  1. #1
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052

    12 hours nullroute policy?

    Anybody ever faced a 12 hours null route policy after being DDOSed?

    Today one of my servers was attacked, and the datacenter where the server is located told me that a "12hr null-route policy" has been imposed on all the IPs of my block.

    Having had servers in over a dozen different datacenters for over 12 years, I have never faced such a ridiculous policy before. Has anybody else had a similar issue before? Is this common?
    Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
    LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
    Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
    DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore

  2. #2
    Join Date
    Sep 2012
    Posts
    253
    Haven't received one, no. But have handed them out, several times, and for 24 hours not 12. Although they were for the /32 being attacked and not an entire block. But if the entire block was being attacked, then yeah, definitely.

  3. #3
    Join Date
    Mar 2008
    Location
    Los Angeles, CA
    Posts
    555
    If they blocked your entire subnet then I would not consider that acceptable.

    To me it sounds like they don't have a very well managed network (no netflow setup) and basically were unable to tell which IP address it was going to and are only going by port (and thus customer) and thus blocking your entire subnet.

    I would probably try to find a different host after that.
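
An added example, not part of any post in this thread: how per-destination flow data lets an operator choose the narrowest null route (a /32, or a covering prefix when many addresses are hit) instead of the customer's whole block. The flow tuples, threshold, host limit and function names are all constructed assumptions for illustration.

```python
import ipaddress
from collections import Counter

BLOCK = "203.0.113.0/24"  # documentation prefix standing in for the customer block

# Constructed flow summaries (dst_ip, bytes) for one 60-second window.
ONE_TARGET = [
    ("203.0.113.10", 4_500_000_000),
    ("203.0.113.10", 4_500_000_000),
    ("203.0.113.20", 5_000_000),        # normal background traffic
    ("198.51.100.7", 9_000_000_000),    # another customer, outside the block
]
SPREAD = [(f"203.0.113.{h}", 8_000_000_000) for h in range(64, 72)]


def covering_prefix(addrs, block):
    """Smallest prefix inside `block` that contains every address in `addrs`."""
    cover = ipaddress.ip_network(f"{addrs[0]}/32")
    while cover.prefixlen > block.prefixlen and not all(a in cover for a in addrs):
        cover = cover.supernet()
    return cover


def pick_null_routes(flows, block=BLOCK, window_s=60,
                     threshold_bps=1_000_000_000, max_hosts=4):
    """Return the prefixes to null-route, as narrow as the flow data allows.

    threshold_bps and max_hosts are illustrative values, not operator guidance.
    """
    net = ipaddress.ip_network(block)
    per_dst = Counter()
    for dst, nbytes in flows:
        addr = ipaddress.ip_address(dst)
        if addr in net:                  # ignore traffic to other customers
            per_dst[addr] += nbytes
    hot = sorted(a for a, b in per_dst.items() if b * 8 / window_s >= threshold_bps)
    if not hot:
        return []                        # nothing over threshold: no null route
    if len(hot) <= max_hosts:
        return [ipaddress.ip_network(f"{a}/32") for a in hot]
    return [covering_prefix(hot, net)]   # many targets: one covering prefix


if __name__ == "__main__":
    print(pick_null_routes(ONE_TARGET))
    print(pick_null_routes(SPREAD))
```
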

  4. #4
    Join Date
    Aug 2007
    Location
    Datacenter
    Posts
    4,414
    Most of the time a DDOS keeps on going, even if the IP is nullrouted. The 12 hour period is quite 'normal' if you ask me.
    Although, if the attack has stopped, they could also lift the nullroute for you.
    » www.InstantDedicated.com - Online in no time
    » Dedicated Servers in [EU] Netherlands + Belgium with DAILY support, also on weekends
    » 3.2 Tbit/s Network AS49453 with only 100 Gbit/s uplink backbone
    » 1G/10G/40G/100 Gbit ports available | 99,99% Network Uptime goal

  5. #5
    Join Date
    Nov 2001
    Location
    London
    Posts
    4,931
    Quote Originally Posted by Jedito View Post
    Anybody ever faced a 12 hours null route policy after being DDOSed?

    Today one of my servers was attacked, and the datacenter where the server is located told me that a "12hr null-route policy" has been imposed on all the IPs of my block.

    Having had servers in over a dozen different datacenters for over 12 years, I have never faced such a ridiculous policy before. Has anybody else had a similar issue before? Is this common?
    Which facility?

    Nullrouting 1 IP I can understand. You should distribute accounts across multiple IPs on your server as a precautionary measure, or install extended DDoS mitigation equipment. But all of the IPs seems a little rough.
    Matthew Russell | Namecheap
    Twitter: @mattdrussell

    www.easywp.com - True Managed WordPress, made easy

  6. #6
    Join Date
    Aug 2008
    Posts
    536
    Quote Originally Posted by mdrussell View Post
    Which facility?

    Nullrouting 1 IP I can understand. You should distribute accounts across multiple IPs on your server as a precautionary measure, or install extended DDoS mitigation equipment. But all of the IPs seems a little rough.
    You don't know how they attacked. It's possible that they don't attack one IP but multiple IPs in the same range.

    We can only assume why they blocked a whole subnet. You can always ask them why they blocked the full subnet and not just one IP.
    Regards,
    Yourwebhoster.eu [NL] based hosting
    Shared | Reseller | KVM VPS | Reseller VPS

  7. #7
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    Quote Originally Posted by 24x7group View Post
    Most of the time a DDOS keeps on going, even if the IP is nullrouted. The 12 hour period is quite 'normal' if you ask me.
    Although, if the attack has stopped, they could also lift the nullroute for you.

    Seems a little unfair to keep a block for 12 hours instead of monitoring whether the attack keeps going; in my eyes, it looks like laziness and lack of interest in the customer.

    They said that the attack was over the entire IP block.

  8. #8
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    On the first attack it's a bit harsh; typically longer null routes like this are the result of frequent and very large attacks.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  9. #9
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    Quote Originally Posted by FastServ View Post
    On the first attack it's a bit harsh; typically longer null routes like this are the result of frequent and very large attacks.
    Yes, it was the first attack in years.

  10. #10
    Join Date
    Jul 2011
    Location
    Sittingbourne, Kent, UK
    Posts
    197
    12 hours seems a bit excessive, but you don't know how large the attack was, whether the null route actually stopped it, or what it was aimed at. If anything, your provider's saving you a potentially massive overage bill. 12 hours does seem a tad excessive, however.

    Hope you get your kit back online soon!
    RackSRV Communications Limited
    UK specialists in Dedicated Servers & Server Colocation
    Company: 06856870 VAT: GB 934 7073 15 Tel: 0330 111 4444

  11. #11
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    12 hours later, still blocked. Their solution is to allow connection to one IP to migrate accounts... ridiculous if you think about it, because that's my hardware: I need to buy a new one and colo somewhere else, then configure everything, move the data, and wait for the DNS propagation. With that ridiculous suggestion I guess that they don't want me there anymore.

  12. #12
    Join Date
    Nov 2001
    Location
    London
    Posts
    4,931
    Jedito,

    You've been around here long enough... Why not

    - get your own IP blocks / ASN
    - use a service like BlackLotus so you can filter any DDoS attacks yourself

    Then no longer are you at the whim of these types of policy. Are you going to name the service provider?

  13. #13
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    Datacenter is IC2NET, but I'm leasing space through another company, which told me that the datacenter forced them to the 12 hours nullroute policy.

  14. #14
    Join Date
    Feb 2012
    Posts
    276
    Quote Originally Posted by Jedito View Post
    Datacenter is IC2NET, but I'm leasing space through another company, which told me that the datacenter forced them to the 12 hours nullroute policy.
    You're using WEBNX then?

  15. #15
    Join Date
    Jul 2003
    Location
    Atlanta
    Posts
    337
    I can understand 12 and 24 hour null routes on offending IPs, though a full block is a bit extreme. There are exceptions, such as someone moving the attacking site's DNS to every IP within the block, causing the entire subnet to be attacked. In this instance the entire subnet would need to be null routed. If you are paying the provider for a DDoS mitigation service I would see requesting them to monitor the situation; however, if it is just a transit service then I would not expect that.
    Gary Simat
    Total Server Solutions - Bare Metal - Private Cloud - Managed Infrastructure - Colocation - US Based Support
    Atlanta - Dallas - Phoenix - Los Angeles - Seattle - Chicago - Weehawken - New York City - Vancouver - Toronto - London - Amsterdam - Tokyo - Sydney

  16. #16
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    We do use Webnx too, but in this case, it is not Webnx.

  17. #17
    Join Date
    May 2010
    Location
    Ohio
    Posts
    393
    12 hour nullroute on an entire IP range, that seems pretty extreme. Did they tell you any more details about the attack and who/what may have caused it?

  18. #18
    Join Date
    Feb 2005
    Location
    localhost
    Posts
    5,473
    The attack could be affecting other customers and maybe that is why they decided to keep it in place?
    Respectfully,
    Mr. Terrence

  19. #19
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    They say that it affected other customers too, and they still did not remove it.

  20. #20
    Join Date
    Jul 2005
    Posts
    3,784
    Softlayer tried to null route us for 24 hours for a DDOS once.

    I wasn't amused.

  21. #21
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525

    Re: 12 hours nullroute policy?

    Quote Originally Posted by stablehost View Post
    Softlayer tried to null route us for 24 hours for a DDOS once.

    I wasn't amused.
    This is pretty standard outside of DDoS mitigation services.

  22. #22
    Join Date
    Jul 2005
    Posts
    3,784
    Quote Originally Posted by IRCCo Jeff View Post
    This is pretty standard outside of DDoS mitigation services.
    Meh, I'm used to owning our own IP space and having multiple transit providers ;-)

    I'm all for keeping an IP that is being DDOS'd null routed; however, at least in my experience, most DDOS attacks end after an hour if not less, and once the attack has stopped, keeping the null route in place is silly.

  23. #23
    Join Date
    Nov 2001
    Location
    London
    Posts
    4,931
    Quote Originally Posted by stablehost View Post
    Meh, I'm used to owning our own IP space and having multiple transit providers ;-)
    This.

    A customer would be wise choosing an established host who has invested in their network. Unless you were of Gator's size with SoftLayer, few hosts based off dedicated servers will have much traction with their upstreams in these types of incidents.

  24. #24
    Join Date
    Feb 2005
    Location
    localhost
    Posts
    5,473
    Quote Originally Posted by Jedito View Post
    They say that it affected other customers too, and they still did not remove it.
    So if it is affecting other customers, that may be why they are not removing it.

  25. #25
    Join Date
    Sep 2012
    Posts
    253
    Quote Originally Posted by Jedito View Post
    Seems a little unfair to keep a block for 12 hours instead of monitoring whether the attack keeps going; in my eyes, it looks like laziness and lack of interest in the customer.
    They most likely pushed the null route to their upstreams. Once that happens, the traffic isn't coming to them anymore so it's not like they can look at the non existent traffic and determine it's over.

    In my experience even getting reporting data from the upstreams is like pulling teeth and can be a major pita to get. It's just not an easy task to know when the attack actually stops. Plus a lot of times it will just start back up again.

    Not knowing if it's actually over presents the risk of letting an attack affect your entire network again by lifting the null route too soon. Risking the disruption of all your customers vs. the needs of a single customer getting back online asap is not lazy, nor anything other than just good business sense.
