marine1

Honorary Master
Joined
Sep 4, 2006
Messages
48,344
So Afrihost host the ANC website? Enough reason for me not to use them
 

icyrus

Executive Member
Joined
Oct 5, 2005
Messages
8,609
Surely it's meant to be the source of the attack?
No, there are multiple sources. They meant destination, as in where in their network was the attack targeted. In short, which IP address in their network.

So Afrihost host the ANC website? Enough reason for me not to use them
You should read the article.
 

Xzib1t

Expert Member
Joined
Jan 26, 2010
Messages
3,455
Justin Bieber uses the internet, I'm going to stop using it now.
Terrorists use Nokia Cellphones, we should not use Nokia phones.

Afrihost should not reject a client based on their political affiliation.
 

marine1

Honorary Master
Joined
Sep 4, 2006
Messages
48,344
Justin Bieber uses the internet, I'm going to stop using it now.
Afrihost CEO Gian Visser previously confirmed that the ANC website is hosted on a dedicated server on its network. Internet Solutions, in turn, provides hosting services to Afrihost.

Two companies I won't give business to.
Is that so wrong? I refuse to support anyone that does business with them.
Perhaps others should take a stand as well?
 

Nefertiti

Honorary Master
Joined
Oct 12, 2005
Messages
17,630
Afrihost CEO Gian Visser previously confirmed that the ANC website is hosted on a dedicated server on its network. Internet Solutions, in turn, provides hosting services to Afrihost.

Two companies I won't give business to.
Is that so wrong? I refuse to support anyone that does business with them.
Perhaps others should take a stand as well?
By using your logic, you shouldn't drive around in anything, eat anything, drink anything because the ANC is involved somewhere along the process. Or where is that line that you draw? I find this logic weird.
 

Roman4604

Expert Member
Joined
Jun 27, 2005
Messages
4,531
One does not use a firewall to mitigate a DDoS attack.
Yeah, if the firewall can handle it then it's not really a serious attack. The computational overhead of stateful inspection usually results in the firewalls being one of the first to fail.
 

ambo

Expert Member
Joined
Jun 9, 2005
Messages
2,682
One does not use a firewall to mitigate a DDoS attack.
Yeah - I doubt that they just pulled the plug on the server. The attack traffic would normally continue regardless and carry on overwhelming the rest of the network.

He mentioned blackholing the traffic. This normally involves dropping the traffic to the particular address at the router where it comes into the network - typically at some international location. That has the side effect that anyone trying to reach the site then can't.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Please note: IS is incapable of dealing with any DoS or DDoS attack. We experienced a 500Mbps/Botnet attack in December and it knocked us off for 6 hours. IS engineers had no clue and could not assist - in the end our own engineers blocked traffic. IS has not learned a lesson from then and has no reliable shared firewall infrastructure or DDoS infrastructure. There are perhaps a handful of IS network engineers to deal with complex network topics.

IS shared firewall can barely cope with regular traffic and if you are a customer you will notice frequent outages in the customer zone. AFAIK there is no dedicated DDoS infrastructure at IS (and I doubt that any other ISP has a sophisticated DDoS protection in place). The hosting provider should ensure that the edge network is protected, and there are plenty of devices out there capable of just doing this. It all comes down to the cost of the infrastructure.

I am still surprised that AH hosts at IS - it's a constant ping-pong between AH and IS blaming each other for downtime. To say that DDoS are "really not fair play from a technical perspective" is like sticking your head in the sand. It's a reality that botnet traffic can be bought cheap and ISPs will rather expose their clients than spend money on infrastructure and skill-set.

In all DDoS attack patterns so far, the websites came back up due to the fact that the attackers stopped the DDoS attack and not because some ISP mitigated the attack.
 

Malasius

Senior Member
Joined
Jul 25, 2007
Messages
644
Please note: IS is incapable of dealing with any DoS or DDoS attack. We experienced a 500Mbps/Botnet attack in December and it knocked us off for 6 hours. IS engineers had no clue and could not assist - in the end our own engineers blocked traffic. IS has not learned a lesson from then and has no reliable shared firewall infrastructure or DDoS infrastructure. There are perhaps a handful of IS network engineers to deal with complex network topics.

IS shared firewall can barely cope with regular traffic and if you are a customer you will notice frequent outages in the customer zone. AFAIK there is no dedicated DDoS infrastructure at IS (and I doubt that any other ISP has a sophisticated DDoS protection in place). The hosting provider should ensure that the edge network is protected, and there are plenty of devices out there capable of just doing this. It all comes down to the cost of the infrastructure.

I am still surprised that AH hosts at IS - it's a constant ping-pong between AH and IS blaming each other for downtime. To say that DDoS are "really not fair play from a technical perspective" is like sticking your head in the sand. It's a reality that botnet traffic can be bought cheap and ISPs will rather expose their clients than spend money on infrastructure and skill-set.

In all DDoS attack patterns so far, the websites came back up due to the fact that the attackers stopped the DDoS attack and not because some ISP mitigated the attack.
Very interesting, thanks for this information!
 

r00igev@@r

Executive Member
Joined
Dec 14, 2009
Messages
5,021
One does not use a firewall to mitigate a DDoS attack.
Of course you do. What you mean is that you do not ONLY need to use a firewall to mitigate a DDOS attack.

A firewall operates as a router and is a gateway hop. (All you do on the firewall is set the targeted host as destination host unreachable to the attacking sources.)
 

Lord Nikon6

Expert Member
Joined
May 10, 2010
Messages
1,414
Of course you do. What you mean is that you do not ONLY need to use a firewall to mitigate a DDOS attack.

A firewall operates as a router and is a gateway hop. (All you do on the firewall is set the targeted host as destination host unreachable to the attacking sources.)
If you set that on the firewall, you will still be receiving an extremely large amount of data travelling to your website. The fact is, there is no way for you to detect all the attacking sources at such a large scale. Say, set this rule on your firewall for 10 000 attacking sources, how will you do that in minutes? Remember, you need to determine every IP that is attacking, which, fair enough, can be determined easily with some network monitoring tools, and this from a series of different IP ranges. So you set your rules, the attacker changes the proxy that the attack is generating from (given that it is a completely controlled movement and is not run via Windows viruses), leaving your rule pointless.

Keep in mind that many of the anonymous attacks are botnets being run willingly on user computers... They can just as simply say, please reboot your router to get a new dynamic IP.
 

JayM

Expert Member
Joined
Oct 30, 2005
Messages
2,843
Of course you do. What you mean is that you do not ONLY need to use a firewall to mitigate a DDOS attack.

A firewall operates as a router and is a gateway hop. (All you do on the firewall is set the targeted host as destination host unreachable to the attacking sources.)
You do not use a firewall to mitigate a DDoS attack, period. Firewalls are usually the first thing to choke in an attack, and mitigation has to be done before them, on dedicated devices with ASICs designed to perform only this function. They also have to have enough bandwidth (usually tens of Gigabits+) to absorb the attack before cleaning the inbound traffic. There is a reason these mitigation devices (and services using them) are freaking expensive: they are the only thing that can do the job. Lord Nikon6 is right - simple rules on a firewall will be sidestepped by a 12 year old script kiddie, and that's if the CPS or volume of traffic hasn't bombed your firewall before that.

As to your second statement - many firewalls run in L2 mode while doing L3+ inspection. They do not have to act as routers or gateways.
 

Roman4604

Expert Member
Joined
Jun 27, 2005
Messages
4,531
You do not use a firewall to mitigate a DDoS attack, period. Firewalls are usually the first thing to choke in an attack
Agreed, even the highest-end firewalls are still based on an architecture of running complex sw on general purpose CPUs, largely on PC based hardware components. On multi-Gigabit networks it doesn't take much to exhaust their processing/forwarding resources with an avalanche of maliciously crafted micro-packets.

There is a reason these mitigation devices (and services using them) are freaking expensive
Yeah, at the extreme, no in-line devices, besides the ASIC based core routing switches, will be able to handle the situation. Carrier grade DDoS prevention systems thus sit out of band analysing traffic patterns and once a threat scenario is detected, they orchestrate the core's BGP routing protocol to blackhole the offending flows as close to source as possible.
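
Added example (not part of any post in this thread, and not any vendor's code): a sketch of the out-of-band detection and destination blackholing discussed above, run over constructed sampled flow records. The thresholds, the discard next hop and the function names are assumptions; the route is returned as data rather than sent to a router.

```python
from collections import defaultdict
from ipaddress import ip_address

BLACKHOLE_COMMUNITY = "65535:666"  # well-known BLACKHOLE community (RFC 7999)
DISCARD_NEXT_HOP = "192.0.2.1"     # assumption: edge routers route this to a null interface

def find_blackhole_routes(flows, window_s, sampling, max_bps, min_sources):
    """flows: (src_ip, dst_ip, bytes) records sampled 1-in-`sampling` over `window_s` seconds.

    Returns one host route per destination whose estimated inbound rate and
    distinct-source count both exceed the thresholds.
    """
    bytes_to = defaultdict(int)
    sources_to = defaultdict(set)
    for src, dst, nbytes in flows:
        dst_addr = ip_address(dst)          # raises ValueError on malformed input
        bytes_to[dst_addr] += nbytes
        sources_to[dst_addr].add(ip_address(src))

    routes = []
    for dst_addr in sorted(bytes_to, key=str):
        # Scale sampled bytes back up to an estimated bits-per-second rate.
        est_bps = bytes_to[dst_addr] * sampling * 8 / window_s
        n_sources = len(sources_to[dst_addr])
        if est_bps >= max_bps and n_sources >= min_sources:
            routes.append({
                # /32 for IPv4, /128 for IPv6: only the attacked address is dropped
                "prefix": f"{dst_addr}/{dst_addr.max_prefixlen}",
                "next_hop": DISCARD_NEXT_HOP,
                "community": BLACKHOLE_COMMUNITY,
                "est_bps": int(est_bps),
                # number of per-source firewall rules this single route stands in for
                "sources_seen": n_sources,
            })
    return routes

def sample_flows():
    """Constructed sample: 200 sources flooding one host, plus normal traffic."""
    victim, other = "203.0.113.10", "203.0.113.20"
    flows = [(f"198.51.100.{i}", victim, 60_000) for i in range(1, 201)]
    flows += [("192.0.2.50", other, 40_000), ("192.0.2.51", other, 20_000)]
    flows += [("192.0.2.50", victim, 1_500)]  # a legitimate visitor, dropped too
    return flows

if __name__ == "__main__":
    for route in find_blackhole_routes(sample_flows(), window_s=60, sampling=1000,
                                       max_bps=500_000_000, min_sources=50):
        print(route)
```

The single host route covers all 201 observed sources without enumerating them, and the legitimate visitor in the sample is cut off along with the attack traffic, which is the side effect ambo describes.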
 