Results 1 to 23 of 23
-
03-27-2011, 09:26 PM #1Web Hosting Master
- Join Date
- Mar 2002
- Location
- •
- Posts
- 785
SoftLayer now limiting high traffic servers with bogus DDoS alerts
They have a secret 500Mbit limit on incoming traffic.
If you go over they nullroute IP's cutting off my traffic.
Note there is no DDoS, the connections are legitimate and it is normal for my server to receive alot of incoming traffic.
I will also point out that this also happens to my servers that I have paid for their gigabit unmetered upgrade.
This has happened several times already.
Hello,
2011-Mar-27 19:41 (GMT-0600)
Due to the large amount of traffic targeted to your IP address 173.193.202.xxx,
SoftLayer has automatically injected the IP address into our Cisco Guard
Protection system. This system diverts traffic destined to the IP address
173.193.202.xxx through hardware devices that will try to identify and block the
specific packets and flows responsible for the attack while allowing legitimate
transactions to pass. The injection of 173.193.202.xxx will remain in place
until this attack subsides and then be automatically removed once traffic levels
reach a normal level.
Details of the event follow:
Exceeded Bits In: 507.4 M (Threshold: 500 M)
-- Best Regards Ramon Server engineer Hosting Services, Inc.
Because of the way I use my server alot of incoming traffic is normal.
This is not a DDoS.
Hello,
Due to the large amount of traffic targeted to your IP address 173.193.202.xxx, SoftLayer has automatically injected the IP address into our Cisco Guard Protection system. We are unable to remove this null route until the time frame.
-- Best Regards Ramon Server engineer Hosting Services, Inc.
-
03-27-2011, 09:36 PM #2Web Hosting Master
- Join Date
- Jun 2006
- Location
- London, Arizona, Utah
- Posts
- 654
Please send me an e-mail to tom@100tb.com and I will look into it. I just picked out some random servers right now - and they are doing way over 500mbit, so I'm not sure it's "servers" and more something to do with the cisco guard automation in place. You can see them here http://i52.tinypic.com/2e5jm01.png, I could pull a good few hundred or maybe more doing way over 500mbit - so this is not the case from what I can see.
Last edited by Thomas; 03-27-2011 at 09:43 PM.
General Manager, 100TB100TB.com -> 21 Datacenter Locations
-
03-27-2011, 10:06 PM #3Web Hosting Master
- Join Date
- May 2008
- Posts
- 858
I believe he's talking about INCOMING traffic (from Internet to server). Looking at the graphs in the picture, they all show high outgoing bandwidth, not incoming.
-
03-27-2011, 11:07 PM #4Junior Guru
- Join Date
- Jan 2010
- Location
- so cal
- Posts
- 234
I don't see why they would limit your incoming traffic. I would assume that incoming traffic is cheaper than outgoing(to them). It would make more sense to limit outgoing traffic instead, if that's even true anyways. I wouldn't blame them for thinking that was a ddos attack.
-
03-27-2011, 11:19 PM #5Web Hosting Master
- Join Date
- Mar 2002
- Location
- •
- Posts
- 785
Yes its incoming traffic (internet to server) that is the problem.
I can see why they do it, that large incoming traffic is unusual.
But what I do not understand is their response that they cannot do anything about it and I should just wait it out.
Bandwidth graph of my server, you can see the big drop in traffic at 19:40 where they speed capped my server.
http://img16.imageshack.us/img16/8761/100tb.png
-
03-27-2011, 11:28 PM #6Web Hosting Master
- Join Date
- Oct 2005
- Location
- United States
- Posts
- 1,405
I don't think they limited your incoming traffic. They just set this policy in their automated system to block large incoming traffic which they assume DDoS attacks. If you can't live with this then find other providers that don't have this automated system and allow high incoming traffic for your server.
Tommy Tran - tommy @ vinax.net ::: VINAX, LLC ::: http://vinax.net ::: Since 2004
Premium Dedicated Servers and Colocation in downtown Chicago (350 E. Cermak Rd)
Premium Bandwidth, 100% Network & Power Uptime SLA, 24/7 Prompt Tech Support
-
03-27-2011, 11:30 PM #7Web Hosting Master
- Join Date
- Oct 2005
- Location
- United States
- Posts
- 1,405
Tommy Tran - tommy @ vinax.net ::: VINAX, LLC ::: http://vinax.net ::: Since 2004
Premium Dedicated Servers and Colocation in downtown Chicago (350 E. Cermak Rd)
Premium Bandwidth, 100% Network & Power Uptime SLA, 24/7 Prompt Tech Support
-
03-27-2011, 11:33 PM #8Junior Guru
- Join Date
- Jan 2010
- Location
- so cal
- Posts
- 234
I thought that 100TB was a small provider...Don't they resell for softlayer?
-
03-28-2011, 12:42 AM #9I route, therefore I am
- Join Date
- Dec 2010
- Location
- Good question
- Posts
- 697
100TB is part of the huge Uk2 Interactive. They're anything but small ;]
And yeah, their US solutions are based on Softlayer.
-
03-28-2011, 12:45 AM #10Web Hosting Master
- Join Date
- Jul 2005
- Location
- Australia - NSW
- Posts
- 1,053
-
03-28-2011, 12:54 AM #11Web Hosting Guru
- Join Date
- Nov 2007
- Posts
- 346
However, actually it does looks like a ddos, why do you have so much incoming traffic?
-
03-28-2011, 03:24 AM #12Junior Guru
- Join Date
- Jan 2006
- Posts
- 245
-
03-28-2011, 03:25 AM #13CISSP-ISSMP, CISA
- Join Date
- Aug 2002
- Location
- Seattle
- Posts
- 5,525
-
03-28-2011, 04:42 AM #14The Guru!
- Join Date
- Nov 2007
- Location
- India, USA and Amsterdam
- Posts
- 2,581
We have servers with 100tb(softlayer DC) with sites that uses a lot of bandwidth. We have no problem with them at all Pushing avg 600-700mbps is no problem at all. They have done a great job so far. If you have proof for legit traffic, Tom would definitely get this sorted out for you.
-
03-28-2011, 05:06 AM #15Junior Guru
- Join Date
- Dec 2004
- Posts
- 210
-
03-28-2011, 08:15 AM #16Junior Guru Wannabe
- Join Date
- Feb 2010
- Posts
- 71
yes, we can see that as well.
we have lot of server at 100tb, i'm not sure how they can define attack, but sometime, i think that will useful, as if you hosted lot of website / domain at one server...if one domain / dedicated ip receive high attack, your server will become unstable.
if they blocked the ip, it will help us , but ofcouse, this will depends on your need.
but so far..i'm really happy they do the null route, as sometime..our client also receive attack, if blocked the ip will help us a lot
Thanks
-
03-28-2011, 09:21 AM #17Web Hosting Master
- Join Date
- Apr 2007
- Location
- United Kingdom
- Posts
- 1,861
From what I remember it isn't 100TB that enforces this, it's put in place by Softlayer. If a server is receiving 500mbps incoming it's usually a good indication that something is wrong so unless you've notified them in advance you can't really blame them for thinking you're being attacked.
-
03-28-2011, 11:41 AM #18Web Hosting Master
- Join Date
- Feb 2003
- Location
- Kuala Lumpur, Malaysia
- Posts
- 4,980
I don't get it, if they move the IP onto cisco guard, why would it get null routed?
-
03-28-2011, 11:41 AM #19Retired Moderator
- Join Date
- Nov 2002
- Location
- WebHostingTalk
- Posts
- 8,901
Yep.... this is an issue with the automation that's in place around the Cisco Guard at Softlayer. I believe we ran in to this as well, both before we went with 100tb and even after.
Unfortunately, you have to get a softlayer level 2 tech to do something about it. The front line guys are not super helpful.I support the Human Rights Campaign!
Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.
-
03-28-2011, 11:49 AM #20Web Hosting Master
- Join Date
- Sep 2005
- Location
- London
- Posts
- 2,409
-
03-28-2011, 12:18 PM #21Web Hosting Master
- Join Date
- Mar 2002
- Location
- •
- Posts
- 785
To be more specific they did not null route the server, but they blocked the IPs that were sending alot of traffic to my server (which was legitimate).
Tom from 100TB replied to my email that he has asked softlayer to whitelist my server IP's so it wont happen again, he will reply to me when he gets a response from softlayer.
-
03-28-2011, 12:33 PM #22Junior Guru Wannabe
- Join Date
- Feb 2010
- Posts
- 71
-
03-28-2011, 01:30 PM #23Web Hosting Master
- Join Date
- Feb 2003
- Location
- Kuala Lumpur, Malaysia
- Posts
- 4,980
pardon me for the stupidity
makes sense.
Similar Threads
-
Hetzner DDOS Alerts - What to do?
By ITUT in forum Running a Web Hosting BusinessReplies: 9Last Post: 12-14-2010, 07:27 PM -
SoftLayer Powered | 1Gbps Unmetered _Dedicated_ Servers | DDos Protection | FREE OS
By WizzSupport in forum Dedicated Hosting OffersReplies: 1Last Post: 08-12-2010, 02:13 PM -
High traffic low budget servers with dutch quality traffic
By xs-24 in forum Dedicated Hosting OffersReplies: 12Last Post: 08-26-2007, 08:50 AM -
Enhance.com pay per click, good or bogus traffic?
By apexio in forum Running a Web Hosting BusinessReplies: 4Last Post: 11-27-2005, 04:03 PM