Geekzone: technology news, blogs, forums
Zeon

3916 posts

Uber Geek

Trusted

#94917 21-Dec-2011 23:53

Hey guys,
We have been hit by a number of DoS attacks over the last few weeks (to the point where we can't access our systems anymore and we are on a 100mbps Orcon datacenter line). After providing our summary logs to our firewall vendor the fact we get no increases in the number of states and the short nature of the attacks suggested to them it was not a DDoS but rather a one or 2 host DoS.

Anyway it started happening again tonight (like 4 times already) so I decided screw it, I'll log every packet and find out what's going on. The target IP is always the same so was quite easy to track. Anyway it looks like we are being hit from 122.58.191.250 which is from Telecom NZ. The DoSer is opening up heaps of connections to the IMAP port on that server (which runs Smartermail). I have more details than this too.

Question, do I contact Telecom NOC, get my ISP to contact Telecom NOC or open a case with the police? We are pretty desperate as our entire rack with Orcon is getting taken offline and Orcon don't want to help (still waiting 2+ weeks to hear from their technical department).

Bandwidth spikes massively:


Packet loss goes through the roof:




50 matched log entries (Time  If  Source  Destination  Proto:Flags):
Dec 21 23:20:55  WAN  122.58.191.250:49590  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49591  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49592  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49593  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49594  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49595  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49596  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49597  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49598  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49599  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49600  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49601  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49602  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49603  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49604  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49605  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49606  60.234.74.58:143  TCP:FA
Dec 21 23:20:55  WAN  122.58.191.250:49607  60.234.74.58:143  TCP:FA
Dec 21 23:20:56  WAN  122.58.191.250:49608  60.234.74.58:143  TCP:FA
Dec 21 23:21:59  WAN  122.58.191.250:49620  60.234.74.58:143  TCP:FA
Dec 21 23:21:59  WAN  122.58.191.250:49623  60.234.74.58:143  TCP:FA
Dec 21 23:21:59  WAN  122.58.191.250:49625  60.234.74.58:143  TCP:FA
Dec 21 23:21:59  WAN  122.58.191.250:49630  60.234.74.58:143  TCP:FA
Dec 21 23:23:02  WAN  122.58.191.250:49637  60.234.74.58:143  TCP:FA
Dec 21 23:23:02  WAN  122.58.191.250:49638  60.234.74.58:143  TCP:FA
Dec 21 23:23:02  WAN  122.58.191.250:49639  60.234.74.58:143  TCP:FA
Dec 21 23:23:02  WAN  122.58.191.250:49642  60.234.74.58:143  TCP:FA
Dec 21 23:23:02  WAN  122.58.191.250:49644  60.234.74.58:143  TCP:FA
Dec 21 23:23:02  WAN  122.58.191.250:49647  60.234.74.58:143  TCP:FA
Dec 21 23:23:02  WAN  122.58.191.250:49649  60.234.74.58:143  TCP:FA
Dec 21 23:23:02  WAN  122.58.191.250:49652  60.234.74.58:143  TCP:FA
Dec 21 23:23:04  WAN  122.58.191.250:49655  60.234.74.58:143  TCP:FA
Dec 21 23:24:07  WAN  122.58.191.250:49668  60.234.74.58:143  TCP:FA
Dec 21 23:24:07  WAN  122.58.191.250:49671  60.234.74.58:143  TCP:FA
Dec 21 23:24:07  WAN  122.58.191.250:49676  60.234.74.58:143  TCP:FA
Dec 21 23:24:07  WAN  122.58.191.250:49678  60.234.74.58:143  TCP:FA
Dec 21 23:24:07  WAN  122.58.191.250:49681  60.234.74.58:143  TCP:FA
Dec 21 23:24:07  WAN  122.58.191.250:49683  60.234.74.58:143  TCP:FA
Dec 21 23:25:11  WAN  122.58.191.250:49735  60.234.74.58:143  TCP:FA
Dec 21 23:26:15  WAN  122.58.191.250:49759  60.234.74.58:143  TCP:FA
Dec 21 23:26:15  WAN  122.58.191.250:49764  60.234.74.58:143  TCP:FA
Dec 21 23:26:15  WAN  122.58.191.250:49766  60.234.74.58:143  TCP:FA
Dec 21 23:26:15  WAN  122.58.191.250:49769  60.234.74.58:143  TCP:FA
Dec 21 23:26:15  WAN  122.58.191.250:49771  60.234.74.58:143  TCP:FA
Dec 21 23:26:15  WAN  122.58.191.250:49773  60.234.74.58:143  TCP:FA
Dec 21 23:26:15  WAN  122.58.191.250:49774  60.234.74.58:143  TCP:FA
Dec 21 23:26:15  WAN  122.58.191.250:49776  60.234.74.58:143  TCP:FA
Dec 21 23:26:17  WAN  122.58.191.250:49778  60.234.74.58:143  TCP:FA
Dec 21 23:27:20  WAN  122.58.191.250:49829  60.234.74.58:143  TCP:RA
Dec 21 23:27:20  WAN  122.58.191.250:49839  60.234.74.58:143  TCP:RA
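An added example (not the OP's code or anything from the thread) of the triage the post describes: parsing firewall log lines in the pfSense-style layout shown above and flagging any source that bursts against one destination port within a short window, plus a tally of the TCP flag shorthand per source. The log lines, the 60-second window and the threshold of 10 are constructed assumptions for the demo; the addresses and port numbers mirror the ones in the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One firewall log row: "Dec 21 23:20:55 WAN 122.58.191.250:49590 60.234.74.58:143 TCP:FA"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?$"
)

def parse_line(line, year=2011):
    """Parse one row into a dict, or return None for rows that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; the caller supplies it (2011 for this thread).
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

# Constructed sample modelled on the post: an 18-hit burst in one second, a few
# stragglers, then RST/ACKs, plus one unrelated (constructed) benign client.
SAMPLE_LOG = [
    f"Dec 21 23:20:55 WAN 122.58.191.250:{49590 + i} 60.234.74.58:143 TCP:FA" for i in range(18)
] + [
    "Dec 21 23:20:56 WAN 122.58.191.250:49608 60.234.74.58:143 TCP:FA",
    "Dec 21 23:21:59 WAN 122.58.191.250:49620 60.234.74.58:143 TCP:FA",
    "Dec 21 23:27:20 WAN 122.58.191.250:49829 60.234.74.58:143 TCP:RA",
    "Dec 21 23:22:10 WAN 198.51.100.7:51000 60.234.74.58:143 TCP:S",
]

def burst_sources(lines, window_s=60, threshold=10):
    """Return {(src, dst, dport): peak} for flows whose peak number of logged
    hits inside any window_s-second span reaches threshold (sliding window)."""
    times = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        times[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])
    peaks = {}
    for key, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(ts):
            while (t - ts[lo]).total_seconds() > window_s:
                lo += 1  # drop hits that fell out of the window
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            peaks[key] = peak
    return peaks

def flag_summary(lines, src):
    """Count TCP flag shorthand (FA = FIN+ACK, RA = RST+ACK, S = SYN) for one source."""
    return Counter(r["flags"] for r in map(parse_line, lines) if r and r["src"] == src)
```

Seeing mostly FIN/ACK and RST/ACK entries, rather than SYNs, is worth checking against the IMAP server's own logs before calling it an attack, which is the point the thread goes on to raise.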




Ragnor
8219 posts

Uber Geek

Trusted

  #560507 22-Dec-2011 00:04

I would have thought the first step would be for Orcon to null route traffic from that IP address. It's not a distributed DoS so that would immediately alleviate the main problem.

Tried pm'ing Orcon people that post on GZ? eg: Sounddude, Bameron, ptinson... see if they can point you in the right direction or kick the process along.

What's your Orcon account manager doing? They should be all over this...

I would also recommend you join the NZNOG mailing list http://www.nznog.org/ and post a message to the list with basically the info from your post above asking for help from any Orcon or Telecom NOC staff.

Finally I've reported spam/network abuse against our work mailservers to security@xtra.co.nz in the past (http://telecom.custhelp.com/app/answers/detail/a_id/1115) and it did lead to a successful resolution but did take 48hrs or so.

I would be trying all the above approaches (orcon account manager, GZ orcon contacts, NZNOG contacts, Telecom Network Abuse address).



mattwnz
20141 posts

Uber Geek


  #560515 22-Dec-2011 00:26

And twitter. More responsive than geekzone from my experience.

freitasm
BDFL - Memuneh
79254 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #560548 22-Dec-2011 08:06

Tough case, but I'd ask Orcon to change the IP address. If the "attacks" follow you to your new IP address then it's certainly something wrong on the origin side. Contact Telecom then and ask them to investigate. If no luck, involve the police.

Bear in mind it's easy to spoof IP addresses so this could be coming from anywhere really...









old3eyes
9119 posts

Uber Geek

Subscriber

  #560555 22-Dec-2011 08:24

Why do I get a security alert message whenever I click on this item link??





Regards,

Old3eyes


freitasm
BDFL - Memuneh
79254 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #560556 22-Dec-2011 08:25

Please be more specific. What alert? What's in the message? What software issues it?






freitasm
BDFL - Memuneh
79254 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #560557 22-Dec-2011 08:26

Oh, probably because the OP has done a copy and paste from somewhere and all those broken images on his post are using https. Your browser is probably telling you about "mixed content" (secure and non-secure).

Nothing to see here citizen, move along.






old3eyes
9119 posts

Uber Geek

Subscriber

  #560559 22-Dec-2011 08:28

freitasm: Please be more specific. What alert? What's in the message? What software issues it?



I tried to post a copy of it but no go. Try this Dropbox version:

http://dl.dropbox.com/u/15032525/alert.jpg





Regards,

Old3eyes


PhoenixNZ
52 posts

Master Geek


  #560561 22-Dec-2011 08:32

I got the same alert regarding the security cert.

detonate
45 posts

Geek


  #560582 22-Dec-2011 09:33

Seems unlikely that this is actually a malicious DoS, more likely something has been misconfigured.

Can you see in your IMAP logs if this IP is actually logging in to your server as a particular user?

Also given that you said you're not seeing a massive increase in your state table, or other resources, it does just seem like someone is logging in to IMAP and using lots of bandwidth. (yes, a pantload of bandwidth)

JamesL
956 posts

Ultimate Geek
Inactive user


  #560722 22-Dec-2011 14:22

null route the IP on your box as well..

Zeon

3916 posts

Uber Geek

Trusted

  #573246 25-Jan-2012 18:15

Hey guys,
The DDoSes have been continuing but finally on Monday managed to get some headway with Orcon. We upgraded to a 1gbps port which gives us a lot more options to defend ourselves. Got our first DDoS today since the upgrade and it was 600mbps. I also discussed running 2 BGP sessions with Orcon to provide fault tolerance and load balancing via a separate 1gbps to each of their 2 core distribution switches which would give us redundancy and up to 2gbps to play with.

During the attack our packet loss hit around 17% which is a big step from the 80%+ we used to see. I think it's a CPU issue on our firewall as it's only running 2 cores of an E5620. I am going to bump that up to 4 cores and am installing Snort on our border router at the moment.

When the Xeon E5s come out I'll move the router onto the new server with faster CPUs but the above should suffice for a couple of months.

I am still waiting to hear back from the Police but I'm not too worried at the moment as we seem to have things under control (finally).







plambrechtsen
1948 posts

Uber Geek
Inactive user


  #573308 25-Jan-2012 21:27

Zeon: I am still waiting to hear back from the Police but I'm not too worried at the moment as we seem to have things under control (finally).


Granted it may not be sourced from Telecom since the IP could be spoofed, but did you try security@xtra.co.nz and have any joy?? I'll ask a few people tomorrow about it as well.

If you don't get any joy or need assistance PM me with your name / phone / email and I can see what I can chase up for you.

daparrot
128 posts

Master Geek


  #573326 25-Jan-2012 22:13

FYI

We also have been dealing with DDoS attacks taking down our firewall. Our solution was to point our domain at a proxying service that specializes in DDoS filtering.
They then send the clean HTTP and HTTPS traffic to our webserver's IP address, where we only let their IPs through.

The two services we have found are Zenprotection or Gigenet's ProxyShield.

Although they cost $$, both seem to work very well and get you back in business real quick.

Bruce

mattwnz
20141 posts

Uber Geek


  #573346 25-Jan-2012 23:09

Yes, I get that security error popup too. Must be one of the images the OP posted going through a secure cert, I am hoping.

freitasm
BDFL - Memuneh
79254 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #573350 25-Jan-2012 23:21

There you go, removed all the HTTPS references from the OP.






