Web Squad ISP

Status
Not open for further replies.
Morning All. Apologies for my silence this morning. Picked up on a distributed DDoS attack against an IP range that started around 08:55. The volume of the attack across our edge and seemingly random routes chosen put some strain on NLD routes until it was mitigated. I can't share a lot more information for obvious reasons. Interesting though is that traffic found its way to us at exchanges, with a large portion of it from a Microsoft peering port (we believe this might be a rogue botnet on Azure). We've mitigated this and we're working with upstreams to ensure the attack remains contained. We're carefully monitoring our edge for any spikes or further issues.

Thank you for the super fast response and detailed reply as always!
Really appreciate everything you're doing to keep things humming along while we're all so dependent on our internet.
Things are looking nice and stable here again :D
 
Thanks for the comms!
Would IS and Liquid destinations be affected by this?
CT to CT are routing via JHB currently.
 
NAP CPT should be back in the mix - you should see routing via CPT.

Thanks!

IS is back to its 1ms self :)
Liquid is loving JHB still :(

2 160.119.233.129 2.437 ms 2.185 ms 4.438 ms
3 160.119.233.161 <core.as-01.cp1.za.ws.net.za> 1.170 ms 1.153 ms 1.100 ms
4 160.119.233.189 <core.cr-01.cp1.za.ws.net.za> 1.366 ms 1.136 ms 1.311 ms
5 160.119.224.178 <core.pe-ge-inx.jnb.za.ws.net.za> 23.693 ms 23.537 ms 23.698 ms
6 196.223.14.55 <jinx.liquidtelecom.net> 28.429 ms 24.970 ms 24.992 ms
7 41.60.135.92 <be-20.lza-p4-jhb.liquidtelecom.net> 22.605 ms 22.891 ms 23.021 ms
8 46.17.232.104 22.676 ms 23.036 ms 22.649 ms
9 46.17.232.5 <46.17.232.5.liquidtelecom.net> 23.093 ms 23.147 ms 23.089 ms
 
This part of the same wave hitting some other web hosting companies currently? UDP Reflection at some pretty big rates
 

I think so. So far, we know of 2 other ISPs (primary business ISP) and 2 Hosts (primary business hosting) - so a total of 5 ASNs affected in the past 24 hours. So I'm sure there are more who just won't talk about it. Most seem to have been targeted through peering traffic (primarily Microsoft peering) through botnets operating inside the Microsoft network - which bypass European scrubbing services.
 

Looking into this
 
Somebody trying to get Friday off work by hitting the routes to 365/Teams :P
 

We are working on implementing RPKI and MANRS fully within our network. We always take the integrity of our network and security of our clients as an utmost priority. We do currently implement MANRS techniques and actively manage routing between ourselves and peers to minimise risks.

Cloudflare are quick to ride their white horse as soon as their RPKI implementation is complete - and while the intention behind the initiative is great (especially to push the Tier 1 networks to complete their rollout) - there are a few factors which complicate the rollout - not the least of which is native hardware vendor support for RPKI. That being said, workarounds are being tested and implemented by the community at large and we are working with the networking community by participating in NOGs and Tech days to learn more, share what we’ve learnt and complete the process as a community as a whole. The SA networking community is made up of a passionate bunch of people all working hard to bring a host of new technologies to production.
 
Getting some packet loss spikes to a server in Germany again.

Not sure if it's related to the above issues that happened this morning?
 

Issue this morning?

Getting bad lag and packet loss again


Seeing this too - looks like upstream peering in Amsterdam (I think) is affected. I’ve escalated to the affected upstream. In the meanwhile, going to drain the affected provider.
 

Apologies. A little confusion there. That was mitigated on Friday morning soon after it started. Tonight looks like a congested port somewhere deep into upstream networks. That said, we’ve moved traffic away from the affected route.
 
What seems to be the problem today? From my upgraded 200 MB via Vumatel to a mere 60MB for all connections including local traffic?

Help please
 