WIN15 being DDOS - resolved

[Stephen]

bout 15 sites are being effected by a problem on win15 with one asp.net pool

I am working to find some bad code on one site that is cause a 1MB log file to be generated every 10 seconds on the C drive of the server, this is among the fastest log file generations I have ever seen, and I am working on it right now.

 

[Stephen]

Re: Issue with one pool on win15

This looks to be a DDoS attack against a side, a thousands of POSTs coming from many IPs.

 

[Stephen]

Re: Issue with one pool on win15

Wow, so many requests, I have the server mostly under control, but some ASP.NET is disabled right now as it is making the server unusable with so many requests!

This should be very temporary.

 

[Stephen]

Re: Issue with one pool on win15

Most sites ARE up, only some asp.net sites are down, just for clarification.

they may be a bit slower than normal, as it is using a lot of CPU and IO with the DDOS right now, but most are up.

 

[Stephen]

Re: Issue with one pool on win15

I just did something I really did not want to do, but was forced to do so.

I had to take the shared IP for win15 offline, as it was getting 20mb/s + DDOS from all over the world, from hundred of IP addresses.

I am hoping to see the traffic die down, and then I will bring it back up.

 

[Stephen]

Re: Issue with one pool on win15

I brought the shared ip back some time ago, and the attacks came right back with it.

 

[Yash]

Re: Issue with one pool on win15

We are now taking the difficult approach of blocking each IP individually at the router level. We plan to also forward the IP list to our Internet provider to block upstream

 

[Stephen]

Re: Issue with one pool on win15

The Shared IP is again offline until we can get all IPs blocked.

 

[Yash]

Re: Issue with one pool on win15

We expect the Win15 shared IP to remain down for at least another hour. That means all websites using Win15's shared IP are currently down.

We cannot put up the Win15 shared IP right now as it would affect the rest of the network.

We are aggressively blocking all attaacking IPs.. But this is taking time. We have also called in additional staff to help with this issue

 

[Stephen]

Re: Issue with one pool on win15

I just added a large number of dedicated IPs to Win15, so you can switch over to them if you need. We are very sorry about this matter, but to stop the DDoS attack we must unbind the shared IP.

 

[Yash]

Re: Issue with one pool on win15

We expect to be able to restore Win15's shared IP within 60 minutes from now.

We are working aggressively to track and block all attacking IPs

 

[Yash]

Re: Issue with one pool on win15

We reactivated Win15's shared IP more than 40 minutes ago as we were able to reduce the attack by 50%

so Win15 is functional but slow.. We continue to block attacking IPs

 

[Stephen]

Re: Issue with one pool on win15

We have over 80 IPs blocked right now, and still some being blocked, but the shared ip sites have been up and running pretty well all things considered.

 

[Stephen]

Re: Issue with one pool on win15

We have the DDoS down to 2mb or less now, and the target site DNS is now redirected back to the attacks, so when they attack the site it comes back to them, only those working on cached DNs will still be hitting the site.

 

[Stephen]

Re: Issue with one pool on win15

I think we have all IPs that were DDoSing blocked or otherwise stopped with the DNS change "going live"

If by any chance on of these IPs was yours or a customers and we were incorrect in blocking it, please send a ticket and we will evaulate the logs and unlist if the said IP was not at fault.