Network connectivity issue - DOS attack - monitoring

SachinK

Perch
There is some network connectivity issue occurring at our DC. We are checking it and will post an update soon.
 
There was a period of about 5 minutes with some packet loss seen; it wasn't completely down, but the packet loss was high for this short time, making some connections drop temporarily.
 
Looks like we may have some DOS attack impacting a bit here. I am making some checks, as there is a bit of packet loss again now.
 
Some network segments seem to be having just 1-2% packet loss and others having higher levels of loss.
 
We are checking on the WIN39 Cluster1, as it is having far more packet loss than the others; in fact so much that it is impossible to work on the server and trace for more info. We are working on alternative means now to work on it, and the rest of the network doesn't seem quite as impacted now, just some very occasional packet loss.
 
While we were working to get it blocked, the attack just stopped. We are monitoring the situation closely at the moment in case it returns.
 
Seems to be back, at least on the Win39 server, and possibly a few on the switch around it are being more impacted.
 
I am now sitting right next to the server that's having the attacks and will use it locally while it happens next time, to work and track it down more quickly. (There is no issue with the attacks at the moment: no packet loss, no timeouts on connections.)
 
Well, back again; seems it is summer break in Asia and the kids are out to play with their digital toys.
 
I have temporarily taken Win39 off the network, as that makes the rest of the impact on the network go down, while checking the matter.
 
Win39 has been back up; I have it temporarily limited to some slower network speeds while we work with it further. The problem is that the requests flooding in are also being replied to, making the attack requests amplified and the situation worse, as traffic is coming in and out both ways.
 
We had a ticket open with one of the upstreams for help with the DOS attack, and it seems they have null-routed the shared IP of the server within the last hour. We are working with them now to resolve this matter.
 
This is getting to be quite annoying; the attack is back now and doesn't seem to care about Win39 being up or down anymore, it continues either way.
 
Overall there isn't a lot of major impact happening, but there are 'waves' of attacks, and sometimes it is more noticeable for 2-5 minutes with packet loss, then working fine.
 
These attacks are getting to be predictable in time, but changing in tactics a lot each time. However, the target remains the shared IP on the WIN39 server.
 
We have found the domain being attacked, and it is a .in domain, which really comes as no surprise with the timing of the attacks being daytime there when it is night here.
 
Very much confirmed the attacks as well, the logs even include the DDOS tool being used!

This helps a lot now to block the issue more fully, and yes, the tool has multiple simulation modes that it cycles through, explaining some of the issues we have seen.
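The updates above describe loss arriving in 2-5 minute waves against a background of 1-2% loss on some segments. The following Python script is an added example, not code from the original thread or from the poster's network: it reads periodic probe samples (constructed here, in a made-up `t sent=N lost=M` format) and reports sustained loss waves, ignoring the background loss and one-off blips that would otherwise page an on-call engineer.

```python
"""Flag sustained packet-loss 'waves' in periodic probe samples.

Added example, not from the original thread. Assumes one sample per
fixed interval, each giving probes sent and probes lost. The input
format and all sample values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Sample:
    t: int      # seconds since monitoring started
    sent: int   # probes sent in this interval
    lost: int   # probes with no reply in this interval

    @property
    def loss_pct(self) -> float:
        return 100.0 * self.lost / self.sent if self.sent else 0.0


def parse_samples(lines) -> List[Sample]:
    """Parse constructed lines of the form '120 sent=100 lost=3'."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t_s, sent_s, lost_s = line.split()
        sent = int(sent_s.split("=", 1)[1])
        lost = int(lost_s.split("=", 1)[1])
        out.append(Sample(int(t_s), sent, lost))
    return out


def find_loss_waves(samples: List[Sample], threshold_pct: float = 5.0,
                    min_duration: int = 60, interval: int = 10
                    ) -> List[Tuple[int, int, float]]:
    """Return (start_t, end_t, peak_loss_pct) for each run of consecutive
    samples at or above threshold_pct lasting at least min_duration seconds.
    Shorter runs (single-sample blips) are dropped so only waves remain."""
    waves = []
    run: List[Sample] = []

    def close_run():
        if run and len(run) * interval >= min_duration:
            waves.append((run[0].t, run[-1].t,
                          max(s.loss_pct for s in run)))
        run.clear()

    for s in samples:
        if s.loss_pct >= threshold_pct:
            run.append(s)
        else:
            close_run()
    close_run()  # a wave still in progress at the end of the data
    return waves


# Constructed 10-minute trace, 10-second intervals, 100 probes each:
# background 0-1% loss, a 3-minute wave from t=120 (40% then 20%),
# and a single 30% blip at t=420 that should not be reported.
SAMPLE_LINES = []
for i in range(60):
    t = i * 10
    if 120 <= t < 300:
        lost = 40 if t < 200 else 20
    elif t == 420:
        lost = 30
    elif t % 50 == 0:
        lost = 1
    else:
        lost = 0
    SAMPLE_LINES.append(f"{t} sent=100 lost={lost}")


if __name__ == "__main__":
    for start, end, peak in find_loss_waves(parse_samples(SAMPLE_LINES)):
        print(f"loss wave {start}s-{end}s, peak {peak:.1f}%")
```

With the constructed trace this reports one wave, from 120 s to 290 s with a 40% peak; the 1% background samples and the lone spike at 420 s fall below the threshold or the minimum duration and are ignored. Feeding it real per-interval counts from a ping or probe job gives a log of when each wave started and ended, which is what you want beside a firewall or upstream ticket timeline.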
 