With a couple of the RBLs being shut down I was wondering just how bad they
were being hit; I think I understand why they were forced to close their
doors now.
Wednesday night at 11pm one of my servers began being DDoS'd... I was out
and got alerts that my networks were offline. I checked and it seemed the
whole county link was offline so I dismissed it figuring my upstream would
have it resolved by morning and went to sleep. By morning nothing was
different; by noon on Thursday still nothing was working. I called my upstream
and they said they were still trying to figure it out.
FYI my upstream is Sprint; we lease 2 T1s from them and they have a DS3
from here (NW Florida, Pensacola - Panama City area) to Tallahassee.
Not sure what Tallahassee has for an uplink, or if they peer to multiple
sources at that point or what.
Around 1-2pm Sprint had gotten their links back up and shut down all of my
links, as well as blocked all of my network blocks in their border routers
with null routes.
All they were telling me at this point was that the failure was related to my
links and thus I was shut down.
I went about pulling my bandwidth reports and saw that I jumped from 30%
usage at 11pm to 100% usage in a matter of minutes (only 3 Mb, I know, not
much) and stayed pegged until around 8am, which is when I guess Sprint just
shut down completely trying to identify it.
As of 4pm Thursday Sprint said the attack was ongoing. We figured out which
IP was being targeted and they lifted all of my blocks and just left a null
route for that single IP.
They confirmed the attack was from a multitude of different sources.
I'm not even sure why my server was targeted, but if someone was able to
crash Sprint's NW Florida network because they were targeting one of my
servers I can imagine what the RBL operators felt like. (Not saying Sprint
is even any good either, they always seem to have trouble figuring out why
their shit is down, but they are a backbone provider.)
Now if only I hadn't purged my firewall logs by accident yesterday
morning I could at least have an idea of what kind of info was being flooded
across my network.
I will be glad to see a distributed RBL network of some sort in the future;
I don't see how anyone running a free RBL server would be able to sustain
such an attack.
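The bandwidth-report pattern described above (a jump from roughly 30% to 100% within minutes, then hours pegged until the upstream pulls the links) is the kind of thing a small monitoring script can alert on before the upstream's null routes do. The following is an added example, not the poster's tooling or anything from Sprint; the 3 Mb/s capacity is an assumption taken from the "3 Mb" figure in the post, the 5-minute throughput samples and the dates are constructed, and the thresholds are illustrative.

```python
"""Flag sudden, sustained saturation of a small WAN link from throughput samples.

Added illustration (not the post author's code).  Assumptions: link capacity of
3 Mb/s (two T1s), 5-minute polling samples, and the thresholds below.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

LINK_CAPACITY_BPS = 3_000_000          # assumed: two T1s, roughly 3 Mb/s
SATURATED_PCT = 95.0                   # "pegged" once utilisation is above this
BASELINE_PCT = 50.0                    # reading that counts as normal load
JUMP_WINDOW = timedelta(minutes=5)     # rise from baseline must fit in this window
MIN_DURATION = timedelta(minutes=15)   # ignore bursts shorter than this


@dataclass
class Sample:
    ts: datetime
    bps: float

    @property
    def pct(self) -> float:
        return 100.0 * self.bps / LINK_CAPACITY_BPS


def find_saturation_events(samples):
    """Return (start, end, pct_before) for every saturation that begins with an
    abrupt jump from a baseline reading and lasts at least MIN_DURATION.
    Samples must be sorted by timestamp."""
    events = []
    i, n = 0, len(samples)
    while i < n:
        s = samples[i]
        if s.pct < SATURATED_PCT:
            i += 1
            continue
        # Look back within JUMP_WINDOW for a normal reading: that is the "jump".
        before = None
        j = i - 1
        while j >= 0 and s.ts - samples[j].ts <= JUMP_WINDOW:
            if samples[j].pct <= BASELINE_PCT:
                before = samples[j].pct
                break
            j -= 1
        # Extend over every consecutive saturated sample.
        k = i
        while k + 1 < n and samples[k + 1].pct >= SATURATED_PCT:
            k += 1
        if before is not None and samples[k].ts - s.ts >= MIN_DURATION:
            events.append((s.ts, samples[k].ts, before))
        i = k + 1
    return events


def constructed_samples():
    """Build a 5-minute series resembling the post's graph (constructed data;
    the date is a placeholder).  Includes a single-sample burst at 20:30 that
    the MIN_DURATION filter should discard."""
    t = datetime(2003, 1, 1, 20, 0)
    end = datetime(2003, 1, 2, 9, 0)
    out = []
    while t <= end:
        if t == datetime(2003, 1, 1, 20, 30):
            bps = 2_900_000            # short burst, not an attack
        elif t < datetime(2003, 1, 1, 23, 5):
            bps = 900_000              # ~30% normal load
        elif t < datetime(2003, 1, 2, 8, 0):
            bps = 3_000_000            # pegged at 100% overnight
        else:
            bps = 0                    # upstream pulled the links at 08:00
        out.append(Sample(t, bps))
        t += timedelta(minutes=5)
    return out


def describe(events):
    """Human-readable lines for an alert or a ticket to the upstream."""
    return [
        f"saturation {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M} "
        f"(was {before:.0f}% just before, lasted {end - start})"
        for start, end, before in events
    ]


if __name__ == "__main__":
    for line in describe(find_saturation_events(constructed_samples())):
        print(line)
```

The look-back window is what separates a flood from a slow, organic climb to capacity: a legitimate backup job ramps up over many samples, whereas the post's graph went from 30% to pegged within one or two polling intervals. Keeping the per-interface counters and the firewall logs from that window is what lets the targeted IP be identified without waiting for the upstream to do it.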