  1. #1
    Join Date
    Apr 2009
    Posts
    1,320

    Is it normal for a datacenter to nullroute IP for DDOS?

    If my server is being DDoSed and I am on an unmetered dedicated port, is it normal for the datacenter to nullroute my server's IP?

  2. #2
    Join Date
    Mar 2011
    Location
    UK - England
    Posts
    82
    As far as I am aware it is, it is a quick fail-safe to prevent their systems being bogged down with the traffic.

  3. #3
    Join Date
    Jan 2011
    Location
    Varna, Bulgaria
    Posts
    1,270
    Yes, it is normal. Unless you are explicitly paying for specialized DDoS protection service, but this is expensive.

  4. #4
    Join Date
    Apr 2009
    Posts
    1,320
    But I am on a dedicated port, how does this affect the rest of their network?

  5. #5
    Join Date
    Jan 2011
    Location
    Varna, Bulgaria
    Posts
    1,270
    Your dedicated port may be 1000Mbps but the datacenter may be receiving 20x1000Mbps of DDoS (or higher)... so yes, it can affect their other customers.

  6. #6
    Join Date
    Apr 2009
    Posts
    1,320
    If only my secondary IP is being DDoSed, shouldn't the datacenter only nullroute that particular secondary IP?

  7. #7
    Quote Originally Posted by chasebug
    If only my secondary IP is being DDoSed, shouldn't the datacenter only nullroute that particular secondary IP?
    That would be the normal way of doing things, yes.
    Phoenix Dedicated Servers -- IOFLOOD.com
    Email: sales [at] ioflood.com
    Skype: iofloodsales
    Backup Storage VPS -- 1TBVPS.com

  8. #8
    Join Date
    Jan 2011
    Location
    Varna, Bulgaria
    Posts
    1,270
    Yes, nullroute can be per IP. If only one IP is being attacked, it is logical to nullroute only that IP.

  9. #9
    Join Date
    Apr 2009
    Posts
    1,320
    If my main server's IP is being nullrouted, will my other sites that are on the secondary IP still load?

  10. #10
    Join Date
    Jan 2011
    Location
    Varna, Bulgaria
    Posts
    1,270
    It depends on many things. To know what is nullrouted just try to ping all your IPs and see if you receive any answers.
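
The per-IP check suggested in the post above, as an added example that is not part of the original thread: it probes every address assigned to the server and separates "only some IPs unreachable" (consistent with a per-IP null route) from "everything unreachable". The addresses are constructed placeholders from the RFC 5737 documentation range, and the default probe assumes the Linux iputils `ping` flags.

```python
import subprocess


def ping_once(ip, timeout_s=2):
    """Default probe: one ICMP echo via the system ping (Linux iputils flags assumed)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), ip],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def classify(ips, probe=ping_once, attempts=3):
    """Probe each IP and return (per_ip, verdict).

    An IP counts as reachable if any one of `attempts` probes succeeds,
    so a single lost packet does not read as a null route.
    """
    per_ip = {ip: any(probe(ip) for _ in range(attempts)) for ip in ips}
    down = [ip for ip, ok in per_ip.items() if not ok]
    up = [ip for ip, ok in per_ip.items() if ok]
    if not down:
        verdict = "all reachable: no null route visible from this vantage point"
    elif not up:
        verdict = "none reachable: whole server down, or every IP filtered"
    else:
        verdict = ("partial: " + ", ".join(down) + " unreachable while "
                   "other IPs answer; consistent with a per-IP null route")
    return per_ip, verdict


if __name__ == "__main__":
    # Constructed sample addresses; replace with the server's real IPs.
    sample_ips = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    results, verdict = classify(sample_ips)
    for ip, ok in results.items():
        print(f"{ip:15} {'reachable' if ok else 'NO ANSWER'}")
    print(verdict)
```

Run it from a machine outside the provider's network, since a null route applied upstream is not visible from the server itself. A host firewall that drops ICMP gives the same "no answer" result, so confirm with the provider before concluding an IP is null-routed.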

  11. #11
    Join Date
    Feb 2008
    Posts
    829
    Yes it's normal, and yeah, it sucks. Until the government actually makes DDoS illegal when it's not against multi-billion-dollar corporations, not much can be done. Basically have to hope the ones doing it get bored. Not worth switching to another host either as they'll just DDoS the new IP. Can't win against these.

  12. #12
    Join Date
    Dec 2005
    Location
    The Netherlands
    Posts
    107
    If possible they block the incoming IP (so source address) for DoS attacks, however for DDoS (which stands for Distributed Denial of Service) there are often (too) many IPs to block (for example, a botnet) and then they block the destination IP.

    So yes; for a DDoS it's common practice they block your server IP (because it's the destination) and the source comes from more than one IP.
    Last edited by Mikej0h; 03-19-2011 at 06:06 PM.

  13. #13
    Join Date
    Apr 2009
    Posts
    1,320
    I was logged into my server while the supposed DDOS was taking place, I noticed nothing abnormal, the load, CPU usage, and memory usage remained the same.

    I am wondering if the server is just getting more traffic and they mistakenly thought it is a DDOS instead. This is a load balanced site and none of my other servers are getting any DDOS activity.

  14. #14
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    Many companies can and will filter the attack before making the decision to null route.

  15. #15
    Join Date
    Jun 2007
    Posts
    99
    Quote Originally Posted by chasebug
    I was logged into my server while the supposed DDOS was taking place, I noticed nothing abnormal, the load, CPU usage, and memory usage remained the same
    What data center?

  16. #16
    Join Date
    Mar 2009
    Posts
    3,807
    Quote Originally Posted by chasebug
    I was logged into my server while the supposed DDOS was taking place, I noticed nothing abnormal, the load, CPU usage, and memory usage remained the same.

    I am wondering if the server is just getting more traffic and they mistakenly thought it is a DDOS instead. This is a load balanced site and none of my other servers are getting any DDOS activity.
    Spewing bandwidth at you doesn't mean you'll get HTTP requests or anything

  17. #17
    O boy, I miss getting DDos'ed and having my stuff down for hours. . .

  18. #18
    Join Date
    May 2006
    Location
    NJ, USA
    Posts
    6,456
    I've never seen a main IP be nulled and the others work
    Last edited by Dougy; 03-19-2011 at 09:35 PM. Reason: grammar
    simplywww: directadmin and cpanel hosting that will rock your socks
    Need some work done in a datacenter in the NYC area? NYC Remote Hands can do it.

    Follow my "deals" Twitter for hardware specials.. @dougysdeals

  19. #19
    Join Date
    Apr 2009
    Posts
    1,320
    Quote Originally Posted by brandonsf
    O boy, I miss getting DDos'ed and having my stuff down for hours. . .
    Over 10 hours downtime and still down. No communication from the datacenter about nullroute, my own monitoring picked it up that my server is down.

    Disappointed.

  20. #20
    Join Date
    Jun 2001
    Location
    Denver, CO
    Posts
    3,301
    Quote Originally Posted by chasebug
    Over 10 hours downtime and still down. No communication from the datacenter about nullroute, my own monitoring picked it up that my server is down.

    Disappointed.
    Sorry to hear about your experience. I can say that null routing is pretty normal when a provider gets a big attack. That being said, they should at least be communicating with you about the situation.
    Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
    AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
    Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
    Current specials here. Check them out.

  21. #21
    if an IP is getting DDOSed, is it possible to just limit or cap the speed on that IP so it will not consume too much bandwidth?

  22. #22
    Join Date
    Jul 2000
    Posts
    2,063
    Quote Originally Posted by shinjikenny
    if an IP is getting DDOSed, is it possible to just limit or cap the speed on that IP so it will not consume too much bandwidth?
    Easier said than done. If a DDOS attack is maxing out your line, they might as well nullroute your IP address.
    Now, if they limit your line and an attack is completely maxing out your limited bandwidth, you won't be able to access your site anyway and it will use up your bandwidth allowance.
    I choose not to use my signature for advertising.

    It doesn't matter how much you claim how important your data is. If it's not backed up, it's not important.

  23. #23
    so when will a DDOS attack stop? until they consumed their bandwidth on the server they use?

    is it possible to counter attack?
    say, DDOS each of their servers that they use for DDOSing?

  24. #24
    Join Date
    Jul 2000
    Posts
    2,063
    Quote Originally Posted by shinjikenny
    so when will a DDOS attack stop? until they consumed their bandwidth on the server they use?

    is it possible to counter attack?
    say, DDOS each of their servers that they use for DDOSing?
    DDoS is almost always from a collection of computers (or zombies, as they call them). Those computers are infected with viruses without their owners knowing.

    Now, a mastermind (or a group) behind an attack will send a command to his (or their) infected zombies to connect to a target continually.
    A single connection alone is nothing but when there are hundreds/thousands of computers hitting a site simultaneously non-stop, then it starts to max out one's bandwidth.

    That is the most basic form of DDoS attack.

    Which means unless you know who the mastermind is, it's almost impossible to "counter-attack". Even if you do know, it's hard to get back at them.

  25. #25
    The ddos attacks are typically done by kiddies who have nothing better to do, or if you have a shop or important business - to demand money. If not, there might be some disgruntled user of your service.

    The ddos attacks are usually done with botnets, or hacked servers, so there is no such thing as "the bandwidth runs out". It stops either when the server admins of the servers where the ddos comes from - figure out that their machines were hacked, and just pull the plug and clean their stuff, or when the kiddie that does the ddos simply stops.

    "Counter attack" "DDoS the servers where they send ddos" is illegal, because by sending ddos, you would have to hack machines. I assume no decent isp would willingly allow you to ddos from your own machines, so this option is way out of the question.

    If you have a serious business, and you are losing money for having your services down, then you have to look into ddos protected services - which are not very cheap.
    XSBackup - keeping your data secure. Offsite redundant backups - RAID6 storage / rSync / SSH / FTP access. Whitelabel services / Reseller accounts available.
    NEW! - If you need awesome admins to secure, optimize and maintain your servers, you're in the right place.

  26. #26
    Join Date
    Mar 2009
    Posts
    3,807
    Quote Originally Posted by shinjikenny
    so when will a DDOS attack stop? until they consumed their bandwidth on the server they use?

    is it possible to counter attack?
    say, DDOS each of their servers that they use for DDOSing?
    - It can go on forever - if you annoy the wrong group it might never stop. Ever.

    - Illegal

    - They aren't their servers, they're hacked, you're taking out legitimate normal systems, illegal

  27. #27
    how about blocking all IP except for the IP of the clients?
    for example, a game server...
    all IPs are initially blocked from accessing the server, then when a client registers, his IP will be unblocked and he will now be able to access the server..

    is this possible?

  28. #28
    No it's not possible, because the ddos attack will still fill up your network port. Only small ddos attacks under let's say 50 mb/s can be filtered somewhat properly at server level, and that requires some extensive knowledge as well. And it's not a guarantee they can be filtered either, because a 50 mbps attack can send about 200 000 pps and that will hog the cpu, and it's no joy.

    You have 2 solutions:

    If you have pissed someone off, just let it go, and try to ignore them. At some point they get bored.

    If it's a customer that pissed someone off, ask that customer to stop whatever he's doing, or in an extreme case, if he keeps going on willingly, that is just bad behavior and the customer has to be removed.

  29. #29
    what if the server provider advertises that their servers have DDOS protection? Does that mean I'll be safe from DDOS attacks?
    this one says it has DDOS protection:

    Operating system: All linux
    (see the upgrade section for Windows)
    CPU: Intel Pentium G6950
    Cores: 2
    Threads: 2
    Memory: 4GB
    Harddrive: 500GB SATA
    Raid: none
    Bandwidth: 25TB
    IP addresses: 4
    Portspeed: 1000 mbit
    Management: Full managed
    DDOS Protection: Yes
    Price per month: $199.00
    Setup fee: $0.00

  30. #30
    ddos protection costs money based on how large the attacks are. what you are getting there is some basic level of ddos protection, and it's not a real ddos protection that can help you when attacks go past a certain level, or become complex.

    ddos attacks vary in complexity and techniques.

    use common sense, there is no wiggling around it, no blaming anyone. only the 2 solutions i have provided above will work. i have been doing shell hosting and ddos protection for more than 8 years now, and things are just the way they are. ddos protection costs money.

    1gbps / 100 000 pps firewall that will protect you for real, is about 500 $/mo.

  31. #31
    Join Date
    Aug 2010
    Posts
    238
    Quote Originally Posted by chasebug
    I was logged into my server while the supposed DDOS was taking place, I noticed nothing abnormal, the load, CPU usage, and memory usage remained the same.

    I am wondering if the server is just getting more traffic and they mistakenly thought it is a DDOS instead. This is a load balanced site and none of my other servers are getting any DDOS activity.
    If your DC has blocked the target IP and you're able to access the server using any other IP or means, then in that case you won't see anything strange.
