North American Network Operators Group
Re: Under DDoS attack; what do I do now?
On Wed, 30 Aug 2000, Chris Adams wrote:

> We appear to be under a distributed denial of service attack. We are
> receiving 7.5+ megabits per second of ICMP traffic (it looks like a
> smurf attack) from all over to a single address (one that was in our
> dialup pool). We've taken the IP out of our pool and are routing it to
> a separate interface with a computer just set up to capture traffic.

It's a good thing this isn't an IP address from your hosting pool that just happens to have 1000 websites associated with it, isn't it?

Phone call to Huge customer A:

"Um, ya... Your website, email, blah blah blah are ALL down because we had to route the IP address you share with 999 other clients to a capture device. It seems that space-sprocket-inc.com is under a DDoS attack. No, your sites are not under attack. You're just suffering as a result of the ARIN policy that frowns on assigning an IP address to each website and since our company name doesn't start with "ex" or "gl" we were not given an exception and can not obtain IP space."

Phone call to upstream B NOC:

"Ya. We know you're dying. We would love to be able to reduce the impact of this attack but, since we don't have 4000+ individual machines, we didn't qualify for our own /20 from ARIN. We know the attack is so large that it has ground our network to a complete halt and is putting a serious damper on yours. We would love to be able to retract the /20 announcement and announce specific /24's for all but the one /24 that the target address is in but, you know ARIN. They're the reason you could only assign us a /25 and static route into us. Hey, btw: once this is over, we'll send you some neato pictures of our NAT boxes. They're glowing white hot right now!"

---
John Fraizer
EnterZone, Inc