- To: email@example.com, firstname.lastname@example.org, email@example.com
- Subject: Outage...
- From: Robert Dinse <firstname.lastname@example.org>
- Date: Wed, 27 Oct 1999 19:00:03 -0700 (PDT)
- Resent-Date: Wed, 27 Oct 1999 19:33:35 -0700
- Resent-From: email@example.com
- Resent-Message-ID: <"xguoG.0.-A.-Nx5u"@mx1>
- Resent-Sender: firstname.lastname@example.org

The outage from about 3pm-6pm PST was caused by a packet flood that is absolutely the most vicious I've ever seen. It was a UDP flood which had a forged source address that was random in the range of class C's from 192.x.x.x to 224.x.x.x, the destination address was random within our address space, the source port was random, the destination port was 53 (DNS), and the length of the packet was random, so there was absolutely no attribute one could filter on without ruining name service.

The attack lasted in excess of three hours, and strangely it stopped the very instant tickets were generated by Sprint. The volume of the attack was not sufficient to overwhelm our T1's, but it seemed to make everything unreachable even by IP, and that remained the case even after the attack and was restored by rebooting the router. I have never before had this router lock up, crash, or die, and in fact it wasn't locked up then; it just stopped routing traffic. And then to add insult to injury, when I did boot, for some reason the damned router reverted to old data. I have no idea why or how it did this.

So for eskimo customers, that's why nothing was talking from about 3pm-6pm, and for IRC users, that's why services and irc.eskimo.com were unavailable during that time frame.

If someone out there, an ISP, might be willing to consider providing secondary DNS for our domains (about 1000 zones), so that we can get some DNS redundancy to provide some protection from this sort of thing, I would be interested in talking to you.
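
An added example, not part of the original message: when every field of a flood is randomized there is no static value to match, but the randomness itself can be measured for detection. The Python below scores inbound UDP/53 flow records by the normalized entropy of their source and destination addresses; the prefix 203.0.113.0/24, the thresholds and all sample records are constructed assumptions.

```python
import ipaddress
import math
import random
from collections import Counter

LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")  # placeholder for "our address space"

def norm_entropy(values, space):
    """Shannon entropy of values, scaled to 0..1 by the most it could be."""
    n = len(values)
    limit = min(n, space)
    if limit < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(limit)

def flood_metrics(packets, net=LOCAL_NET):
    """packets: (src, dst, sport, dport, length) tuples for inbound UDP."""
    dns = [p for p in packets if p[3] == 53 and ipaddress.ip_address(p[1]) in net]
    return {
        "count": len(dns),
        "src_entropy": norm_entropy([p[0] for p in dns], 2 ** 32),
        "dst_entropy": norm_entropy([p[1] for p in dns], net.num_addresses),
    }

def looks_like_flood(packets, net=LOCAL_NET, threshold=0.9, min_packets=500):
    """True when enough port-53 traffic has near-maximal address entropy."""
    m = flood_metrics(packets, net)
    return (m["count"] >= min_packets and m["src_entropy"] >= threshold
            and m["dst_entropy"] >= threshold)

def constructed_flood(n=2000, seed=1):
    """Constructed sample with the attributes the message lists."""
    rng = random.Random(seed)
    lo, hi = int(ipaddress.ip_address("192.0.0.0")), int(ipaddress.ip_address("223.255.255.255"))
    return [(str(ipaddress.ip_address(rng.randint(lo, hi))),
             str(LOCAL_NET[rng.randrange(LOCAL_NET.num_addresses)]),
             rng.randint(1024, 65535), 53, rng.randint(28, 1500)) for _ in range(n)]

def constructed_normal(n=2000, seed=2):
    """Constructed baseline: 20 resolvers querying two name servers."""
    rng = random.Random(seed)
    resolvers = [f"198.51.100.{i}" for i in range(1, 21)]
    servers = [str(LOCAL_NET[2]), str(LOCAL_NET[3])]
    return [(rng.choice(resolvers), rng.choice(servers),
             rng.randint(1024, 65535), 53, rng.randint(40, 120)) for _ in range(n)]
```

A high score flags the window for an operator or upstream provider; it does not by itself separate forged packets from legitimate queries.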