
> Distributed Denial of Service Attack, resolved
andy
Posted: Aug 21 2017, 02:13 AM





Group: Advantagecom Staff
Posts: 4,310
Member No.: 9
Joined: 12-July 02



For about 40 minutes this evening, our network was under a heavy Distributed Denial of Service (DDoS) attack.

As best we can tell, this attack was again directed at some of our older DNS servers.

Unlike the prior attack, which was easily blocked, this attack was distributed and came from numerous remote IP addresses, or at least there were numerous IP addresses spoofed as the source address, making it nearly impossible to filter. That's the nature of DDoS attacks and why they've become the tool of choice for disrupting service.

We still have no idea why we're being targeted. Our best guess is that someone was probably bored and wanted to test the capabilities of our network.

For the moment, the attacks have ceased, but we don't know if/when they might resume.

If the DDoS attacks resume, we'll be working with our upstream providers to mitigate the attack on their more powerful hardware.


--------------------
Sincerely,
Andrew Kinney
CTO, Advantagecom Networks

Please do not private message me. My regular management duties preclude responding to every customer that sends me a support issue. Instead, post on the forum or contact tech support.
andy
Posted: Aug 21 2017, 04:00 AM



There have been no further attacks after 2:20AM Pacific time (GMT -7:00), August 21.


andy
Posted: Aug 22 2017, 05:45 AM



Attacks resumed about 3:40AM August 22 and are still ongoing at 6:30AM August 22 (Pacific time, GMT -7:00).

They have gradually reduced in severity and frequency. This is likely due to reduced motivation on the part of the attacker since our DNS servers do not represent a good traffic reflector/amplifier for their DDoS against Google.

The way a DNS reflection/amplification attack works is that the attacker spoofs (fakes) the real target's IP address as the source of the UDP DNS request and then sends that request to a DNS server (reflector/amplifier) that will respond with more data than what was received to the spoofed IP address. The point is to overload the spoofed IP address by using someone else's servers to do the heavy lifting. When working as the attacker intends, they can get more traffic sent to the spoofed IP address than they sent to the reflector/amplifier.

In this case, our DNS servers are not very good reflector/amplifier systems for this type of attack. For every 1KB the real attacker sends to our DNS servers, only about 400 bytes is reflected to the spoofed IP address. This represents a very low economic return for the attacker. They'd get better results simply attacking the target directly.

As they discover that our DNS servers are simply a waste of their bandwidth for their attack, we expect the attacks to continue to reduce.


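Added example, not part of the original post: a defender-side check of how much a DNS server amplifies, computed per source address from query and response byte counts. The log format, the addresses, the `min_queries` threshold and the sample records are all constructed for illustration; the sample assumes some queries go unanswered, which is one way a ratio below 1 can arise.

```python
from collections import defaultdict

# Constructed sample records (not data from this incident), one per query:
# "<source_ip> <query_bytes> <response_bytes>"; 0 means no response was sent.
SAMPLE_LOG = (
    "198.51.100.7 50 50\n" * 4    # answered queries from a heavily used source
    + "198.51.100.7 50 0\n" * 6   # queries from the same source left unanswered
    + "192.0.2.10 40 120\n"       # ordinary client, normal-sized answers
    + "192.0.2.10 40 100\n"
)

def aggregate(log):
    """Sum query count, bytes received and bytes sent per source address."""
    totals = defaultdict(lambda: [0, 0, 0])
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or not (parts[1].isdigit() and parts[2].isdigit()):
            continue  # skip malformed lines instead of failing the whole run
        entry = totals[parts[0]]
        entry[0] += 1
        entry[1] += int(parts[1])
        entry[2] += int(parts[2])
    return totals

def amplification_report(log, min_queries=5):
    """Per source: bytes out / bytes in, and whether it looks like reflection.

    A source address that sends many queries is a candidate spoofed victim;
    a factor above 1.0 means the server sends it more than it received.
    """
    report = {}
    for src, (count, bytes_in, bytes_out) in aggregate(log).items():
        factor = bytes_out / bytes_in if bytes_in else 0.0
        report[src] = {
            "queries": count,
            "bytes_in": bytes_in,
            "bytes_out": bytes_out,
            "factor": round(factor, 2),
            "high_volume": count >= min_queries,
            "amplifies": factor > 1.0,
        }
    return report

if __name__ == "__main__":
    for src, row in sorted(amplification_report(SAMPLE_LOG).items()):
        print(src, row)
```

A high-volume source with a factor below 1.0, as in the figures quoted in the post, means the server is absorbing the traffic rather than multiplying it toward the spoofed address.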
andy
Posted: Aug 22 2017, 06:05 AM



It appears that the attacks ended at 6:35AM Pacific time (GMT -7:00) August 22.

The attacks that happened overnight caused only minor slowdowns for the affected DNS servers and did not disrupt our network.


andy
Posted: Aug 28 2017, 05:22 PM



These have been continuing in the late night or early morning most days for a few minutes at a time, but only to certain DNS servers and not at a level that causes network problems.

Most people will not notice any effect due to the timing of the attacks, short duration of each attack, and the small number of older systems affected.

There have been a couple nights recently that did not appear to have any attacks, so we're hopeful that they'll subside completely in the near future.


andy
Posted: Sep 27 2017, 09:50 AM



We haven't seen the attacks for a couple of weeks now, so we consider this to be resolved.

