  1. #1

    HiVelocity: Been falsely accused of DDOS attack

    It has now been 49 hours since HiVelocity decided to put my server offline, falsely accusing me of DDOS attacking. Which was a shock to see, seeing as I don't even know how to DDOS and all I was using the server for was serving out .swf files.

    Is this a common occurrence, hosting companies just completely cutting you off like this?

    They're demanding I explain myself and what I'll do in the future to make sure this doesn't happen again. Luckily I have platinumservermanagement as I had limited knowledge in server security. Their ticketing system is also riddled with PHP errors.

  2. #2
    Join Date
    May 2006
    Location
    San Francisco
    Posts
    7,200
    Do they have proof (logs) of the attack? Perhaps your server was exploited?

  3. #3
    Join Date
    Mar 2009
    Location
    InfoPark, Cochin, India
    Posts
    986

  4. #4
    Quote Originally Posted by Orien View Post
    Do they have proof (logs) of the attack? Perhaps your server was exploited?
    No they just said they determined there was an outbound DDOS attack. The only explanation I see for it was someone gained unauthorized access.
    Last edited by voidfunction; 09-24-2009 at 04:28 AM. Reason: add quotes

  5. #5
    Join Date
    Mar 2003
    Location
    WebHostingTalk
    Posts
    16,947
    Did you also check your server to see if there is some outbound connection?
    Specially 4 You
    .
    JoneSolutions.Com ( Jones.Solutions ) is on the net 24/7 providing stable and reliable web hosting solutions and services since 2001

  6. #6
    They said I was doing 60mbit outbound... "Be advised that it was found that your server was pushing about 76,000 packets/sec. and resulted in high utilization on the switch which in turn caused service issues for others on the switch. Your server's port has been disabled."

  7. #7
    Join Date
    Mar 2003
    Location
    WebHostingTalk
    Posts
    16,947
    It seems valid to me.

    They can track this per IP for sure, so you need to investigate your server.

  8. #8
    Join Date
    Aug 2005
    Location
    UK
    Posts
    654
    Quote Originally Posted by voidfunction View Post
    They said I was doing 60mbit outbound... "Be advised that it was found that your server was pushing about 76,000 packets/sec. and resulted in high utilization on the switch which in turn caused service issues for others on the switch. Your server's port has been disabled."
    Have they said what kind of traffic it even was?

    Also what kind of sustained bandwidth usage is acceptable at HiVelocity?

  9. #9
    Join Date
    Aug 2007
    Location
    L.A., CA
    Posts
    3,706
    The issue is more about the packets per second (PPS) than his 60Mbps of bandwidth, I'm sure.

  10. #10
    Join Date
    May 2006
    Location
    San Francisco
    Posts
    7,200
    Quote Originally Posted by voidfunction View Post
    They said I was doing 60mbit outbound... "Be advised that it was found that your server was pushing about 76,000 packets/sec. and resulted in high utilization on the switch which in turn caused service issues for others on the switch. Your server's port has been disabled."
    I would ask for the traffic logs. However, it's starting to sound highly plausible that your server was exploited.

  11. #11
    Join Date
    Jun 2004
    Location
    Bay Area
    Posts
    1,320
    Quote Originally Posted by VIPoint View Post
    Yes. Before they can take action like suspension of your account, they must inform you about the activities from your website.
    They 'must' do nothing. There is no law that says how to handle these cases. At best they list in their TOS how these cases are handled.
    Powered by Level3, GBLX and AT&T

  12. #12
    Join Date
    Apr 2006
    Posts
    1,120
    It sounds like your server has likely been exploited.

    You say you have platinum support, so if I were you I'd check to see if that covers the set up of the server security. If so, and you have suffered a security exploit that was the result of Hivelocity's server management, you should be entitled to some form of compensation.

  13. #13
    Join Date
    Oct 2008
    Location
    Singapore
    Posts
    4,521
    Quote Originally Posted by Daniel_G View Post
    You say you have platinum support, so if I were you I'd check to see if that covers the set up of the server security. If so, and you have suffered a security exploit that was the result of Hivelocity's server management, you should be entitled to some form of compensation.
    I think he meant PlatinumServerManagement.
    LIMENEX WEB HOSTING
    Affordable High Performance Web Hosting in United States & United Kingdom
    Web Hosting | Reseller Hosting | Managed VPS | Managed Dedicated Servers | Cheap SSL Certificates

  14. #14
    OP- I am sure you were not maliciously attacking our network, chances are your server was compromised. You included some text from the correspondence you have had with our abuse team already on this. If you require more information simply ask them for it. I am sure my guys will give you as much as they can. Are you running Joomla on your server by any chance? We have noticed a recent increase in Joomla exploits over the last couple of weeks.
    Steve Eschweiler- Hivelocity- Director of Operations
    Bare Metal Servers. Colocation. Private Cloud.
    Customers in over 130 countries. Privately owned and operated data centers.
    Limited Supply Outlet Server Specials

  15. #15
    Quote Originally Posted by HivelocityGM View Post
    OP- I am sure you were not maliciously attacking our network, chances are your server was compromised. You included some text from the correspondence you have had with our abuse team already on this. If you require more information simply ask them for it. I am sure my guys will give you as much as they can. Are you running Joomla on your server by any chance? We have noticed a recent increase in Joomla exploits over the last couple of weeks.
    I have, but they keep telling me to open a restore ticket, yet they won't point me in the direction of the right form. I tried going to the link I used for reloading the first time but it just showed details of my old reload and no form.

    The reason why HiVelocity wants me to restore this is because they believe Platinum has messed up the server..

    Hi,

    It appears the server management company has hosed the system. I will install a KVM for your use, and you can have them log in to fix what they broke.

    If they are unable to do so, you will need a reload of the Operating System.

    I gave this to Platinum and their response was..

    We did not do anything that would break the server. The server was working perfectly fine when we replied. If we did anything to break it, it would have stopped when we worked on it. We finished at 20:31 last night. The server went down 2 hours later at 22:42.

    Also, we have not touched anything with the network/kernel at all.

    I have been trying to access **** but it does not come up. Are you able to get to it?

    I would suggest changing hosts as their false accusation is pretty unprofessional and unhelpful.
    HiVelocity have now suggested I buy Management service off them instead.

  16. #16
    Join Date
    Mar 2003
    Location
    WebHostingTalk
    Posts
    16,947
    Pointing fingers heh...

    It is not good. Try to check the history in your server if no one deleted it though.

  17. #17
    Quote Originally Posted by voidfunction View Post
    I have, but they keep telling me to open a restore ticket, yet they won't point me in the direction of the right form. I tried going to the link I used for reloading the first time but it just showed details of my old reload and no form.

    The reason why HiVelocity wants me to restore this is because they believe Platinum has messed up the server..

    I gave this to Platinum and their response was..

    HiVelocity have now suggested I buy Management service off them instead.
    You can request a reload right from the trouble ticket system within SPEED. I can't PM you yet so please just email me your server IP # and I will look into this issue and make sure we give you all the evidence we can to ensure you we are valid in our actions.
    Steve Eschweiler- Hivelocity- Director of Operations

  18. #18
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    Quote Originally Posted by CGotzmann View Post
    The issue is more about the packets per second (PPS) than his 60Mbps of bandwidth, I'm sure.
    76,000 PPS is in line with 60 Mbps of potentially legitimate traffic. It's still worth determining whether or not the system has been compromised or is being used unknowingly for DDoS.
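
Added example (not part of any post in this thread): a Python sketch for checking a provider's outbound figures from the server itself, by differencing two `/proc/net/dev` samples into transmit packets/sec, Mbit/s and mean packet size. The interface name `eth0` and the embedded counter samples are constructed, sized to reproduce the 76,000 pps and 60 Mbit/s quoted above.

```python
"""Derive outbound packets/sec, Mbit/s and mean packet size from /proc/net/dev."""
import time

# Constructed samples (not from the thread), taken 10 s apart, sized so that
# eth0 transmits the figures quoted by the abuse team: 76,000 pps at 60 Mbit/s.
HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|"
    "bytes    packets errs drop fifo colls carrier compressed\n"
)
SAMPLE_T0 = HEADER + (
    "    lo: 120000 1500 0 0 0 0 0 0 120000 1500 0 0 0 0 0 0\n"
    "  eth0: 500000000 4000000 0 0 0 0 0 0 9000000000 20000000 0 0 0 0 0 0\n"
)
SAMPLE_T10 = HEADER + (
    "    lo: 120000 1500 0 0 0 0 0 0 120000 1500 0 0 0 0 0 0\n"
    "  eth0: 500600000 4010000 0 0 0 0 0 0 9075000000 20760000 0 0 0 0 0 0\n"
)


def parse_net_dev(text):
    """Return {iface: {"tx_bytes": int, "tx_packets": int}} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or len(fields) < 10:
            continue  # header lines have no "iface:" prefix
        # After the colon: 8 receive columns, then transmit bytes and packets.
        counters[name.strip()] = {
            "tx_bytes": int(fields[8]),
            "tx_packets": int(fields[9]),
        }
    return counters


def tx_rates(before, after, seconds, iface):
    """Difference two parsed samples taken `seconds` apart for one interface."""
    d_bytes = after[iface]["tx_bytes"] - before[iface]["tx_bytes"]
    d_pkts = after[iface]["tx_packets"] - before[iface]["tx_packets"]
    if d_bytes < 0 or d_pkts < 0:
        raise ValueError("counter went backwards (reset or wrap); resample")
    return {
        "pps": d_pkts / seconds,
        "mbps": d_bytes * 8 / seconds / 1e6,
        # Bulk file transfers send packets near the MTU; a small mean size
        # means the packet rate, not the bandwidth, is the notable figure.
        "mean_bytes": d_bytes / d_pkts if d_pkts else 0.0,
    }


def sample_live(iface, seconds=10):
    """Take two real samples on a Linux host and return the same rates."""
    with open("/proc/net/dev") as fh:
        before = parse_net_dev(fh.read())
    time.sleep(seconds)
    with open("/proc/net/dev") as fh:
        after = parse_net_dev(fh.read())
    return tx_rates(before, after, seconds, iface)


if __name__ == "__main__":
    rates = tx_rates(parse_net_dev(SAMPLE_T0), parse_net_dev(SAMPLE_T10), 10, "eth0")
    print("eth0 tx: %(pps).0f pps, %(mbps).1f Mbit/s, %(mean_bytes).1f bytes/packet" % rates)
```
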

  19. #19
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,571
    ya i was going to say, 60mbps/76kpps isn't that unrealistic for legitimate low-bitrate streaming traffic. The OP already mentioned he is streaming. I'm surprised that professional switch gear would fall over due to that.
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  20. #20
    Join Date
    Feb 2004
    Location
    USA
    Posts
    1,571
    You should ask them to give you all the proof they have, e.g. logs, screenshots. If your server has been compromised then there is no other option than a reload...

    Since they won't connect your server back online they must send you proof.

    In either case I would double check and see what happened, and if your server was truly compromised I would ask your server management why your server was compromised, since aren't they supposed to protect you from attacks?

    Cheers
    Last edited by TheServerExperts; 09-24-2009 at 02:45 PM.

  21. #21
    I requested OP email me this morning with information as to who he/she is so I could reply with more information. I have not received any such contact so there is not much I can do to clear the air.
    Steve Eschweiler- Hivelocity- Director of Operations

  22. #22
    Join Date
    Oct 2002
    Location
    Vancouver, B.C.
    Posts
    2,656
    Quote Originally Posted by FastServ View Post
    ya i was going to say, 60mbps/76kpps isn't that unrealistic for legitimate low-bitrate streaming traffic. The OP already mentioned he is streaming. I'm surprised that professional switch gear would fall over due to that.
    No decent modern switch should have any problems unless you exceed line rate, which should not be possible to do on outbound traffic from a server, unless your traffic is going to another port on the same switch with a lower capacity.
    ASTUTE HOSTING: Advanced, customized, and scalable solutions with AS54527 Premium Canadian Optimized Network (Level3, PEER1, Shaw, Tinet)
    MicroServers.io: Enterprise Dedicated Hardware with IPMI at VPS-like Prices using AS63213 Affordable Bandwidth (Cogent, HE, Tinet)
    Dedicated Hosting, Colo, Bandwidth, and Fiber out of Vancouver, Seattle, LA, Toronto, NYC, and Miami

  23. #23
    Join Date
    Jun 2008
    Posts
    204
    Quote Originally Posted by HivelocityGM View Post
    I requested OP email me this morning with information as to who he/she is so I could reply with more information. I have not received any such contact so there is not much I can do to clear the air.
    OP has only posted in this thread, 4 posts as of this post, and a new user so beware. But I would like to know if you think this is a legit report (has someone DDOS'ed lately and you completely cut them off) or not because I've just started to notice this sort of pattern.

    I have another question, when and if you block a port, can your switch/router cut off just one particular TCP port / packet type and/or just outgoing packets only?

    I think most hosting companies can do that, and it should be standard so that you don't have to completely "cut off" a customer and he can still get in via SSH and/or still serve web pages and access a control panel.

    Can you throttle a connection with the router? Would that keep the customer online but at a reduced speed?

  24. #24
    Join Date
    Mar 2004
    Location
    Seattle, WA
    Posts
    2,561
    It is possible that your server is compromised, meaning hacked into and sending out traffic via scripts running on the server.

    As previously mentioned, you may want to hire a system administrator to look into your server.
    ColoInSeattle - From 1U to cage space colocation in Seattle
    ServerStadium - Affordable Dedicated Servers
    Come visit our 18k sq ft. facility in Seattle!
    Managed Private Cloud | Colocation | Disaster Recovery | Dedicated Servers

  25. #25
    Join Date
    Jul 2002
    Location
    St. Louis, MO
    Posts
    1,652
    Quote Originally Posted by VN-Ken View Post
    It is possible that your server is compromised, meaning hacked into and sending out traffic via scripts running on the server.

    As previously mentioned, you may want to hire a system administrator to look into your server.
    Did you actually read the whole thread? OP advises he used PSM for the server security. More info is needed, odd that HVGM doesn't have this info available to him. I'm sure the ticket system is searchable for disconnected server cases, ddoses, priority 1 cases, etc.
    Happily hosting @ Dathorn.com (Since 3/2003), Ispeeds.net (Since 2004), & Quadspeedi.net (Since 7/2005)!
    Hosted @ FDC for 9 Years

  26. #26
    Join Date
    Jun 2009
    Location
    Manila
    Posts
    958
    Quote Originally Posted by VN-Ken View Post
    It is possible that your server is compromised, meaning hacked into and sending out traffic via scripts running on the server.

    As previously mentioned, you may want to hire a system administrator to look into your server.
    He hired platinumservermanagement.com to manage his servers.

  27. #27
    Join Date
    Sep 2009
    Location
    Dallas
    Posts
    29
    It hasn't even been a day since the OP responded last, I would give this thread more time to evolve.
    Porsus.com
    The Simple Server Provider.
    Low cost 1U servers.
    Located in Dallas

  28. #28
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    Well a server really doesn't need a restore if joomla was compromised and used to send out packets. The only problem might be that a packet script was downloaded to tmp or somewhere else and ran, via someone's website.

    The nice thing to do would be to chuck a KVM/IP on it and let the server management or staff have a look at it. Any decent sys admin will be able to work out within a short period if a website was hacked or the box was hacked.

    Reminds me of rackshack days, 'Your server has been shutdown, open ticket for restore' - That is what you get with unmanaged hosting though, not saying Hivelocity is wrong, but it's the nice thing to do anyway I think.

  29. #29
    Join Date
    Oct 2002
    Location
    Vancouver, B.C.
    Posts
    2,656
    Quote Originally Posted by web-1 View Post
    I have another question, when and if you block a port, can your switch/router cut off just one particular TCP port / packet type and/or just outgoing packets only?

    I think most hosting companies can do that, and it should be standard so that you don't have to completely "cut off" a customer and he can still get in via SSH and/or still serve web pages and access a control panel.

    Can you throttle a connection with the router? Would that keep the customer online but at a reduced speed?
    PPS limiting, if done, is usually at layer 2 through storm-control on Cisco switches. This allows you to define a rising limit and a falling limit. If packets/s exceeds the rising, the switch port will go into blocking mode, and all traffic will be dropped. However, once traffic falls back down below the falling limit, the port will become unblocked again. You can also configure storm-control to send an SNMP trap, but not actually block the port, which would inform you of attacks but allow you to take action manually.

    It's not very practical to block traffic of this kind at the router level (layer 3), or firewall level (3/4/*) as the traffic is already hitting the switch. It's also much more computationally intensive at that point, as the router or firewall would have to evaluate every packet that travels that path, so not only your traffic but every other customer on that trunk as well. TCP (layer 4) would be even worse, as it requires even more processing, as packet inspection would have to be done at an additional level of encapsulation, as well as having to check state for stateful firewalls.
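
Added example (not part of the post above, and not Cisco code): a small Python model of the rising/falling behaviour described for storm-control, including the trap-only mode. The threshold values and the per-second packet-rate samples are constructed.

```python
"""Model of rising/falling threshold hysteresis as described for storm-control."""

# Constructed per-second packet rates offered by one server port.
CONSTRUCTED_PPS = [30000, 76000, 60000, 45000, 39000, 30000]


def storm_control(pps_samples, rising, falling, action="block"):
    """Replay samples through a rising/falling threshold pair.

    action="block": the port drops all traffic while the alarm is active.
    action="trap":  the port keeps forwarding; only notifications are raised.
    Returns (states, events), one state per sample and one event per
    threshold crossing as (sample_index, event_name).
    """
    if falling > rising:
        raise ValueError("falling limit must not exceed rising limit")
    if action not in ("block", "trap"):
        raise ValueError("action must be 'block' or 'trap'")

    alarm = False
    states, events = [], []
    for i, pps in enumerate(pps_samples):
        if not alarm and pps > rising:
            # Crossing the rising limit starts the alarm.
            alarm = True
            events.append((i, "blocked" if action == "block" else "trap"))
        elif alarm and pps < falling:
            # Only dropping below the falling limit ends it; rates between
            # the two limits leave the current state unchanged.
            alarm = False
            events.append((i, "unblocked" if action == "block" else "clear"))
        states.append("blocked" if alarm and action == "block" else "forwarding")
    return states, events


if __name__ == "__main__":
    for mode in ("block", "trap"):
        states, events = storm_control(CONSTRUCTED_PPS, 70000, 40000, mode)
        print(mode, states, events)
```

With these samples the port stays blocked at 60,000 and 45,000 pps even though both are under the rising limit, which is the gap between the two limits doing its job.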

  30. #30
    Join Date
    May 2009
    Location
    Ft. Lauderdale, Florida
    Posts
    1,473
    I was with Hivelocity for one month and had purchased their management plan. We were still null routed 3 times that month. It was a waste of money. I had decided to go back to Softlayer where if there was an issue they would always give you time (24 hrs) to resolve rather than just pulling the plug immediately.

    In my experience, datacenters are not so "trigger happy" to pull servers offline like Hivelocity. I would certainly go with another dc like Planet or Softlayer.
    Last edited by JixHost; 09-25-2009 at 07:20 PM.

  31. #31
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    @JixHost
    Were they incoming dos attacks that caused you to get null routed or was it a problem from your server?

    I can understand being null routed for an incoming dos attack to a degree, on the managed plan.. but what does their managed plan include sys admin wise with problems originating from your server?

  32. #32
    Join Date
    Sep 2008
    Location
    Dallas, TX
    Posts
    4,552
    Quote Originally Posted by StevenG View Post
    @JixHost
    Were they incoming dos attacks that caused you to get null routed or was it a problem from your server?

    I can understand being null routed for an incoming dos attack to a degree, on the managed plan.. but what does their managed plan include sys admin wise with problems originating from your server?
    He didn't get management from HiVelocity. He got it from PSM.

  33. #33
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    @Jacob Wall

    I was with Hivelocity for one month and had purchased their management plan
    My comment was directed @JixHost , as above.

  34. #34
    Join Date
    May 2009
    Location
    Ft. Lauderdale, Florida
    Posts
    1,473
    I was immediately null routed because I had an account that was copyright infringement and another account that was a phishing website. With 1800 plus accounts on that server, these things happen.

    I had Hivelocity platinum management plan, they will do things per request only so you have to know what to ask for.

    My experience was short as I decided not to continue service with them. They were quick to blame you for everything and were not conducive to wanting one to succeed. I was also terrified about what had happened to other hosting companies.

  35. #35
    Join Date
    Sep 2008
    Location
    Dallas, TX
    Posts
    4,552
    Quote Originally Posted by JixHost View Post
    I was immediately null routed because I had an account that was copyright infringement and another account that was a phishing website. With 1800 plus accounts on that server, these things happen.

    I had Hivelocity platinum management plan, they will do things per request only so you have to know what to ask for.

    My experience was short as I decided not to continue service with them. They were quick to blame you for everything and were not conducive to wanting one to succeed. I was also terrified about what had happened to other hosting companies.
    Having had my IPs null routed many times, it gets very annoying, but they only do it when a huge abuse complaint has arisen, not just phishing World of Warcraft passwords, e.g. stealing bank info, etc.

  36. #36
    Join Date
    May 2009
    Location
    Ft. Lauderdale, Florida
    Posts
    1,473
    My impression was that they are "trigger happy" to null route and terminate servers without warning. In my case I run a paid hosting company and any downtime is detrimental to my business.

    When I gave full authorization to the general manager to terminate any account on-the-spot and bill me for the tech time, he refused...so I guess it's easier to null route the entire server. Too many hosting companies were Terminated (killed) by Hivelocity for me to even consider staying.

  37. #37
    Join Date
    Mar 2006
    Posts
    264
    i think we have to see if HiVelocity has a maximum bandwidth rate or pps in their terms and conditions. it would suck if they did. if they do i don't think youtube or google could be hosted with HiVelocity.

  38. #38
    Join Date
    Oct 2008
    Location
    Singapore
    Posts
    4,521
    Quote Originally Posted by ryan14 View Post
    i think we have to see if HiVelocity has a maximum bandwidth rate or pps in their terms and conditions. it would suck if they did. if they do i don't think youtube or google could be hosted with HiVelocity.
    C'mon, be realistic, it is impossible for YouTube or Google to be hosted with these guys, or other DCs, as Google is running their own DC!

  39. #39
    Join Date
    Jun 2004
    Location
    London, ON
    Posts
    385
    Quote Originally Posted by LaptopFreak View Post
    Google is running their own DC!
    Google is running tens to hundreds of their own DC's worldwide

  40. #40
    Join Date
    Jun 2008
    Posts
    204
    Quote Originally Posted by hhw View Post
    PPS limiting, if done, is usually at layer 2 through storm-control on Cisco switches. This allows you to define a rising limit and a falling limit. If packets/s exceeds the rising, the switch port will go into blocking mode, and all traffic will be dropped. However, once traffic falls back down below the falling limit, the port will become unblocked again. You can also configure storm-control to send an SNMP trap, but not actually block the port, which would inform you of attacks but allow you to take action manually.

    It's not very practical to block traffic of this kind at the router level (layer 3), or firewall level (3/4/*) as the traffic is already hitting the switch. It's also much more computationally intensive at that point, as the router or firewall would have to evaluate every packet that travels that path, so not only your traffic but every other customer on that trunk as well. TCP (layer 4) would be even worse, as it requires even more processing, as packet inspection would have to be done at an additional level of encapsulation, as well as having to check state for stateful firewalls.
    Thanks, that makes a lot of sense. I always thought those high end routers had a lot of hardware built in to do that sort of stuff without major CPU overhead.

    Couldn't you program a router to send packets for an attacking IP to a particular ethernet port and then put a router programmed to filter on that physical port just for this type of problem?

    I know it would be some trouble to do that, but how often does this happen and does it go away in a day or two? (in your experience).

    This question is for incoming DDOS attacks, is there a standard system in place where you can contact your upstream providers and possibly have them stop an attack? I am thinking they have contact farther up and should have something in place to stop attacks at the source IP.
