Thread: 30+ Gbps Attack Anyone?
-
07-23-2010, 08:34 PM #26 Web Hosting Master
- Join Date
- Nov 2009
- Location
- Cincinnati
- Posts
- 1,585
-
07-24-2010, 12:02 AM #27 Web Hosting Master
- Join Date
- Aug 2007
- Location
- L.A., CA
- Posts
- 3,710
Why isn't ChinaTelecom doing anything about it on their end? After all, that's 30Gbps they are paying for into the USA...
-
07-24-2010, 12:29 AM #28 Junior Guru
- Join Date
- Aug 2004
- Posts
- 242
A) Yes, it's a "gynormas" attack; we do have the pipe for it. However, our carriers do not have the pipe for it as peer to peer connection with China Telecom.
B) You are absolutely right, why isn't China Telecom doing something about it, but considering they are "almost" the main carrier in China and we know how big China is, I am sure they are extremely overloaded trying to find a resolution.
-
07-24-2010, 03:18 AM #29 Web Hosting Master
- Join Date
- May 2003
- Location
- Canada
- Posts
- 671
Tim,
We had this situation before with an escort site of Switzerland. Had over 30Gbps+ attack as well. Issue was it was originating from Europe, and even AboveNet transatlantic pipes got full due to the size. Interestingly, with the help of the DC and upstream we were able to filter the attack. Then the attackers started random IPs on the network, hitting every other IP.
In your case I am assuming those sites are gaming sites; that's what we mostly get requests for. The advantage you have is direct peering, which is able to give probably the best speed there.
My recommendation in your limited scenario will be to first find out which client is being hit. I do know you said multiple IPs. But there must be something common in all those IPs being hit. Either they are from the same industry, or they are for the same client maybe, or their friends.
Lastly, I believe Matt from Staminus or Ameen from Gigenet may be able to give some more useful information or share something with you guys, as I do not know anyone else in WHT who is strong enough to handle such things. Maybe Arbor or Tata or Tinet may be able to do something.
-
07-24-2010, 05:04 AM #30 Web Hosting Master
- Join Date
- Jun 2003
- Location
- London, UK
- Posts
- 1,765
What connectivity do you have and what routers are you using?
Darren Lingham - Stablepoint Hosting
-
07-24-2010, 06:40 AM #31 Web Hosting Master
- Join Date
- Jun 2009
- Location
- UK: Oxford
- Posts
- 1,259
What about taking the hit and blocking ALL of the eastern hemisphere? Stopping the attack will give your system time to recover.
-
07-24-2010, 07:00 AM #32 Junior Guru
- Join Date
- Mar 2009
- Location
- New Mexico - USA
- Posts
- 224
Talk about a handful, someone must really have it in for your company. Good luck getting it stopped!
-
07-24-2010, 07:53 AM #33 Disabled
- Join Date
- Jan 2006
- Location
- United States
- Posts
- 1,386
The sad thing is, you can stop it. But unless you can block the person absolutely, it's going to happen again, and again, and again. They will hit you at random times.
-
07-24-2010, 02:39 PM #34 WHT Addict
- Join Date
- Jul 2008
- Location
- Dallas, TX
- Posts
- 107
We have had some very large attacks from China in the past but not many this month. The target was always a Chinese-based client as well, and null routing or blackholing the target IP(s) was our resolution.
-
07-24-2010, 03:12 PM #35 Web Hosting Master
- Join Date
- Oct 2002
- Location
- Vancouver, B.C.
- Posts
- 2,699
Hi Tim,
Tedious as it may be, I would try to contact the sources of the attacks. Are they actually on Chinatel's network, or are they just going through Chinatel for transit? Contacting source networks may not be the most effective recourse, from a technical standpoint, for a large and well distributed attack. However, by reducing the numbers of the attacker's botnet, you will at least incur some cost for them, even if it's only little by little. Keep it up and the attacker will most definitely take notice, and may consider moving on to a new target that doesn't result in their botnet shrinking.
-
07-24-2010, 03:52 PM #36 Now renamed!
- Join Date
- May 2009
- Location
- Vaduz/LI
- Posts
- 2,778
B) You are absolutely right, why isn't China Telecom doing something about it, but considering they are "almost" the main carrier in China and we know how big China is, I am sure they are extremely overloaded trying to find a resolution.
-
07-24-2010, 07:17 PM #37 Web Hosting Guru
- Join Date
- Jul 2010
- Location
- Kansas City, MO, US
- Posts
- 292
Best bet? Get some media attention. Call it a national security crisis. Call it a homeland security issue. Get it on CNN and Fox News. I'm completely serious here. There are people with the power to fix this problem through non-technical channels.
China Telecom's hand can be forced.
-
07-24-2010, 07:20 PM #38 Now renamed!
- Join Date
- May 2009
- Location
- Vaduz/LI
- Posts
- 2,778
China Telecom's hand can be forced.
-
07-24-2010, 08:27 PM #39 Junior Guru
- Join Date
- Aug 2004
- Posts
- 242
Contacting the attacker is not going to help. This is a DDoS-for-lease service. From our investigation we found the attackers and caused some major blows to them, but since they have a service that they are selling for 1K+ for customers they had the financial means to recover.
I can't share much of what we have done against the botnet, but I can tell you we have given enough damage to them that any common botnet would cease to exist (all legal of course). But this one, it took them less than 2 weeks to recover.
Getting the media's attention is a good idea, but I am afraid that no media want to run such a complicated piece of tech info. I remember when we had the DNS Reflective Attack it took us forever to convince media outlets to run the story. I truly don't blame China Telecom for this problem; they are an ISP and they are doing the best they can to handle this, but when you are being told 100K+ of your clients are infected and being used to launch DDoS attacks, it is an overwhelming number, to say the least. Their only solution for this problem is contacting these systems one at a time and cleaning them. It's a daunting task.
Ryan, we have done that multiple times, blackholing with limited results since the IP ranges keep on changing, but nullrouting is one of the methods that is keeping our network alive. I am afraid again I cannot venture into the methods we are using in public, in fear of the attacker finding out.
-
07-24-2010, 09:32 PM #40 Web Hosting Master
- Join Date
- Jun 2004
- Location
- Oregon
- Posts
- 1,315
All I can say is I'm sure this attack is targeting gaming sites/game servers. But it's hard to find and kick out those Chinese clients who are hosting gaming sites/game servers. Good luck.
-
07-25-2010, 10:42 AM #41 Junior Guru
- Join Date
- Oct 2003
- Location
- Orlando, FL
- Posts
- 245
Look at your list of providers. They all seem to support the common BGP community 65000:XXXX
Why not just stop the advertising of the prefix to the peer AS that the attack is flowing thru? It'll be the most optimized way to do things and will take the load off of your providers also.
Edit:
Just read "Regarding blocking or not announcing to China. We have a big customer base in China if it was all possible to do that we would have but it isn't." so this wouldn't work.
A possible solution; sadly, we are still a few years away from provider support:
http://tools.ietf.org/html/draft-ietf-idr-flow-spec-05
Last edited by Paul; 07-25-2010 at 10:46 AM.
Paul
-
07-25-2010, 11:51 AM #42 CISSP-ISSMP, CISA
- Join Date
- Aug 2002
- Location
- Seattle
- Posts
- 5,525
5+ Gbps attacks tend to fizzle quickly, the more they run their course the more net operators begin to pay attention to the fact that they have infected resources.
The smart attackers are the ones that come in with a small attack, just enough to financially burden the target without really alarming the carriers in between. Also, the botnets are easier to recharge as the drones blow their cover.
-
07-25-2010, 02:48 PM #43 Web Hosting Master
- Join Date
- Dec 2000
- Location
- The Woodlands, Tx
- Posts
- 5,974
Can you put China traffic into a lower priority? Or block all of China, but allowing only select China traffic in, your customers there for example.
-
07-25-2010, 03:42 PM #44 Junior Guru
- Join Date
- Aug 2004
- Posts
- 242
Hello,
Yes, we can stop announcing our blocks to China Telecom. However, as I mentioned before, we have a considerable customer base in China using China Telecom.
Regarding smart attacks and network operators catching them: as I mentioned before, this is not your normal kind of attack, which we receive one or more of every minute. Every NOC that this attack passes through is aware of it, but there isn't much they can do because, as I mentioned, over 100k machines are involved in it. Common attacks have systems that have more bandwidth than others, and once blocked it cuts the attack in half. Not the case here. China Telecom is aware of it first hand and they are struggling with it. The sad part of it all is the attackers advertise their DDoS service on a website that looks like a legitimate business, and that's what shocks me. If it was in the US they'd be in jail in a couple of weeks.
-
07-25-2010, 04:06 PM #45
I must be missing something....
Why are they attacking you? Botnets like that get shut down pretty quickly, and to sustain something of that magnitude you'd need to keep refreshing the drone count constantly. Someone is spending a lot of resources to get at you and putting their whole network at risk of being shut down.
You must have some idea about why this attack is targeting you. Maybe if you share it we could help better.
Aaron Wendel
Wholesale Internet, Inc. - http://www.wholesaleinternet.net
Kansas City Internet eXchange - http://www.kcix.net
-
07-25-2010, 04:50 PM #46 Junior Guru
- Join Date
- Oct 2003
- Location
- Orlando, FL
- Posts
- 245
" If so we would be willing to join forces to try to get this resolved. "
You seem to want to work with other providers to help fight the attack, but you seem unwilling to provide any usable vectors to the attack (we still don't even know the protocol they are using, never mind anything specific) that could help others in the future.
Paul
-
07-25-2010, 10:39 PM #47 Junior Guru
- Join Date
- Aug 2004
- Posts
- 242
Hello,
I think I have provided more than enough information that in case you are receiving this specific attack you would know about it. I don't know about you, Paul, but attacks in this magnitude don't come in every day. If you are receiving a 30Gbps+ attack and most of the hosts are from China, it is safe to assume it's the same kind. The pattern of the attack (protocol/port/etc.) can change at any given time, especially as the utility that does this allows them to do it.
In regards to their motivation, like I have explained before, this is a DDoS-for-hire service they provide you. The attack is targeted against Chinese customers of ours; either they are trying to get us out of the market or they are simply trying to do the same thing DDoSers do: "extortion, closing businesses, etc."
-
07-25-2010, 10:45 PM #48 Web Hosting Master
- Join Date
- Sep 2008
- Location
- Dallas, TX
- Posts
- 4,568
If Paul is willing to work with you, please do it. Paul has helped me on numerous occasions, heck last week a whopping what 5 times w/ 500-multi gigabit DDOS. He knows his stuff, granted I don't know if he's ever dealt with a 30Gbps DDOS he's definitely sharp in this area.
-
07-25-2010, 10:52 PM #49Aaron Wendel
Wholesale Internet, Inc. - http://www.wholesaleinternet.net
Kansas City Internet eXchange - http://www.kcix.net
-
07-25-2010, 10:59 PM #50 Junior Guru
- Join Date
- Aug 2004
- Posts
- 242
Aaron,
Not to me directly, but I know some of the customers we had were willing to pay a lot of money to stop this attack. What I believe is happening is this attack is not coming from one individual person or a group. The botnet is used by many "clients" that are paying to use this botnet to attack competitors or for extortion.
Quite frankly I am shocked that no one else so far has reported the same problem... This is starting to be frightening...