Scott Posted March 24, 2013 (edited)
The IP 173.248.187.18 came under a rather large DDoS attack a short time ago. The attack was only about 300 megabit; however, it was comprised of over 500,000 packets per second, which is enough to effectively take the entire server offline, as the kernel can't keep up with that much. We've been forced to null-route (i.e. de-route) the affected IP to keep the service online for everybody else not on that IP. As usual, we're going to work to mitigate this, including, but not limited to, changing the IP address of affected accounts. There is a possibility that the attack will shift IPs when this happens and, if that's the case, we'll have to keep moving and splitting accounts until we are able to identify the target. It's important to keep in mind that we aren't under attack, but one of our customers is. The attack is simply a packet flood to port 53 (the standard DNS port), so there is no way to identify who the target is based upon the traffic / packets / data alone.
Edited March 26, 2013 by Scott S: Tentatively resolved
Michael D. Posted March 24, 2013
We've moved all affected accounts from the IP under attack to a new IP. We'll be watching for the attack to shift and, if it does, migrations will likely happen again in smaller batches to help us narrow down who was under attack.
Michael D. Posted March 24, 2013
The attack has, indeed, shifted to the new IP that we moved accounts to, so we're going to have to break the accounts up into small groups and move them to new IPs. Hopefully we'll be able to identify the target.
Michael D. Posted March 25, 2013
The attack has moved again. The accounts on the IP with the attack are going to be broken out to new IPs to further identify who is under attack. Those not affected by this newest attack will be moved back to the original IP.
Michael D. Posted March 25, 2013
The attack has shifted to a DNS IP. Not sure why... Perhaps they're tired of chasing a moving target. If they just continued to attack whatever site they want offline, we'd eventually identify the target and isolate them. We, as always, are working to mitigate the attack to keep as many people online as possible.
Michael D. Posted March 25, 2013
Our networking team has been able to block most of the attack at our network border. There's a chance they will adapt their attack.
Scott Posted March 26, 2013
I am marking this as tentatively resolved. There have been a few short, smaller bursts of the attack coming back, being automatically mitigated, then stopping after a small amount of time, so I suspect the issue is over, although it is still possible for the attack to return or evolve.
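The narrowing-down that the posts above describe (split the accounts on the flooded IP into groups, move each group to a fresh IP, see which IP the flood follows), together with the inconclusive case where the flood moves to an unrelated IP such as the DNS IP, as an added simulation in Python. This is not the provider's code: the account names, IP labels and the attacker callback are all constructed for the example.

```python
# Added example (not the provider's code): simulates the account-splitting search from
# the thread. Accounts on the flooded IP are divided into groups, each group is moved to
# a fresh IP, and the IP hit next narrows the candidates. All names here are constructed.
from typing import Callable, Optional
Observer = Callable[[dict[str, list[str]]], Optional[str]]

def split_into_groups(accounts: list[str], groups: int) -> list[list[str]]:
    """Divide accounts as evenly as possible into `groups` non-empty lists."""
    groups = max(1, min(groups, len(accounts)))
    size, extra = divmod(len(accounts), groups)
    out, start = [], 0
    for i in range(groups):
        end = start + size + (1 if i < extra else 0)
        out.append(accounts[start:end])
        start = end
    return out

def isolate_target(accounts: list[str], observe: Observer,
                   groups: int = 2, max_rounds: int = 20) -> tuple[Optional[str], int]:
    """Return (target, rounds) once one candidate is left, or (None, rounds) when the
    flood stops or lands on an IP holding none of the candidates (as when it shifted
    to a DNS IP) before the search converges."""
    candidates = list(accounts)
    rounds = 0
    while len(candidates) > 1 and rounds < max_rounds:
        rounds += 1
        # Fresh IP labels for this round; accounts not hit last round stay put.
        assignment = {f"ip-r{rounds}-{i}": grp
                      for i, grp in enumerate(split_into_groups(candidates, groups))}
        hit = observe(assignment)
        if hit not in assignment:
            return None, rounds  # inconclusive: attack stopped or went elsewhere
        candidates = assignment[hit]
    return (candidates[0] if len(candidates) == 1 else None), rounds

def follow_target(target: str, rounds_followed: Optional[int] = None) -> Observer:
    """Constructed attacker: floods whichever new IP holds `target`; after
    `rounds_followed` rounds (if given) it shifts to an unrelated IP instead."""
    seen = {"rounds": 0}
    def observe(assignment: dict[str, list[str]]) -> Optional[str]:
        seen["rounds"] += 1
        if rounds_followed is not None and seen["rounds"] > rounds_followed:
            return "dns-resolver-ip"  # constructed label, none of the new IPs
        return next((ip for ip, grp in assignment.items() if target in grp), None)
    return observe

if __name__ == "__main__":
    accounts = [f"acct{i:03d}" for i in range(100)]  # constructed sample
    print(isolate_target(accounts, follow_target("acct042")))     # ('acct042', 7)
    print(isolate_target(accounts, follow_target("acct042", 2)))  # (None, 3)
```

With 100 accounts and two groups per round the target is pinned down in seven moves; an attacker that stops following after two rounds leaves the search inconclusive, which is the situation the DNS-IP post describes.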