Comments on: XName.org down: largest DDoS they ever had http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html Science, Society, Programming and Hobbies Tue, 02 Dec 2008 01:51:40 +0000 http://wordpress.org/?v=2.6.3 By: Xname is down again » Autarchy of the Private Cave http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-69275 Xname is down again » Autarchy of the Private Cave Sun, 25 May 2008 10:06:24 +0000 http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-69275 [...] XName is down again [...] [...] XName is down again [...]

]]> By: Bogdan http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-27601 Bogdan Wed, 10 Oct 2007 20:03:11 +0000 http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-27601 <blockquote cite="xname-availability"> Operations came back to normal at 12:00 AM today. ns1 was up during the whole DDoS, and ns0 was off for all global access - but was accessible for our network peers. To face these recurring problems, we'll set up shortly a third DNS server (under active testing at the moment), and we're studying how to build larger solutions accordingly with our resources (only from contributors). When done, announces will be done on xname-news mailing list. </blockquote>

Operations came back to normal at 12:00 AM today.

ns1 was up during the whole DDoS, and ns0 was off for all global access - but was accessible for our network peers.

To face these recurring problems, we’ll set up shortly a third DNS server (under active testing at the moment), and we’re studying how to build larger solutions accordingly with our resources (only from contributors). When done, announces will be done on xname-news mailing list.

]]> By: Aidan http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-27497 Aidan Tue, 09 Oct 2007 21:55:03 +0000 http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-27497 <blockquote cite="Bogdan">Did you check manually, or have some (semi-)automatic means for checking?</blockquote> I'm monitoring Ping responses from and DNS requests to ns0 and ns1 using <a href="http://www.nagios.org/" title="Nagios" rel="nofollow">Nagios</a>. I started doing this following the outage on the 1st. I've subscribed to the xname list but haven't had my e-mail yet so thanks for confirming the problem. regards, Aidan

Did you check manually, or have some (semi-)automatic means for checking?

I’m monitoring Ping responses from and DNS requests to ns0 and ns1 using Nagios. I started doing this following the outage on the 1st.

I’ve subscribed to the xname list but haven’t had my e-mail yet so thanks for confirming the problem.

regards,
Aidan

]]> By: Bogdan http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-27495 Bogdan Tue, 09 Oct 2007 21:33:22 +0000 http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-27495 Aidan, thanks for sharing information. Did you check manually, or have some (semi-)automatic means for checking? I didn't notice any problems, but that is because I was too busy to have a look at my sites for several days in a row. I must say though, that I did get an email. Here it is: <blockquote> Dear XName-Availability subscribers, both ns0 and ns1 DNS servers are under heavy DDoS attack since 4:45 PM (gmt+2) this afternoon. The BGP session serving NS0 network is flapping due to a total saturation of the link, so NS0 is up very intermittently. ns1 is still online, even if loaded. </blockquote> I got this email on the 9th of October at 23:00 gmt+2 from the XName-Availability mailing list. Aidan,
thanks for sharing information. Did you check manually, or have some (semi-)automatic means for checking? I didn’t notice any problems, but that is because I was too busy to have a look at my sites for several days in a row.

I must say though, that I did get an email. Here it is:

Dear XName-Availability subscribers,

both ns0 and ns1 DNS servers are under heavy DDoS attack since 4:45 PM
(gmt+2) this afternoon.

The BGP session serving NS0 network is flapping due to a total
saturation of the link, so NS0 is up very intermittently.

ns1 is still online, even if loaded.

I got this email on the 9th of October at 23:00 gmt+2 from the XName-Availability mailing list.

]]> By: Aidan http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-27464 Aidan Tue, 09 Oct 2007 18:00:01 +0000 http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-27464 <strong>Possible new attack on XName servers - 9 October 2007</strong> DNS resolution from ns0.xname.org was lost at 17:09 BST (16:09 GMT). ICMP was lost at 16:05 BST. ns1.xname.org is still resolving although ICMP has been intermittent since 16:59 BST. I have not received any information from XName. This is information I have gathered through my own monitoring. HTH Aidan Possible new attack on XName servers - 9 October 2007

DNS resolution from ns0.xname.org was lost at 17:09 BST (16:09 GMT). ICMP was lost at 16:05 BST.

ns1.xname.org is still resolving although ICMP has been intermittent since 16:59 BST.

I have not received any information from XName. This is information I have gathered through my own monitoring.

HTH
Aidan

]]> By: DNS troubles? » Autarchy of the Private Cave http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-24155 DNS troubles? » Autarchy of the Private Cave Mon, 01 Oct 2007 19:41:14 +0000 http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-24155 [...] Update: this is in fact XName-related problem: they are again under DDoS attack. [...] [...] Update: this is in fact XName-related problem: they are again under DDoS attack. [...]

]]> By: HTTP caching: universal approach and sample code » Autarchy of the Private Cave http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-5068 HTTP caching: universal approach and sample code » Autarchy of the Private Cave Thu, 03 May 2007 14:52:19 +0000 http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-5068 [...] Now, let's move on to actual caching. The simplest and quite reliable method of identifying any object within your cache is md5(url) - that is, the hash of the request URL. Note, that you might want to hash not the complete URL (starting with http://), but only the part after the TLD's slash, e.g. for complete URL http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html you would hash only the "xnameorg-down-largest-ddos-they-ever-had.html" part (or "2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html", if the filename part of the path might be non-unique). Evidently, this will save you from generating cache both for "http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html" and for "http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html" (differing only in "www." part). [...] [...] Now, let’s move on to actual caching. The simplest and quite reliable method of identifying any object within your cache is md5(url) - that is, the hash of the request URL. Note, that you might want to hash not the complete URL (starting with http://), but only the part after the TLD’s slash, e.g. for complete URL http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html you would hash only the “xnameorg-down-largest-ddos-they-ever-had.html” part (or “2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html”, if the filename part of the path might be non-unique). Evidently, this will save you from generating cache both for “http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html” and for “http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html” (differing only in “www.” part). [...]

]]> By: Василий Борисович Черский http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-120 Василий Борисович Черский Tue, 02 Jan 2007 18:26:20 +0000 http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-120 на приватний канал IRC где я бывал, а сотовой админитратор сказал : Oct 27 06:14:29 xname : dead Oct 27 06:15:09 DDoS depuis hier Oct 27 06:15:20 dès qu'on essaye de remttre les NS up on se fait DDoS Oct 27 06:16:21 UDP flood sur le port 53 des deux NS Oct 27 06:16:46 donc clairement non filtrable Oct 27 06:17:01 sur 10000 à 30000 ip sources différentes Oct 27 06:32:55 bah mercredi on a eu un ddos sur xname en icmp type 0 Oct 27 06:33:04 ca a duré 1h est c'est passé Oct 27 06:33:05 la... Oct 27 06:33:14 ca doit être de putains de botnets de merde Oct 27 06:33:20 qui nous casse les pieds Oct 27 07:02:12 bon Oct 27 07:02:13 y a un des connard qui emmerde xname qui est : 213.148.160.20 20.160.148.213.in-addr.arpa domain name pointer dc.natm.ru. Oct 27 07:02:32 340352 packets en 5 minutes Oct 27 07:03:39 Xname est down because DDoS depuis hier soir 19h Oct 27 07:08:22 non en fait... je suis aussi l'admin du reéseau kheops qui herge kazar et xname Oct 27 07:08:32 et ca c'est les traces netflow Oct 27 07:08:40 # bgpctl sh ip bgp as 16301 Oct 27 07:08:40 flags: * = Valid, > = Selected, I = via IBGP, A = Announced Oct 27 07:08:40 origin: i = IGP, e = EGP, ? = Incomplete Oct 27 07:08:40 flags destination gateway lpref med aspath origin Oct 27 07:08:40 *> 84.242.192.0/18 213.163.173.46 100 0 20917 3257 25462 8997 16301 i Oct 27 07:08:40 *> 213.148.160.0/19 213.163.173.46 100 0 20917 3257 25462 8997 16301 i Oct 27 07:08:49 vu qu'ils ont deux subnet Oct 27 07:09:00 je vais refuser toute annonce de l'as16301 Oct 27 07:09:03 et on verra Oct 27 11:29:45 vt: j'ai 30Mbps qui vient de ces ips : 211.226.22.39, 219.138.151.156, 124.101.96.180, 58.70.87.229, 61.208.120.76, 219.134.185.188, 193.255.70.128, 70.83.237.133 Oct 27 11:50:09 Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows Oct 27 11:50:09 2006-10-27 17:30:00.000 299.000 UDP 211.226.22.39:2344 -> 195.234.42.1:53 ...... 0 590592 333.7 M 1975 8.9 M 592 4614 Oct 27 11:50:10 2006-10-27 17:30:00.000 299.000 UDP 219.138.151.156:36082 -> 195.234.42.1:53 .AP... 0 291200 165.8 M 973 4.4 M 597 2275 траффик на графе (у меня граф на другом компьюторе - я тебя сдаю) : 680 Mbit/s Я отправил E-mail админа natm.ru и мне сказали : « From: "Sergey Goncharov" Subject: Re: DDoS na XName Добрый день, Василий. Да, мы в Источник уже локализован. Приносим извинения за беспокойство. С уважением, Сергей Гончаров ООО "Новгород Дейтаком", системный администратор » на приватний канал IRC где я бывал, а сотовой админитратор сказал :

Oct 27 06:14:29 xname : dead
Oct 27 06:15:09 DDoS depuis hier
Oct 27 06:15:20 dès qu’on essaye de remttre les NS up on se fait DDoS
Oct 27 06:16:21 UDP flood sur le port 53 des deux NS
Oct 27 06:16:46 donc clairement non filtrable
Oct 27 06:17:01 sur 10000 à 30000 ip sources différentes
Oct 27 06:32:55 bah mercredi on a eu un ddos sur xname en icmp type 0
Oct 27 06:33:04 ca a duré 1h est c’est passé
Oct 27 06:33:05 la…
Oct 27 06:33:14 ca doit être de putains de botnets de merde
Oct 27 06:33:20 qui nous casse les pieds
Oct 27 07:02:12 bon
Oct 27 07:02:13 y a un des connard qui emmerde xname qui est : 213.148.160.20

20.160.148.213.in-addr.arpa domain name pointer dc.natm.ru.

Oct 27 07:02:32 340352 packets en 5 minutes
Oct 27 07:03:39 Xname est down because DDoS depuis hier soir 19h
Oct 27 07:08:22 non en fait… je suis aussi l’admin du reéseau kheops qui herge kazar et xname
Oct 27 07:08:32 et ca c’est les traces netflow
Oct 27 07:08:40 # bgpctl sh ip bgp as 16301
Oct 27 07:08:40 flags: * = Valid, > = Selected, I = via IBGP, A = Announced
Oct 27 07:08:40 origin: i = IGP, e = EGP, ? = Incomplete
Oct 27 07:08:40 flags destination gateway lpref med aspath origin
Oct 27 07:08:40 *> 84.242.192.0/18 213.163.173.46 100 0 20917 3257 25462 8997 16301 i
Oct 27 07:08:40 *> 213.148.160.0/19 213.163.173.46 100 0 20917 3257 25462 8997 16301 i
Oct 27 07:08:49 vu qu’ils ont deux subnet
Oct 27 07:09:00 je vais refuser toute annonce de l’as16301
Oct 27 07:09:03 et on verra
Oct 27 11:29:45 vt: j’ai 30Mbps qui vient de ces ips : 211.226.22.39, 219.138.151.156, 124.101.96.180, 58.70.87.229, 61.208.120.76, 219.134.185.188, 193.255.70.128, 70.83.237.133
Oct 27 11:50:09 Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
Oct 27 11:50:09 2006-10-27 17:30:00.000 299.000 UDP 211.226.22.39:2344 -> 195.234.42.1:53 …… 0 590592 333.7 M 1975 8.9 M 592 4614
Oct 27 11:50:10 2006-10-27 17:30:00.000 299.000 UDP 219.138.151.156:36082 -> 195.234.42.1:53 .AP… 0 291200 165.8 M 973 4.4 M 597 2275

траффик на графе (у меня граф на другом компьюторе - я тебя сдаю) : 680 Mbit/s

Я отправил E-mail админа natm.ru и мне сказали :
«
From: “Sergey Goncharov”
Subject: Re: DDoS na XName

Добрый день, Василий.

Да, мы в
Источник уже локализован.

Приносим извинения за беспокойство.

С уважением, Сергей Гончаров
ООО “Новгород Дейтаком”, системный администратор
»

]]> By: chronos http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-119 chronos Tue, 02 Jan 2007 10:44:32 +0000 http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-119 А где об этом сообщали? Я бы добавил сюда подробности... А где об этом сообщали? Я бы добавил сюда подробности…

]]> By: Василий Борисович Черский http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-118 Василий Борисович Черский Mon, 01 Jan 2007 23:32:36 +0000 http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html#comment-118 Кстати, они флудировали Xname из российской ISP в Красноярске :/ Кстати, они флудировали Xname из российской ISP в Красноярске :/

]]>