Win27 DDoS attack - mostly blocked

Manish

Bass
We are going to perform urgent maintenance on win27. Somebody is running a mass network scan on it. We are working to resolve it.
 
Re: Win27 urgent maintenance

We have IIS off for a brief time while checking this, as it is allowing us to isolate the issue of the scan. Even with IIS off, over 40 megabits a second of HTTP requests are coming in. We are trying to isolate the ranges doing this and return it to normal operations.
 
Re: Win27 urgent maintenance

We are having a very strange issue and have issued a reboot here. Even with the reboot there is still a lot of incoming data flow, and the server is NOT serving pages yet. Will keep you updated.
 
Re: Win27 urgent maintenance

We are working on this onsite now, as there may be an issue with the network card causing the issues at this point.
 
Re: Win27 urgent maintenance

It went into chkdsk on the reboot, and that is the reason for the delay in coming back up. However, at the moment we are working with upstreams to block the attacks, which are still coming in hard even to a server not replying on the network interface.
 
Re: Win27 urgent maintenance

We are starting IIS now; we can't wait on upstreams any longer.

I did check traffic sources for the most common destination, 64.187.108.55, and I see too many source IPs to be able to block the traffic to it without null routing traffic.

So basically it's so majorly distributed that it's going to be near impossible to block it.

_____

We are going to possibly block 10,000+ IPs on just the server, but not the entire network. The attack is coming in on the shared IP, so temporarily removing the IP from the network, or allowing a null route to it, is not a viable option.
 
Re: Win27 urgent maintenance

If your IP starts with 78. in the first quad of your IP address, you may be unable to visit win27-based sites for a while. We are having the entire network blocked off until we get further refined rules in place.
 
Re: Win27 urgent maintenance

We are having to block every single IP of a certain ISP in a certain country.

It is infested with trojaned computers that are attacking relentlessly.
 
Re: Win27 urgent maintenance

We are working as fast as possible here, but the number of IPs and all is staggering.

It is an entire LARGE ISP that looks to have MANY trojaned clients attacking the shared IP of win27.

I tried to call their NOC to have them null route the IP on their side (since their edge routers would have been the ideal place), but they do not answer the phone at their NOC.
 
Re: Win27 urgent maintenance

The blocks are not as broad now, but do seem to have worked pretty well.

We are still blocking if we see abuse from an IP, but really, with the exception of one small 254-IP range, it is all a single ISP.

The server is performing much better since the attacks have been limited now.
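The triage the thread describes (find the most common destination, count the sources hitting it, block the whole 78. first octet, then refine the rules until only the abusive ISP ranges remain) as an added Python example. This is not the hosting provider's tooling and nothing here was posted in the thread; the flow records below are constructed for the example, only the destination 64.187.108.55 comes from the thread, and the request and source-count thresholds are assumptions you would tune to the real traffic.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample flow summary (hypothetical; only the destination
# 64.187.108.55 comes from the thread). One record per line:
# "<src_ip> <dst_ip> <http_requests>", the shape a flow collector or an
# IIS log summariser would hand you during an incident.
SAMPLE_FLOWS = """\
78.1.2.3      64.187.108.55 4200
78.1.2.9      64.187.108.55 3900
78.1.7.1      64.187.108.55 4100
78.12.3.4     64.187.108.55 3800
78.12.3.5     64.187.108.55 4000
78.12.99.1    64.187.108.55 3700
78.40.1.1     64.187.108.55 4300
78.40.1.2     64.187.108.55 3600
203.0.113.7   64.187.108.55 3500
203.0.113.8   64.187.108.55 3400
198.51.100.5  64.187.108.55 12
198.51.100.9  64.187.108.60 8
"""


def parse_flows(text):
    """Parse 'src dst requests' lines into (IPv4Address, IPv4Address, int) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, count = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(count)))
    return flows


def top_destination(flows):
    """The 'most common destination': the IP receiving the most requests."""
    per_dst = Counter()
    for _, dst, n in flows:
        per_dst[dst] += n
    return per_dst.most_common(1)[0][0]


def sources_for(flows, dst):
    """Requests per source IP aimed at dst."""
    per_src = Counter()
    for src, d, n in flows:
        if d == dst:
            per_src[src] += n
    return per_src


def abusive_sources(per_src, min_requests):
    """Sources above the per-host request threshold; an ordinary visitor stays out."""
    return {src for src, n in per_src.items() if n >= min_requests}


def aggregate(sources, prefix_len):
    """Number of distinct abusive hosts per /prefix_len network (8 = first octet)."""
    nets = defaultdict(set)
    for src in sources:
        nets[ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)].add(src)
    return {net: len(hosts) for net, hosts in nets.items()}


def block_list(sources, prefix_len, min_sources):
    """Networks worth blocking wholesale: at least min_sources abusive hosts each."""
    return sorted(net for net, hosts in aggregate(sources, prefix_len).items()
                  if hosts >= min_sources)


def coverage(sources, nets):
    """Fraction of abusive sources that the proposed block list catches."""
    if not sources:
        return 0.0
    return sum(1 for s in sources if any(s in net for net in nets)) / len(sources)


def collateral(nets):
    """Total addresses the block list denies, abusive or not (the cost of a broad rule)."""
    return sum(net.num_addresses for net in nets)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    target = top_destination(flows)
    bad = abusive_sources(sources_for(flows, target), min_requests=100)
    print(f"target {target}: {len(bad)} abusive sources")
    # Coarse first (one /8 rule, like blocking everything starting with 78.),
    # then refine: fewer innocent addresses denied at the price of more rules.
    for plen in (8, 16, 24):
        nets = block_list(bad, plen, min_sources=2)
        print(f"/{plen}: {len(nets)} rule(s), covers {coverage(bad, nets):.0%}, "
              f"denies {collateral(nets)} addresses: "
              + ", ".join(str(n) for n in nets))
```

The report the script prints is the decision the thread had to make by hand: the /8 rule catches the botnet with one line but denies tens of millions of addresses, the /16 rules still reach every abusive host with four lines, and the /24 rules miss the stragglers that sit alone in their subnet. Whatever prefix length you settle on, rerun it against fresh flow data, since a botnet's source mix shifts and yesterday's refined list stops matching.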
 