Thread: 12 hours nullroute policy?
-
07-03-2013, 02:48 AM #1Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
12 hours nullroute policy?
Has anybody ever faced a 12-hour null route policy after being DDoSed?
Today one of my servers was attacked, and the datacenter where the server is located told me that a "12hr null-route policy" has been imposed on all the IPs of my block.
Having had servers in over a dozen different datacenters for over 12 years, I have never faced such a ridiculous policy before. Has anybody else had a similar issue? Is this common?
█ Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
█ LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
█ Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
█ DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore
-
07-03-2013, 02:55 AM #2Web Hosting Guru
- Join Date
- Sep 2012
- Posts
- 253
Haven't received one, no. But have handed them out, several times, and for 24 hours not 12. Although they were for the /32 being attacked and not an entire block. But if the entire block was being attacked, then yeah, definitely.
-
07-03-2013, 03:30 AM #3Web Hosting Master
- Join Date
- Mar 2008
- Location
- Los Angeles, CA
- Posts
- 555
If they blocked your entire subnet then I would not consider that acceptable.
To me it sounds like they don't have a very well managed network (no netflow setup) and basically were unable to tell which IP address it was going to and are only going by port (and thus customer) and thus blocking your entire subnet.
I would probably try to find a different host after that.
-
07-03-2013, 04:13 AM #4Cable Director
- Join Date
- Aug 2007
- Location
- Datacenter
- Posts
- 4,414
Most of the time a DDOS keeps on going, even if the IP is nullrouted. The 12 hour period is quite 'normal' if you ask me.
Although, if the attack has stopped, they could also lift the nullroute for you
» www.InstantDedicated.com - Online in no time
» Dedicated Servers in [EU] Netherlands + Belgium with DAILY support, also on weekends
» 3.2 Tbit/s Network AS49453 with only 100 Gbit/s uplink backbone
» 1G/10G/40G/100 Gbit ports available | 99,99% Network Uptime goal
-
07-03-2013, 04:48 AM #5Web Hosting Master
- Join Date
- Nov 2001
- Location
- London
- Posts
- 4,931
Matthew Russell | Namecheap
Twitter: @mattdrussell
www.easywp.com - True Managed WordPress, made easy
-
07-03-2013, 04:58 AM #6Web Hosting Evangelist
- Join Date
- Aug 2008
- Posts
- 536
-
07-03-2013, 08:36 AM #7Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
-
07-03-2013, 09:16 AM #8Randy
- Join Date
- Aug 2006
- Location
- Ashburn VA, San Diego CA
- Posts
- 4,615
On the first attack it's a bit harsh; typically longer null routes like this are the result of frequent and very large attacks.
Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
Since 2003 - Ashburn VA + San Diego CA Datacenters
-
07-03-2013, 09:20 AM #9Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
-
07-03-2013, 10:02 AM #10Junior Guru
- Join Date
- Jul 2011
- Location
- Sittingbourne, Kent, UK
- Posts
- 197
12 hours seems a bit excessive, but you don't know how large the attack was, whether the null route actually stopped it, or what it was aimed at, and if anything your provider's saving you a potentially massive overage bill. 12 hours does seem a tad excessive, however.
Hope you get your kit back online soon!
RackSRV Communications Limited
UK specialists in Dedicated Servers & Server Colocation
Company: 06856870 VAT: GB 934 7073 15 Tel: 0330 111 4444
-
07-03-2013, 12:36 PM #11Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
12 hours later, still blocked. Their solution is to allow connection to one IP to migrate accounts... ridiculous if you think about it, because that's my hardware: I need to buy a new one and colo somewhere else, then configure everything, move the data, and wait for the DNS propagation. With that ridiculous suggestion I guess that they don't want me there anymore.
-
07-03-2013, 12:39 PM #12Web Hosting Master
- Join Date
- Nov 2001
- Location
- London
- Posts
- 4,931
Jedito,
You've been around here long enough... Why not
- get your own IP blocks / ASN
- use a service like BlackLotus so you can filter any DDoS attacks yourself
Then no longer are you at the whim of these types of policy. Are you going to name the service provider?
-
07-03-2013, 12:51 PM #13Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
Datacenter is IC2NET, but I'm leasing space through another company, which told me that the datacenter forced the 12-hour nullroute policy on them.
-
07-03-2013, 12:59 PM #14Web Hosting Guru
- Join Date
- Feb 2012
- Posts
- 276
-
07-03-2013, 01:10 PM #15Web Hosting Guru
- Join Date
- Jul 2003
- Location
- Atlanta
- Posts
- 337
I can understand 12 and 24 hour null routes on offending IPs, though a full block is a bit extreme. There are exceptions, such as someone moving the attacked site's DNS to every IP within the block, causing the entire subnet to be attacked. In this instance the entire subnet would need to be null routed. If you are paying the provider for a DDoS mitigation service I would see requesting them to monitor the situation, however if it is just a transit service then I would not expect that.
Gary Simat
Total Server Solutions - Bare Metal - Private Cloud - Managed Infrastructure - Colocation - US Based Support
██ Atlanta - Dallas - Phoenix - Los Angeles - Seattle - Chicago - Weehawken - New York City - Vancouver - Toronto - London - Amsterdam - Tokyo - Sydney
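The replies above distinguish null-routing only the attacked /32 (which needs per-destination flow data such as NetFlow) from null-routing a whole block when every address in it is being hit. A sketch of that decision, as an added example that is not part of any post in this thread; the flow records, the 500 Mbit/s threshold and the 50% block fraction are constructed assumptions:

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (destination IP, bytes) flow records from one 60-second
# export window. Addresses come from the 203.0.113.0/24 documentation range.
SAMPLE_FLOWS = (
    [("203.0.113.10", 1_500_000)] * 4000   # flood aimed at a single address
    + [("203.0.113.11", 40_000)] * 50      # ordinary traffic
    + [("203.0.113.12", 25_000)] * 80
)

def bps_by_destination(flows, window_s=60):
    """Sum bytes per destination IP and convert to bits per second."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        totals[ipaddress.ip_address(dst)] += nbytes
    return {ip: total * 8 / window_s for ip, total in totals.items()}

def nullroute_plan(flows, block, threshold_bps=500e6,
                   block_fraction=0.5, window_s=60):
    """Return the prefixes to null-route for one customer block.

    Each address in the block receiving at least threshold_bps gets its own
    host route. Only when at least block_fraction of the block's addresses
    are over the threshold (the attack has been spread across the subnet)
    is the whole block returned. Both limits are assumed values.
    """
    net = ipaddress.ip_network(block)
    rates = bps_by_destination(flows, window_s)
    hot = sorted(ip for ip, bps in rates.items()
                 if ip in net and bps >= threshold_bps)
    if hot and len(hot) >= block_fraction * net.num_addresses:
        return [net]
    return [ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}") for ip in hot]

if __name__ == "__main__":
    for prefix in nullroute_plan(SAMPLE_FLOWS, "203.0.113.0/24"):
        print("null-route", prefix)
```

Without per-destination data the only key left is the customer port, which is how a whole subnet ends up blocked for an attack on one address.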
-
07-03-2013, 02:12 PM #16Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
We do use Webnx too, but in this case, it is not Webnx.
-
07-03-2013, 03:51 PM #17Aspiring Evangelist
- Join Date
- May 2010
- Location
- Ohio
- Posts
- 393
12 hour nullroute on an entire IP range, that seems pretty extreme. Did they tell you any more details about the attack and who/what may have caused it?
-
07-03-2013, 04:36 PM #18Web Hosting Guru
- Join Date
- Feb 2005
- Location
- localhost
- Posts
- 5,473
The attack could be affecting other customers and maybe that is why they decided to keep it in place?
Respectfully,
Mr. Terrence
-
07-03-2013, 04:41 PM #19Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
They say that it affected other customers too, and they still have not removed it.
-
07-03-2013, 04:43 PM #20Web Hosting Master
- Join Date
- Jul 2005
- Posts
- 3,784
Softlayer tried to null route us for 24 hours for a DDOS once.
I wasn't amused.
-
07-03-2013, 05:04 PM #21CISSP-ISSMP, CISA
- Join Date
- Aug 2002
- Location
- Seattle
- Posts
- 5,525
-
07-03-2013, 05:08 PM #22Web Hosting Master
- Join Date
- Jul 2005
- Posts
- 3,784
Meh, I'm used to owning our own IP space and having multiple transit providers ;-)
I'm all for keeping an IP that is being DDOS'd null routed; however, at least in my experience, most DDOS attacks end after an hour if not less, and therefore the attack has stopped; keeping the null route in place is silly.
-
07-03-2013, 05:21 PM #23Web Hosting Master
- Join Date
- Nov 2001
- Location
- London
- Posts
- 4,931
-
07-03-2013, 05:23 PM #24Web Hosting Guru
- Join Date
- Feb 2005
- Location
- localhost
- Posts
- 5,473
-
07-03-2013, 08:44 PM #25Web Hosting Guru
- Join Date
- Sep 2012
- Posts
- 253
They most likely pushed the null route to their upstreams. Once that happens, the traffic isn't coming to them anymore so it's not like they can look at the nonexistent traffic and determine it's over.
In my experience even getting reporting data from the upstreams is like pulling teeth and can be a major pita to get. It's just not an easy task to know when the attack actually stops. Plus a lot of times it will just start back up again.
The not knowing if it's actually over presents the risk of letting an attack affect your entire network again by lifting the null route too soon. Risking the disruption of all your customers vs. the needs of a single customer getting back online asap is not lazy, nor anything other than just good business sense.