Michael D. Posted August 7, 2012 (edited)
The IP address "173.248.187.213" on our Icarus server has come under a very heavy DDoS attack. The attack is large enough that it was causing disruption for the entire network so we've been forced to disable the IP address until the attack subsides. We are going to continue working to try and mitigate the attack by identifying the target site under attack, but can make no guarantees. It is quite possible that if your account is on this IP, that it will be changed to another IP shortly to bring your site back online. In the event that you are using external DNS, you will simply need to check your cPanel periodically to view the IP address that your account is assigned to.
Edited September 7, 2012 by Scott S (Resolved)
Michael D. Posted August 7, 2012
We are shifting all accounts off of this IP in groups to new IP addresses, hopefully when/if the attack moves to a new IP that will allow us to re-route the old IP and restore service to everybody.
Michael D. Posted August 8, 2012
All accounts have been moved over to new IP addresses. DNS propagation does apply, so it may be an hour or two before your site comes back online for you.
Michael D. Posted August 8, 2012
Networking has updated us that the IP block is removed and the attack did not return [so far]. All accounts were migrated off of the IP, but we just wanted to update and close this thread.
Michael D. Posted August 8, 2012
Looks like the attack returned, and moved to a new IP address. I have a suspicion as to who is under attack, however, we are going to split off accounts again from this new IP to further narrow the target.
Michael D. Posted August 13, 2012
The attacks have been ongoing, today the server was offline/sluggish for 5 to 10 minutes as we worked to isolate and mitigate another attack. We're fairly certain these repeated attacks are all targeting the same site/user but we've been unable to identify which site is under attack so far. Every time the attack comes back, we bisect all accounts on the IP to two new IP addresses - so there's a 50/50 chance each time the attack returns that you won't be affected by the next 'round'. If the attack shifted quickly (like most) we could very quickly get it down to a single account and then simply disable that account, but this attack seems to only shift once every few days, so it is taking longer than we'd like to identify the target. Each time it returns, fewer and fewer customers are going to be affected, and we apologize for any customers whose IPs have changed a few times by now. Unfortunately the internet is a very hostile place, and anybody with the funds can 'hire' a botnet to send attacks on any site they wish. Keep in mind that it's not *us* that is under attack, but a site that we host - that we're working to identify.
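
The bisection procedure described in the post above, as an added example that is not part of the original thread or the host's own tooling. The account names, the account count of 200 and the function names are constructed for illustration; the `target` argument stands in for "whichever new IP the attack follows", which the operator only learns by observing the next round.

```python
def worst_case_rounds(n_accounts):
    """Upper bound on splits needed to isolate one account: ceil(log2(n))."""
    return (n_accounts - 1).bit_length() if n_accounts > 0 else 0


def isolate_target(accounts, target):
    """Simulate splitting the attacked IP's accounts across two new IPs.

    accounts: names of accounts sharing the attacked IP (constructed data).
    target:   the account the attack follows; unknown to the operator and
              used here only to model which of the two new IPs gets hit.
    Returns (isolated_account, history) where history holds one
    (still_on_attacked_ip, moved_clear) tuple per round.
    """
    group = list(accounts)
    history = []
    while len(group) > 1:
        mid = len(group) // 2
        ip_a, ip_b = group[:mid], group[mid:]
        # The attack returns against whichever new IP hosts the target.
        attacked = ip_a if target in ip_a else ip_b
        history.append((len(attacked), len(group) - len(attacked)))
        group = attacked
    return group[0], history


# Constructed sample: 200 shared-hosting accounts on one IP.
SAMPLE_ACCOUNTS = [f"acct{i:03d}" for i in range(200)]

if __name__ == "__main__":
    found, rounds = isolate_target(SAMPLE_ACCOUNTS, "acct137")
    for n, (hit, clear) in enumerate(rounds, 1):
        print(f"round {n}: {hit} accounts still exposed, {clear} moved clear")
    print(f"isolated {found} after {len(rounds)} rounds "
          f"(bound: {worst_case_rounds(len(SAMPLE_ACCOUNTS))})")
```

Each round depends on the attack shifting to the new IP, so with a shift only once every few days the number of rounds, not the split itself, dominates the time to isolation.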
Scott Posted September 7, 2012
It looks like we overlooked marking this as resolved. It's safe to say, however, that this issue is long since over.