ANC website attack: how did IS react?

[jes]

ANC website attack: how did IS react?

The ANC website is hosted in the Internet Solutions data centre; this is how they reacted to the DDoS attack

 

[Grep]

Surely its meant to be the source of the attack?

 

[marine1]

So Afrihost host the ANC website? Enough reason for me not to use them

 

[icyrus]

Surely its meant to be the source of the attack?

No, there are multiple sources. They meant destination, as in where in their network was the attack targeted. In short, which IP address in their network.

So Afrihost host the ANC website? Enough reason for me not to use them

You should read the article.

 

[DrJohnZoidberg]

So Afrihost host the ANC website? Enough reason for me not to use them

Justin Bieber uses the internet, I'm going to stop using it now.

 

[r00igev@@r]

Surely its meant to be the source of the attack?

Correct. It seems that they just pulled the cable instead of using the firewall to filter and rate limit.

 

[Xzib1t]

Justin Bieber uses the internet, I'm going to stop using it now.

Terrorists use Nokia Cellphones, we should not use Nokia phones.

Afrihost should not reject a client based on their political affiliation.

 

[marine1]

Justin Bieber uses the internet, I'm going to stop using it now.

Afrihost CEO Gian Visser previously confirmed that the ANC website is hosted on a dedicated server on its network. Internet Solutions, in turn, provides hosting services to Afrihost.

Two companies I wont give business too.
Is that so wrong? I refuse to support anyone that does business with them.
Perhaps others should take a stand as well?

 

[marine1]

Justin Bieber uses the internet, I'm going to stop using it now.

You comparing a kid that worked his rear end off to become what he is now to the corrupt ANC?

 

[Nefertiti]

Afrihost CEO Gian Visser previously confirmed that the ANC website is hosted on a dedicated server on its network. Internet Solutions, in turn, provides hosting services to Afrihost.

Two companies I wont give business too.
Is that so wrong? I refuse to support anyone that does business with them.
Perhaps others should take a stand as well?

By using your logic, you shouldnt drive around in anything, eat anything, drink anything because the ANC is involved somewhere along the process. Or where is that line that you draw? I find this logic weird.

 

[Fudzy]

Yeah Afrihost are a service provider. They rent a dedicated server to the company that hosts the ANC website, Uwembi:

http://www.anc.org.za/unwembi.html

or

http://www.unwembi.co.za/

 

[JayM]

Correct. It seems that they just pulled the cable instead of using the firewall to filter and rate limit.

One does not use a firewall to mitigate a DDoS attack.

 

[Roman4604]

One does not use a firewall to mitigate a DDoS attack.

Yeah, if the firewall can handle it then its not really a serious attack. The computational overhead of stateful inspection usually results in the firewalls being one of the first to fail.

 

[ambo]

One does not use a firewall to mitigate a DDoS attack.

Yeah - I doubt that the just pulled the plug on the server. The attack traffic would normally continue regardless and carry on overwhelming the rest of the network.

He mentioned blackholing the traffic. This normally involves dropping the traffic to the particular address at the router where it comes into the network - typically at some international location. That has the side effect that anyone trying to reach the site then can't.

 

[MagicDude4Eva]

Please note: IS is incapable of dealing with any DoS or DDoS attack. We experienced a 500Mbps/Botnet attack in December and it knocked us off for 6 hours. IS engineers had no clue and could not assist - in the end our own engineers blocked traffic. IS has not learned a lesson from then and has no reliable shared firewall infrastructure or DDoS infrastructure. There are perhaps a handful of IS network engineers to deal with complex network topics.

IS shared firewall can barely cope with regular traffic and if you are a customer you will notice frequent outages in the customer zone. AFAIK there is no dedicated DDoS infrastructure at IS (and I doubt that any other ISP has a sophisticated DDoS protection in place). The hosting provider should ensure that the edge network is protected, and there are plenty of devices out there capable of just doing this. It all comes down to the cost of the infrastructure.

I am still surprised that AH hosts at IS - it's a constant ping-pong between AH and IS blaming each other for downtime. To say that "DDoS ar “really not fair play from a technical perspective" is like sticking your head in the sand. It's a reality that botnet traffic can be bought cheap and ISPs will rather expose their clients than spending money on infrastructure and skill-set.

In all DDoS attack patterns so far, the websites came back up due to the fact that the attackers stopped the DDoS attack and not because some ISP mitigated the attack.

 

[Malasius]

Please note: IS is incapable of dealing with any DoS or DDoS attack. We experienced a 500Mbps/Botnet attack in December and it knocked us off for 6 hours. IS engineers had no clue and could not assist - in the end our own engineers blocked traffic. IS has not learned a lesson from then and has no reliable shared firewall infrastructure or DDoS infrastructure. There are perhaps a handful of IS network engineers to deal with complex network topics.

IS shared firewall can barely cope with regular traffic and if you are a customer you will notice frequent outages in the customer zone. AFAIK there is no dedicated DDoS infrastructure at IS (and I doubt that any other ISP has a sophisticated DDoS protection in place). The hosting provider should ensure that the edge network is protected, and there are plenty of devices out there capable of just doing this. It all comes down to the cost of the infrastructure.

I am still surprised that AH hosts at IS - it's a constant ping-pong between AH and IS blaming each other for downtime. To say that "DDoS ar “really not fair play from a technical perspective" is like sticking your head in the sand. It's a reality that botnet traffic can be bought cheap and ISPs will rather expose their clients than spending money on infrastructure and skill-set.

In all DDoS attack patterns so far, the websites came back up due to the fact that the attackers stopped the DDoS attack and not because some ISP mitigated the attack.

Very interesting, thanks for this information!

 

[r00igev@@r]

One does not use a firewall to mitigate a DDoS attack.

Of course you do. What you mean is that you do not ONLY need to use a firewall to mitigate a DDOS attack.

A firewall operates as a router and is a gateway hop. (All you do on the firewall is set the targeted host as destination host unreachable to the attacking sources.

 

[Lord Nikon6]

Of course you do. What you mean is that you do not ONLY need to use a firewall to mitigate a DDOS attack.

A firewall operates as a router and is a gateway hop. (All you do on the firewall is set the targeted host as destination host unreachable to the attacking sources.

If you set that on the firewall, you will still be receiving an extremely large amount of data travelling to your website. The fact is, there is no way for you to detect all the attacking sources at such a large scale. say,set this rule on your firewall for 10 000 attacking sources, how will you do that in minutes? Remember, you need to determine every IP that is attacking, which, fair enough, can be determined easily with some network monitoring tools, and this from a series of different IP ranges. So you set your rules, the attacker changes the proxy that the attack is generating from(given, that it is a completely controlled movement and is not run via windows viruses), leaving your rule pointless.

Keep in mind that many of the anonymous attacks are botnets being run willingly on user computers...They can just as simply say, please reboot your router to get a new dynamic IP.

 

[JayM]

Of course you do. What you mean is that you do not ONLY need to use a firewall to mitigate a DDOS attack.

A firewall operates as a router and is a gateway hop. (All you do on the firewall is set the targeted host as destination host unreachable to the attacking sources.

You do not use a firewall to mitigate a DDoS attack, period. Firewalls are usually the first thing to choke in an attack, and mitigation has to be done before them, on dedicated devices with ASICs designed to perform only this function. They also have to have enough bandwidth (usually tens of Gigabits+) to absorb the attack before cleaning the inbound traffic. There is a reason these mitigation devices (and services using them) are freaking expensive: they are the only thing that can do the job. Lord Nikon6 is right - simple rules on a firewall will be sidestepped by a 12 year old script kiddie, and that's if the CPS or volume of traffic hasn't bombed your firewall before that.

As to your second statement - many firewalls run in L2 mode while doing L3+ inspection. They do not have to act as routers or gateways.

 

[Roman4604]

You do not use a firewall to mitigate a DDoS attack, period. Firewalls are usually the first thing to choke in an attack

Agreed, even the highest-end firewalls are still based on an architecture of running complex sw on general purpose CPUs, largely on PC based hardware components. On multi-Gigabit networks it doesn't take much to exhaust their processing/forwarding resources with an avalanche of maliciously crafted micro-packets.

There is a reason these mitigation devices (and services using them) are freaking expensive

Yeah at the extreme no in-line devices, besides the ASIC based core routing switches, will be able to handle the situation. Carrier grade DDoS prevention systems thus sit out of band analysing traffic patterns and once a threat scenario is detected, they orchestrate the core's BGP routing protocol to blackhole the offending flows as close to source as possible.