 treyadams
join:2003-11-18 Los Angeles, CA
·SONIC.NET
| Denial of Service Attack
If you are a Sonic customer, you noticed that your service went down tonight at around 6:30 PM Pacific. I called tech support. I thought it was probably weather related, but wondered why it affected me in SoCal. Turns out they are experiencing a system-wide denial of service attack. Have you heard of anyone else (other ISPs) experiencing similar issues? |
|
  Djdeadly
join:2000-11-03 San Jose, CA edit: January 4th, @09:59PM
| It's been isolated and we should have internet back now. It's not uncommon to have DDoS attacks on ISPs but this must have been extremely massive to knock out most of the backbone. |
|
 treyadams
join:2003-11-18 Los Angeles, CA | reply to treyadams You guys rock! |
|
 succotash Premium join:2002-12-14 Monterey Park, CA
| Ahh! So that's what it was. I thought it was weather-related too (it's supposed to be the wettest weekend in years here in the L.A. area). I was just about to call tech support when service was restored. Must have been a pretty massive DOS attack, alright. |
|
  burrowowl Sonic.Net VIP join:2003-01-22 Santa Rosa, CA
| reply to treyadams From our Message of the Day:
Fri Jan 4 19:53:00 PST 2008 -- Widespread network outage. At approximately 5pm today we logged a massive amount of inbound traffic headed toward one of the colocation customers in our Santa Rosa datacenter. This distributed denial of service attack (DDoS) consisted of well over a gigabit of traffic aimed at this customer, sourced by thousands of zombie computers likely part of a massive botnet. This attack caused two of our gigabit transit links to flap wildly, which caused routing instability inside and outside of our network. This flapping was curtailed by a controlled shutdown and bring-up of these transit links. During this attack, most traffic continued to flow normally, but connectivity to some sites was significantly degraded or unavailable.
Further complicating matters was the rather confusing loss of a Santa Rosa datacenter router. In the middle of the DDoS, one of the two core routers that services our Santa Rosa datacenter suffered a hard drive failure. In addition to contributing a bit of red herring to the mess, this router seems to have spewed some incorrect routing information during the confusion, further complicating our restoration. At this time the router is still down pending hardware replacement. We've got on-site spares for this unit, and will be swapping them in around midnight tonight during a maintenance window. There are no customers directly connected to this router, and it's set up with a redundant neighbor that can take over its duties as necessary. No customers are affected by this router being off-line.
As if that wasn't enough, one of our network engineers made an unfortunate typo in the heat of battle, the end result of which was a nearly network-wide loss of routing protocol packets. This occurred at around 6:20pm, after internet-wide connectivity was almost fully restored. Emergency roll-back procedures were set into motion, and rapid service restoration required usage of our out-of-band management system to remotely console the affected devices and deactivate the change. Even with these procedures, fully restoring network connectivity took around 25 minutes.
We'll be discussing this outage at length internally to put policies and procedures in place to prevent any possibility of recurrence, as well as investigating why the routing instability caused such an impact to our network core. Our apologies for the downtime!
-Nathan, Jared, Matt, and the Sonic.net NOC -- John Fitzgerald Sonic.net Technical Support |
|
  JohnInSJ Premium join:2003-09-22 San Jose, CA
·SONIC.NET
| reply to treyadams Wow.
I was both laughing at the frank, even humorous description of the firefight, and simultaneously feeling your pain - on a crappy weather day, to have both a nasty rainstorm and a nasty data storm sucked - with the data storm coming at the "end" of the day to boot.
Good job guys, and as always I appreciate the transparency on what's going on behind the scenes.
Back in the bad old SBC/Yahoo days, I'd only get info on what was happening through unofficial channels (usually via PMs on this site, of all things) -- My place: »www.schettino.us |
|
  guhuna tuned to 30hz Premium join:2001-03-31 Millbrae, CA | reply to treyadams I'm very thankful for S.net having a MOTD.
Keep up the good work guys! |
|
  veloslave Geek For God Premium join:2003-07-11 Pleasant Hill, CA
·SONIC.NET
| reply to JohnInSJ
said by JohnInSJ: Wow. I was both laughing at the frank, even humorous description of the firefight, and simultaneously feeling your pain - on a crappy weather day, to have both a nasty rainstorm and a nasty data storm sucked - with the data storm coming at the "end" of the day to boot. Good job guys, and as always I appreciate the transparency on what's going on behind the scenes. Back in the bad old SBC/Yahoo days, I'd only get info on what was happening through unofficial channels (usually via PMs on this site, of all things)
Ditto
X 2
Exactly
Keep up the good work! -- Mom was right.... I NEED fiber! |
|
  DaneJasper Sonic.Net Premium,VIP join:2001-08-20 Santa Rosa, CA
| reply to treyadams Thanks folks for the support. It's rare that we have a failure, but we subscribe to the concept of being totally honest with customers about what went wrong. It's the least we can do. It's also a key way that we can be different than the cable and telcos - they often hide the real facts from customers.
-Dane |
|
  veloslave Geek For God Premium join:2003-07-11 Pleasant Hill, CA
·SONIC.NET
| reply to treyadams Hey Dane... just wondering if this latest one on Saturday was the same customer... I thought my modem was getting weird on me again 
Would seem that somebody has an axe to grind... especially if it is the same party.
I have been working part-time in IT since real estate is so dang slow. Sure is amazing what a different world the "tubes" would be if everyone employed a good AV and anti-spy regimen on a clean patched machine right from the start AND always kept it up to date. There would be so few bots out there... the hackers might actually have to get a legit job.
Must not be too much fun for the big guy to see these DDOS attacks and have to try and decide if they should cut a customer loose... I guess that must be considered if it is a regular problem huh?
How often do you guys see these attacks? There were these two that were substantial enough to be felt downstream... are there a lot of others that we users do not notice? -- Mom was right.... I NEED fiber! |
|
  guhuna tuned to 30hz Premium join:2001-03-31 Millbrae, CA | I've got a feeling it was a botnet. You get about 900 machines hammering one machine and its connection is done for.
»en.wikipedia.org/wiki/Botnet |
|
  DaneJasper Sonic.Net Premium,VIP join:2001-08-20 Santa Rosa, CA
| reply to veloslave We see more and more of them, and they're getting bigger and bigger. To cause us any troubles here, they have to be pretty big - well over a gigabit of traffic. We have about six gigabits of total transit in place today, but no single link is more than one gigabit.
We'll be talking here about what we can do to automate further our response to these types of attacks. These two recent ones both caused brief outages, and this is something we've got to address.
-Dane |
|
  veloslave Geek For God Premium join:2003-07-11 Pleasant Hill, CA | reply to treyadams FWIW... from just one customer/user
I would rather put up with some occasional grief while you guys support someone getting slammed by the scum of the net.
[/FWIW] -- Mom was right.... I NEED fiber! |
|