Results 1 to 23 of 23
  1. #1
    Join Date
    Mar 2002
    Location
    Posts
    785

    SoftLayer now limiting high traffic servers with bogus DDoS alerts

    They have a secret 500Mbit limit on incoming traffic.
    If you go over they nullroute IP's cutting off my traffic.

    Note there is no DDoS, the connections are legitimate and it is normal for my server to receive alot of incoming traffic.

    I will also point out that this also happens to my servers that I have paid for their gigabit unmetered upgrade.

    This has happened several times already.

    Hello,

    2011-Mar-27 19:41 (GMT-0600)

    Due to the large amount of traffic targeted to your IP address 173.193.202.xxx,
    SoftLayer has automatically injected the IP address into our Cisco Guard
    Protection system. This system diverts traffic destined to the IP address
    173.193.202.xxx through hardware devices that will try to identify and block the
    specific packets and flows responsible for the attack while allowing legitimate
    transactions to pass. The injection of 173.193.202.xxx will remain in place
    until this attack subsides and then be automatically removed once traffic levels
    reach a normal level.

    Details of the event follow:

    Exceeded Bits In: 507.4 M (Threshold: 500 M)


    -- Best Regards Ramon Server engineer Hosting Services, Inc.
    My reply

    Because of the way I use my server alot of incoming traffic is normal.
    This is not a DDoS.
    Their reply

    Hello,

    Due to the large amount of traffic targeted to your IP address 173.193.202.xxx, SoftLayer has automatically injected the IP address into our Cisco Guard Protection system. We are unable to remove this null route until the time frame.
    -- Best Regards Ramon Server engineer Hosting Services, Inc.
    High Quality Web Hosting from Host Ultra
    Visit us online at www.hostultra.com

  2. #2
    Join Date
    Jun 2006
    Location
    London, Arizona, Utah
    Posts
    654
    Quote Originally Posted by Host Ultra View Post
    They have a secret 500Mbit limit on incoming traffic.
    If you go over they nullroute IP's cutting off my traffic.

    Note there is no DDoS, the connections are legitimate and it is normal for my server to receive alot of incoming traffic.

    I will also point out that this also happens to my servers that I have paid for their gigabit unmetered upgrade.

    This has happened several times already.



    My reply



    Their reply
    Please send me an e-mail to [email protected] and I will look into it. I just picked out some random servers right now - and they are doing way over 500mbit, so I'm not sure it's "servers" and more something to do with the cisco guard automation in place. You can see them here http://i52.tinypic.com/2e5jm01.png, I could pull a good few hundred or maybe more doing way over 500mbit - so this is not the case from what I can see.

    Last edited by Thomas; 03-27-2011 at 09:43 PM.
    General Manager, 100TB
    100TB.com -> 21 Datacenter Locations

  3. #3
    Join Date
    May 2008
    Posts
    858
    I believe he's talking about INCOMING traffic (from Internet to server). Looking at the graphs in the picture, they all show high outgoing bandwidth, not incoming.

  4. #4
    Join Date
    Jan 2010
    Location
    so cal
    Posts
    232
    I don't see why they would limit your incoming traffic. I would assume that incoming traffic is cheaper than outgoing(to them). It would make more sense to limit outgoing traffic instead, if that's even true anyways. I wouldn't blame them for thinking that was a ddos attack.

  5. #5
    Join Date
    Mar 2002
    Location
    Posts
    785
    Yes its incoming traffic (internet to server) that is the problem.
    I can see why they do it, that large incoming traffic is unusual.
    But what I do not understand is their response that they cannot do anything about it and I should just wait it out.

    Bandwidth graph of my server, you can see the big drop in traffic at 19:40 where they speed capped my server.
    http://img16.imageshack.us/img16/8761/100tb.png
    High Quality Web Hosting from Host Ultra
    Visit us online at www.hostultra.com

  6. #6
    Join Date
    Oct 2005
    Location
    United States
    Posts
    1,403
    I don't think they limited your incoming traffic. They just set this policy in their automated system to block large incoming traffic which they assume DDoS attacks. If you can't live with this then find other providers that don't have this automated system and allow high incoming traffic for your server.
    Tommy Tran - tommy @ vinax.net ::: VINAX, LLC ::: http://vinax.net ::: Since 2004
    Premium Dedicated Servers and Colocation in downtown Chicago (350 E. Cermak Rd)
    Premium Bandwidth, 100% Network & Power Uptime SLA, 24/7 Prompt Tech Support

  7. #7
    Join Date
    Oct 2005
    Location
    United States
    Posts
    1,403
    Quote Originally Posted by Host Ultra View Post
    But what I do not understand is their response that they cannot do anything about it and I should just wait it out.
    This is one of the reasons why you should go with smaller providers.
    Tommy Tran - tommy @ vinax.net ::: VINAX, LLC ::: http://vinax.net ::: Since 2004
    Premium Dedicated Servers and Colocation in downtown Chicago (350 E. Cermak Rd)
    Premium Bandwidth, 100% Network & Power Uptime SLA, 24/7 Prompt Tech Support

  8. #8
    Join Date
    Jan 2010
    Location
    so cal
    Posts
    232
    I thought that 100TB was a small provider...Don't they resell for softlayer?

  9. #9
    Join Date
    Dec 2010
    Location
    Good question
    Posts
    693
    100TB is part of the huge Uk2 Interactive. They're anything but small ;]
    And yeah, their US solutions are based on Softlayer.

  10. #10
    Join Date
    Jul 2005
    Location
    Australia - NSW
    Posts
    990
    Quote Originally Posted by TinyVox View Post
    I thought that 100TB was a small provider...Don't they resell for softlayer?
    They do.
    It's not the first time something like this has happened though. There was a CDN provider shut down for using lots of bandwidth.
    Recommended: Stablehost, Hivelocity, Fused

  11. #11
    Join Date
    Nov 2007
    Posts
    346
    However, actually it does looks like a ddos, why do you have so much incoming traffic?

  12. #12
    Quote Originally Posted by vincent91326 View Post
    However, actually it does looks like a ddos, why do you have so much incoming traffic?
    Why does it matter. What he uses his server for is really none of our business.

  13. #13
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    Quote Originally Posted by vincent91326 View Post
    However, actually it does looks like a ddos, why do you have so much incoming traffic?
    I disagree, unless your criteria is that anyone with an ingress dominant traffic pattern is receiving a DDoS?

  14. #14
    Join Date
    Nov 2007
    Location
    Chennai, India
    Posts
    2,370
    We have servers with 100tb(softlayer DC) with sites that uses a lot of bandwidth. We have no problem with them at all Pushing avg 600-700mbps is no problem at all. They have done a great job so far. If you have proof for legit traffic, Tom would definitely get this sorted out for you.

  15. #15
    Join Date
    Dec 2004
    Posts
    209
    Its Incoming traffic, not outgoing. There is no problem pushing 1Gbit with 100Tb
    Problem lays in incoming traffic, and SL has a security feature.
    In some cases this would be a great feature, but maybe not for thread owner.
    Busy, busy, busy

  16. #16
    Join Date
    Feb 2010
    Posts
    71

    *

    yes, we can see that as well.

    we have lot of server at 100tb, i'm not sure how they can define attack, but sometime, i think that will useful, as if you hosted lot of website / domain at one server...if one domain / dedicated ip receive high attack, your server will become unstable.

    if they blocked the ip, it will help us , but ofcouse, this will depends on your need.

    but so far..i'm really happy they do the null route, as sometime..our client also receive attack, if blocked the ip will help us a lot

    Thanks

  17. #17
    Join Date
    Apr 2007
    Location
    United Kingdom
    Posts
    1,686
    From what I remember it isn't 100TB that enforces this, it's put in place by Softlayer. If a server is receiving 500mbps incoming it's usually a good indication that something is wrong so unless you've notified them in advance you can't really blame them for thinking you're being attacked.
    EZPZ Hosting - Dependable and Affordable Web Hosting
    LiteSpeed SSD Powered cPanel Shared & Reseller Hosting | Budget VPS, Managed VPS and Dedicated
    Reseller Hosting Specialists | WHMCS-Based End User Support | Unlimited SSLs | UK and USA
    99.9% Uptime Guarantee | 24/7 Support | 30 Day Money Back Guarantee

  18. #18
    Join Date
    Feb 2003
    Location
    Kuala Lumpur, Malaysia
    Posts
    4,974
    I don't get it, if they move the IP onto cisco guard, why would it get null routed?

  19. #19
    Join Date
    Nov 2002
    Location
    WebHostingTalk
    Posts
    8,878
    Quote Originally Posted by Dan_EZPZ View Post
    From what I remember it isn't 100TB that enforces this, it's put in place by Softlayer. If a server is receiving 500mbps incoming it's usually a good indication that something is wrong so unless you've notified them in advance you can't really blame them for thinking you're being attacked.
    Yep.... this is an issue with the automation that's in place around the Cisco Guard at Softlayer. I believe we ran in to this as well, both before we went with 100tb and even after.

    Unfortunately, you have to get a softlayer level 2 tech to do something about it. The front line guys are not super helpful.
    I support the Human Rights Campaign!
    Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.

  20. #20
    Join Date
    Sep 2005
    Location
    London
    Posts
    2,404
    Quote Originally Posted by wheimeng View Post
    I don't get it, if they move the IP onto cisco guard, why would it get null routed?
    at a certain level the guards give up and they null it (think it's 50k packets)
    Ditlev Bredahl. CEO,
    OnApp.com & SolusVM.com + Cloud.net & CDN.net

  21. #21
    Join Date
    Mar 2002
    Location
    Posts
    785
    To be more specific they did not null route the server, but they blocked the IPs that were sending alot of traffic to my server (which was legitimate).

    Tom from 100TB replied to my email that he has asked softlayer to whitelist my server IP's so it wont happen again, he will reply to me when he gets a response from softlayer.
    High Quality Web Hosting from Host Ultra
    Visit us online at www.hostultra.com

  22. #22
    Join Date
    Feb 2010
    Posts
    71
    Quote Originally Posted by wheimeng View Post
    I don't get it, if they move the IP onto cisco guard, why would it get null routed?
    because the cisco guard can not 100% block the attack..if the attack to much..they will also do the null route on your ip.

  23. #23
    Join Date
    Feb 2003
    Location
    Kuala Lumpur, Malaysia
    Posts
    4,974
    pardon me for the stupidity

    makes sense.

Similar Threads

  1. Hetzner DDOS Alerts - What to do?
    By papa_face in forum Running a Web Hosting Business
    Replies: 9
    Last Post: 12-14-2010, 07:27 PM
  2. Replies: 1
    Last Post: 08-12-2010, 02:13 PM
  3. High traffic low budget servers with dutch quality traffic
    By xs-24 in forum Dedicated Hosting Offers
    Replies: 12
    Last Post: 08-26-2007, 08:50 AM
  4. Enhance.com pay per click, good or bogus traffic?
    By apexio in forum Running a Web Hosting Business
    Replies: 4
    Last Post: 11-27-2005, 04:03 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •