  1. #26
    Join Date
    Nov 2009
    Location
    Cincinnati
    Posts
    1,585
    Quote Originally Posted by badboyx View Post
    the best thing you can do is to contact the ISP of some botnet with the IP and the time and ask them to monitor the connections to find out the one who caused that large ddos

    A 30GBit ddos is a little bit out of the "large" scope.. more like gynormas...


    Most data centers do not even have 30gbit inbound pipes, that truly is a large amount of bandwidth.
    'Ripcord'ing is the only way!

  2. #27
    Join Date
    Aug 2007
    Location
    L.A., CA
    Posts
    3,710
    Why isn't ChinaTelecom doing anything about it on their end? After all, that's 30Gbps they are paying for into the USA...
    EasyDCIM.com - DataCenter Infrastructure Management - HELLO DEDICATED SERVER & COLO PROVIDERS! - Reach Me: chris@easydcim.com
    Bandwidth Billing | Inventory & Asset Management | Server Control
    Order Forms | Reboots | IPMI Control | IP Management | Reverse&Forward DNS | Rack Management

  3. #28
    A) Yes it's a "gynormas" attack we do have the pipe for it. However, our carriers do not have the pipe for it as peer to peer connection with China Telecom
    B) You are absolutely right why isn't China Telecom doing something about it but considering they are "almost" the main carrier in China and we know how big is China. I am sure they are extremely overloaded to try to find a resolution.

  4. #29
    Join Date
    May 2003
    Location
    Canada
    Posts
    671
    Tim,
    We had this situation before with an Escort site of Switzerland. Had over 30Gbps+ attack as well. Issue was it was originating from Europe and even AboveNet transatlantic pipes got full due to the size. Interestingly, we with the help of DC and upstream were able to filter the attack. Then the attackers started random IPs on the network, hitting every other IP.

    In your case I am assuming those sites are gaming sites, that's what we mostly get requests for. Advantage you have is direct peering which is able to give probably the best speed there.

    What my recommendation in your limited scenario will be is to first find out which client is being hit. I do know you said multiple IPs. But there must be something common in all those IPs being hit. Either they are from the same industry or they are for the same client, maybe, or their friends.

    Last, I believe Matt from Staminus or Ameen from Gigenet may be able to give some more useful information or share something with you guys, as I do not know anyone else in WHT who is strong enough to handle such things. Maybe Arbor or Tata or Tinet may be able to do something.
    Server4Sale
    Dirt CHEAP Servers coming soon

  5. #30
    Join Date
    Jun 2003
    Location
    London, UK
    Posts
    1,765
    What connectivity do you have and what routers are you using?
    Darren Lingham - Stablepoint Hosting
    Stablepoint - Cloud Web Hosting without compromise
    We provide industry-leading cPanel™ web hosting in 80+ global cities.

  6. #31
    Join Date
    Jun 2009
    Location
    UK: Oxford
    Posts
    1,259
    What about taking the hit and block ALL of the eastern-hemisphere? Stopping the attack and will your system time to recover.
    Garbott Ltd - Exceptional web development, hosting & consultancy services

  7. #32
    Join Date
    Mar 2009
    Location
    New Mexico - USA
    Posts
    224
    Talk about a handful, someone must really have it in for your company. Good luck getting it stopped!

  8. #33
    Join Date
    Jan 2006
    Location
    United States
    Posts
    1,386
    The sad thing is, you can stop it. But unless you can block the person absolutely it's going to happen again, and again, and again. They will hit you at random times

  9. #34
    Join Date
    Jul 2008
    Location
    Dallas, TX
    Posts
    107
    We have had some very large attacks from China in the past but not many this month. The target was always a Chinese based client as well and null routing or blackholing the target IP(s) was our resolution.

  10. #35
    Join Date
    Oct 2002
    Location
    Vancouver, B.C.
    Posts
    2,699
    Hi Tim,

    Tedious as it may be, I would try to contact the sources of the attacks. Are they actually on Chinatel's network, or are they just going through Chinatel for transit? Contacting source networks may not be the most effective recourse, from a technical standpoint, for a large and well distributed attack. However, by reducing the numbers of the attacker's botnet, you will at least incur some cost for them, even if it's only little by little. Keep it up and the attacker will most definitely take notice, and may consider moving on to a new target that doesn't result in their botnet shrinking.
    ASTUTE INTERNET: Advanced, customized, and scalable solutions with AS54527 Premium Performance and Canadian Optimized Network (Level3, Shaw, CogecoPeer1, GTT/Tinet),
    AS63213 Cost Effective High Performance Network (Cogent, HE, GTT/Tinet)
    Dedicated Hosting, Colo, Bandwidth, and Fiber out of Vancouver, Seattle, LA, Toronto, NYC, and Miami

  11. #36
    Join Date
    May 2009
    Location
    Vaduz/LI
    Posts
    2,778
    B) You are absolutely right why isn't China Telecom doing something about it but considering they are "almost" the main carrier in China and we know how big is China. I am sure they are extremely overloaded to try to find a resolution.
    Because they don't pay for traffic anyway, considering that they have almost 400mio customers which pay 10-100USD / month for Internet and/or hosting services, and they are basically state owned, which gives them unlimited monetary resources.

  12. #37
    Join Date
    Jul 2010
    Location
    Kansas City, MO, US
    Posts
    292
    Best bet? Get some media attention. Call it a national security crisis. Call it a homeland security issue. Get it on CNN and Fox News. I'm completely serious here. There are people with the power to fix this problem through non-technical channels.

    China Telecom's hand can be forced.

  13. #38
    Join Date
    May 2009
    Location
    Vaduz/LI
    Posts
    2,778
    China Telecom's hand can be forced.
    haha, no, I doubt that - they do what they want since years.

  14. #39
    Contacting the attacker is not going to help. This is a DDoS-for-lease service. From our investigation we found the attackers and caused some major blows to them, but since they have a service that they are selling for 1K+ for customers they had the financial means to recover.

    I can't share much of what we have done against the botnet but I can tell you we have given enough damage to them that any common botnet would cease to exist (all legal of course). But this one, it took them less than 2 weeks to recover.

    Getting the media's attention is a good idea, but I am afraid that no media want to run such a complicated piece of tech info. I remember when we had the DNS Reflective Attack it took us forever to convince media outlets to run the story. I truly don't blame China Telecom for this problem, they are an ISP and they are doing the best they can to handle this, but when you are being told 100K+ of your clients are infected and being used to launch DDOS attacks, it is an overwhelming number to say the least. Their only solution for this problem is contacting these systems one at a time and cleaning them. It's a daunting task.

    Ryan, we have done that multiple times, blackholing with limited results since the IP ranges keep on changing, but nullrouting is one of the methods that is keeping our network alive. I am afraid again I cannot venture into the methods we are using in public in fear of the attacker finding out.

  15. #40
    Join Date
    Jun 2004
    Location
    Oregon
    Posts
    1,315
    All I can say is I'm sure this attack is targeting gaming sites/game servers. But it's hard to find and kick out those Chinese clients who are hosting gaming sites/game servers. Good luck.

  16. #41
    Join Date
    Oct 2003
    Location
    Orlando, FL
    Posts
    245
    Quote Originally Posted by Jigy View Post
    Contacting the attacker is not going to help. This is a DDoS-for-lease service. From our investigation we found the attackers and caused some major blows to them, but since they have a service that they are selling for 1K+ for customers they had the financial means to recover.

    I can't share much of what we have done against the botnet but I can tell you we have given enough damage to them that any common botnet would cease to exist (all legal of course). But this one, it took them less than 2 weeks to recover.

    Getting the media's attention is a good idea, but I am afraid that no media want to run such a complicated piece of tech info. I remember when we had the DNS Reflective Attack it took us forever to convince media outlets to run the story. I truly don't blame China Telecom for this problem, they are an ISP and they are doing the best they can to handle this, but when you are being told 100K+ of your clients are infected and being used to launch DDOS attacks, it is an overwhelming number to say the least. Their only solution for this problem is contacting these systems one at a time and cleaning them. It's a daunting task.

    Ryan, we have done that multiple times, blackholing with limited results since the IP ranges keep on changing, but nullrouting is one of the methods that is keeping our network alive. I am afraid again I cannot venture into the methods we are using in public in fear of the attacker finding out.
    Look at your list of providers, They all seem to support the common BGP community 65000:XXXX
    Why not just stop the advertising of the prefix to the peer AS that the attack is flowing thru? It'll be the most optimized way to do things and will take the load off of your providers also.


    Edit:
    Just read "Regarding blocking or not announcing to China. We have a big customer base in China if it was all possible to do that we would have but it isn't." so this wouldn't work.

    A possible solution, Sadly we are still a few years away from provider support
    http://tools.ietf.org/html/draft-ietf-idr-flow-spec-05
    Last edited by Paul; 07-25-2010 at 10:46 AM.
    Paul
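
Added example, not part of any post in this thread: a sketch of the triage suggested in posts #29 and #41, grouping sampled flows by the customer that owns each targeted IP and by the peer AS the traffic enters through, so a null route or a per-peer withdrawal can be scoped to one customer prefix. The flow tuples, customer table, private-use ASNs and threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow samples: (src_ip, dst_ip, ingress_peer_asn, bits_per_second).
# Addresses are documentation ranges and ASNs are private-use; none come from the thread.
FLOWS = [
    ("198.51.100.7",   "203.0.113.10",  64501, 4_000_000_000),
    ("198.51.100.9",   "203.0.113.55",  64501, 2_000_000_000),
    ("198.51.100.200", "203.0.113.10",  64502, 2_000_000_000),
    ("198.51.100.33",  "203.0.113.140", 64502,   200_000_000),
    ("198.51.100.34",  "192.0.2.20",    64501,    50_000_000),
]

# Hypothetical allocation table: which customer holds which prefix.
CUSTOMERS = {
    "203.0.113.0/25": "cust-a",
    "203.0.113.128/25": "cust-b",
    "192.0.2.0/24": "cust-c",
}

def owner(dst):
    """Return (customer, network) for the longest matching allocation."""
    ip = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), c) for p, c in CUSTOMERS.items()]
    hits = [(n, c) for n, c in nets if ip in n]
    if not hits:
        return ("unallocated", None)
    net, cust = max(hits, key=lambda h: h[0].prefixlen)
    return (cust, net)

def summarize(flows, threshold_bps):
    """Rank targeted customers and show which peer AS carries most of the load."""
    per_target = defaultdict(lambda: defaultdict(int))  # (customer, net) -> peer -> bps
    for _src, dst, peer, bps in flows:
        per_target[owner(dst)][peer] += bps
    report = []
    for (cust, net), peers in per_target.items():
        total = sum(peers.values())
        if total < threshold_bps:
            continue  # background noise, not worth a routing change
        top_peer, top_bps = max(peers.items(), key=lambda kv: kv[1])
        report.append({"customer": cust, "prefix": str(net), "total_bps": total,
                       "top_peer": top_peer, "top_peer_share": round(top_bps / total, 2)})
    return sorted(report, key=lambda r: -r["total_bps"])

if __name__ == "__main__":
    for row in summarize(FLOWS, 1_000_000_000):
        print(row)
```

Here several destination IPs collapse to one customer prefix, and one peer carries most of the traffic towards it, which is the information needed before choosing between a null route and a per-peer change.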

  17. #42
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525
    5+ Gbps attacks tend to fizzle quickly, the more they run their course the more net operators begin to pay attention to the fact that they have infected resources.

    The smart attackers are the ones that come in with a small attack, just enough to financially burden the target without really alarming the carriers in between. Also, the botnets are easier to recharge as the drones blow their cover.

  18. #43
    Join Date
    Dec 2000
    Location
    The Woodlands, Tx
    Posts
    5,974
    Can you put China traffic into a lower priority? Or block all of China, but allowing only select China traffic in, your customers there for example.

  19. #44
    Hello,

    Yes we can stop announcing our blocks to China Telecom. However, as I mentioned before we have a considerable customer base in China using China Telecom

    Regarding smart attacks and network operators catching them. As I mentioned before, this is not your normal kind of attack, which we receive one or more of every minute. With this attack, every NOC that it passes through is aware of it, but there isn't much they can do because, as I mentioned, over 100k machines are involved in it. Common attacks have systems that have more bandwidth than others, and once blocked it cuts the attack in half. Not the case here. China Telecom is aware of it first hand and they are struggling with it. The sad part of it all is the attackers advertise their DDoS service on a website that looks like a legitimate business, and that's what shocks me. If it was in the US they'd be in jail in a couple of weeks.

  20. #45
    Join Date
    Apr 2002
    Location
    North Kansas City, MO
    Posts
    2,694
    I must be missing something....

    Why are they attacking you? Botnets like that get shut down pretty quickly and to sustain something of that magnitude you'd need to keep refreshing the drone count constantly. Someone is spending a lot of resources to get at you and putting their whole network at risk of being shut down.

    You must have some idea about why this attack is targeting you. Maybe if you share it we could help better.
    Aaron Wendel
    Wholesale Internet, Inc. - http://www.wholesaleinternet.net
    Kansas City Internet eXchange - http://www.kcix.net

  21. #46
    Join Date
    Oct 2003
    Location
    Orlando, FL
    Posts
    245
    " If so we would be willing to join forces to try to get this resolved. "

    You seem to want to work with other providers to help fight the attack but you seem unwilling to provide any usable vectors to the attack (We still don't even know the protocol they are using, never mind anything specific) that could help others in the future.
    Paul

  22. #47
    Hello,

    I think I have provided more than enough information that in case you are receiving this specific attack you would know about it. I don't know about you Paul but attacks in this magnitude don't come in every day. If you are receiving 30Gbps+ attacks and most of the hosts are from China it is safe to assume it's the same kind. The pattern of the attack protocol/port/..etc can change at any given time, especially since the utility that does this allows them to do it.

    In regards to their motivation, like I have explained before, this is a ddos-for-hire service they provide you. The attack is targeted against Chinese customers of ours; either they are trying to get us out of the market or they are simply trying to do the same thing ddos'ers do "extortion, closing businesses, ..etc"

  23. #48
    Join Date
    Sep 2008
    Location
    Dallas, TX
    Posts
    4,568
    Quote Originally Posted by PaulTech View Post
    " If so we would be willing to join forces to try to get this resolved. "

    You seem to want to work with other providers to help fight the attack but you seem unwilling to provide any usable vectors to the attack (We still don't even know the protocol they are using, never mind anything specific) that could help others in the future.
    If Paul is willing to work with you, please do it. Paul has helped me on numerous occasions, heck last week a whopping what 5 times w/ 500-multi gigabit DDOS. He knows his stuff, granted I don't know if he's ever dealt with a 30Gbps DDOS he's definitely sharp in this area.

  24. #49
    Join Date
    Apr 2002
    Location
    North Kansas City, MO
    Posts
    2,694
    Quote Originally Posted by Jigy View Post
    The attack is targeted against Chinese customers of ours; either they are trying to get us out of the market or they are simply trying to do the same thing ddos'ers do "extortion, closing businesses, ..etc"
    Have they made any demands?
    Aaron Wendel
    Wholesale Internet, Inc. - http://www.wholesaleinternet.net
    Kansas City Internet eXchange - http://www.kcix.net

  25. #50
    Aaron,

    Not to me directly, but I know some of the customers we had were willing to pay a lot of money to stop this attack. What I believe is happening is this attack is not coming from one individual person or a group. The botnet is used by many "clients" that are paying to use this botnet to attack competitors or for extortion.

    Quite frankly I am shocked that no one else so far has reported the same problem... This is starting to be frightening...
