Lovely..... (25 mins downtime)

BC
03-24-2001, 09:59 PM
So what happened this time, VDI? :(

energy
03-24-2001, 10:04 PM
It wasn't fully down. The ping was 8000 ms so it was VERY slow. Glad I'm not with VDI

SI-Chris
03-24-2001, 10:10 PM
I also noticed last night around 11 PM this board and VDI.net were unreachable for about an hour. I did a traceroute from Yahoo! and it came back with "unknown host," so I know it wasn't just me.

JBIZ718
03-24-2001, 10:11 PM
Glad I'm not with VDI.
Joe

acetate
03-24-2001, 10:12 PM
I think VDI should have a network status page on their site, so we'll know what's going on when there's a problem like this. :(

BC
03-24-2001, 10:13 PM
Originally posted by energy
> It wasn't fully down. The ping was 8000 ms so it was VERY slow.

It depends on which router you came through. The Alter.net router through NYC seems to be the one that dropped out. Have a look at http://www.sitepointforums.com/showthread.php?s=e04059b3f9f87434fefb07921487fe3f&threadid=19391 for all the traceroutes that a no. of us ran.

BC
03-24-2001, 10:14 PM
Originally posted by acetate
> I think VDI should have a network status page on their site, so we'll know what's going on when there's a problem like this. :(

... And preferably mirrored off a different network so that the status page doesn't go down if VDI goes down.

MSW
03-24-2001, 11:57 PM
Wow - that's a lot of downtime for VDI. I am sure that a lot of people are pretty upset. Even though it was only 25 minutes or so, it affected everyone on their network, and I think they are a little skeptical about whether VDI can make good on their promise of not having this happen again. It looks like VDI came through it without too much damage. That's good news for everyone.

William
03-25-2001, 12:08 AM
VDI will be adding many many needed features.. Very very shortly :) We are working day and night to rid the several DOS attacks that are hitting the network.
VDI will get the issues back to the way they were a few weeks ago. We are seeing some retaliation in the last few weeks from competitors and "several annoying dos attacks". VDI will continue to improve very quickly, and wipe the dirt off the knee caps so to speak. I'm just shocked on how zealous the competition is getting......

Kaith Sutai-Rustaz
03-25-2001, 12:29 AM
Nice to see all that redundancy, etc. etc. being useful. not. >_< I'm starting to seriously wonder if we should set up our own NOC. I mean, sure OC100000000 connections are great.....when they are there and functional. Otherwise, might as well hook our servers to a dialup. :angry:

William
03-25-2001, 12:41 AM
It wouldn't matter if there were 26 OC3's lined from MCI and 36 providers. A dos attack will bring down any data center. Just need to have the cooperation of the upstreams and backbones to trace the ips and filter it.

DHWWnet
03-25-2001, 12:50 AM
Bill, if you offer inexpensive dedicated server/colo prices chances are that there will be a LOT of jealous competitors, those people that cannot compete with VDI's prices. That is prolly one of the reasons why VDI's network was attacked and I don't think it will go away. The solution, why don't we do something about :) maybe a small backup data center. And get rid of the attackers for good, you know what I mean ;)

William
03-25-2001, 12:53 AM
So if VDI doubles prices the DOS attacks will stop? :) Well, I don't think we are "CHEAP", just offer wholesale hosting for hosting companies.

jayglate
03-25-2001, 12:53 AM
elijah it has nothing to do with the pricing trust me..

DHWWnet
03-25-2001, 12:56 AM
:beer:
ps: I edited it and changed to inexpensive prices :P

JTY
03-25-2001, 12:56 AM
DOS attacks bite big time.... a few months ago, my isp had one, and I was unable to get a trace out of their network.....

William
03-25-2001, 01:00 AM
jayglate, you know something I don't?

jayglate
03-25-2001, 01:03 AM
I know nothing you don't, but nobody attacks NOCs for having "cheap prices", please. That makes no sense, any NOC can match your pricing or beat it if they wanted to, but that is not the point of DoS. It is most likely script kiddies, looking to play, off of hacked boxen. You have the ips, you know where they are coming from.

DHWWnet
03-25-2001, 01:03 AM
Originally posted by William
> jayglate, you know something I don't?

:beer: lol
btw: I am ready to colo one of my servers to VDI but I'm still waiting for my other contract at another place to expire, then I will colo a 1U at VDI.

William
03-25-2001, 01:09 AM
I know you would never do anything like that :) ......................................* Ssssssssss

jayglate
03-25-2001, 01:11 AM
We fight hackers and script kiddies, we had 2 thrown in jail already and one on trial pretty soon. We don't promote it..:)

DHWWnet
03-25-2001, 01:15 AM
Originally posted by jayglate
> We fight hackers and script kiddies, we had 2 thrown in jail already and one on trial pretty soon. We don't promote it..:)

That is good to hear, glad you guys are doing something about it :)

Matrix
03-25-2001, 01:24 AM
I've noticed it not just last night but a couple of other times as well. Didn't know if it was just me or not, but I checked other sites at that time and they were pulling up. I remember one of the times being in the morning and I think the other was late at night as well.

acetate
03-25-2001, 01:26 AM
I'm on VDI network and my server gets attacked every day by some arse from china.
=( Here's a sample:

    Mar 23 13:29:34 degree portsentry[1100]: attackalert: Connect from host: 61.133.95.253/61.133.95.253 to TCP port: 1080
    Mar 23 13:29:34 degree portsentry[1100]: attackalert: Host 61.133.95.253 has been blocked via wrappers with string: "ALL: 61.133.95.253"
    Mar 23 13:29:34 degree portsentry[1100]: attackalert: Host 61.133.95.253 has been blocked via dropped route using command: "/sbin/route add -host 61.133.95.253 gw 127.0.0.1"

and it goes on and on.. Every single day.. :( argh!! :uzi: :karate: <-- arse from china

jayglate
03-25-2001, 01:31 AM
Have VDI block it at their routers. Problem solved.

energy
03-25-2001, 01:32 AM
"If you offer inexpensive dedicated"
I disagree, there are MANY companies who have much more inexpensive prices than VDI.

acetate
03-25-2001, 01:33 AM
Problem is it's a different ip every day.. Can't have VDI block everyone from china. Right?

jayglate
03-25-2001, 02:00 AM
You can..

William
03-25-2001, 02:04 AM
jay could you explain in your own words what a syn and a smurf attack is. Could you block a smurf? Also how do you block spoofed ips?

jayglate
03-25-2001, 02:15 AM
A syn attack is an outdated attack method. Nobody does that anymore because every OS since 1998 has protection against it. It is sending a large sum of spoofed source SYN-OPEN packets at a webserver, clogging it with OPEN-CONN tcp connections. A smurf attack is spoofed source ICMP echo response sh$%, amplifying ICMP responses to make for a very heavy attack. And to protect against spoofed ips is generally hard.

allan
03-25-2001, 02:41 AM
Originally posted by William
> jay could you explain in your own words what a syn and a smurf attack is. Could you block a smurf? Also how do you block spoofed ips?

William,
A smurf attack is when a punk kid sends a forged ICMP request to a broadcast address. The broadcast address distributes the information to all of the IPs in that netblock which floods the network with responses.
Those responses are all directed to the forged address. Flooding that network as well. The simplest way to block a smurf attack is to set the following statement in your router (assuming Cisco IOS):

    no ip directed-broadcast

A syn attack is a little more complicated. Anytime 2 hosts establish a connection a 3-way "handshake" has to occur: The first host sends an ACK. The second host accepts the ACK, queues it, and sends a response to the first host. The first host replies to the ACK and the transmission continues. In a syn attack, a punk kid sends a lot of requests using fake addresses. The host receives them and waits for the reply, queuing each request. The problem is the host sends his ACK to the wrong server (spoofed IP address) so its ACK request is never responded to. Eventually he drops the packet and moves on. However, if several 100,000 requests like this come in simultaneously the host tries to queue them all and is unable, so it cannot respond to regular traffic, and appears to the outside world to be down. This is also harder to defend against without using a firewall. However you can try to configure TCP Intercept as a means of controlling syn attacks: http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scdenial.htm#17817

jayglate
03-25-2001, 02:46 AM
That definition works also..:)

William
03-25-2001, 02:57 AM
UULAN
Quote:
> no ip directed-broadcast

This is how you prevent yourself from being an amplifier, not blocking a smurf attack. Since Smurf is ICMP based it can be directed, but in most cases the bandwidth is just too much to bother dumping. Since many foreign countries do not put the no ip directed-broadcast in their routers and do not keep up with the times, they become amplifiers for smurf attacks. If everyone actually cooperated, there would be little room for dos attacks and no one to amplify off of. I would like to turn off all icmp on the VDI network, but we all know how clients feel about that.
The most annoying thing is most dos attacks are irc based, channel take overs. So those servers that run eggdrops tend to be slammed quite often.

Tim Greer
03-25-2001, 03:02 AM
I got the impression that Bill knew what a Smurf and Syn attack was, but was asking you to explain it to others, perhaps better explain it than he could? Also, asking how and if you could block spoofed IPs? Maybe I'm wrong, but that's what I got out of it. However, I will say, the only true method to stop Smurf and other attacks is really to stop it on the other side. I.e., configure servers to not allow this to happen on the other end. That is the only real way to stop this sort of stupidity from happening, but that's not a likely solution. It's too unrealistic to have every large and insecure data center on the Internet take these measures so others don't have to suffer. Though, there are steps to take, as someone mentioned, which I believe there's information about on both CERT's site and on Cisco's support/documentation. There's some other information about steps to take as well, but, just like SPAM, it's an issue people on the other side need to take measures against, which is really unfortunate for the rest of the Internet.
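
The portsentry alerts acetate posted can be summarised by source network instead of by single address, so that a source whose address changes every day still shows up as one row. This is an added example, not part of the thread: every log line after the first is constructed, and the function names and the /24 grouping are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the first line is the alert quoted in the thread, the
# remaining lines are made up and use documentation address ranges.
SAMPLE_LOG = """\
Mar 23 13:29:34 degree portsentry[1100]: attackalert: Connect from host: 61.133.95.253/61.133.95.253 to TCP port: 1080
Mar 23 13:29:34 degree portsentry[1100]: attackalert: Host 61.133.95.253 has been blocked via wrappers with string: "ALL: 61.133.95.253"
Mar 24 02:10:07 degree portsentry[1100]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 1080
Mar 25 04:41:52 degree portsentry[1100]: attackalert: Connect from host: 198.51.100.201/198.51.100.201 to TCP port: 3128
Mar 25 09:15:20 degree portsentry[1100]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to UDP port: 161
"""

CONNECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ portsentry\[\d+\]: attackalert: "
    r"Connect from host: \S+/(?P<ip>[\d.]+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

def parse_connects(text):
    """Yield (timestamp, ip, proto, port) for each 'Connect from host' alert."""
    for line in text.splitlines():
        m = CONNECT.match(line)
        if m:  # the "has been blocked" follow-up lines are skipped
            yield m["ts"], ipaddress.ip_address(m["ip"]), m["proto"], int(m["port"])

def summarize(text, prefix_len=24):
    """Group alerts by source network: {network: {"hosts", "ports", "hits"}}."""
    nets = defaultdict(lambda: {"hosts": set(), "ports": set(), "hits": 0})
    for _ts, ip, proto, port in parse_connects(text):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        row = nets[str(net)]
        row["hosts"].add(str(ip))
        row["ports"].add(f"{proto}/{port}")
        row["hits"] += 1
    return dict(nets)

def repeat_networks(text, min_hosts=2, prefix_len=24):
    """Networks probing from several distinct hosts: prefix-filter candidates."""
    return sorted(n for n, r in summarize(text, prefix_len).items()
                  if len(r["hosts"]) >= min_hosts)

if __name__ == "__main__":
    for net, row in sorted(summarize(SAMPLE_LOG).items()):
        print(net, row["hits"], sorted(row["hosts"]), sorted(row["ports"]))
    print("repeat networks:", repeat_networks(SAMPLE_LOG))
```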
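
A small model of the half-open connection queue allan describes, added here as an illustration and not posted by anyone in the thread. It replays constructed traffic against a fixed-size queue, once refusing new SYNs when the queue is full and once evicting the oldest entry (a simplified stand-in for the kind of load shedding a feature like TCP Intercept performs); the backlog size, timeout, round-trip time and all names are assumptions.

```python
from collections import OrderedDict

def run_listener(events, backlog=8, timeout_ms=3000, evict_oldest=False):
    """Replay (time_ms, source, kind) events, kind being "SYN" or "ACK",
    against a listener with a fixed half-open queue. Returns the set of
    sources that completed the three-way handshake."""
    half_open = OrderedDict()      # source -> time its SYN was queued
    established = set()
    for now, src, kind in sorted(events):
        # Expire entries whose final handshake packet never arrived.
        for s in [s for s, t in half_open.items() if now - t >= timeout_ms]:
            del half_open[s]
        if kind == "SYN":
            if len(half_open) >= backlog:
                if not evict_oldest:
                    continue       # queue full: this SYN is dropped
                half_open.popitem(last=False)   # make room, oldest first
            half_open[src] = now
        elif kind == "ACK" and src in half_open:
            del half_open[src]
            established.add(src)
    return established

def flood(start_ms, duration_ms, interval_ms):
    """Constructed traffic: SYNs from spoofed sources that never answer."""
    return [(t, f"spoof-{t}", "SYN")
            for t in range(start_ms, start_ms + duration_ms, interval_ms)]

def client(name, t_ms, rtt_ms=100):
    """A real client: SYN at t_ms, final ACK one round trip later."""
    return [(t_ms, name, "SYN"), (t_ms + rtt_ms, name, "ACK")]

def scenario(interval_ms, evict_oldest):
    """One client connects before the flood, one in the middle of it."""
    events = (client("early", 0) + flood(1000, 10000, interval_ms)
              + client("during", 6025))
    return run_listener(events, evict_oldest=evict_oldest)

if __name__ == "__main__":
    for interval, evict in [(50, False), (50, True), (10, True)]:
        print(f"SYN every {interval} ms, evict_oldest={evict}:",
              sorted(scenario(interval, evict)))
```

With a SYN every 10 ms, more spoofed SYNs than the queue holds arrive within one round trip, so eviction no longer saves the real client.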