  1. #1
    Join Date
    Mar 2004
    Location
    Seattle, WA
    Posts
    2,561

    Getting IP's Blocked by your ISP

    As the title says, I am wondering how willing your ISP/carrier is to block one or multiple IP addresses that may have been causing issues for you, such as DDoS attacks, hackings, etc.

    What has been your experience? Please provide as much detail on your experience as possible.

    Thanks in advance.
    ColoInSeattle - From 1U to cage space colocation in Seattle
    ServerStadium - Affordable Dedicated Servers
    Come visit our 18k sq ft. facility in Seattle!
    Managed Private Cloud | Colocation | Disaster Recovery | Dedicated Servers

  2. #2
    Join Date
    Nov 2005
    Location
    Michigan, USA
    Posts
    3,872
    Do you mean block an external IP from their routers or do you mean disable one of your IPs that is attracting the DDOS's?


  3. #3
    Join Date
    Mar 2004
    Location
    Seattle, WA
    Posts
    2,561
    Well initially, I was speaking of blocking an external IP that is not in our network. I would also be curious on disabling an IP that is attracting a DDoS as well.

  4. #4
    Join Date
    Aug 2004
    Posts
    616
    When we used to be at Peer1 NYC a couple years ago, they would block the IP for us without a problem. It was as simple as creating an ACL for it and it only took a couple seconds while I was on the phone with them.

    The facility where we are now, it takes them a little longer to do things like that but we don't really need it anymore since we got our own IPS system in place.
    BGP GRID
    UNetLab Network Simulator Hosting
    Prepare for your CCNA/CCNP/CCIE certifications today!

  5. #5
    Join Date
    Oct 2004
    Location
    Nevada
    Posts
    887
    If you 'own' the IP, if it is under your control, simply email or call the NOC and tell them to null route the IP being used in the DDoS against you. You will need to provide logs documenting the request.

    That said, sometimes it is difficult to determine the actual IP used, as they forge headers, etc.

  6. #6
    Join Date
    Nov 2005
    Location
    Michigan, USA
    Posts
    3,872
    Well, I can say I have had one of my IP's disabled for attracting a DDOS. They would even let me turn it back on after the problem was resolved. I'll keep the colo company unnamed for now.

    As for external IP's, the same company was pretty helpful in setting up rules on the routers that I needed, so if I had any issues with an external IP they would help me block it.


    However, most of the colo companies I have been with would do neither. They would warn me of problems with an IP and I would have it resolved before any action would be taken and I would have to set my own rules on my router if I wanted an IP blocked.

    I guess it depends on the size of the companies, smaller companies might be easier to have things like this done, but also can be more affected by DDOS's which leads to more problems for you.

    Hope that helps


  7. #7
    Join Date
    Mar 2004
    Location
    Seattle, WA
    Posts
    2,561
    Thanks for the feedback so far, and please keep it coming.

    My provider is very hesitant on blocking IPs even though we provided them with a log and proof of a few static IPs attacking us. Though they were static, they were still spoofed, so contacting the abuse contact on the whois would not help.

    The NOC tech told me that they had to go into their core router to put in the block, which I think is understandable for them to not want to do that, however note that there is still the router that we are plugged into. The NOC tech said that if it was blocked on their router that we were physically plugged into, then we would still be getting traffic from that IP, which logically this does not seem like a valid statement. Maybe I am missing something.
    Last edited by VN-Ken; 12-30-2007 at 01:50 PM.

  8. #8
    Join Date
    Jan 2004
    Location
    Pennsylvania
    Posts
    939
    InterNAP, Colo4Dallas, and GNAX is who I use. So far never an issue with getting temporary rules added quickly. InterNAP/Colo4Dallas are pretty good at me telling them I'm getting a DoS and then finding the attack and blocking in 5-10 minutes.
    Matt Ayres - togglebox.com
    Linux and Windows Cloud Virtual Datacenters powered by Onapp / Xen
    Instant Setup, Instant Scalability, Full Lifecycle Hosting Solutions

    www.togglebox.com

  9. #9
    A colo provider I work with will block outside IPs that are impacting the customer's service, materially affecting the customer's billable bandwidth, or consuming some network resource (e.g. skewing Netflow stats at the aggregation level or higher).

    However, some colo customers make ACL requests in response to every-day scans; for example "IP x.x.x.x is trying to dictionary attack my sshd, please block/blackhole it". Unfortunately, there is no end to the list of IPs that execute these nuisance attacks, and responding manually to each scan and probe does nothing to prevent tomorrow's scans.

    If you have an effective firewall, you can probably block those IPs without even talking to the colo provider. For example, some colo customers place a layer-3 switch between their firewall and the colo provider's network, with an IDS listening inside and outside the firewall. The IDS can respond to hacking attempts by modifying ACLs on the L3 switch, adding a high-performance layer of protection in front of the firewall.

    Generally, it's more important to focus on securing the colo environment against all such attacks, rather than trying to manually respond to each new probe individually. Of course, if an attack is screwing-up your 95th percentile billing, then that's another matter, as only the colo provider can help you there.
    Last edited by Zitibake; 12-31-2007 at 12:42 AM.

  10. #10
    Join Date
    Apr 2005
    Posts
    1,711
    It's best to block these sorts of attacks at the application or transport layer, and collect logs of it, so that you can email the abuse department of the provider of that IP instead of begging your NOC to block it. Take care of the problem, don't just block it from yourself.
    Zach E. - Kualo www.kualo.com
    Shared Web Hosting, Reseller Hosting, Cloud VPS & Dedicated Servers
    UK: 0800 138 3235 ❘ USA: 1-800-995-8256
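
Posts #9 and #10 describe handling nuisance SSH dictionary attacks locally and collecting logs for the source provider's abuse desk. The following is an added example, not posted by anyone in this thread, that does both over a constructed sample of sshd log lines; the threshold, the allowlist and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth log lines (documentation-range IPs only).
SAMPLE_LOG = """\
Dec 30 13:01:02 host sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Dec 30 13:01:04 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec 30 13:01:07 host sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
Dec 30 13:02:11 host sshd[2110]: Accepted publickey for ken from 198.51.100.7 port 51515 ssh2
Dec 30 13:03:40 host sshd[2115]: Failed password for ken from 198.51.100.7 port 51600 ssh2
Dec 30 13:04:00 host sshd[2120]: Failed password for root from 192.0.2.44 port 33001 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins_by_ip(log_text):
    """Map source IP -> raw log lines that record a failed password login."""
    evidence = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            evidence[m.group(2)].append(line)
    return dict(evidence)

def offenders(evidence, threshold=3, allowlist=()):
    """IPs at or above the failure threshold, skipping allowlisted addresses."""
    return sorted(ip for ip, lines in evidence.items()
                  if len(lines) >= threshold and ip not in allowlist)

def drop_rules(ips):
    """Host-firewall rules (iptables syntax) to block the offenders locally."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

def abuse_report(ip, evidence):
    """Plain-text evidence bundle to send to the abuse contact for this IP."""
    lines = evidence[ip]
    header = f"{len(lines)} failed SSH logins from {ip} (server local time):"
    return "\n".join([header] + lines)

if __name__ == "__main__":
    ev = failed_logins_by_ip(SAMPLE_LOG)
    bad = offenders(ev, threshold=3, allowlist={"198.51.100.7"})
    print("\n".join(drop_rules(bad)))
    for ip in bad:
        print(abuse_report(ip, ev))
```

A failed-password entry is only logged after a completed TCP handshake, so these source addresses are far more reliable for blocking and abuse reports than the addresses seen in a spoofed flood.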

  11. #11
    Join Date
    Nov 2005
    Location
    Portland, Oregon
    Posts
    1,080
    Our datacenter's NOC has never had a problem blocking IPs for us, but that was just for our cage and not the entire network. Are you running your own facility or are you doing colo? Some new switches allow you to view and null route certain IPs - have you checked into that?
    VPSFuze.com - Performance should be noticeable - VPS Hosting at its best.
    HostingFuze.com - Affordable & Reliable Shared & Master Reseller hosting services
