Eskimo North



     The outage from about 3pm-6pm PST was caused by a packet flood that is
absolutely the most vicious I've ever seen.

     It was a UDP flood which had a forged source address that was random in
the range of class C's from 192.x.x.x to 224.x.x.x, the destination address was
random within our address space, the source port was random, the destination
port was 53 (DNS), and the length of the packet was random, so there was
absolutely no attribute one could filter on without ruining name service. 

     The attack lasted in excess of three hours, and strangely it stopped the
very instant tickets were generated by Sprint.

     The volume of the attack was not sufficient to overwhelm our T1's but it
seemed to make everything unreachable even by IP, and that remained the case
even after the attack and was restored by rebooting the router.  I have never
before had this router lock up, crash, or die, and in fact it wasn't locked up
then; it just stopped routing traffic.

     And then, to add insult to injury, when I did boot, for some reason the
damned router reverted to old data.  I have no idea why or how it did this.

     So for eskimo customers, that's why nothing was talking from about
3pm-6pm, and for IRC users, that's why services and were
unavailable during that time frame. 

     If someone out there, an ISP, might be willing to consider providing
secondary DNS for our domains (about 1000 zones), so that we can get some DNS
redundancy to provide some protection from this sort of thing, I would be
interested in talking to you.
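
Added example, not part of the original post: a sketch of how the traffic pattern described above (random forged sources, random targets inside one address space, destination port 53) shows up in flow records as per-field spread, even though no single field value can be filtered on. The tuple layout, thresholds, function names and the 198.51.100.0/24 and 203.0.113.0/24 addresses are assumptions, and all sample traffic is constructed.

```python
import math
import random
from collections import Counter

def spread(values):
    """Shannon entropy of `values`, normalised to 0..1 by log2(sample count)."""
    n = len(values)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)

def profile_dns(packets):
    """Per-field spread of packets to port 53; packets are (src, sport, dst, dport, length)."""
    dns = [p for p in packets if p[3] == 53]
    fields = {"src": 0, "sport": 1, "dst": 2, "length": 4}
    return {name: spread([p[i] for p in dns]) for name, i in fields.items()}

def looks_like_random_flood(packets, src_min=0.9, dst_min=0.5):
    """True when sources are almost all unique and targets are scattered across our hosts."""
    prof = profile_dns(packets)
    return prof["src"] >= src_min and prof["dst"] >= dst_min

def constructed_samples(n=500, seed=1):
    """Constructed traffic: (normal, flood). 198.51.100.0/24 stands in for 'our' space."""
    rng = random.Random(seed)
    resolvers = ["203.0.113.%d" % i for i in range(1, 21)]   # a few repeat clients
    servers = ["198.51.100.1", "198.51.100.2"]               # the real name servers
    normal = [(rng.choice(resolvers), rng.randint(1024, 65535), rng.choice(servers),
               53, rng.randint(40, 80)) for _ in range(n)]
    # Flood as described in the post: every field random except destination port 53.
    flood = [("%d.%d.%d.%d" % (rng.randint(192, 224), rng.randint(0, 255),
                               rng.randint(0, 255), rng.randint(0, 255)),
              rng.randint(0, 65535), "198.51.100.%d" % rng.randint(1, 254),
              53, rng.randint(28, 1500)) for _ in range(n)]
    return normal, flood

if __name__ == "__main__":
    normal, flood = constructed_samples()
    for name, pkts in (("normal", normal), ("flood", flood)):
        print(name, {k: round(v, 2) for k, v in profile_dns(pkts).items()},
              looks_like_random_flood(pkts))
```

Source-port and length spread are reported but not used in the decision, since ordinary resolvers may also randomise them.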