots of streaming audio and video applications. Lots of gaming, if not all gaming. Lots of sync applications. ICMP is also used for other various reasons besides just checking a traceroute. Blindly dropping ICMP is dumb. Do it at your border but don't expect anyone else to do it.
-davidu
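The difference argued over above, between filtering ICMP echo at the border and null routing one address, shown as an added example that is not part of the original thread. It is a toy model of a router's forwarding decision; the addresses (from the 192.0.2.0/24 documentation range), the next-hop name and the probe set are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    dport: int = 0        # unused for ICMP
    icmp_type: int = -1   # 8 = echo request (ping)

class Router:
    """Toy border router: deny filters first, then longest-prefix-match routing."""
    def __init__(self):
        self.routes = []   # (network, next_hop); next_hop "Null0" discards
        self.filters = []  # (name, predicate) deny rules

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def deny(self, name, predicate):
        self.filters.append((name, predicate))

    def forward(self, pkt):
        for name, matches in self.filters:
            if matches(pkt):
                return "filtered:" + name
        dst = ipaddress.ip_address(pkt.dst)
        candidates = [(net, hop) for net, hop in self.routes if dst in net]
        if not candidates:
            return "no-route"
        net, hop = max(candidates, key=lambda r: r[0].prefixlen)
        return "null-routed" if hop == "Null0" else "forwarded"

# Constructed addresses: an IRC server and a neighbour in the same /24.
IRC_HOST, NEIGHBOUR = "192.0.2.10", "192.0.2.11"

def probes(host):
    return {"ping": Packet(host, "icmp", icmp_type=8),
            "irc": Packet(host, "tcp", dport=6667),
            "dns": Packet(host, "udp", dport=53)}

def reachability(router, host):
    return {name: router.forward(p) for name, p in probes(host).items()}

def icmp_filtered_router():
    r = Router()
    r.add_route("192.0.2.0/24", "colo-switch")  # hypothetical next hop
    r.deny("icmp-echo", lambda p: p.proto == "icmp" and p.icmp_type == 8)
    return r

def null_routed_router():
    r = Router()
    r.add_route("192.0.2.0/24", "colo-switch")
    r.add_route(IRC_HOST + "/32", "Null0")  # only the attacked IP is discarded
    return r

if __name__ == "__main__":
    for label, r in (("ICMP filter", icmp_filtered_router()),
                     ("null route", null_routed_router())):
        for host in (IRC_HOST, NEIGHBOUR):
            print(label, host, reachability(r, host))
```

With the ICMP filter, ping fails while the IRC port still forwards, so 100% ping loss alone does not show a host is down; with the /32 null route, every protocol to that one address is dropped and the neighbour is untouched.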
Faggle 08-17-2002, 12:50 AM Originally posted by DavidU
Also, you seem to think that being null routed is permanent or has some sprawling effect. It doesn't. UU.Net could null route one IP and leave the rest of the network intact.
I know it's not permanent and I know they can null 1 ip and the rest of the network would be intact I had uunet irc servers linked before and that was always the case.
Actually if you check with dshield, they will disagree with you. I don't really disagree with you though since overall windows is probably most responsible but lately that hasn't been the case.
What's dshield?
Lots of things use UDP. Lots of streaming audio and video applications. Lots of gaming, if not all gaming. Lots of sync applications. ICMP is also used for other various reasons besides just checking a traceroute. Blindly dropping ICMP is dumb. Do it at your border but don't expect anyone else to do it.
I know lots of things use udp.. running an irc server and hosting game servers isn't the smartest thing to do on the same machine keeping the servers on different ips would still let you drop udp to the irc ip
I never said to blindly drop icmp I said icmp ping packets hehe..
btw I'm not claiming to know everything or anything in a few days I'll be starting school for "cis - network specialist" to learn more about networks n **** most of the time i post out of experience I run a irc network and every uunet server we had always got null routed (this was back in the day though gladly we haven't been packeted in a really long time) hehe that's why I said that.. I'm not here to start flame wars like every other post on wht has .. just like every post seems to go off topic like this one has if you want to yell at me about anything else just pm me..
clockwork 08-17-2002, 01:30 AM Wow.
Simply dropping a protocol, or filtering certain packets isn't going to make you bullet-proof. If you're getting 10 million packets per second thrown at your box and it is stopped at the router, the router is going to bog down.
DavidU 08-17-2002, 01:43 AM Originally posted by clockwork
Wow.
Simply dropping a protocol, or filtering certain packets isn't going to make you bullet-proof. If you're getting 10 million packets per second thrown at your box and it is stopped at the router, the router is going to bog down.
Yep. You're right.
In fact, Verio in San Diego no longer blocks packets -- I found out that almost all security-based filtering happens in LA now where I assume they have bigger routers with more ram/cpu to filter.
I'm also guessing that the routers in San Diego might just be too busy doing all the rate-limiting and accounting to be busy filtering packets for DoS reasons.
I'd think they would want to filter as far down on the chain as possible but maybe someone with more router experience knows why they do it in LA rather than at the colo in San Diego.
-davidu