<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: Denial of Service Attack in Sonic.net</title>
<link>http://www.dslreports.com/forum/r19743379</link>
<description></description>
<language>en</language>
<pubDate>Wed, 20 Aug 2008 20:38:48 EDT</pubDate>
<lastBuildDate>Wed, 20 Aug 2008 20:38:48 EDT</lastBuildDate>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19850414</link>
<description><![CDATA[<A HREF="/useremail/u/838846"><b>veloslave</b></A> : FWIW... from just one customer/user<br><br>I would rather put up with some occasional grief while you guys support someone getting slammed by the scum of the net.<br><br>[/FWIW]<br><small>--<br>Mom was right.... I NEED fiber!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19850414</guid>
<pubDate>Tue, 22 Jan 2008 02:45:40 EDT</pubDate>
</item>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19842421</link>
<description><![CDATA[<A HREF="/useremail/u/456408"><b>DaneJasper</b></A> : We see more and more of them, and they're getting bigger and bigger.  To cause us any troubles here, they have to be pretty big - well over a gigabit of traffic.  We have about six gigabits of total transit in place today, but no single link is more than one gigabit.<br><br>We'll be talking here about what we can do to automate further our response to these types of attacks.  These two recent ones both caused brief outages, and this is something we've got to address.<br><br>-Dane]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19842421</guid>
<pubDate>Sun, 20 Jan 2008 22:08:54 EDT</pubDate>
</item>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19841810</link>
<description><![CDATA[<A HREF="/useremail/u/358304"><b>guhuna</b></A> : I've got a feeling it was a botnet. You get about 900 machines hammering one machine and its connection is done for.<br><br>&raquo;<A HREF="http://en.wikipedia.org/wiki/Botnet" >en.wikipedia.org/wiki/Botnet</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19841810</guid>
<pubDate>Sun, 20 Jan 2008 20:38:52 EDT</pubDate>
</item>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19840909</link>
<description><![CDATA[<A HREF="/useremail/u/838846"><b>veloslave</b></A> : Hey Dane... just wondering if this latest one on Saturday was the same customer... I thought my modem was getting weird on me again :)<br><br>Would seem that somebody has an axe to grind... especially if it is the same party.<br><br>I have been working part-time in IT since real estate is so dang slow.  Sure is amazing what a different world the "tubes" would be if everyone employed a good AV and anti-spy regimen on a clean patched machine right from the start AND always kept it up to date.  There would be so few bots out there... the hackers might actually have to get a legit job.<br><br>Must not be too much fun for the big guy to see these DDOS attacks and have to try and decide if they should cut a customer loose... I guess that must be considered if it is a regular problem huh?<br><br>How often do you guys see these attacks?  There were these two that were substantial enough to be felt downstream... are there a lot of others that we users do not notice?<br><small>--<br>Mom was right.... I NEED fiber!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19840909</guid>
<pubDate>Sun, 20 Jan 2008 17:50:36 EDT</pubDate>
</item>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19755579</link>
<description><![CDATA[<A HREF="/useremail/u/456408"><b>DaneJasper</b></A> : Thanks folks for the support.  It's rare that we have a failure, but we subscribe to the concept of being totally honest with customers about what went wrong.  It's the least we can do.  It's also a key way that we can be different than the cable and telcos - they often hide the real facts from customers.<br><br>-Dane]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19755579</guid>
<pubDate>Mon, 07 Jan 2008 14:37:37 EDT</pubDate>
</item>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19745252</link>
<description><![CDATA[<A HREF="/useremail/u/838846"><b>veloslave</b></A> : <div class="bquote"><small>said by  JohnInSJ <A HREF="/useremail/u/878241"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Wow.<br><br>I was both laughing at the frank, even humorous description of the firefight, and simultaneously feeling your pain - on a crappy weather day, to have both a nasty rainstorm and a nasty data storm sucked - with the data storm coming at the "end" of the day to boot.<br><br>Good job guys, and as always I appreciate the transparency on what's going on behind the scenes.<br><br>Back in the bad old SBC/Yahoo days, I'd only get info on what was happening through unofficial channels (usually via PMs on this site, of all things ;) )<br> </div>Ditto<br><br>X 2<br><br>Exactly<br><br>Keep up the good work!<br><small>--<br>Mom was right.... I NEED fiber!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19745252</guid>
<pubDate>Sat, 05 Jan 2008 17:56:46 EDT</pubDate>
</item>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19743379</link>
<description><![CDATA[<A HREF="/useremail/u/358304"><b>guhuna</b></A> : I'm very thankful for S.net having a MOTD.<br><br>Keep up the good work guys!  <IMG SRC="http://i.dslr.net/check1.gif"> ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19743379</guid>
<pubDate>Sat, 05 Jan 2008 11:52:02 EDT</pubDate>
</item>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19743052</link>
<description><![CDATA[<A HREF="/useremail/u/878241"><b>JohnInSJ</b></A> : Wow.<br><br>I was both laughing at the frank, even humorous description of the firefight, and simultaneously feeling your pain - on a crappy weather day, to have both a nasty rainstorm and a nasty data storm sucked - with the data storm coming at the "end" of the day to boot.<br><br>Good job guys, and as always I appreciate the transparency on what's going on behind the scenes.<br><br>Back in the bad old SBC/Yahoo days, I'd only get info on what was happening through unofficial channels (usually via PMs on this site, of all things ;) )<br><small>--<br>My place : &raquo;<A HREF="http://www.schettino.us" >www.schettino.us</A></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19743052</guid>
<pubDate>Sat, 05 Jan 2008 10:42:13 EDT</pubDate>
</item>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19741531</link>
<description><![CDATA[<A HREF="/useremail/u/757663"><b>burrowowl</b></A> : From our Message of the Day:<br><br><blockquote>Fri Jan 4 19:53:00 PST 2008 -- Widespread network outage. At approximately 5pm today we logged a massive amount of inbound traffic headed toward one of the colocation customers in our Santa Rosa datacenter. This distributed denial of service attack (DDoS) consisted of well over a gigabit of traffic aimed at this customer, sourced by thousands of zombie computers likely part of a massive botnet. This attack caused two of our gigabit transit links to flap wildly, which caused routing instability inside and outside of our network. This flapping was curtailed by a controlled shutdown and bring-up of these transit links. During this attack, most traffic continued to flow normally, but connectivity to some sites was significantly degraded or unavailable. <br><br>Further complicating matters was the rather confusing loss of a Santa Rosa datacenter router. In the middle of the DDoS, one of the two core routers that services our Santa Rosa datacenter suffered a hard drive failure. In addition to contributing a bit of red herring to the mess, this router seems to have spewed some incorrect routing information during the confusion, further complicating our restoration. At this time the router is still down pending hardware replacement. We've got on-site spares for this unit, and will be swapping them in around midnight tonight during a maintenance window. There are no customers directly connected to this router, and it's set up with a redundant neighbor that can take over its duties as necessary. No customers are affected by this router being off-line. <br><br>As if that wasn't enough, one of our network engineers made an unfortunate typo in the heat of battle, the end result of which was a nearly network-wide loss of routing protocol packets. This occurred at around 6:20pm, after internet-wide connectivity was almost fully restored. 
Emergency roll-back procedures were set into motion, and rapid service restoration required usage of our out-of-band management system to remotely console the affected devices and deactivate the change. Even with these procedures, fully restoring network connectivity took around 25 minutes. <br><br>We'll be discussing this outage at length internally to put policies and procedures in place to prevent any possibility of recurrence, as well as investigating why the routing instability caused such an impact to our network core. Our apologies for the downtime! <br><br>-Nathan, Jared, Matt, and the Sonic.net NOC</blockquote><br><br>--<br>John Fitzgerald<br>Sonic.net Technical Support]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19741531</guid>
<pubDate>Fri, 04 Jan 2008 23:42:26 EDT</pubDate>
</item>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19741223</link>
<description><![CDATA[<A HREF="/useremail/u/736699"><b>succotash</b></A> : Ahh! So that's what it was. I thought it was weather-related too (it's supposed to be the wettest weekend in years here in the L.A. area). I was just about to call tech support when service was restored. Must have been a pretty massive DOS attack, alright.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19741223</guid>
<pubDate>Fri, 04 Jan 2008 22:38:47 EDT</pubDate>
</item>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19741099</link>
<description><![CDATA[<A HREF="/useremail/u/901425"><b>treyadams</b></A> : You guys rock!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19741099</guid>
<pubDate>Fri, 04 Jan 2008 22:17:29 EDT</pubDate>
</item>

<item>
<title>Re: Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19741001</link>
<description><![CDATA[<A HREF="/useremail/u/233618"><b>Djdeadly</b></A> : It's been isolated and we should have internet back now. It's not uncommon to have DDoS attacks on ISPs but this must have been extremely massive to knock out most of the backbone.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19741001</guid>
<pubDate>Fri, 04 Jan 2008 21:58:34 EDT</pubDate>
</item>

<item>
<title>Denial of Service Attack</title>
<link>http://www.dslreports.com/forum/remark,19740994</link>
<description><![CDATA[<A HREF="/useremail/u/901425"><b>treyadams</b></A> : If you are a Sonic customer, you noticed that your service went down tonight at around 6:30 PM Pacific.  I called tech support.  I thought it was probably weather related, but wondered why it affected me in SoCal.  Turns out they are experiencing a system-wide denial of service attack.  Have you heard of anyone else (other ISPs) experiencing similar issues?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,19740994</guid>
<pubDate>Fri, 04 Jan 2008 21:57:37 EDT</pubDate>
</item>

</channel>
</rss>
