DDoS attack on 78.129.133.15

[eUKhost.com]

Right now we are dealing with Severe DDoS attack on 78.129.133.15 and all efforts to filter this inbound traffic have failed.

We are replacing main IP of the server right now so all website hostings hosted on this server should be online within an hour.

[detordiggei]

The server is up but the Ip's are still down here so web domains are not viewable yet, today was an hard day for both you and us! Sob

[Rock]

Apologies for not keeping you updated regarding the server status. It was indeed a hard day for all of us. All the website hostings are back online at the moment with a new IP : 78.129.133.118. The server will be put behind a hardware firewall within few days to avoid such future attacks & to keep the attackers at bay. Please place a ticket to our support dept 'windows@eukhost.com' if you still have any issues with your website hosting.

[suziq]

so are all website hostings back up and running now?

[DPS Computing]

I assume so seen as though the IP has been replaced. Sorry to hear about the attack .

[Rock]

so are all website hostings back up and running now?

Yes, all the website hostings are back online & running. If your scripts use the old IP in them (eg: database connection strings), the scripts will not be able to connect to the database. In that case please have them changed with the new IP [78.129.133.118], or let us know & we'll get it fixed for you.

[swexpert]

How much was the traffic and from what regions, if i may know? Was the target a single machine? Why aren't all you machines behind hardware firewalls?

Regds
IJ

[Durchbrechen]

Even my one is down now : 78.129.128.20


[paolo@linux ~]$ ping -c8 durchbrechen.com
PING durchbrechen.com (78.129.128.20) 56(84) bytes of data.

--- durchbrechen.com ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7010ms

[paolo@linux ~]$ ping -c8 eukhost.com
PING eukhost.com (87.117.224.51) 56(84) bytes of data.
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=1 ttl=53 time=66.9 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=2 ttl=53 time=67.3 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=3 ttl=53 time=66.6 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=4 ttl=53 time=67.0 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=5 ttl=53 time=66.8 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=6 ttl=53 time=68.7 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=7 ttl=53 time=67.1 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=8 ttl=53 time=67.2 ms

--- eukhost.com ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7000ms
rtt min/avg/max/mdev = 66.661/67.261/68.750/0.631 ms

[Rock]

Here's from my local machine:

root@tech [~]# ping -c8 durchbrechen.com
PING durchbrechen.com (78.129.128.20) 56(84) bytes of data.
64 bytes from typhoon.eukhost.com (78.129.128.20): icmp_seq=0 ttl=63 time=0.192 ms
64 bytes from typhoon.eukhost.com (78.129.128.20): icmp_seq=1 ttl=63 time=0.185 ms
64 bytes from typhoon.eukhost.com (78.129.128.20): icmp_seq=2 ttl=63 time=0.269 ms
64 bytes from typhoon.eukhost.com (78.129.128.20): icmp_seq=3 ttl=63 time=0.185 ms
64 bytes from typhoon.eukhost.com (78.129.128.20): icmp_seq=4 ttl=63 time=0.179 ms
64 bytes from typhoon.eukhost.com (78.129.128.20): icmp_seq=5 ttl=63 time=0.182 ms
64 bytes from typhoon.eukhost.com (78.129.128.20): icmp_seq=6 ttl=63 time=0.189 ms
64 bytes from typhoon.eukhost.com (78.129.128.20): icmp_seq=7 ttl=63 time=0.186 ms

--- durchbrechen.com ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7001ms
rtt min/avg/max/mdev = 0.179/0.195/0.269/0.033 ms, pipe 2

What is your local network's IP ? I doubt it being blocked on the server firewall.

[AndyD]

Durchbrechen :: Even my one is down now : 78.129.128.20

Your website hosting seems to be on eUKhost's one of other server typhoon.eukhost.com (78.129.128.20) and not the one that was affected by DOS attack i.e., WIN.specialservers.com (78.129.133.118 )
Moreover, a ping to your domain from my local machine worked perfect even! I would thereby suggest you to make a traceroute/tracert to your domain or server's IP (78.129.128.20) from your local machine to see if it completes or time-outs and then contact eUKhost support accordingly. Also make sure that you provide them your local network's IP (which you can obtain from http://whatismyip.com/) to check if it's blocked on the server (do this only if you have a static IP). They would work out on your problem for sure.
Good Luck!!

[eUKhost.com]

Even my one is down now : 78.129.128.20


[paolo@linux ~]$ ping -c8 durchbrechen.com
PING durchbrechen.com (78.129.128.20) 56(84) bytes of data.

--- durchbrechen.com ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7010ms

[paolo@linux ~]$ ping -c8 eukhost.com
PING eukhost.com (87.117.224.51) 56(84) bytes of data.
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=1 ttl=53 time=66.9 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=2 ttl=53 time=67.3 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=3 ttl=53 time=66.6 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=4 ttl=53 time=67.0 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=5 ttl=53 time=66.8 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=6 ttl=53 time=68.7 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=7 ttl=53 time=67.1 ms
64 bytes from www.eukhost.com (87.117.224.51): icmp_seq=8 ttl=53 time=67.2 ms

--- eukhost.com ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7000ms
rtt min/avg/max/mdev = 66.661/67.261/68.750/0.631 ms

Your IP got blocked on server due to multiple login failures. I have removed it and your website hosting should work fine from your end.

[Durchbrechen]

Your IP got blocked on server due to multiple login failures. I have removed it and your website hosting should work fine from your end.

wow ! There wasn't anything precious in it ....

In any case now it's all ok. Many thanks

cheers
Paolo

[eUKhost.com]

wow ! There wasn't anything precious in it ....

In any case now it's all ok. Many thanks

cheers
Paolo

You are welcome

[Morledge]

Why aren't all you machines behind hardware firewalls?

Did this question get answered?

Thanks
Morledge

[swexpert]

Hello,
Nopes. none of the questions were answered. However, from the conversations, I now assume they do have hardware firewalls on *some* of the servers, not all.

Regds
IJ

[WelshTom]

Yes, however, I do believe the majority of the servers to be directly behind firewalls. The servers which were compromised as a result of this DDoS attack were quickly installed with new firewalls to prevent any further problems.

[jc8654]

I also believe this to be the case as using Windows inbuilt traceroute shows the last two steps to be missing for the majority of servers I've checked. This is a sign of the firewall.

[eUKhost.com]

We have Cisco ASA 5510 Firewall for our windows servers. Hardware firewall makes no difference for Linux Servers so we have Hardware Firewall for windows servers only.

Even Cisco ASA 5510 cannot handle over 100 Mbps attack but it is helpful for security of windows servers. Firewalls are good to deal with DDoS of upto 10 - 30 Mbps but anything beyond that needs experience to reverse those attacks.

[DPS Computing]

Yes that is true - if an attacker is determined they'll find a way past any system - look how many times banks and government agencies have been compromised and they have some of the best security software / hardware and personell working for them in the world!

[jc8654]

Hackers although annoying at the time help make the internet a safer place as if they get into a system, people then make that same system safer.