ANC website attack: how did IS react?

Grep said:
Surely its meant to be the source of the attack?
Click to expand...

No, there are multiple sources. They meant destination, as in where in their network was the attack targeted. In short, which IP address in their network.

marine1 said:
So Afrihost host the ANC website? Enough reason for me not to use them
Click to expand...

You should read the article.
 
DrJohnZoidberg said:
Justin Bieber uses the internet, I'm going to stop using it now.
Click to expand...

Afrihost CEO Gian Visser previously confirmed that the ANC website is hosted on a dedicated server on its network. Internet Solutions, in turn, provides hosting services to Afrihost.

Two companies I wont give business too.
Is that so wrong? I refuse to support anyone that does business with them.
Perhaps others should take a stand as well?
 
marine1 said:
Afrihost CEO Gian Visser previously confirmed that the ANC website is hosted on a dedicated server on its network. Internet Solutions, in turn, provides hosting services to Afrihost.

Two companies I wont give business too.
Is that so wrong? I refuse to support anyone that does business with them.
Perhaps others should take a stand as well?
Click to expand...

By using your logic, you shouldnt drive around in anything, eat anything, drink anything because the ANC is involved somewhere along the process. Or where is that line that you draw? I find this logic weird.
 
JayM said:
One does not use a firewall to mitigate a DDoS attack.
Click to expand...
Yeah, if the firewall can handle it then its not really a serious attack. The computational overhead of stateful inspection usually results in the firewalls being one of the first to fail.
 
JayM said:
One does not use a firewall to mitigate a DDoS attack.
Click to expand...
Yeah - I doubt that the just pulled the plug on the server. The attack traffic would normally continue regardless and carry on overwhelming the rest of the network.

He mentioned blackholing the traffic. This normally involves dropping the traffic to the particular address at the router where it comes into the network - typically at some international location. That has the side effect that anyone trying to reach the site then can't.
 
Please note: IS is incapable of dealing with any DoS or DDoS attack. We experienced a 500Mbps/Botnet attack in December and it knocked us off for 6 hours. IS engineers had no clue and could not assist - in the end our own engineers blocked traffic. IS has not learned a lesson from then and has no reliable shared firewall infrastructure or DDoS infrastructure. There are perhaps a handful of IS network engineers to deal with complex network topics.

IS shared firewall can barely cope with regular traffic and if you are a customer you will notice frequent outages in the customer zone. AFAIK there is no dedicated DDoS infrastructure at IS (and I doubt that any other ISP has a sophisticated DDoS protection in place). The hosting provider should ensure that the edge network is protected, and there are plenty of devices out there capable of just doing this. It all comes down to the cost of the infrastructure.

I am still surprised that AH hosts at IS - it's a constant ping-pong between AH and IS blaming each other for downtime. To say that "DDoS ar “really not fair play from a technical perspective" is like sticking your head in the sand. It's a reality that botnet traffic can be bought cheap and ISPs will rather expose their clients than spending money on infrastructure and skill-set.

In all DDoS attack patterns so far, the websites came back up due to the fact that the attackers stopped the DDoS attack and not because some ISP mitigated the attack.
 
MagicDude4Eva said:
Please note: IS is incapable of dealing with any DoS or DDoS attack. We experienced a 500Mbps/Botnet attack in December and it knocked us off for 6 hours. IS engineers had no clue and could not assist - in the end our own engineers blocked traffic. IS has not learned a lesson from then and has no reliable shared firewall infrastructure or DDoS infrastructure. There are perhaps a handful of IS network engineers to deal with complex network topics.

IS shared firewall can barely cope with regular traffic and if you are a customer you will notice frequent outages in the customer zone. AFAIK there is no dedicated DDoS infrastructure at IS (and I doubt that any other ISP has a sophisticated DDoS protection in place). The hosting provider should ensure that the edge network is protected, and there are plenty of devices out there capable of just doing this. It all comes down to the cost of the infrastructure.

I am still surprised that AH hosts at IS - it's a constant ping-pong between AH and IS blaming each other for downtime. To say that "DDoS ar “really not fair play from a technical perspective" is like sticking your head in the sand. It's a reality that botnet traffic can be bought cheap and ISPs will rather expose their clients than spending money on infrastructure and skill-set.

In all DDoS attack patterns so far, the websites came back up due to the fact that the attackers stopped the DDoS attack and not because some ISP mitigated the attack.
Click to expand...
Very interesting, thanks for this information!
 
JayM said:
One does not use a firewall to mitigate a DDoS attack.
Click to expand...

Of course you do. What you mean is that you do not ONLY need to use a firewall to mitigate a DDOS attack.

A firewall operates as a router and is a gateway hop. (All you do on the firewall is set the targeted host as destination host unreachable to the attacking sources.
 
r00igev@@r said:
Of course you do. What you mean is that you do not ONLY need to use a firewall to mitigate a DDOS attack.

A firewall operates as a router and is a gateway hop. (All you do on the firewall is set the targeted host as destination host unreachable to the attacking sources.
Click to expand...

If you set that on the firewall, you will still be receiving an extremely large amount of data travelling to your website. The fact is, there is no way for you to detect all the attacking sources at such a large scale. say,set this rule on your firewall for 10 000 attacking sources, how will you do that in minutes? Remember, you need to determine every IP that is attacking, which, fair enough, can be determined easily with some network monitoring tools, and this from a series of different IP ranges. So you set your rules, the attacker changes the proxy that the attack is generating from(given, that it is a completely controlled movement and is not run via windows viruses), leaving your rule pointless.

Keep in mind that many of the anonymous attacks are botnets being run willingly on user computers...They can just as simply say, please reboot your router to get a new dynamic IP.
 
r00igev@@r said:
Of course you do. What you mean is that you do not ONLY need to use a firewall to mitigate a DDOS attack.

A firewall operates as a router and is a gateway hop. (All you do on the firewall is set the targeted host as destination host unreachable to the attacking sources.
Click to expand...
You do not use a firewall to mitigate a DDoS attack, period. Firewalls are usually the first thing to choke in an attack, and mitigation has to be done before them, on dedicated devices with ASICs designed to perform only this function. They also have to have enough bandwidth (usually tens of Gigabits+) to absorb the attack before cleaning the inbound traffic. There is a reason these mitigation devices (and services using them) are freaking expensive: they are the only thing that can do the job. Lord Nikon6 is right - simple rules on a firewall will be sidestepped by a 12 year old script kiddie, and that's if the CPS or volume of traffic hasn't bombed your firewall before that.

As to your second statement - many firewalls run in L2 mode while doing L3+ inspection. They do not have to act as routers or gateways.
 
JayM said:
You do not use a firewall to mitigate a DDoS attack, period. Firewalls are usually the first thing to choke in an attack
Click to expand...
Agreed, even the highest-end firewalls are still based on an architecture of running complex sw on general purpose CPUs, largely on PC based hardware components. On multi-Gigabit networks it doesn't take much to exhaust their processing/forwarding resources with an avalanche of maliciously crafted micro-packets.

JayM said:
There is a reason these mitigation devices (and services using them) are freaking expensive
Click to expand...
Yeah at the extreme no in-line devices, besides the ASIC based core routing switches, will be able to handle the situation. Carrier grade DDoS prevention systems thus sit out of band analysing traffic patterns and once a threat scenario is detected, they orchestrate the core's BGP routing protocol to blackhole the offending flows as close to source as possible.
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X