
IP on S5 Server Null-Routed by Up-Stream due to DDoS


10 replies to this topic

#1 MikeDVB


    Forum Administrator


Posted 31 March 2018 - 08:16 PM

Hello,

 

Our upstream provider, Handy Networks, has null-routed the IP 162.244.254.212 for 24 hours due to an inbound DDoS attack.  While I do not have the details of the attack currently I have requested them.  It appears, from what they provided, to be a UDP flood.

 

We are working to move all affected accounts off to alternate IP addresses.


Michael Denney - MDDHosting LLC - Providing Hosting since 2007
Scalable shared hosting plans in the cloud! Check them out!
Highly Available Cloud Shared, Reseller, and VPS
http://www.mddhosting.com/

#2 MikeDVB


Posted 31 March 2018 - 08:43 PM

All accounts on the affected IP have been migrated to new IP addresses. If you are using our DNS there is nothing you need to do. If you are using third party DNS you will need to sign in to your cPanel [https://s5.supportedns.com/cpanel] and go to 'Server Information' and then update your DNS to the 'Shared IP Address' shown there.



#3 MikeDVB


Posted 31 March 2018 - 08:49 PM

This attack was a 6 GBPS DNS Amplification Attack according to the data I was provided.  This was the size of the attack at the point it was null-routed and very well may have grown larger if not null routed.

 

We will be keeping an eye on the new IPs to see if the attack shifts.



#4 Guest_AskMDD_*


Posted 31 March 2018 - 09:35 PM

Many users are seeing the default web page ("SORRY") when visiting their sites. This is due to the IP address change and DNS propagation.

 

If you use our DNS servers:

- No further action is required.

- The site will be accessible soon, when DNS propagation completes.

- New visitors should see the site immediately.

- You can follow the on-screen directions, or visit https://go.cpanel.net/cleardnscache for directions to restore your own access without delay.

 

If you are using third party DNS servers:

- Follow Michael's directions from earlier: https://forums.mddho...=6778#entry6778

- Once the DNS change has been completed, no further action is required.

- The site will be accessible soon, when DNS propagation completes.

- New visitors should see the site immediately.

- You can follow the on-screen directions, or visit https://go.cpanel.net/cleardnscache for directions to restore your own access without delay.

 

---

 

In any case, continue to monitor this forum thread for any updates.

 



#5 MikeDVB


Posted 31 March 2018 - 10:04 PM

If you are using CloudFlare you will need to update the IP for your domain(s) at CloudFlare if you are on the affected IP.

 

I do wish we could email only those affected and let them know - but only a tiny percentage of the server was affected and there is no way for us to email only those affected without it being entirely manual.  While it is a small percentage of accounts on the server - it's enough accounts that manually notifying one by one would take a fairly substantial amount of time.

 

If you aren't subscribed to this section of the forums, I do suggest it -> https://forums.mddho...ues-and-events/



#6 SarisIsop


Posted 01 April 2018 - 05:14 AM

Thank you, I subscribe to the Announcements and find it very helpful.

Probably a dumb question, but are these types of attack aimed at a particular website or is it just a random thing?



#7 Scott


    MDDHosting Staff


Posted 01 April 2018 - 10:10 AM

are these types of attack aimed at a particular website or is it just a random thing?


They are typically targeting a specific website or entity.
Scott S - MDDHosting LLC - Providing Hosting since 2007

#8 SarisIsop


Posted 01 April 2018 - 10:20 AM

They are typically targeting a specific website or entity.

 

Thank you Scott.

 

I'm guessing there is nothing we can do from our side? And is there any way of telling if I was a target?



#9 Scott


Posted 01 April 2018 - 05:35 PM

I'm guessing there is nothing we can do from our side?


Correct.
 

And is there any way of telling if I was a target?


If we tell you you were the target, then you are. Otherwise, you are not.

#10 MikeDVB


Posted 01 April 2018 - 05:46 PM

If we tell you you were the target, then you are. Otherwise, you are not.

It is worth noting that attacks like these can be compared to carpet bombs with a lot of collateral damage.

 

While the attacker did likely take their target offline - they took others offline in the process.  In cases where we are able to identify the target we will segregate them and contact them - but in this case we have not been able to identify a specific target.



#11 SarisIsop


Posted 02 April 2018 - 06:19 AM

Thank you both for clarifying. It's one of those things I've never fully understood, but now that I know you will contact me if you know for certain that I was a target, I will leave it in your capable hands.

