Autarchy of the Private Cave

Tiny bits of bioinformatics, [web-]programming etc


    XName.org down: largest DDoS they ever had

    27th October 2006

    Yesterday (October 26, 2006) I found that the nameservers for my blog (ns0.xname.org, ns1.xname.org) were not responding.
    Today the following message appeared on xname.org:

    XName currently DOWN

    XName is temporarily closed since 08:00PM CEST yesterday evening. We were experiencing the largest DDoS we ever had on both ns0 and ns1 IP addresses, forcing our upstream providers to cut off XName servers in order to preserve their other customers.

    We’re working hard in order to have at least one DNS server answering ASAP, and we already negotiated with a premium transit provider to host one of our DNS servers shortly.

    Currently my blog is back online and reachable by its name rather than by IP.

    But I am looking for other free NS-record hosting services (xname-like). I would appreciate it if people commented with their experience of handling this problem. I have temporarily allowed comments from anyone without registering (but with moderation).

    Meanwhile, there are two places where Russian-speaking folks can register secondary DNS: ns2.trifle.net and secondary.net.ua. Soon I’ll register secondaries there, leaving the primary on xname, which was a stable service up until yesterday’s DDoS attack.

    update:
    Sat. 28. 12:00 – ns0 is up and running, serving all zones correctly.

    update 2:
    Mon. 30. 18:00 CEST – ns1 is up and running, reachable from Association Kazar’s network peers (the ns1 IP is still blacklisted on upstream transit backbones).

    update 3:
    xname.org is back online, fully functional.

    update 4:
    See the List of free DNS services.
    I’m staying with xname, though did add a couple of secondaries for better fault protection.

    update 5:
    See the comments on this post for new technical information about the DDoS attack, including the IP addresses of the attackers and some packet statistics. Thanks, Boris, for the new information.

    New attack: on the 14th of January 2007 I got the following letter from the XName team:

    DDoS attack on both DNS servers
    Both of our DNS servers’ IPs – ns0.xname.org and ns1.xname.org – have been under heavy DDoS since 5PM CEST today.
    Consequently, both of them are unreachable – except very intermittently.
    We’re working with our transit providers to solve this ASAP.

    The next day (2007-01-15), XName was up and running:

    Resuming normal operations
    Since 2AM CEST both ns0 and ns1 have been answering correctly – many thanks to our transit providers for their help on this issue.

    the total outage of our service was 7 hours…

    One more attack on the 1st of October 2007 (started on the 30th of September):

    Both ns0 and ns1 DNS servers have been under DDoS attack since 10PM (GMT+2) yesterday (September 30th); ns0 has been unreachable since 6AM this morning (October 1st: total saturation of our uplink).
    ns1 is fine but was off for 3 hours today (October 1st), between 2PM and 5PM.

    I wonder what kind of mentally sick person would attack a free service…

    For any further X-Name attack updates and history, please refer to the comments below.


    11 Responses to “XName.org down: largest DDoS they ever had”

    1. Василий Борисович Черский Says:

      By the way, they were flooding Xname from a Russian ISP in Krasnoyarsk :/

    2. chronos Says:

      Where was this reported? I would add the details here…

    3. Василий Борисович Черский Says:

      On a private IRC channel I used to hang out on; the network administrator said:

      Oct 27 06:14:29 xname: dead
      Oct 27 06:15:09 DDoS since yesterday
      Oct 27 06:15:20 as soon as we try to bring the NS back up we get DDoSed
      Oct 27 06:16:21 UDP flood on port 53 of both NS
      Oct 27 06:16:46 so clearly not filterable
      Oct 27 06:17:01 from 10000 to 30000 different source IPs
      Oct 27 06:32:55 well, on Wednesday we had a DDoS on xname with ICMP type 0
      Oct 27 06:33:04 it lasted 1h and then it passed
      Oct 27 06:33:05 there…
      Oct 27 06:33:14 it must be some fucking shitty botnets
      Oct 27 06:33:20 that are getting on our nerves
      Oct 27 07:02:12 ok
      Oct 27 07:02:13 one of the assholes pestering xname is: 213.148.160.20

      20.160.148.213.in-addr.arpa domain name pointer dc.natm.ru.

      Oct 27 07:02:32 340352 packets in 5 minutes
      Oct 27 07:03:39 Xname is down because of DDoS since yesterday evening 7pm
      Oct 27 07:08:22 no, actually… I’m also the admin of the kheops network which hosts kazar and xname
      Oct 27 07:08:32 and these are the netflow traces
      Oct 27 07:08:40 # bgpctl sh ip bgp as 16301
      Oct 27 07:08:40 flags: * = Valid, > = Selected, I = via IBGP, A = Announced
      Oct 27 07:08:40 origin: i = IGP, e = EGP, ? = Incomplete
      Oct 27 07:08:40 flags destination gateway lpref med aspath origin
      Oct 27 07:08:40 *> 84.242.192.0/18 213.163.173.46 100 0 20917 3257 25462 8997 16301 i
      Oct 27 07:08:40 *> 213.148.160.0/19 213.163.173.46 100 0 20917 3257 25462 8997 16301 i
      Oct 27 07:08:49 since they have two subnets
      Oct 27 07:09:00 I’m going to reject every announcement from AS16301
      Oct 27 07:09:03 and we’ll see
      Oct 27 11:29:45 vt: I’ve got 30Mbps coming from these IPs: 211.226.22.39, 219.138.151.156, 124.101.96.180, 58.70.87.229, 61.208.120.76, 219.134.185.188, 193.255.70.128, 70.83.237.133
      Oct 27 11:50:09 Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
      Oct 27 11:50:09 2006-10-27 17:30:00.000 299.000 UDP 211.226.22.39:2344 -> 195.234.42.1:53 ...... 0 590592 333.7 M 1975 8.9 M 592 4614
      Oct 27 11:50:10 2006-10-27 17:30:00.000 299.000 UDP 219.138.151.156:36082 -> 195.234.42.1:53 .AP... 0 291200 165.8 M 973 4.4 M 597 2275

      traffic on the graph (my graph is on another computer – I’ll pass it on to you): 680 Mbit/s

      I sent an e-mail to the natm.ru admin and was told:
      «
      From: “Sergey Goncharov”
      Subject: Re: DDoS na XName

      Good afternoon, Vasily.

      Yes, we are in
      The source has already been localized.

      We apologize for the inconvenience.

      Regards, Sergey Goncharov
      Novgorod Datacom LLC, system administrator
      »
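The netflow lines quoted above are the columns the network admin was reading (packets, bytes, pps and bps per source flow toward port 53). As an added example, not code from the commenter or from XName, here is a small parser and aggregator for that nfdump-style column layout: it sums packets and pps per source IP toward the DNS port and lists the sources above a rate threshold, which is the same "who is pushing the most at us" question the admin answered by hand. The sample records are constructed with RFC 5737 documentation addresses, not taken from the capture; only the column layout is the one shown in the log.

```python
"""Aggregate nfdump-style flow lines to find the sources sending the most
traffic at a DNS server. Parses the column layout shown in the IRC log above
(Date flow start, Duration, Proto, Src IP Addr:Port, Dst IP Addr:Port, Flags,
Tos, Packets, Bytes, pps, bps, Bpp, Flows), where Bytes and bps may carry a
K/M/G unit token. Standard library only."""
from collections import defaultdict
from dataclasses import dataclass

_UNITS = {"K": 1e3, "M": 1e6, "G": 1e9}


@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: float
    nbytes: float
    pps: float
    bps: float


def _take_number(tokens, i):
    """Read the numeric column at tokens[i], absorbing a following K/M/G unit token."""
    value = float(tokens[i])
    i += 1
    if i < len(tokens) and tokens[i] in _UNITS:
        value *= _UNITS[tokens[i]]
        i += 1
    return value, i


def _split_addr(addr):
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_flow(line):
    """Parse one flow record line into a Flow; raises ValueError on a malformed line."""
    t = line.split()
    if len(t) < 15 or t[5] != "->":
        raise ValueError("not a flow record: %r" % line)
    src_ip, src_port = _split_addr(t[4])
    dst_ip, dst_port = _split_addr(t[6])
    i = 9                                   # first numeric column (Packets)
    packets, i = _take_number(t, i)
    nbytes, i = _take_number(t, i)
    pps, i = _take_number(t, i)
    bps, i = _take_number(t, i)
    return Flow(t[3], src_ip, src_port, dst_ip, dst_port, packets, nbytes, pps, bps)


def parse_flows(text):
    """Parse every record line in a block of output, skipping the header and blanks."""
    return [parse_flow(line) for line in text.splitlines() if "->" in line]


def top_sources(flows, proto="UDP", dst_port=53):
    """Total packets and pps per source IP for flows toward proto/dst_port, largest first."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for f in flows:
        if f.proto == proto and f.dst_port == dst_port:
            totals[f.src_ip][0] += f.packets
            totals[f.src_ip][1] += f.pps
    return sorted(((ip, p, r) for ip, (p, r) in totals.items()),
                  key=lambda x: x[1], reverse=True)


def flood_sources(flows, pps_threshold=500.0, **kw):
    """Source IPs whose combined rate toward the service exceeds the threshold."""
    return [ip for ip, _, pps in top_sources(flows, **kw) if pps > pps_threshold]


# Constructed sample (RFC 5737 documentation addresses, not the addresses from the log).
SAMPLE = """\
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
2006-10-27 17:30:00.000 299.000 UDP 192.0.2.10:2344 -> 198.51.100.1:53 ...... 0 590592 333.7 M 1975 8.9 M 592 4614
2006-10-27 17:30:00.000 299.000 UDP 192.0.2.11:36082 -> 198.51.100.1:53 .AP... 0 291200 165.8 M 973 4.4 M 597 2275
2006-10-27 17:30:00.000 299.000 UDP 192.0.2.12:53 -> 198.51.100.1:53 ...... 0 1200 720 K 4 19 K 600 1
2006-10-27 17:30:00.000 299.000 TCP 203.0.113.5:44123 -> 198.51.100.1:80 .AP.SF 0 40 6000 0 160 150 1
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for ip, packets, pps in top_sources(flows):
        print("%-15s %10d packets %8.1f pps" % (ip, packets, pps))
    print("above threshold:", flood_sources(flows))
```

The threshold is deliberately a parameter: a legitimate resolver that is busy will also show up with a steady pps, so the useful signal is the gap between the handful of sources at the top and everything else, not any fixed number.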

    4. HTTP caching: universal approach and sample code » Autarchy of the Private Cave Says:

      [...] Now, let’s move on to actual caching. The simplest and quite reliable method of identifying any object within your cache is md5(url) – that is, the hash of the request URL. Note, that you might want to hash not the complete URL (starting with http://), but only the part after the TLD’s slash, e.g. for complete URL http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html you would hash only the “xnameorg-down-largest-ddos-they-ever-had.html” part (or “2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html”, if the filename part of the path might be non-unique). Evidently, this will save you from generating cache both for “http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html” and for “http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html” (differing only in “www.” part). [...]

    5. DNS troubles? » Autarchy of the Private Cave Says:

      [...] Update: this is in fact XName-related problem: they are again under DDoS attack. [...]

    6. Aidan Says:

      Possible new attack on XName servers – 9 October 2007

      DNS resolution from ns0.xname.org was lost at 17:09 BST (16:09 GMT). ICMP was lost at 16:05 BST.

      ns1.xname.org is still resolving although ICMP has been intermittent since 16:59 BST.

      I have not received any information from XName. This is information I have gathered through my own monitoring.

      HTH
      Aidan

    7. Bogdan Says:

      Aidan,
      thanks for sharing the information. Did you check manually, or do you have some (semi-)automatic means of checking? I didn’t notice any problems, but that is because I was too busy to have a look at my sites for several days in a row.

      I must say, though, that I did get an email. Here it is:

      Dear XName-Availability subscribers,

      both ns0 and ns1 DNS servers are under heavy DDoS attack since 4:45 PM (gmt+2) this afternoon.

      The BGP session serving NS0 network is flapping due to a total saturation of the link, so NS0 is up very intermittently.

      ns1 is still online, even if loaded.

      I got this email on the 9th of October at 23:00 gmt+2 from the XName-Availability mailing list.

    8. Aidan Says:

      Did you check manually, or have some (semi-)automatic means for checking?

      I’m monitoring Ping responses from and DNS requests to ns0 and ns1 using Nagios. I started doing this following the outage on the 1st.

      I’ve subscribed to the xname list but haven’t had my e-mail yet, so thanks for confirming the problem.

      regards,
      Aidan
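Aidan describes monitoring ping and DNS on ns0 and ns1 with Nagios, and update 4 in the post mentions adding secondaries for fault protection. The check below is added here as an example and is neither Aidan's Nagios configuration nor XName's code: it queries each listed server for the zone's SOA record and reports a Nagios-style exit status, CRITICAL when a server does not answer and WARNING when the servers disagree on the serial (a secondary that is up but stale is not the fault protection you think you have). It uses only the standard library, building and parsing the DNS wire format by hand. The zone example.com, the server labels and the embedded reply are constructed for the offline demonstration.

```python
"""Check that every nameserver of a zone answers and that all of them serve the
same SOA serial, reporting a Nagios-style status (0 OK, 1 WARNING, 2 CRITICAL).
Standard library only: the DNS query is built and the reply parsed by hand."""
import socket
import struct
import sys

SOA = 6  # RR type code for SOA


def build_soa_query(zone, txid=0x1234):
    """Encode a one-question DNS query for zone/IN/SOA with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in zone.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", SOA, 1)


def _skip_name(msg, off):
    """Return the offset just past a wire-format name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:           # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_soa_serial(msg):
    """Return (rcode, serial) from a reply; serial is None if no SOA answer is present."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            rd = _skip_name(msg, off)       # MNAME
            rd = _skip_name(msg, rd)        # RNAME
            return rcode, struct.unpack("!I", msg[rd:rd + 4])[0]
        off += rdlen
    return rcode, None


def query_server(server_ip, zone, timeout=2.0):
    """UDP SOA query to one server; None on timeout, error or mismatched transaction id."""
    q = build_soa_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (server_ip, 53))
            data, _ = s.recvfrom(4096)
        except OSError:
            return None
    return parse_soa_serial(data) if data[:2] == q[:2] else None


def assess(results):
    """Map {server: (rcode, serial) or None} to a (status, message) pair."""
    down = sorted(s for s, r in results.items() if r is None or r[0] != 0 or r[1] is None)
    serials = sorted({r[1] for r in results.values() if r and r[1] is not None})
    if len(down) == len(results):
        return 2, "CRITICAL: no nameserver answered"
    if down:
        return 2, "CRITICAL: not answering: " + ", ".join(down)
    if len(serials) > 1:
        return 1, "WARNING: serial mismatch " + ", ".join(map(str, serials))
    return 0, "OK: %d servers, serial %d" % (len(results), serials[0])


def check_zone(zone, servers):
    """Query every server in turn and return the assessment."""
    return assess({s: query_server(s, zone) for s in servers})


# Constructed sample reply (not a capture): example.com SOA, serial 2006102701,
# with compression pointers so the pointer handling in _skip_name is exercised.
_Q = build_soa_query("example.com")
_RDATA = (b"\x03ns0\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"
          + struct.pack("!IIIII", 2006102701, 3600, 900, 604800, 86400))
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q[12:]
                + b"\xc0\x0c" + struct.pack("!HHIH", SOA, 1, 3600, len(_RDATA)) + _RDATA)

if __name__ == "__main__":
    if len(sys.argv) > 2:                   # usage: check_soa.py ZONE NS_IP [NS_IP ...]
        code, msg = check_zone(sys.argv[1], sys.argv[2:])
    else:                                   # offline demo on the constructed reply
        code, msg = assess({"ns0": parse_soa_serial(SAMPLE_REPLY), "ns1": None})
    print(msg)
    sys.exit(code)
```

Run from Nagios (or cron) with the zone and the IPs of the primary and every secondary; the exit code is the status and the single printed line is the summary. Querying by IP rather than by hostname matters here: when the nameservers themselves are what is down, resolving ns0.xname.org is exactly the step that fails.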

    9. Bogdan Says:

      Operations came back to normal at 12:00 AM today.

      ns1 was up during the whole DDoS, and ns0 was off for all global access – but was accessible for our network peers.

      To face these recurring problems, we’ll shortly set up a third DNS server (under active testing at the moment), and we’re studying how to build larger solutions in accordance with our resources (only from contributors). When done, announcements will be made on the xname-news mailing list.

    10. Xname is down again » Autarchy of the Private Cave Says:

      [...] XName is down again [...]

    11. Dinar Q. Says:

      it’s now down again
