Michael D. Posted February 19, 2013 Report Share Posted February 19, 2013 Update 8:52 PM ETAll accounts have been shifted to alternate IP addresses.============ We saw a rather large DDoS attack hit the IP 173.248.188.150 on our Jasmine server just now. Our networking team acted quickly to drop this IP to keep everybody else online. We're going to work to shift everybody on this IP to a small subset of new IPs to bring people back online as well as to hopefully narrow down who is actually under attack. It's unfortunate that the internet is such a hostile place these days. Quote Link to comment Share on other sites More sharing options...
PGR Posted February 20, 2013 Report Share Posted February 20, 2013 Can you give an approximate estimation of when will we be back online? Quote Link to comment Share on other sites More sharing options...
Michael D. Posted February 20, 2013 Author Report Share Posted February 20, 2013 Can you give an approximate estimation of when will we be back online?The only estimate I can give you is 'as quickly as possible' and, while I understand this is not helpful, it's the best I can provide. We're changing the IP of every affected account at this time to bring them back online and it takes several seconds (15~20 seconds) per account just for it to process once somebody has manually selected the account and the new IP. If you're using external DNS, you'll need to check your cPanel to watch for the IP to change from .150 to something new. Bear in mind that this isn't something that is a result of anything we've done and that we aren't under attack but simply one of our clients is. This attack, unfortunately, is just a port flood with a lot of garbage data and, as such, doesn't in and of itself identify any target beyond simply the IP address. We're working to bring everybody back online as quickly as possible as well as working to identify the target of the attack so that they can be isolated. Quote Link to comment Share on other sites More sharing options...
PGR Posted February 20, 2013 Report Share Posted February 20, 2013 Ok, thanks, I'll keep an eye out for IP changes. Quote Link to comment Share on other sites More sharing options...
ahnlak Posted February 20, 2013 Report Share Posted February 20, 2013 Will this be a permanent IP change, or just temporary while you track down the problem? Quote Link to comment Share on other sites More sharing options...
Michael D. Posted February 20, 2013 Author Report Share Posted February 20, 2013 Ok, thanks, I'll keep an eye out for IP changes.Bear in mind this is only necessary if you are not using our nameservers or if you simply wish to know once your account has been moved (if you are using our nameservers). Will this be a permanent IP change, or just temporary while you track down the problem?It's usually permanent, however, if you are moved to the IP that the attack shifts to, your IP will change again (as we bisect the accounts on that IP to 2 or more new IPs to identify the target). In short it's likely to be permanent but could be temporary. Nobody will be going back to the original IP, that is for sure. Quote Link to comment Share on other sites More sharing options...
ahnlak Posted February 20, 2013 Report Share Posted February 20, 2013 Cool - I'll keep an eye open and update my DNS then (and will finally get around to switching my DNS to your servers at some stage so I don't need to worry about it again Quote Link to comment Share on other sites More sharing options...
Michael D. Posted February 20, 2013 Author Report Share Posted February 20, 2013 Most customers have been moved to new IPs - there are still a few that are being moved. I estimate 10 to 15 minutes until everybody is on a new IP. Quote Link to comment Share on other sites More sharing options...
Michael D. Posted February 20, 2013 Author Report Share Posted February 20, 2013 The last few are taking a little longer than I expected, I'll update this thread once *all* are moved. Quote Link to comment Share on other sites More sharing options...
Michael D. Posted February 20, 2013 Author Report Share Posted February 20, 2013 All accounts are now on new IP addresses. Quote Link to comment Share on other sites More sharing options...
Arunner26 Posted February 20, 2013 Report Share Posted February 20, 2013 If our shared IP on our CPANEL is not 150 and our site is not running does that mean the new DNS entry has not propagated yet? Quote Link to comment Share on other sites More sharing options...
PGR Posted February 20, 2013 Report Share Posted February 20, 2013 Hmm, my IP was mvoed but the site is still inaccessible. Is this normal, i.e. should I just wait a little bit longer? Quote Link to comment Share on other sites More sharing options...
Michael D. Posted February 20, 2013 Author Report Share Posted February 20, 2013 Hmm, my IP was mvoed but the site is still inaccessible. Is this normal, i.e. should I just wait a little bit longer?Your site loads fine for me - any time an IP change takes place it can take 1 or 2 hours for your local cache to drop. The reason I am able to load your site (and anybody else who hasn't been to it before the IP change today) is because I don't have a prior cache and, as such, pulled the new record immediately. Quote Link to comment Share on other sites More sharing options...
Arunner26 Posted February 20, 2013 Report Share Posted February 20, 2013 Are you able to access mine too: <redacted for privacy> Quote Link to comment Share on other sites More sharing options...
Michael D. Posted February 20, 2013 Author Report Share Posted February 20, 2013 Are you able to access mine too: Yes, a good way to test is http://www.host-tracker.com/ Quote Link to comment Share on other sites More sharing options...
Arunner26 Posted February 20, 2013 Report Share Posted February 20, 2013 Thanks for the tip on the site. Nice!! Quote Link to comment Share on other sites More sharing options...
chrised Posted February 20, 2013 Report Share Posted February 20, 2013 Is Jasmine being DDOSed again? I can only connect intermittently and the uptime reports show it as responding in some places but not others. Quote Link to comment Share on other sites More sharing options...
Jas Posted February 20, 2013 Report Share Posted February 20, 2013 Our site is also down again. It did come back for a short period of time few hours ago. Quote Link to comment Share on other sites More sharing options...
Darren Posted February 20, 2013 Report Share Posted February 20, 2013 The Fresco server is also down or so it seems. My site is online, but I cannot access the control panel or retrieve mail. I can also not log into my FTP account - it keeps telling me 'wrong password' Quote Link to comment Share on other sites More sharing options...
Scott Posted February 20, 2013 Report Share Posted February 20, 2013 (edited) Update: A correction to my earlier comments. Fresco was not targetted by a DDoS attack but was participating in one. This flooded our networking gear for a short time and caused issues on other servers until we blocked the traffic. We are still identifying the specific account responsible for this. Is Jasmine being DDOSed again? I can only connect intermittently and the uptime reports show it as responding in some places but not others. There was a new attack targetting coming from our fresco server which was large enough to flood our networking equipment. There was also an issue with /tmp in jasmine that caused some issues. Our site is also down again. It did come back for a short period of time few hours ago. Please open a support ticket if you haven't already. The Fresco server is also down or so it seems. My site is online, but I cannot access the control panel or retrieve mail. I can also not log into my FTP account - it keeps telling me 'wrong password' Fresco was targetted participating in a new DDoS attack. We've null routed the affected IP. Please open a support ticket regarding your FTP account. Edited February 20, 2013 by Scott S Correction. Fresco not targetted by DDoS, but participating in one. Quote Link to comment Share on other sites More sharing options...
ahnlak Posted February 20, 2013 Report Share Posted February 20, 2013 Ahh, ok that makes a lot more sense - could see on the server status page a huge spike in *outbound* traffic from the DC, which didn't seem quite right for an inbound DDoS! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.