Update on the botnet attack of February 7, 2013

We’re starting to get things under control. We’ve blocked 2832 unique ip addressess so far. We’re continuing to monitor the situation and isolate the customers who were affected by this, from the customer who was being attacked. 

What we know so far

  1. A customer’s website is under a botnet attack, where we are seeing 190,000 requests/second made to one ip address. 
  2. These requests seem to be coming from about 3000 unique ip addresses.
  3. Our firewall was reaching a CPU max of about 90% while this was happening, our alarms go off when it hits 51%. 
  4. Blocking all 3000 ips on the firewall is not a good idea, so we’ve “null routed” the destination ip address. 

What are we doing to bring customers back?

  1. We are assigning new ips to the affected customers (several hundred) who shared the same ip address with this customer.
  2. If we control your dns, this change will happen within the next 30 minutes. If we don’t, we’ll be contacting you to let you know what the ip address should be. 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s