kordia packet storm affecting isps

Forums › New Zealand Broadband › kordia packet storm affecting isps

raytaylor

3416 posts

Uber Geek

Trusted

# 81129 8-Apr-2011 12:11

As I understand, kordia have a packet storm on their network and its affecting a few isps at the moment

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

1 | 2

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

# 456710 8-Apr-2011 12:22

Where did you get this info from?

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

Beccara

1141 posts

Uber Geek

# 456718 8-Apr-2011 12:36

Kordia?

Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

xpd

Chief Trash Bandit
10158 posts

Uber Geek

Mod Emeritus

Trusted

Lifetime subscriber

# 456722 8-Apr-2011 12:42

raytaylor: As I understand, kordia have a packet storm on their network and its affecting a few isps at the moment

If youre going to make an announcement such as that, please give more info (source would be nice).

XPD / Gavin / DemiseNZ

Server : i5-3470s @ 3.50GHz 16GB RAM Win 10 Pro Workstation : Ryzen 5 3600 / 16GB DDR4 / RX580 4GB Console : Xbox One

Now on BigPipe 100/100 and 2Talk Add me on Steam

skewt

602 posts

Ultimate Geek

# 456739 8-Apr-2011 13:39

Communications where i work were affected, use kordia for the wan, even now still got issues, started about 11:20 or so

raytaylor

3416 posts

Uber Geek

Trusted

# 456749 8-Apr-2011 13:53

More info:

Source - SafeNZ, an isp for a few of our clients
It was affecting national traffic between safenz, orcon and telecom and they reckon a between a few other isp's.

Has now been resolved.

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

freitasm

BDFL - Memuneh
64980 posts

Uber Geek

Administrator

Trusted

Geekzone

Lifetime subscriber

# 456757 8-Apr-2011 14:02

raytaylor: Source - SafeNZ, an isp for a few of our clients
It was affecting national traffic between safenz, orcon and telecom and they reckon a between a few other isp's.

"They reckon" is a bit vague and sounds like "they think it may be the case".

I haven't seen any mention in the NZNOG.

rhughes

3 posts

Wannabe Geek

Trusted

Kordia

# 456762 8-Apr-2011 14:29

We did have an issue on the Kordia network affecting one traffic queue caused by a broadcast storm on a customer's network. We're investigating why this issue caused impairments to other customers. Our apologies to those affected.

Regan
IP architect
Kordia

freitasm

BDFL - Memuneh
64980 posts

Uber Geek

Administrator

Trusted

Geekzone

Lifetime subscriber

# 456763 8-Apr-2011 14:30

Thanks for the update!

velofille

42 posts

Geek

Trusted

# 456777 8-Apr-2011 15:36

Rimuhosting have some of our VPS in there, and we got told it was a DoS attack. our servers are under hosting direct network, so this is where we got our information

raytaylor

3416 posts

Uber Geek

Trusted

# 456789 8-Apr-2011 16:18

Sorry.
I wouldn't have posted if I didn't think it was true.
It wasn't a case of an isp trying to place blame on someone else, I had done the traceroutes from a couple of isps that showed something was definitley wrong.

They reckon is a reflection on how I type the same way I talk.

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

Sounddude

I fix stuff!
1788 posts

Uber Geek

Trusted

Vocus

Subscriber

# 456795 8-Apr-2011 16:32

velofille: Rimuhosting have some of our VPS in there, and we got told it was a DoS attack. our servers are under hosting direct network, so this is where we got our information

Unrelated issue :-)

velofille

42 posts

Geek

Trusted

# 456797 8-Apr-2011 16:40

How many issues were there? :O

1080p

1332 posts

Uber Geek
Inactive user

# 456841 8-Apr-2011 20:02

Yah, got mail this afternoon:

1. Introduction

The purpose of this email is to provide a time-line and identify the root
cause of the network attack that occurred on April 8, 2011 which affected
all clients at our Piermark Datacentre. The attack centred on the core
network equipment which was bombarded by a DDOS attack originating from China.
Clients experienced a wide range of issues = intermittent or inaccessibility to complete outages
during the network event.

Event Time: 12:30pm - 2:30pm

2. Time-line Summary

At 12:30pm, engineers began to notice severe network latency
within the Managed Hosting network. While troubleshooting the network
latency it became apparent that the latency was part of a bigger issue within the core network and upstream. The Infrastructure team began troubleshooting the fiber links as a possible source of the network congestion. Upon further troubleshooting it was noted an attack originating from China was the root cause of network latency issues. The manner in which this attack worked was to flood our equipment with short byte empty UDP packets of data to the point it became overloaded and saturated.

Within 30 minutes of the attack we had requested our upstream provider to start null routing all IP's that were taking part in the attack.

3. Root Cause Analysis

There were 16 ?B Class? IP's originating from China which were leading the attack on our core network causing network degradation. There were also an array of C class IP's taking part.

4. Conclusion/Q&A

Why did it take 2 hours to resolve?

Hosting Direct maintains a very sophisticated network that utilizes many different types of equipment to deal with different situations. The issue today was down to a series of attacks that were from a vast range of different IP's. Each time progress was made through a corrective or isolation action the attacks presented themselves in another manner. Until all attacker IP's were simultaneously blocked, we were unable to stop the network congestion.

Why did a failure in a redundant network still impact my hosted site?

The issue today was not a ?hard? hard ware failure but a overload of system equipment caused by the network being maxed out by a DDOS attack.

What actions are being taken to prevent this from re-occurring?

In the process of working with our upstream provider, we have taken the plan of action to diversify our upstream providers. At this time, we do not have a scheduled date as to when this will change but we will provide notice as soon as this change has taken place.

Best Regards,
- Hosting Direct Limited