FS#8120 — FS#11995 — internal DDoS

Attached to Project— Network
Incident
the whole network
CLOSED
100%
We have a congestion problem on the internal network
due to the hack of hundreds of dedicated servers which are attacking
many internal targets. Overall, the hack generated 100Gbps
of traffic between RBX (source) and BHS (target)

input 35.22 Gbps
output 71.21 Gbps


The detection of the hacked servers which are participating
in the attack is done automatically, but it is too
slow given the number of hacked servers.


We cut the traffic between RBX and the internal
network, which is why the attack goes out by the public
network. So no more congestion.
However, the IPs which go through the VAC are having
a loop.



We put back the internal network. 70Gbps remains.

input 26.49 Gbps
output 43.17 Gbps
Date:  Monday, 10 November 2014, 10:43AM
Reason for closing:  Done
Comment by OVH - Sunday, 09 November 2014, 20:32PM

We are still interrupting the hacked servers.
There is no congestion anymore.
The VAC is operational.


Comment by OVH - Sunday, 09 November 2014, 20:36PM

We put in DPI the 2 IPs which are controlling the attack
to find all the other IPs which are still sending the packets.
And we are comparing with the anti-hack system. We find the same
hacked servers (ouch). The problem comes from the speed
of handling of the rescue mode of the attacking servers.


We are going to review the system starting from Monday.
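
The cross-check described in the comment above (hosts seen talking to the controlling IPs, compared with what the automated system already flagged), as an added example that is not OVH's code. The flow records, addresses (documentation ranges) and the `ANTI_HACK_FLAGGED` set are constructed; hosts are ordered by bytes sent so the heaviest senders are handled first.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (src, dst, bytes); all addresses are documentation ranges.
FLOWS_CSV = """src,dst,bytes
198.51.100.10,192.0.2.1,1200
198.51.100.10,203.0.113.5,900000000
198.51.100.11,192.0.2.2,800
198.51.100.11,203.0.113.6,400000000
198.51.100.12,203.0.113.5,50000
198.51.100.13,192.0.2.1,700
198.51.100.13,203.0.113.5,1500000000
"""

# Placeholders standing in for the 2 controlling IPs mentioned in the comment.
CONTROLLERS = {"192.0.2.1", "192.0.2.2"}
# Hypothetical output of the automated detection system.
ANTI_HACK_FLAGGED = {"198.51.100.10", "198.51.100.11"}


def correlate(flows_csv, controllers, flagged):
    """Return (queue, missed).

    queue:  hosts that exchanged traffic with a controller, heaviest senders first
    missed: the subset of queue the automated system had not flagged
    """
    contacted = set()
    sent = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flows_csv)):
        src, dst = row["src"], row["dst"]
        if dst in controllers:        # host -> controller
            contacted.add(src)
        elif src in controllers:      # controller -> host
            contacted.add(dst)
        else:                         # everything else counts as attack/normal volume
            sent[src] += int(row["bytes"])
    queue = sorted(contacted, key=lambda h: sent[h], reverse=True)
    missed = [h for h in queue if h not in flagged]
    return queue, missed


if __name__ == "__main__":
    queue, missed = correlate(FLOWS_CSV, CONTROLLERS, ANTI_HACK_FLAGGED)
    print("isolation order:", queue)
    print("not yet flagged:", missed)
```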


Comment by OVH - Monday, 10 November 2014, 10:37AM

Fewer than 1,000 dedicated servers
participated in the attack. A dozen
IP DST were the targets.

There are still about 150 servers closed.


Comment by OVH - Monday, 10 November 2014, 10:39AM

We have identified a new series of hacked servers that took part in the attack. We are currently blocking these machines (around 500 machines).


Comment by OVH - Monday, 10 November 2014, 10:43AM

All servers that participated in the attack are
in rescue and customers have been contacted. The servers
were hacked as root with the shellshock hack (bash).
In all, 800 servers were involved in the attack
this morning, generating over 120Gbps peak in the
internal network. We have 60Gbps between EU and BHS
and that is what caused the congestion. Obviously it is
time to go to 2x100G on the private network between
Europe and Canada.