Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsSpark New ZealandDoS Attack from Telecom NZ address 122.58.191.250


3421 posts

Uber Geek
+1 received by user: 410

Trusted

Topic # 94917 21-Dec-2011 23:53
Send private message

Hey guys,
We have been hit by a number of DoS attacks over the last few weeks (to the point where we can't access our systems anymore and we are on a 100mbps Orcon datacenter line). After providing our summary logs to our firewall vendor the fact we get no increases in the number of states and the short nature of the attacks suggested to them it was not a DDoS but rather a one or 2 host DoS.

Anyway it started happening again tonight (like 4 times already) so I decided screw it, I'
ll log every packet and find out what's going on. The target IP is always the same so was quite easy to track. Anyway it looks like we are being hit from 122.58.191.250 which is from Telecom NZ. The DoSer is opening up heaps of connections to the IMAP port on that server (which runs Smartermail). I have more details than this too.

Question, do I contact Telecom NOC, get my ISP to contact Telecom NOC or open a case with the police? We are pretty desperate as our entire rack with Orcon is getting taken offline and Orcon don't want to help (still waiting 2+ weeks to hear from their technical department).

Bandwidth spikes massively:


Packet loss goes through the roof:




50 matched log entries. Max(50)ActTimeIfSourceDestinationProto
Dec 21 23:20:55WAN  122.58.191.250:49590  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49591  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49592  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49593  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49594  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49595  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49596  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49597  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49598  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49599  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49600  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49601  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49602  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49603  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49604  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49605  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49606  60.234.74.58:143TCP:FA
Dec 21 23:20:55WAN  122.58.191.250:49607  60.234.74.58:143TCP:FA
Dec 21 23:20:56WAN  122.58.191.250:49608  60.234.74.58:143TCP:FA
Dec 21 23:21:59WAN  122.58.191.250:49620  60.234.74.58:143TCP:FA
Dec 21 23:21:59WAN  122.58.191.250:49623  60.234.74.58:143TCP:FA
Dec 21 23:21:59WAN  122.58.191.250:49625  60.234.74.58:143TCP:FA
Dec 21 23:21:59WAN  122.58.191.250:49630  60.234.74.58:143TCP:FA
Dec 21 23:23:02WAN  122.58.191.250:49637  60.234.74.58:143TCP:FA
Dec 21 23:23:02WAN  122.58.191.250:49638  60.234.74.58:143TCP:FA
Dec 21 23:23:02WAN  122.58.191.250:49639  60.234.74.58:143TCP:FA
Dec 21 23:23:02WAN  122.58.191.250:49642  60.234.74.58:143TCP:FA
Dec 21 23:23:02WAN  122.58.191.250:49644  60.234.74.58:143TCP:FA
Dec 21 23:23:02WAN  122.58.191.250:49647  60.234.74.58:143TCP:FA
Dec 21 23:23:02WAN  122.58.191.250:49649  60.234.74.58:143TCP:FA
Dec 21 23:23:02WAN  122.58.191.250:49652  60.234.74.58:143TCP:FA
Dec 21 23:23:04WAN  122.58.191.250:49655  60.234.74.58:143TCP:FA
Dec 21 23:24:07WAN  122.58.191.250:49668  60.234.74.58:143TCP:FA
Dec 21 23:24:07WAN  122.58.191.250:49671  60.234.74.58:143TCP:FA
Dec 21 23:24:07WAN  122.58.191.250:49676  60.234.74.58:143TCP:FA
Dec 21 23:24:07WAN  122.58.191.250:49678  60.234.74.58:143TCP:FA
Dec 21 23:24:07WAN  122.58.191.250:49681  60.234.74.58:143TCP:FA
Dec 21 23:24:07WAN  122.58.191.250:49683  60.234.74.58:143TCP:FA
Dec 21 23:25:11WAN  122.58.191.250:49735  60.234.74.58:143TCP:FA
Dec 21 23:26:15WAN  122.58.191.250:49759  60.234.74.58:143TCP:FA
Dec 21 23:26:15WAN  122.58.191.250:49764  60.234.74.58:143TCP:FA
Dec 21 23:26:15WAN  122.58.191.250:49766  60.234.74.58:143TCP:FA
Dec 21 23:26:15WAN  122.58.191.250:49769  60.234.74.58:143TCP:FA
Dec 21 23:26:15WAN  122.58.191.250:49771  60.234.74.58:143TCP:FA
Dec 21 23:26:15WAN  122.58.191.250:49773  60.234.74.58:143TCP:FA
Dec 21 23:26:15WAN  122.58.191.250:49774  60.234.74.58:143TCP:FA
Dec 21 23:26:15WAN  122.58.191.250:49776  60.234.74.58:143TCP:FA
Dec 21 23:26:17WAN  122.58.191.250:49778  60.234.74.58:143TCP:FA
Dec 21 23:27:20WAN  122.58.191.250:49829  60.234.74.58:143TCP:RA
Dec 21 23:27:20WAN  122.58.191.250:49839  60.234.74.58:143TCP:RA





View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 560507 22-Dec-2011 00:04
Send private message

I would have thought the first step would be for Orcon to null route traffic from that ip address. It's not an distributed dos so that would immediately alleviate the main problem.

Tried pm'ing Orcon people that post on GZ? eg: Sounddude, Bameron, ptinson... see if they can point you in the right direction or kick the process along.

What's your Orcon account manager doing? They should be all over this...

I would also recommend you join the nznog mailing list http://www.nznog.org/ and post a message to the list with basically the info from your post above asking from help from any Orcon or Telecom NOC staff.

Finally I've reported spam/network abuse against our work mailservers to security@xtra.co.nz in the past (http://telecom.custhelp.com/app/answers/detail/a_id/1115) and it did lead to a successful resolution but did take 48hrs or so.

I would be trying all the above approaches (orcon account manager, GZ orcon contacts, NZNOG contacts, Telecom Network Abuse address).

14447 posts

Uber Geek
+1 received by user: 1898


  Reply # 560515 22-Dec-2011 00:26
Send private message

And twitter. More responsive than geekzone from my experience.

 
 
 
 


BDFL - Memuneh
61773 posts

Uber Geek
+1 received by user: 12428

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 560548 22-Dec-2011 08:06
Send private message

Tough case, but I'd ask Orcon to change the IP address. If the "attacks" follow you to your new IP address then it's certainly something wrong on the origin side. Contact Telecom then and ask them to investigate. If no luck, involve the police.

Bear in mind it's easy to spoof IP addresses so this could be coming from anywhere really...





Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

7912 posts

Uber Geek
+1 received by user: 801

Subscriber

  Reply # 560555 22-Dec-2011 08:24
Send private message

Why do i get a security alert message when ever I click on this  item link??

 




Regards,

Old3eyes

BDFL - Memuneh
61773 posts

Uber Geek
+1 received by user: 12428

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 560556 22-Dec-2011 08:25
Send private message

Please be more specific. What alert? What's in the message? What software issues it?




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

BDFL - Memuneh
61773 posts

Uber Geek
+1 received by user: 12428

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 560557 22-Dec-2011 08:26
Send private message

Oh, probably because the OP has done a copy and paste from somewhere and all those broken images on his post are using https. Your browser is probably telling you about "mixed content" (secure and non-secure).

Nothing to see here citizen, move along.




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

7912 posts

Uber Geek
+1 received by user: 801

Subscriber

  Reply # 560559 22-Dec-2011 08:28
Send private message

freitasm: Please be more specific. What alert? What's in the message? What software issues it?


 

I tried to post a copy of it but no go .  Try this dropbox version..

http://dl.dropbox.com/u/15032525/alert.jpg

 




Regards,

Old3eyes

52 posts

Master Geek


  Reply # 560561 22-Dec-2011 08:32
Send private message

 I got the same alert regarding security cert.

45 posts

Geek


  Reply # 560582 22-Dec-2011 09:33
Send private message

Seems unlikely that this is actually a malicious DoS, more likely something has been misconfigured.

Can you see in your IMAP logs if this IP is actually logging in to your server as a particular user?

Also given that you said you're not seeing a massive increase in your state table, or other resources, it does just seem like someone is logging in to IMAP and using lots of bandwidth. (yes, a pantload of bandwidth)

956 posts

Ultimate Geek
+1 received by user: 346
Inactive user


  Reply # 560722 22-Dec-2011 14:22
Send private message

null route the IP on your box as well..



3421 posts

Uber Geek
+1 received by user: 410

Trusted

  Reply # 573246 25-Jan-2012 18:15
Send private message

Hey guys,
The DDoSes have been continuing but finally on Monday managed to get some headway with Orcon. We upgraded to a 1gbps port which gives us a lot more options to defend ourselves. Got our first DDoS today since the upgrade and it was 600mbps. I also discussed running 2 BGP sessions with Orcon to provide fault tolerance and load balancing via a separate 1gbps to each of their 2 core distribution switches which would give us redundancy and up to 2gbps to play with.

During the attack our packet loss hit around 17% which is a big step from the 80%+ we used to see. I think its a CPU issue on our firewall as its only running 2 cores of an e5620. I am going to bump that up to 4 cores and installing Snort on our border router at the moment.

When the Xeon E5s come out I'll move the router onto the new server with faster CPUs but the above should suffice for a couple of months.

I am still waiting to hear back from the Police but I'm not too worried at the moment as we seem to have things under control (finally).






1948 posts

Uber Geek
+1 received by user: 469
Inactive user


  Reply # 573308 25-Jan-2012 21:27
Send private message

Zeon: I am still waiting to hear back from the Police but I'm not too worried at the moment as we seem to have things under control (finally).


Granted it may not be be sourced from Telecom since the IP could be spoofed but did you try security@xtra.co.nz and have any joy?? I'll ask a few people tomorrow about it as well.

If you don't get any joy or need assistance PM me with your name / phone / email and I can see what I can chase up for you.

86 posts

Master Geek
+1 received by user: 23

Subscriber

  Reply # 573326 25-Jan-2012 22:13
Send private message

FYI

We also have been dealing with DDoS attacks taking down our firewall, our solution was to point our domain at a proxying service that specializes in DDoS filtering.
They then send the clean HTTP and HTTPS traffic to our webservers IP address where we only let their IP through

The two services we have found are Zenprotection or Gigenet?s ProxyShield

Although they cost $$ Both seem to work very well and get you back in business real quick

Bruce

14447 posts

Uber Geek
+1 received by user: 1898


  Reply # 573346 25-Jan-2012 23:09
Send private message

Yes I get that security error popup too. Must be one of the images that the going through a secure cert that the OP posted, I am hoping.

BDFL - Memuneh
61773 posts

Uber Geek
+1 received by user: 12428

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 573350 25-Jan-2012 23:21
Send private message

There you go, removed all the HTTPS references from the OP.





Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.