DoS Attack on mail.rollernet.us (Sep. 3, 2008)

Historical archive of system events. These events are posted for reference purposes only.
RollerNetSupport
Site Admin
Posts: 850
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada
Contact:

Post by RollerNetSupport » Wed Sep 03, 2008 12:43 pm

We are currently investigating a possible denial of service attack against our network. Details will be posted as they become available.

http://status.rollernet.us/
Last edited by RollerNetSupport on Wed Sep 03, 2008 4:37 pm, edited 5 times in total.
Technical Support support@rollernet.us
Roller Network LLC

Post by RollerNetSupport » Wed Sep 03, 2008 1:16 pm

Our initial netflow searching reveals that traffic from Postini may be the culprit. We are going to null-route 207.126.150.0/24 and see if that makes a difference.
Last edited by RollerNetSupport on Wed Sep 03, 2008 4:35 pm, edited 1 time in total.

Post by RollerNetSupport » Wed Sep 03, 2008 1:26 pm

Null routing Postini resulted in an immediate drop in traffic. All traffic was directed to mail.rollernet.us.

Post by RollerNetSupport » Wed Sep 03, 2008 1:30 pm

Mail server "mail.rollernet.us" is busy catching up on the incoming queue backlog.

Post by RollerNetSupport » Wed Sep 03, 2008 1:46 pm

Refining our netflow search a bit, the top talkers during the DoS period were all Postini mail servers:

TCP    207.126.150.132:0     ->     208.79.240.2:25
TCP    207.126.150.130:0     ->     208.79.240.2:25
TCP    207.126.150.133:0     ->     208.79.240.2:25
TCP    207.126.150.125:0     ->     208.79.240.2:25
TCP    207.126.150.129:0     ->     208.79.240.2:25
TCP    207.126.150.128:0     ->     208.79.240.2:25
TCP    207.126.150.126:0     ->     208.79.240.2:25
TCP    207.126.150.127:0     ->     208.79.240.2:25
TCP    207.126.150.124:0     ->     208.79.240.2:25

We have reported this to Postini and will continue to null route 207.126.150.0/24 until we hear back from them.
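Added example, not code from the thread or from Roller Network: it parses flow lines in the layout shown above, ranks the sources by /24, and reports a prefix as a null-route candidate only when that one prefix dominates the traffic to the mail server, which is the check behind the decision in the post. The sample records are constructed from the addresses quoted above plus one unrelated source for contrast; the function names and the 50% threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same "PROTO src:port -> dst:port" layout as the
# netflow listing in the thread, plus one unrelated source (198.51.100.7).
FLOW_RECORDS = """\
TCP    207.126.150.132:0     ->     208.79.240.2:25
TCP    207.126.150.130:0     ->     208.79.240.2:25
TCP    207.126.150.133:0     ->     208.79.240.2:25
TCP    207.126.150.125:0     ->     208.79.240.2:25
TCP    207.126.150.129:0     ->     208.79.240.2:25
TCP    198.51.100.7:41022    ->     208.79.240.2:25
"""

FLOW_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match the layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(m.groupdict())
    return flows


def top_talkers_by_prefix(flows, dst, dport, prefixlen=24):
    """Count flows towards dst:dport per source /prefixlen network, busiest first."""
    counts = Counter()
    for f in flows:
        if f["dst"] == dst and f["dport"] == str(dport):
            net = ipaddress.ip_network(f"{f['src']}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return counts.most_common()


def null_route_candidate(flows, dst, dport, share=0.5):
    """Return the single /24 carrying at least `share` of the flows, else None.
    A blackhole route is only justified when one prefix clearly dominates."""
    ranked = top_talkers_by_prefix(flows, dst, dport)
    total = sum(n for _, n in ranked)
    if ranked and ranked[0][1] / total >= share:
        return ranked[0][0]
    return None
```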

Post by RollerNetSupport » Wed Sep 03, 2008 1:58 pm

We are continuing to investigate this attack since it resulted in loss of service of "mail.rollernet.us" and network congestion for all of our other services.

Post by RollerNetSupport » Wed Sep 03, 2008 3:28 pm

We have finally discovered the source (a Postini customer) and notified them.

We're going to try just blocking the source domain at the mail server level and remove the null route in our network core. This is preferred since we don't wish to block legitimate mail from Postini.

Post by RollerNetSupport » Wed Sep 03, 2008 4:26 pm

Traffic patterns continue to appear normal. Here's what our traffic looked like today:

(Image: traffic graph for Sep. 3, 2008)

The big green abnormal spike after Wed 12:00 is mostly a SYN flood. The impact was amplified by one of our BGP peers bouncing due to hold timer expiration. Following countermeasures, ingress traffic returned to normal, and the two blue spikes are the mail server catching up with pending mail.