DDOS - 2009-08-29
Okay.
At around 13.30 a ddos consisting of around 500Mbit traffic started hitting PL.com.
The traffic caused some slowdowns but it's no problem to handle it. The problem is that it's on international pipes and it can become expensive if I let it continue.
500Mbit at 95th percentile will accumulate to around 3000EUR. My commit level is 250Mbit so that would be 1500EUR (cost of this month) if I allowed it to continue for more than 36h.
There were 6 IPs in total used in this DDOS.
2 of which were on university networks, one in South Africa, and 3 other American IPs.
My first action was to block the traffic.
Then contact our upstreams. To avoid getting high bandwidth cost I had to blackhole 91.142.180.80 (PL.com IP) and change DNS of PL.com to 91.142.180.77.
TTL was set to 8 hours, so max downtime would be 8h if someone had cached it just then. I've changed the TTL to 1h now.
The impact on this solution is that I will save myself a hefty bandwidth bill while access to PL.com is minimally impaired (DNS updates required).
If the attacks resume I'll have to take other options apart from only contacting the abuse departments of these IPs.
I'll have to blackhole the whole source network peers which try to reach pl.com from which these IPs arrive.
This is a less attractive action as many of you Americans will most likely be affected.
Know that any hoster would be forced to take similar action or charge the customer for bandwidth (in this case, I myself am the customer of myself.. so the bill would have been sent to me..).
I'll update this thread with more info.
Offending IPs have had their abuse departments contacted:
1) 144.92.48.172
2) 66.179.48.10
3) 69.142.254.2
4) 150.135.110.52 <- Undertaken abuse report, handled
5) 196.212.105.122
6) 169.232.154.107
Last edited by Ander; 2009-08-29 at 14:17.
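The 36-hour figure in the post comes from how burstable (95th-percentile) billing works: the upstream samples traffic every few minutes, throws away the top 5% of samples for the month, and bills on the highest remaining one. In a 30-day month, 5% of the samples is 36 hours, so an attack shorter than that never reaches the billed figure, while one that runs longer is billed in full above the commit level. The script below is an added example, not code from the post or from the hoster; the 5-minute sampling interval, the flat 100 Mbit/s baseline, and the rate of 6 EUR per Mbit/s (implied by 250 Mbit/s of overage costing about 1500 EUR) are assumptions.

```python
"""
Burstable (95th-percentile) bandwidth billing model.

Added example: the sample data is constructed, and the rate per Mbit/s is
inferred from the figures quoted in the post, not taken from any carrier.
"""
from typing import List

SAMPLE_MINUTES = 5                        # assumed polling interval (SNMP/NetFlow)
SAMPLES_PER_HOUR = 60 // SAMPLE_MINUTES   # 12 samples per hour
HOURS_PER_MONTH = 30 * 24                 # 720 hours in a 30-day billing month
EUR_PER_MBIT = 6.0                        # assumed: 250 Mbit/s overage ~ 1500 EUR


def percentile_95(samples_mbit: List[float]) -> float:
    """Carrier-style p95: sort ascending, drop the top 5% of samples,
    and bill on the highest sample that is left."""
    if not samples_mbit:
        raise ValueError("no samples")
    ordered = sorted(samples_mbit)
    idx = int(len(ordered) * 0.95) - 1     # index of the highest kept sample
    return ordered[max(idx, 0)]


def build_month(baseline_mbit: float, attack_mbit: float,
                attack_hours: float) -> List[float]:
    """Constructed month of samples: a flat baseline plus one attack window.
    Order does not matter for p95, so the attack samples are simply prepended."""
    total = HOURS_PER_MONTH * SAMPLES_PER_HOUR
    attack_samples = int(attack_hours * SAMPLES_PER_HOUR)
    if attack_samples > total:
        raise ValueError("attack longer than the billing month")
    return [attack_mbit] * attack_samples + [baseline_mbit] * (total - attack_samples)


def overage_cost(p95_mbit: float, commit_mbit: float,
                 eur_per_mbit: float = EUR_PER_MBIT) -> float:
    """Only the part of the p95 above the committed rate is billed extra."""
    return max(p95_mbit - commit_mbit, 0.0) * eur_per_mbit


def hours_free_at_p95() -> float:
    """Longest burst that the 5% discard window absorbs in a 30-day month."""
    return HOURS_PER_MONTH * 0.05


if __name__ == "__main__":
    # A 500 Mbit/s flood over a 100 Mbit/s baseline, with a 250 Mbit/s commit.
    for hours in (36, 37):
        p95 = percentile_95(build_month(100.0, 500.0, hours))
        print(f"{hours}h attack -> billed p95 {p95:.0f} Mbit/s, "
              f"overage {overage_cost(p95, 250.0):.0f} EUR")
```

Running it shows the cliff the post describes: at 36 hours the billed p95 is still the 100 Mbit/s baseline and the overage is zero, at 37 hours the p95 jumps to the full 500 Mbit/s and the overage above the 250 Mbit/s commit comes to 1500 EUR. That is why blackholing the target address at the upstream quickly, rather than simply filtering on the edge router, is what actually keeps the bill down.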