03 Jul

Dealing with DDOS
June 21st, the NOC was jarred into action. Two minutes earlier, as if by chance, discussions had focused on how calmly traffic was flowing within our Network. It's as if the Internet pirates, bots, trojans and the Gods of War themselves had finally reached the end of their reign. Peace among us all, finally allowing us fleshies (yes, I'm talking about you) the pleasure of carrying out our endeavors: searching, googling, torrenting, our daily porn... um, I mean gaming, ebaying, blogging, chatting, and all of our other *@%!-ing needs.
Of course the dread of reality and the scorn of the Internet were soon upon us. It's impossible to fully understand why these bots and malicious bytes exist.

  • Were they all planted to lie dormant for a random amount of time by some 9 year old kid who decided to take it out on the innocent ones because his/her (we don't discriminate :) frag count was just too low?
  • Were they accidentally awakened by the ever curious Ad Clicker (we all know we've clicked on a few ourselves), or by the procrastinator in all of us, who puts off those software updates until later, leaving a gaping hole for a silent takeover?
  • Or were they maliciously set loose, as if someone playing master was watching his/her minions run around, attacking at random, just grinning with pleasure?

These questions become irrelevant when trying to curb these attacks on the components of the Internet, the websites and computers we've grown so accustomed to. It's a flat out war, and a hard fought battle which rages on for what seems like every minute of every day. What's even more frustrating at times is that as quickly as these bots and attacks appear, they also tend to disappear, almost without a trace.

It's exactly these bots, all orchestrated into a large attack (a Denial of Service attack, to be exact), which began striking that June 21st afternoon. At first the signs were not clear, as if a part of us was unwilling to give up on our earlier daydream. It was a quick glance at the alerts, thresholds and traffic patterns which jarred us back into reality and into action.

Traffic was on the rise at an alarming rate, entering the Network via various vantage points, including both upstreams and peers.

Traffic was high in bandwidth and moderate in packets per second, and saturation seemed inevitable, but was not an option. Among our weapons of choice, packet flows and various detection methods gathered over years of patrolling and curbing such attacks, we were narrowing in on this attack. Quick analysis of the attack gave us the following facts:

  1. UDP protocol based, from random source ports and multiple source IPs, to random destination ports on a single target or destination IP, which meant a nightmare of contacting sources would ensue. Although the sources may have been spoofed, all "whois" info correlated to a specific region of the Earth. Without crossing any lines or great "walls", I think it's safe to assume we all know where the Internet Beast likes to launch its attacks from.
  2. Ingress points were from all over the globe, as shown in the graphs. The largest of these were:
     Amsterdam 200Mbps, 50Kpps
     LA 600Mbps, 100Kpps
     NYC 800Mbps, 50Kpps
     London 150Mbps, 25Kpps
     (Not including the numerous smaller hits, which brought the totals to well over 1750Mbps and 225Kpps, well over what most providers and links could carry on their own.)
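The two facts above (a UDP flood from many sources and random ports onto one destination IP, with the volume spread across several ingress points) are the kind of thing a NOC pulls out of flow records. The following is an added illustration, not Peer1's tooling or anything from the original post: it builds a set of constructed NetFlow-style records (using the RFC 5737 documentation address ranges, so no real hosts are named), checks a destination for the "UDP, many sources, many destination ports" signature, and aggregates Mbps and Kpps per ingress point over a one-second window so the per-site and total figures can be compared against link capacity. The ingress labels, thresholds and traffic volumes are all assumptions chosen for the example.

```python
"""Flow-based profiling of a UDP flood (constructed example, not Peer1's code)."""
from collections import defaultdict
from dataclasses import dataclass
import random

VICTIM = "198.51.100.10"   # constructed target IP (RFC 5737 TEST-NET-2)
WEB_HOST = "198.51.100.20" # constructed benign destination on the same network


@dataclass(frozen=True)
class Flow:
    ingress: str      # constructed label for the router/PoP the flow entered on
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes_: int


def build_sample_flows(seed=1):
    """Constructed one-second flow sample: a flood onto VICTIM plus some benign web traffic."""
    rng = random.Random(seed)  # fixed seed keeps the sample reproducible
    flows = []
    # Attack traffic: many (possibly spoofed) sources, random source and destination
    # ports, one destination. Flow counts per ingress are assumptions for the example.
    for ingress, count in (("AMS", 40), ("LAX", 120), ("NYC", 160), ("LON", 30)):
        for _ in range(count):
            flows.append(Flow(ingress, "UDP",
                              f"203.0.113.{rng.randrange(1, 255)}",  # TEST-NET-3 sources
                              rng.randrange(1024, 65535),
                              VICTIM,
                              rng.randrange(1, 65535),
                              packets=500, bytes_=250_000))
    # Benign HTTPS traffic to a different host, so the profiler has something to ignore.
    for i in range(20):
        flows.append(Flow("NYC", "TCP", f"192.0.2.{i + 1}", 50_000 + i,
                          WEB_HOST, 443, packets=40, bytes_=30_000))
    return flows


def profile_target(flows, dst_ip, min_sources=50, min_dst_ports=50):
    """Does traffic towards dst_ip match 'UDP from many sources to many random ports'?"""
    to_target = [f for f in flows if f.dst_ip == dst_ip]
    udp = [f for f in to_target if f.proto == "UDP"]
    src_ips = {f.src_ip for f in udp}
    dst_ports = {f.dst_port for f in udp}
    src_ports = {f.src_port for f in udp}
    return {
        "udp_share": len(udp) / len(to_target) if to_target else 0.0,
        "distinct_src_ips": len(src_ips),
        "distinct_src_ports": len(src_ports),
        "distinct_dst_ports": len(dst_ports),
        # Thresholds are assumptions; a real deployment tunes them per link.
        "flood_signature": bool(udp)
                           and len(src_ips) >= min_sources
                           and len(dst_ports) >= min_dst_ports,
    }


def per_ingress_rates(flows, dst_ip, window_seconds=1.0):
    """Return ({ingress: (Mbps, Kpps)}, (total_Mbps, total_Kpps)) for traffic to dst_ip."""
    totals = defaultdict(lambda: [0, 0])  # ingress -> [bytes, packets]
    for f in flows:
        if f.dst_ip == dst_ip:
            totals[f.ingress][0] += f.bytes_
            totals[f.ingress][1] += f.packets
    rates = {ing: (b * 8 / 1e6 / window_seconds, p / 1e3 / window_seconds)
             for ing, (b, p) in totals.items()}
    all_bytes = sum(v[0] for v in totals.values())
    all_packets = sum(v[1] for v in totals.values())
    return rates, (all_bytes * 8 / 1e6 / window_seconds, all_packets / 1e3 / window_seconds)


def saturates_link(total_mbps, link_mbps=1000.0):
    """True when the aggregate exceeds the capacity of the link the target sits on."""
    return total_mbps > link_mbps


if __name__ == "__main__":
    sample = build_sample_flows()
    print("profile:", profile_target(sample, VICTIM))
    rates, total = per_ingress_rates(sample, VICTIM)
    for ingress, (mbps, kpps) in sorted(rates.items(), key=lambda kv: -kv[1][0]):
        print(f"{ingress}: {mbps:.0f} Mbps, {kpps:.0f} Kpps")
    print(f"total: {total[0]:.0f} Mbps, {total[1]:.0f} Kpps; "
          f"saturates 1G link: {saturates_link(total[0])}")
```

Running the script profiles the constructed victim as a flood and the benign web host as not, and prints the per-ingress breakdown; on real NetFlow/sFlow exports the same two functions would run over the collector's records rather than the constructed sample.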

The innocent target IP was assigned to a device off a Gig link in the North Eastern quadrant of the Network. The device, tagged with its own IP, was very nearly denied its right to sit among the thousands upon thousands of websites on the Web. It was simply not powerful enough to hold back such a large attack.

In this case, the attack succeeded in attaining its goal indirectly. For the greater good of the Network, and of the other sites that share the same Network, the site and its IP had to be black holed. This in effect turned its lights out. Yes, it neutralized the effect of the attack, but it also let the attackers succeed in their goal, as the website was in effect brought down intentionally.

Without adequate protection, this is more often than not the only choice. It's the same as unplugging the server/computer/website completely.

It is at these times that we feel powerless:

  1. At times we are at the mercy of the equipment, where the attack directly affects the site, causing the server to die under the strain.
  2. It doesn't help that when tracking the sources, the source IPs of these attacks are spoofed / faked, so it is not possible to accurately judge where the attack truly originated from.
  3. It also doesn't help that the public "whois" information is often completely inaccurate, providing no usable details and no hope of reaching the source of the attack.
  4. The source IP is in a remote part of the world, and the language barrier stops all hope of reaching a resolution, or politics allow a safe haven to protect these spawn points of attacks.

Oh well. Battles are fought on a daily basis. It's just a matter of fact that some are lost and some are won. That is, without the right protection, which is where YPigsFly fits in. YPigsFly allows the fight to be taken to new levels, where losing is a thing of the past, and winning is the only option.

Martin Salovsky 
Network analyst 
Peer1 Network Operations Center
  Tuesday, 06. January 2009