  1. #1
    Join Date
    Oct 2010
    Posts
    74

    Softlayer + Limestone abuse department is a joke

    Ok so here's the story:

    Yesterday, I contacted Softlayer first by phone, which I was quickly referred to email [email protected] about a server on their network DDosing mine, with traffic logs from my host.

    So of course, I went ahead and gave them the offending ip, my ip, and the traffic logs including down to the second timestamps.

    Over the course of the day, we took THREE more attacks from the same ip, as confirmed again by my host. I contacted Softlayer by phone, keeping a "somewhat" cool head, informing them that this was illegal, and that they've had over 24 hours notice about the offending ip, and still done nothing. I requested they speed up the abuse process, which the nice lady said she'd forward my complaint again to their legal team.

    6 hours AFTER my phone conversation, I haven't heard a word back from them, and literally 20 minutes ago, just got attacked again.

    Now onto Limestone network. Two servers from their company were also involved in this attack, and I contacted them using the proper form on their website WITH logs and timestamps to no avail. I ended up PMing a limestone rep on this site, which he said the complaint would be addressed. However, those two SAME servers, were also involved in later attacks throughout the evening.

    I'd really like to know from the hosting community gurus what it will take for me to get the offensive servers shut down, because continuously contacting these companies hasn't helped at all. Do I seriously need to sue them to resolve this or what?

  2. #2
    Probably they need a bit more information to prove the fact of attack.
    Alnitech.com - dedicated servers for your business
    Dedicated Servers, Disaster Recovery, IaaS & More.
    ✓ 24x7 h/w Support & Server Monitoring
    ✓ 21-day Money-back Guarantee

  3. #3
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by alnitech View Post
    Probably they need a bit more information to prove the fact of attack.
    They did not even attempt to contact me back asking for more information. And isn't 4 attacks over the next ~30+ hour period enough proof assuming anybody in their support staff bothered to monitor the situation?

  4. #4
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    4,845
    Quote Originally Posted by RPGamer1 View Post
    Now onto Limestone network. Two servers from their company were also involved in this attack, and I contacted them using the proper form on their website WITH logs and timestamps to no avail. I ended up PMing a limestone rep on this site, which he said the complaint would be addressed. However, those two SAME servers, were also involved in later attacks throughout the evening.

    We've had the same thing. I contacted Mike on here and all he did was say 'it will be looked after'.

    We included full tcpdumps of said floods and they just didn't care. I already called them out in the premium section and let them know that the next step is public to get the word out and looked after. So far every single booter/botnet I've helped rip apart has a ton of limestone boxes and all of them remain online with their C&C processes/files still live.

    Francisco
    BuyVM - OpenVZ & KVM Based VPS Servers - Chat with us
    - All popular VPN methods supported
    - Affordable offloaded MySQL & DDoS protection
    - 5GB backup space, unmetered private LAN bandwidth & native IPv6 included. All with a strong serving of pony

  5. #5
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by DeltaAnime View Post
    We've had the same thing. I contacted Mike on here and all he did was say 'it will be looked after'.

    We included full tcpdumps of said floods and they just didn't care. I already called them out in the premium section and let them know that the next step is public to get the word out and looked after. So far every single booter/botnet I've helped rip apart has a ton of limestone boxes and all of them remain online with their C&C processes/files still live.

    Francisco

    Interesting. I haven't even picked through all the logs my host has given me, I just did the top few, but Limestone servers have attacked me in the past as well.

    My logs aren't full TCP dumps, but they provide more than enough information to spend 30 seconds looking at the customer's bandwidth at the time of the incident, and matching it with my logs.

    If they don't believe me, then maybe a Liquidweb rep (I'm hosted with them, and they are the most helpful people I've ever met), can verify from my ticket history that the ips and logs are genuine.

  6. #6
    Join Date
    Aug 2004
    Location
    Dallas, TX
    Posts
    3,507
    Sneaking suspicion that Softlayer's abuse dept is M-F 9-5 or something like that...?
    Dallas Colocation by Incero, 8 years and counting!
    e: sales(at)incero(dot)com • 855.217.COLO (2656)
    Colocation & Enterprise Servers, SATA/SAS/SSD, secure IPMI/KVM remote control, 100% U.S.A. Based Staff
    SSAE 16, SAS70, Redundant Power & Network, Fully Diverse Fiber

  7. #7
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,084
    Can I ask a question or two?

    What do you want them to do and in what timeframe?

    Why not just block the IP if you know it's a single ip?

    Do you want the provider to contact their client and advise them, giving them time to correct or just null route based on your email and logs that could be fabricated?

    I am not saying that I don't believe you, I do but put yourself in the shoes of the client on this server or as the host. They can't just take a phone call and start pulling cables. I know you want it to happen faster but it is reasonable for the datacenter to take your report, investigate and actually discuss with their client.

    Francisco, I am sure you don't just turn off your customer's service at the first phone call or with an email with the offending ip. I am sure you actually investigate first.
    André Allen | E: aallen(a)linovus.ca
    Linovus Holdings Inc
    Shared Hosting, Reseller Hosting, VPS, Dedicated Servers & Public Cloud | USA, Canada & UK - 24x7x365 Support

  8. #8
    Join Date
    Aug 2007
    Location
    L.A., CA
    Posts
    3,706
    Hmmm, seems like Limestone might have quite a few bad apple customers.
    We've had multiple DDOS's originating from Limestone network recently to some of our customers.

  9. #9
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    4,845
    Quote Originally Posted by Coolraul View Post
    Francisco, I am sure you don't just turn off your customer's service at the first phone call or with an email with the offending ip. I am sure you actually investigate first.
    It doesn't help when it's a multi Gbit flood.

    It gets better you see. At least 2 of the times I talked to a tech where they confirmed there was a large UDP flood originating from the boxes over the phone yet still refused to even nullroute our ip's to at least assist.

    If we see a VPS launch an outbound flood they're suspended on the spot. We have monitoring systems in place that watch for suspicious process names and act accordingly.

    We're not talking a few hours here. We're talking that some of the boxes I looked at were still dirty weeks after being reported.

    Francisco

  10. #10
    Join Date
    May 2007
    Posts
    438
    What IP/range have you been getting attacked with? I've been getting probes from both hosts, as well.

    For both companies, I find myself filing an abuse report for a single IP multiple times. Not so much the case with other networks/hosts.

  11. #11
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by Coolraul View Post
    Can I ask a question or two?

    What do you want them to do and in what timeframe?

    Why not just block the IP if you know it's a single ip?

    Do you want the provider to contact their client and advise them, giving them time to correct or just null route based on your email and logs that could be fabricated?

    I am not saying that I don't believe you, I do but put yourself in the shoes of the client on this server or as the host. They can't just take a phone call and start pulling cables. I know you want it to happen faster but it is reasonable for the datacenter to take your report, investigate and actually discuss with their client.

    Francisco, I am sure you don't just turn off your customer's service at the first phone call or with an email with the offending ip. I am sure you actually investigate first.
    I cannot block the ips, as the softlayer box is putting out ~400mbps, limestone ones a bit less each.

    And I want the provider to prevent illegal activity by any means. It's been FOUR attacks since the reports were sent in, nothing's been done.

  12. #12
    I just think that when problem is not able to get solved, the answers are like this.

    But I've some servers with softlayer, and they are working like a charm

  13. #13
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,084
    Quote Originally Posted by RPGamer1 View Post
    I cannot block the ips, as the softlayer box is putting out ~400mbps, limestone ones a bit less each.

    And I want the provider to prevent illegal activity by any means. It's been FOUR attacks since the reports were sent in, nothing's been done.
    Fair enough. It sounded like you had sent one report in and posted after 24 hours.

  14. #14
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by Coolraul View Post
    Fair enough. It sounded like you had sent one report in and posted after 24 hours.
    2 Phone calls, 3 e-mails, one forum pm spread throughout both companies, over about 30 hours, and we still got attacked. Apparently limestone has bigger issues though.

  15. #15
    Join Date
    Dec 2001
    Location
    Atlanta
    Posts
    4,419
    Quote Originally Posted by RPGamer1 View Post
    I cannot block the ips, as the softlayer box is putting out ~400mbps, limestone ones a bit less each.

    And I want the provider to prevent illegal activity by any means. It's been FOUR attacks since the reports were sent in, nothing's been done.
    You should be able to block the ips of the originators. Volume does not matter - it will shut off all traffic from that box.

    I would think they would be interested in this since it's running up their network with an outbound ddos.
    Dedicated Servers
    WWW.NETDEPOT.COM
    Since 2000

  16. #16
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by sailor View Post
    You should be able to block the ips of the originators. Volume does not matter - it will shut off all traffic from that box.

    I would think they would be interested in this since it's running up their network with an outbound ddos.
    Not if they're sending 150% of my pipe's throughput.

  17. #17
    Join Date
    Jul 2003
    Location
    North Carolina USA
    Posts
    180
    I would be almost raging right now if my server was getting ddos and I contacted a provider where the attacks were originating from and they did nothing after 24 hours. I would start to calculate how much these attacks are costing you and maybe consider some legal assistance if the companies are refusing to do anything.

  18. #18
    Join Date
    Mar 2005
    Location
    New York City
    Posts
    2,559
    Quote Originally Posted by RPGamer1 View Post
    I cannot block the ips, as the softlayer box is putting out ~400mbps, limestone ones a bit less each.

    And I want the provider to prevent illegal activity by any means. It's been FOUR attacks since the reports were sent in, nothing's been done.
    If you send me a pm with the information necessary (including your SL account ID Number), I'll see what I can do in forwarding it to the right people. I can't make any guarantees, but I've got connections in the management over there.
    Matthew Rosenblatt, and I do lots of things.
    Currently a Master Electrician on Broadway.
    My company, BurstAV, specializes in A/V Systems Design and integration.
    I also own ConcertCables. We build power/data cables for the entertainment industry.

  19. #19
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by Matt R View Post
    If you send me a pm with the information necessary (including your SL account ID Number), I'll see what I can do in forwarding it to the right people. I can't make any guarantees, but I've got connections in the management over there.
    Thanks, but I'm not with SL, I'm with Liquidweb, and they provided me the logs from the attack including Ip, and stats etc. I contacted softlayer to shut down the attacking server.

    Is there anything you can help with about that?

  20. #20
    Join Date
    Mar 2005
    Location
    New York City
    Posts
    2,559
    Quote Originally Posted by RPGamer1 View Post
    Thanks, but I'm not with SL, I'm with Liquidweb, and they provided me the logs from the attack including Ip, and stats etc. I contacted softlayer to shut down the attacking server.

    Is there anything you can help with about that?
    Sorry -- my mind's all over the place.

    If you give me the appropriate logs I'll try, but I still can't make any guarantees. Knowing people can help, but it's definitely not a guaranteed method.

    If you have a ticket ID number with Softlayer, that would definitely be helpful. A ticket should have been opened when you emailed abuse@.

  21. #21
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by Matt R View Post
    Sorry -- my mind's all over the place.

    If you give me the appropriate logs I'll try, but I still can't make any guarantees. Knowing people can help, but it's definitely not a guaranteed method.

    If you have a ticket ID number with Softlayer, that would definitely be helpful. A ticket should have been opened when you emailed abuse@.

    No ticket was opened, but thanks for any help you can provide. Sent the details

  22. #22
    Join Date
    Dec 2001
    Location
    Atlanta
    Posts
    4,419
    Quote Originally Posted by RPGamer1 View Post
    Not if they're sending 150% of my pipe's throughput.
    As I said - what they are sending does not matter. If you null route their ip it stops everything.

    Any way - good luck.

  23. #23
    Join Date
    Jan 2011
    Location
    Ohio
    Posts
    467
    sailor, how do you do this?

    Also, I'm not getting ddos attacks, I'm getting flipping DNS queries like no tomorrow.

  24. #24
    Join Date
    Dec 2001
    Location
    Atlanta
    Posts
    4,419
    Quote Originally Posted by bluemer View Post
    sailor, how do you do this?

    Also, I'm not getting ddos attacks, I'm getting flipping DNS queries like no tomorrow.

    You set up a simple acl on the routers that blocks the ips that are coming to you.

    If they are a handful it's easy. If there are a lot then you may have to run some software or a hardware appliance that will block them out by building an on the fly acl based on an algorithm of abusive requests or ddos etc.

    That can get pricey.

    There are some free ones out there that you can be using - you can even use one server as a filter.

  25. #25
    Join Date
    Feb 2010
    Posts
    38
    Quote Originally Posted by sailor View Post
    You set up a simple acl on the routers that blocks the ips that are coming to you.

    If they are a handful it's easy. If there are a lot then you may have to run some software or a hardware appliance that will block them out by building an on the fly acl based on an algorithm of abusive requests or ddos etc.

    That can get pricey.

    There are some free ones out there that you can be using - you can even use one server as a filter.
    No offense but this sounds nonsense to me.
    Your connection is 100mbit. They flood you with 1gbps.
    There's nothing you can do as a customer.

    Datacenter can, yes. You cannot.

    Same thing for: Your connection is 100mbit. They flood you with 80mbit.
    No matter what you do, you will STILL only have 20mbit to spare.
    You're getting the traffic so afaik only thing you can do is prevent it from sending any back/out.

    If there IS a way do tell what exactly as I'm dying to know. Struggling with ddos attack myself for ages now and I'd love to be able to manage it myself without involving DC

  26. #26
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    Quote Originally Posted by RRyan View Post
    No offense but this sounds nonsense to me.
    Your connection is 100mbit. They flood you with 1gbps.
    There's nothing you can do as a customer.

    Datacenter can, yes. You cannot.

    Same thing for: Your connection is 100mbit. They flood you with 80mbit.
    No matter what you do, you will STILL only have 20mbit to spare.
    You're getting the traffic so afaik only thing you can do is prevent it from sending any back/out.

    If there IS a way do tell what exactly as I'm dying to know. Struggling with ddos attack myself for ages now and I'd love to be able to manage it myself without involving DC
    Yes but what he is saying is ask liquidweb to ACL those IP's rather than wait for the providers to kill the offenders. ACL'ing them will stop the link saturation.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]
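
The disagreement in posts #25 and #26 is about where the drop happens relative to the saturated link. As an added example (not code from any poster in this thread), the Python below takes per-second flow records, assumed to be measured at the provider's edge, lists the sources above a threshold with their first and last timestamps for an abuse report, and says whether a host firewall can help or the block has to sit upstream. The record format, addresses, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: "UTC timestamp,source IP,bytes seen in that second".
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_FLOWS = """\
2011-02-01T20:15:01Z,198.51.100.10,50000000
2011-02-01T20:15:01Z,203.0.113.20,37500000
2011-02-01T20:15:01Z,203.0.113.21,37500000
2011-02-01T20:15:01Z,192.0.2.77,250000
2011-02-01T20:15:02Z,198.51.100.10,50000000
2011-02-01T20:15:02Z,203.0.113.20,25000000
2011-02-01T20:15:02Z,192.0.2.77,125000
"""


def parse_flows(text):
    """Turn the CSV text into (datetime, source, bytes) tuples."""
    records = []
    for line in text.strip().splitlines():
        stamp, src, nbytes = line.split(",")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        records.append((when, src, int(nbytes)))
    return records


def mbps(nbytes):
    """Bytes seen in one second, expressed as megabits per second."""
    return nbytes * 8 / 1_000_000


def assess(records, link_mbps, offender_mbps):
    """Find sources whose peak rate reaches offender_mbps and compare the
    combined attack peak with the customer's link capacity."""
    per_src = defaultdict(lambda: defaultdict(int))  # src -> second -> bytes
    for when, src, nbytes in records:
        per_src[src][when] += nbytes

    offenders = []
    for src, seconds in per_src.items():
        peak = max(mbps(b) for b in seconds.values())
        if peak >= offender_mbps:
            offenders.append({"src": src, "peak_mbps": peak,
                              "first_seen": min(seconds),
                              "last_seen": max(seconds)})
    offenders.sort(key=lambda o: o["peak_mbps"], reverse=True)

    bad = {o["src"] for o in offenders}
    attack_per_second = defaultdict(int)
    for when, src, nbytes in records:
        if src in bad:
            attack_per_second[when] += nbytes
    attack_peak = max((mbps(b) for b in attack_per_second.values()), default=0.0)

    return {
        "offenders": offenders,
        "attack_peak_mbps": attack_peak,
        # At or above link capacity the port is already full before any host
        # firewall sees a packet, so the drop has to happen upstream.
        "filter_at": "upstream" if attack_peak >= link_mbps else "host",
        # Capacity left for legitimate traffic while the flood still arrives.
        "headroom_mbps": max(link_mbps - attack_peak, 0.0),
    }


def report_lines(result):
    """One line per offending source, with to-the-second UTC timestamps."""
    fmt = "%Y-%m-%d %H:%M:%S UTC"
    return [f"{o['src']} peak={o['peak_mbps']:.0f}Mbps "
            f"first={o['first_seen'].strftime(fmt)} "
            f"last={o['last_seen'].strftime(fmt)}"
            for o in result["offenders"]]


if __name__ == "__main__":
    summary = assess(parse_flows(SAMPLE_FLOWS), link_mbps=100, offender_mbps=50)
    print(summary["filter_at"], summary["attack_peak_mbps"])
    print("\n".join(report_lines(summary)))
```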

  27. #27
    Join Date
    Oct 2002
    Location
    Vancouver, B.C.
    Posts
    2,656
    Another alternative, if an ACL isn't feasible, is to advertise a null route for your IP specifically to the ingress point into your provider's network. Presuming the attack is coming in through one of your provider's upstreams, your IP would still be available through their other upstreams, which would still be better than being down completely. If it's coming in through a peer, that accepts /32's, even better. If it's coming in through a peer that doesn't accept /32's however, you might be out of luck.
    ASTUTE HOSTING: Advanced, customized, and scalable solutions with AS54527 Premium Canadian Optimized Network (Level3, PEER1, Shaw, Tinet)
    MicroServers.io: Enterprise Dedicated Hardware with IPMI at VPS-like Prices using AS63213 Affordable Bandwidth (Cogent, HE, Tinet)
    Dedicated Hosting, Colo, Bandwidth, and Fiber out of Vancouver, Seattle, LA, Toronto, NYC, and Miami

  28. #28
    Join Date
    Oct 2010
    Posts
    74
    Well, I've learned a fair bit reading these replies, but I can't keep asking my host to continuously add more and more ACL rules to their routers slowing down the entire network..

  29. #29
    Join Date
    Sep 2008
    Location
    Dallas, TX
    Posts
    4,552
    Quote Originally Posted by RPGamer1 View Post
    Ok so here's the story:

    Yesterday, I contacted Softlayer first by phone, which I was quickly referred to email [email protected] about a server on their network DDosing mine, with traffic logs from my host.

    So of course, I went ahead and gave them the offending ip, my ip, and the traffic logs including down to the second timestamps.

    Over the course of the day, we took THREE more attacks from the same ip, as confirmed again by my host. I contacted Softlayer by phone, keeping a "somewhat" cool head, informing them that this was illegal, and that they've had over 24 hours notice about the offending ip, and still done nothing. I requested they speed up the abuse process, which the nice lady said she'd forward my complaint again to their legal team.

    6 hours AFTER my phone conversation, I haven't heard a word back from them, and literally 20 minutes ago, just got attacked again.

    Now onto Limestone network. Two servers from their company were also involved in this attack, and I contacted them using the proper form on their website WITH logs and timestamps to no avail. I ended up PMing a limestone rep on this site, which he said the complaint would be addressed. However, those two SAME servers, were also involved in later attacks throughout the evening.

    I'd really like to know from the hosting community gurus what it will take for me to get the offensive servers shut down, because continuously contacting these companies hasn't helped at all. Do I seriously need to sue them to resolve this or what?
    LSN abuse department is not a joke, I know that since I used to work for them. They take abuse extremely seriously. It must be an isolated issue, maybe you should ask to be transferred to Ryan G if he's available since he is head of abuse?
    Jacob Wall - GetCloak.com

  30. #30
    Join Date
    Jun 2007
    Location
    Los Angeles, CA
    Posts
    318
    Contact ARIN / RIPE directly, go to the source, also make a complaint on the response time from SL LS.....
    Richard Perez | PureWeb
    Dedicated Servers - cPanel Web Hosting - cPanel Reseller Hosting
    6 Nationwide Locations. 100% Network SLA. Established in 2007. True 24/7/365 Support.
    Follow us on Twitter: @purewebtech. Network POPS in: LAX - CHI - DFW - NYC - SEA - ATL

  31. #31
    Join Date
    Jan 2011
    Location
    Ohio
    Posts
    467
    I actually contacted ARIN for China directly.. I know it's called something else, but anyway I forget.. I emailed them regarding an IP address from a University in China sending DNS queries to me like 1,000 times an hour from the same ip.. They wouldn't do anything. They told me to contact the university directly. Alright.. I'm in good ol US, speak English only, and I am supposed to contact some university in China... Gee thanks world!

  32. #32
    Join Date
    Nov 2003
    Posts
    538
    Don't forget also that even if your datacenter blocks the attack at their edge someone still has to pay for the bandwidth the attack is consuming between your provider's edge and their provider.

    It will only get worse with hosting companies now offering 10Gbps connections on single servers. My main thing is you are going to give someone what is essentially a weapon and only have your abuse department open 9-5 Monday-Friday, that seems like a huge oversight but that is just my 0.02 =)
    XLHost.com
    Dedicated Servers, Virtual Private Servers, and more since 1995.
    drew @ xlhost.com

  33. #33
    Join Date
    Jan 2011
    Location
    India
    Posts
    1,446
    Sue them, or give them a warning over phone or email that you are going to take strict steps against them if they don't resolve this within your given time, which may be 1 day. If they don't take any action then you should surely sue them

  34. #34
    Join Date
    Oct 2002
    Location
    Vancouver, B.C.
    Posts
    2,656
    Quote Originally Posted by RichardPerez View Post
    Contact ARIN / RIPE directly, go to the source, also make a complaint on the response time from SL LS.....
    They deal with IP Addressing, and have absolutely no control over any network traffic. If there's going to be any escalations to third parties, it should be to the source network's upstream where the attack is going through.
