kordia packet storm affecting isps

Forums › New Zealand Broadband › kordia packet storm affecting isps

raytaylor

3468 posts

Uber Geek

Trusted

#81129 8-Apr-2011 12:11

As I understand, kordia have a packet storm on their network and its affecting a few isps at the moment

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

1 | 2

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

#456710 8-Apr-2011 12:22

Where did you get this info from?

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

Beccara

1287 posts

Uber Geek

#456718 8-Apr-2011 12:36

Kordia?

Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

xpd

Im a pirate
10808 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#456722 8-Apr-2011 12:42

raytaylor: As I understand, kordia have a packet storm on their network and its affecting a few isps at the moment

If youre going to make an announcement such as that, please give more info (source would be nice).

XPD^ / DemiseNZ

Blog Free Games Twitter My TradeMe Goodies

Pirating in Sea Of Thieves

Coming Soon - BBS door games - all the classics!

skewt

643 posts

Ultimate Geek

#456739 8-Apr-2011 13:39

Communications where i work were affected, use kordia for the wan, even now still got issues, started about 11:20 or so

raytaylor

3468 posts

Uber Geek

Trusted

#456749 8-Apr-2011 13:53

More info:

Source - SafeNZ, an isp for a few of our clients
It was affecting national traffic between safenz, orcon and telecom and they reckon a between a few other isp's.

Has now been resolved.

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

freitasm

BDFL - Memuneh
68897 posts

Uber Geek

Administrator

Trusted

Geekzone

Lifetime subscriber

#456757 8-Apr-2011 14:02

raytaylor: Source - SafeNZ, an isp for a few of our clients
It was affecting national traffic between safenz, orcon and telecom and they reckon a between a few other isp's.

"They reckon" is a bit vague and sounds like "they think it may be the case".

I haven't seen any mention in the NZNOG.

These links are referral codes

rhughes

3 posts

Wannabe Geek

Trusted

Kordia

#456762 8-Apr-2011 14:29

We did have an issue on the Kordia network affecting one traffic queue caused by a broadcast storm on a customer's network. We're investigating why this issue caused impairments to other customers. Our apologies to those affected.

Regan
IP architect
Kordia

freitasm

BDFL - Memuneh
68897 posts

Uber Geek

Administrator

Trusted

Geekzone

Lifetime subscriber

#456763 8-Apr-2011 14:30

Thanks for the update!

These links are referral codes

velofille

42 posts

Geek

Trusted

#456777 8-Apr-2011 15:36

Rimuhosting have some of our VPS in there, and we got told it was a DoS attack. our servers are under hosting direct network, so this is where we got our information

raytaylor

3468 posts

Uber Geek

Trusted

#456789 8-Apr-2011 16:18

Sorry.
I wouldn't have posted if I didn't think it was true.
It wasn't a case of an isp trying to place blame on someone else, I had done the traceroutes from a couple of isps that showed something was definitley wrong.

They reckon is a reflection on how I type the same way I talk.

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

Sounddude

I fix stuff!
1850 posts

Uber Geek

Trusted

Vocus

Lifetime subscriber

#456795 8-Apr-2011 16:32

velofille: Rimuhosting have some of our VPS in there, and we got told it was a DoS attack. our servers are under hosting direct network, so this is where we got our information

Unrelated issue :-)

velofille

42 posts

Geek

Trusted

#456797 8-Apr-2011 16:40

How many issues were there? :O

1080p

1332 posts

Uber Geek
Inactive user

#456841 8-Apr-2011 20:02

Yah, got mail this afternoon:

1. Introduction

The purpose of this email is to provide a time-line and identify the root
cause of the network attack that occurred on April 8, 2011 which affected
all clients at our Piermark Datacentre. The attack centred on the core
network equipment which was bombarded by a DDOS attack originating from China.
Clients experienced a wide range of issues = intermittent or inaccessibility to complete outages
during the network event.

Event Time: 12:30pm - 2:30pm

2. Time-line Summary

At 12:30pm, engineers began to notice severe network latency
within the Managed Hosting network. While troubleshooting the network
latency it became apparent that the latency was part of a bigger issue within the core network and upstream. The Infrastructure team began troubleshooting the fiber links as a possible source of the network congestion. Upon further troubleshooting it was noted an attack originating from China was the root cause of network latency issues. The manner in which this attack worked was to flood our equipment with short byte empty UDP packets of data to the point it became overloaded and saturated.

Within 30 minutes of the attack we had requested our upstream provider to start null routing all IP's that were taking part in the attack.

3. Root Cause Analysis

There were 16 ?B Class? IP's originating from China which were leading the attack on our core network causing network degradation. There were also an array of C class IP's taking part.

4. Conclusion/Q&A

Why did it take 2 hours to resolve?

Hosting Direct maintains a very sophisticated network that utilizes many different types of equipment to deal with different situations. The issue today was down to a series of attacks that were from a vast range of different IP's. Each time progress was made through a corrective or isolation action the attacks presented themselves in another manner. Until all attacker IP's were simultaneously blocked, we were unable to stop the network congestion.

Why did a failure in a redundant network still impact my hosted site?

The issue today was not a ?hard? hard ware failure but a overload of system equipment caused by the network being maxed out by a DDOS attack.

What actions are being taken to prevent this from re-occurring?

In the process of working with our upstream provider, we have taken the plan of action to diversify our upstream providers. At this time, we do not have a scheduled date as to when this will change but we will provide notice as soon as this change has taken place.

Best Regards,
- Hosting Direct Limited