[Bf-committers] Rack denial of service

Dan McGrath danmcgrath.ca at gmail.com
Fri Jan 31 04:09:54 CET 2020


Our ISP responded and confirmed they blocked the attack and turned off all
access to our www IP:

> Hi,
> A DDoS targeting 82.94.226.104 started at 15:30 Amsterdam time. We tried
> to contact you but there was no response. When my last colleague went home
> at 17:12 we set a discard on all traffic to 82.94.226.104. 21:30 (8 minutes
> ago) the DDoS stopped. I have just removed the discard route but will keep
> monitoring your traffic. If the DDoS continues I will again place a discard
> on the target IP on our edge routers.
> The DDoS was about 3-4Gbit in size, enough to fill your 1Gbit uplink.
>
> Regards,
> Team Colocation


It's not clear whom/how they tried to contact us, however, nor why they
were unable to block access from the particular IP (or even entire attacker
netblock) from talking to us, rather than turning off the entire Blender
IP, but it is certainly understandable that investigating such incidents
can be time consuming and error prone, and such attacks are generally not from a single
attacker.

But, another attack started, and they've yet again blocked the traffic to
our www IP, but otherwise we are semi-online. I have sent another email to
them to inquire about any more specifics they may have on the attack, as
some initial investigations suggest that the attacker wasn't hitting the
web server directly, or at least not with any particular requests that
stand out in the logs. Most likely it was something like a ping flood, or
similar, that targeted our IP address with traffic not destined for a
particular service like HTTP.

If the situation changes in any particularly important way, I will of
course mention it, but otherwise I hate to waste your time with boring
details. Just keep an eye on the site, and hope for the best! :)


Cheers,

Danny McGrath
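The distinction drawn above, a flood that fills the uplink while the web server's own logs look ordinary versus an attack that shows up as abnormal request rates, can be checked mechanically. The script below is an added example, not code from the mailing list or from Blender's infrastructure; it assumes per-second cumulative RX byte counters (as read from an interface) and a combined-format access log, both in the same local time, and the sample data embedded in it is constructed for illustration. The 1 Gbit link capacity is the figure from the ISP's note.

```python
"""Tell a link-saturating (volumetric) flood apart from an application-layer
attack by comparing inbound bit rate against the web server's request rate.
All sample data below is constructed for illustration."""
import re
from collections import Counter
from datetime import datetime

LINK_BPS = 1_000_000_000  # 1 Gbit/s uplink, as stated in the ISP's note

# Constructed interface counter samples: (local second, cumulative RX bytes).
# The jump at 15:30:01 corresponds to 125 MB/s, i.e. a fully saturated 1 Gbit link.
RX_SAMPLES = [
    ("2020-01-30T15:29:58", 0),
    ("2020-01-30T15:29:59", 5_000_000),
    ("2020-01-30T15:30:00", 10_000_000),
    ("2020-01-30T15:30:01", 135_000_000),
    ("2020-01-30T15:30:02", 260_000_000),
]

# Constructed access log excerpt in combined log format: two hits per second,
# an ordinary request rate that does not change while the link fills up.
ACCESS_LOG = """\
203.0.113.10 - - [30/Jan/2020:15:29:59 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [30/Jan/2020:15:29:59 +0100] "GET /download HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.12 - - [30/Jan/2020:15:30:00 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.13 - - [30/Jan/2020:15:30:00 +0100] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.14 - - [30/Jan/2020:15:30:01 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.15 - - [30/Jan/2020:15:30:01 +0100] "GET /download HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.16 - - [30/Jan/2020:15:30:02 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.17 - - [30/Jan/2020:15:30:02 +0100] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Matches the bracketed timestamp of a combined-format log line.
TS_RE = re.compile(r"\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def inbound_bps(samples):
    """Convert cumulative byte counters into bits per second, keyed by the
    second at which each measurement interval ends."""
    rates = {}
    for (t0, b0), (t1, b1) in zip(samples, samples[1:]):
        dt = (datetime.fromisoformat(t1) - datetime.fromisoformat(t0)).total_seconds()
        rates[t1] = (b1 - b0) * 8 / dt
    return rates


def requests_per_second(log_text):
    """Count access-log lines per second, keyed in the same form as RX_SAMPLES."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TS_RE.search(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        counts[ts.strftime("%Y-%m-%dT%H:%M:%S")] += 1
    return counts


def classify(samples=RX_SAMPLES, log_text=ACCESS_LOG, link_bps=LINK_BPS,
             saturation=0.9, rps_threshold=50):
    """Label each second: 'application' when the web server sees an abnormal
    request rate, 'volumetric' when the link is (nearly) saturated but the
    request rate is ordinary (traffic not destined for HTTP), else 'normal'.
    The thresholds are assumptions to be tuned against a site's baseline."""
    rates = inbound_bps(samples)
    rps = requests_per_second(log_text)
    verdict = {}
    for second, bps in rates.items():
        if rps[second] >= rps_threshold:
            verdict[second] = "application"
        elif bps >= saturation * link_bps:
            verdict[second] = "volumetric"
        else:
            verdict[second] = "normal"
    return verdict


if __name__ == "__main__":
    for second, label in classify().items():
        print(second, label)
```

On the constructed data the first two seconds come out as normal and the seconds from 15:30:01 onward as volumetric, because the inbound rate hits the full 1 Gbit/s while the access log still shows two requests per second; that is the pattern that justifies asking the upstream provider for flow data rather than digging further in web server logs.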


On Thu, Jan 30, 2020 at 10:03 AM Dan McGrath <danmcgrath.ca at gmail.com>
wrote:

> Hi,
>
> It seems that at, or around 9:25am EST, one of our servers started to
> experience a large number of connections. Shortly after the rack appears to
> have at least its inbound bandwidth (gigabit) saturated to the point where
> almost nothing is making it to the servers, although outbound in some
> established connections does at least appear to be making it out here and
> there just fine.
>
> Not much we can do about it atm, other than wait it out. By the time you
> receive this email, odds are it was either lucky, or it worked itself out,
> and thus is acting as explanation after the fact.
>
>
> Cheers!
>
>
> Dan McGrath
>

