Help - Search - Members - Calendar
Full Version: AUP-TOS Violation - I feel very humiliated!
The Planet Forums > General > Suggestions/Comments
Anatolia
Dec 14 2003, 07:26 PM
OK here we go icon_smile.gif

QUOTE
12/11/03 12:40:54 PM
12/11/03 - cnewcomb - 12:40:54 PM - Abuse - Warning - AUP-TOS Violation - ALL -> Dear Customer
Because we have found that your server is a target for massive inbound attacks that are cripleing the network, we unfortunately have to ask you that you make a copy of all content on the server 64.246.***.***, and find another host for this content. I have been authorized to give you until December 19, 2003 at 07:00 to remove all content on this server and find another host, at that time we will remove your server from the network permanently.


12/11/03-8:45:10 AM - Network - NOC - Blocked Inbound Attack  
12/10/03-8:01:09 AM - Network - NOC - Blocked Inbound Attack  
12/10/03-7:43:14 PM - Network - NOC - Blocked Inbound Attack  
12/10/03-8:16:15 PM - Network - NOC - Blocked Inbound Attack  
12/9/03-12:05:56 PM - Network - NOC - Blocked Inbound Attack  
12/9/03-2:31:19 PM - Network - NOC - Blocked Inbound Attack  
12/9/03-6:38:50 PM - Network - NOC - Blocked Inbound Attack  
12/9/03-8:33:41 PM - Network - NOC - Blocked Inbound Attack  
12/9/03-8:44:41 PM - Network - NOC - Blocked Inbound Attack  
12/9/03-7:47:33 PM - Network - NOC - Blocked Inbound Attack  
12/8/03-11:36:42 AM - Network - NOC - Blocked Inbound Attack  
12/8/03-6:03:41 PM - Network - NOC - Blocked Inbound Attack  
12/7/03-8:23:19 PM - Network - NOC - Blocked Inbound Attack  
12/6/03-8:50:09 PM - Network - NOC - Blocked Source Attack  
12/4/03-8:35:12 PM - Network - NOC - Blocked Inbound Attack  
12/3/03-1:12:43 PM - Network - NOC - Blocked Inbound Attack  
11/29/03-6:47:08 PM - Network - NOC - Blocked Inbound Attack  
11/28/03-9:53:23 PM - Network - NOC - Blocked Inbound Attack  
10/31/03-10:05:42 PM - Network - NOC - Blocked Inbound Attack  
10/23/03-9:24:57 AM - Network - NOC - Blocked Inbound Attack  
10/20/03-8:25:14 PM - Network - NOC - Blocked Inbound Attack  
10/16/03-10:25:43 AM - Network - NOC - Blocked Inbound Attack  
10/10/03-6:34:26 AM - Network - NOC - Blocked Inbound Attack  
9/30/03-12:03:27 PM - Network - NOC - Blocked Inbound Attack  
9/29/03-8:56:59 PM - Network - NOC - Blocked Inbound Attack  
9/26/03-10:16:18 PM - Network - NOC - Blocked Inbound Attack  
9/26/03-10:05:29 PM - Network - NOC - Blocked Inbound Attack  
9/24/03-9:52:06 PM - Network - NOC - Blocked Inbound Attack  
9/20/03-9:47:55 AM - Network - NOC - Blocked Inbound Attack  
9/12/03-11:28:43 AM - Network - NOC - Blocked Inbound Attack  
9/9/03-10:32:28 AM - Network - NOC - Blocked Inbound Attack  
9/8/03-7:30:00 AM - Network - NOC - Blocked Inbound Attack


--
Regards,
Chris
Abuse Team Leader
abuse@ev1servers.net


Ok lets talk about how to solve such a problem or how to stop inbonds attacks, Source, DDoS..
Any one has any idea how to stop the attacker?
I have APF Firewall installed, mod_dosevasive as will!
Should i upgrade to the Unmetered 10Mbps Server Series, i mean will that help?
I feel very humiliated by EV abuse team, am I a victim here?
note we have 9 high end servers with RS/EV1 with deferent (RS-***) user accounts should i just close all of them and find another host?


Many thanks to your inputs
Anatolia
Edgewize
Dec 14 2003, 07:36 PM
Rackshack is a value-level host and can't afford the level of network maintenance that a high-risk site like yours requires.

When you are a target of attacks, even if your server does not crash or get taken down, the entire network leading up to your server is affected.

It requires careful monitoring and coordination by all the upstream network providers to filter out the attack as it happens.

Requiring this level of dedicated support on a regular basis is definately not in the $99/month range. If you can't stop whatever it is that is performing these attacks, you will have to move to a host who can afford to watch over your server.

That's just the way it works, it is nothing personal and there's no reason that you have to take all your business elsewhere if those servers are not common targets for attack.
daveman692
Dec 14 2003, 07:39 PM
QUOTE
Originally posted by Edgewize
Requiring this level of dedicated support on a regular basis is definately not in the $99/month range.

I know of at least one other company that is in this price range and does offer a system to help protect against DoS attacks.
LighthousePoint
Dec 14 2003, 07:55 PM
QUOTE
Originally posted by daveman692
I know of at least one other company that is in this price range and does offer a system to help protect against DoS attacks.

Great, go to them...
eMax
Dec 14 2003, 08:37 PM
LighthousePoint - That is a real cocky reply from someone who represent a company.

Maybe some manner classes might help you be a better person?
daveman692
Dec 14 2003, 08:44 PM
I just want to say that the point of my post was not to bash EV1 nor promote another provider, just point out that another provider is able to offer advanced tools in the same price range as EV1.
TechieSurfer
Dec 14 2003, 09:23 PM
QUOTE
Originally posted by eMax
LighthousePoint - That is a real cocky reply from someone who represent a company.

Maybe some manner classes might help you be a better person?


LighthousePoint is a forum moderator but does not "represent" EV1. His opinions are just that - his.

I, for one, welcome constructive criticism and competition. Frequently it is these forces that help 'mold' certain aspects of our business resulting in a stronger and positive outcome...

Sincerely,

Randy Williams, CTO
foggy
Dec 14 2003, 10:24 PM
QUOTE
Originally posted by LighthousePoint
Great, go to them...


your getting as bad as dave# rolleyes.gif
LighthousePoint
Dec 14 2003, 10:28 PM
QUOTE
Originally posted by foggy
your getting as bad as dave# rolleyes.gif

lol, or emax?

Sorry, just kind of tired of these people. If you have some issues you want resolved, great, come to the forums and the members will help -- and if it's between you and EV1, the big players like TechieSurfer, Patrick, HeadSurfer, Mario, etc, always seem to come through...

But the whole "I left EV1" or the even worse : "I am going to leave EV1" speal that continues and continues gets tiresome. This is their house, and don't show disrespect. There is a *huge* difference from expressing concerns, or even flat-out being upset at EV1 when compared to being plain rude. Kind of like how it's not appropriate to name competitors, if you've moved, then be done with it. If you come here for support, or to help others, great, but don't try to take customers, or disrespect EV1.

My $2.00
Lippy
Dec 14 2003, 11:05 PM
QUOTE
Originally posted by LighthousePoint

My $2.00


Note to self, take pointers from LighthousePoint, his comments are worth more than $0.02, must try to raise value of my own.
LighthousePoint
Dec 14 2003, 11:10 PM
QUOTE
Originally posted by Lippy
Note to self, take pointers from LighthousePoint, his comments are worth more than $0.02, must try to raise value of my own.

yeah, big rants are worth more icon_wink.gif
scuro_falcao
Dec 15 2003, 02:23 AM
I wouldn't host you either. You may have better luck hosting your servers on DSL connections at home, although it will be incredibly slow
jeff-p4
Dec 15 2003, 02:40 AM
You might try either .

An unnamed rackshack competitor also in Texas has this option on thier order form:
QUOTE
utilizes FloodGuard™ from NetZentry to mitigate distributed denial of service and syn flood traffic directed to servers inside our datacenter facilities. Through the extensive use of actuators and sensors, security engineers are able to track traffic patterns and assist in mitigating the effects of malicious activity. utilizes best efforts to mitigate denials of service attacks and syn flood attacks, but due to the nature of these types of attacks… no SLA is applied to this service offering.

I also see vbulletin.com has been getting DDOS'ed extremely badly for the last week and hasn't kicked them - then again, they're probably spending a lot more than $99/month.

I have no experience with either company.

(Sorry - I thought it would be ok to post competitors in this case since RackShack does not want this business and Anatolia needs to find a new home quickly. I obviously wouldn't post direct competitors where RackShack does want the business and offer the service. I guess I was wrong so I hope you can figure it out or find your answers at )
Doobla
Dec 15 2003, 02:56 AM
QUOTE
Originally posted by jeff-p4
You might try either or .


I know you didn't exactly get it when LHP said it so I'll try to make it plain for you. Naming EV1's competitors on these forums isn't cool. This is EV1's house so leave competitors in the PM's or something.

QUOTE
Originally posted by LighthousePoint
But the whole "I left EV1" or the even worse : "I am going to leave EV1" speal that continues and continues gets tiresome. This is their house, and don't show disrespect. There is a *huge* difference from expressing concerns, or even flat-out being upset at EV1 when compared to being plain rude. Kind of like how it's not appropriate to name competitors, if you've moved, then be done with it. If you come here for support, or to help others, great, but don't try to take customers, or disrespect EV1.
jeff-p4
Dec 15 2003, 03:07 AM
QUOTE
Originally posted by Doobla
I know you didn't exactly get it when LHP said it so I'll try to make it plain for you.  Naming EV1's competitors on these forums isn't cool.  This is EV1's house so leave competitors in the PM's or something.
QUOTE
Originally posted by LighthousePoint
But the whole "I left EV1" or the even worse : "I am going to leave EV1" speal that continues and continues gets tiresome. This is their house, and don't show disrespect. There is a *huge* difference from expressing concerns, or even flat-out being upset at EV1 when compared to being plain rude. Kind of like how it's not appropriate to name competitors, if you've moved, then be done with it. If you come here for support, or to help others, great, but don't try to take customers, or disrespect EV1.

EV1 is not a competitor for sites that are getting DOS'ed as above - they have told the original poster, as quoted, that he must remove himself from the EV1 network within the next 4 days (originally given 8 days to find a new host and move, but waited 4 days to post or maybe was away?), that EV1 no longer wants his business because he is being attacked. Thus I didn't see potentail new homes for the first poster as competitors since EV1 does not want that business, at all. I also thought it might be useful if sites that were getting DDOS'ed moved to hosts who want to handle that type of thing and have installed options which might deal with it (I have no experience with the floodgard/etc options so I don't know if they're simply $$ options or if they're at all effective.) Anyway, I've removed any compeitor's names from the above post. You might want to edit yours as well since you quoted the names :confused:
Doobla
Dec 15 2003, 03:13 AM
QUOTE
Originally posted by jeff-p4
EV1 [b]is not a competitor for sites that are getting DOS'ed as above - they have told the original poster, as quoted, that he must remove himself from the EV1 network within the next 4 days, that EV1 no longer wants his business because he is being attacked.  Thus I didn't see potentail new homes for the first poster as competitors since EV1 does not want that business, at all.  I also thought it might be useful if sites that were getting DDOS'ed moved to hosts who want to handle that type of thing and have installed options which might deal with it (I have no experience with the floodgard/etc options so I don't know if they're simply $$ options or if they're at all effective.)  Anyway, I've removed any compeitor's names from the above post.  You might want to edit yours as well since you quoted the names :confused: [/B]


I understand where you are coming from, but you have to remember that a lot of people read these threads and so when you are naming companies that are in directo competition with EV1 you are potentially sending clients or potential clients away from EV1. That is kinda like biting the hand that feeds you, if you know what I mean. I'm not a Mod. I don't have any authority. I just didn't think it was cool and that it would have been better said in a PM.

Glad you edited and I did too.

Jon
jeff-p4
Dec 15 2003, 03:18 AM
Yea, you're probably right - I should have PM'ed and sorry I'm a bit cranky after trying to get the hang of FreeBSD for the first time tonight icon_smile.gif

As I look at the original post some more, is it correct that each inbound attack was logged as a trouble ticket when it occurred?
Doobla
Dec 15 2003, 03:25 AM
QUOTE
Originally posted by jeff-p4
Yea, you're probably right - I should have PM'ed and sorry I'm a bit cranky after trying to get the hang of FreeBSD for the first time tonight icon_smile.gif

As I look at the original post some more, it is correct that each inbound attack was logged as a trouble ticket when it occurred?


Yikes, good luck with that icon_wink.gif Me, I'm cranky because I'm a prude icon_razz.gif

As for each attack being logged as a trouble ticket, I don't know but I took it as they were just showing dates/times from their logs.

Jon
Anatolia
Dec 15 2003, 06:07 AM
Thanks all for your input!

I have mailed Chris (Abuse Team Leader) and we agreed to shut down the target IP that that the attacker is targeting, but if I get any attacks after that I will be forced by RS/EV1 to leave and find another host, but for know I'm not leaving RS/EV1 and hope all the attacks stop.

but what if i get new attacks on another IP on one of my servers?!
then i will need to now a good hosting company to move all my servers to!

jeff-p4 many thanks for your help, please PM to me the two hosting companies.
I need to have some kind of (plan B) icon_biggrin.gif in case i get stuck in the future and forced to find another host. icon_smile.gif

Can we talk about how to solve such a problem, or how to stop inbounds attacks, Source, DDoS..
Does RS/EV1 have any firewall solution and products that will help its costumers?
Should I upgrade to the Unmetered 10Mbps Server Series, will that help?

Anatolia
Lippy
Dec 15 2003, 07:31 AM
Upgrading to a 10 mbps server will not help, just means they would have to push more to get the site to go down, but in the end EV1 would still unplug you due to network congestion caused by the attack on your site/server.
Steve
Dec 15 2003, 08:25 AM
QUOTE
Originally posted by LighthousePoint
Sorry, just kind of tired of these people...

...the whole "I left EV1" or the even worse : "I am going to leave EV1" speal that continues and continues gets tiresome.  This is their house, and don't show disrespect.
Anatolia was not being rude or disrespectful and he didn't say, "I left EV1" or "I am going to leave EV1". Maybe you should read his post before you jump to conclusions.
Starpoint
Dec 15 2003, 09:39 AM
QUOTE
Originally posted by Anatolia
Thanks all for your input!

I have mailed Chris (Abuse Team Leader) and we agreed to shut down the target IP that that the attacker is targeting, but if I get any attacks after that I will be forced by RS/EV1 to leave and find  another host, but for know I'm not leaving RS/EV1 and hope all the attacks stop.

but what if i get new attacks on another IP on one of my servers?!
then i will need to now a good hosting company to move all my servers to!

jeff-p4 many thanks for your help, please PM to me the two hosting companies.
I need to have some kind of (plan B) icon_biggrin.gif in case i get stuck in the future and forced to find another host. icon_smile.gif  

Can we  talk about how to solve such a problem, or how to stop inbounds attacks, Source, DDoS..
Does RS/EV1 have any firewall solution and products that will help its costumers?
Should I upgrade to the Unmetered 10Mbps Server Series, will that help?

Anatolia


Something you have to consider is the attacks are either IP based or name based... so if the site moves to a new IP, and the attack follows once DNS has propogated, then its the site itself.. but if it ceases, then the attacker is doing IP. However it can be scripted for the attack to do a NSLookup on the name and thus get IP then attack the IP..
if you can down the sites for a while without a big $$ loss, see if the attacks move around..


It may boil down to just moving the sites on that server to a different machine or hosting company.. you do not have to totally abandon Ev1servers 100 %
Lippy
Dec 15 2003, 09:40 AM
Before this turns in to finger pointing lets return to the point of this post. What can be done to stop inbound attacks, prevent them in the future and generally Filter them off the network entirely. At one point or another some of us may face some similar problems and this is a great chance for all of us to learn how to avoid or react to this type of issue.
LighthousePoint
Dec 15 2003, 10:21 AM
QUOTE
Originally posted by Anatolia

Should I upgrade to the Unmetered 10Mbps Server Series, will that help?

That would actually HURT the problem. As it is now, you've got a 100Mbps pipe. That is much more difficult to saturate when compared to a 10Mbps pipe. You actually are doing better with the metered box.
Anatolia
Dec 15 2003, 03:59 PM
Thanks all for your input..
Just like to tell all the members and Ev1 staff that I'm a loyal costumer to RS/EV1 company..
OK upgrading will not help..
Any firewall solution?!
I really think that a hosting company as big as EV1 needs a Firewall before there routers ..
Why not add a Firewall solution as a add-on product like the backup servers?!
I real like Ev1 and hate to think about leaving, EV1 should help plp like me by adding firewall solution and so on..

Anatolia
eMax
Dec 15 2003, 04:04 PM
Best thing to do is look for a company which has PrevenTier in place.
aussie
Dec 15 2003, 07:07 PM
This concerns me because we also have at least 1 server on the 64.246 subnet. Hmmmmm!
Lippy
Dec 15 2003, 07:16 PM
QUOTE
Originally posted by aussie
This concerns me because we also have at least 1 server on the 64.246 subnet. Hmmmmm!


I'm with you Assuie.
Brad-ev1
Dec 15 2003, 10:34 PM
aussie and lippy,

Keep in mind that within the ev1servers network, "64.246" is actually a collection of ~25 or so individual subnets, so it is likely that your 64.246 servers were not affected any more so then servers starting with other prefixes. Part of the reason we use comparatively small subnets is to limit the effects of DoS and other network issues to a comparatively smaller number of customers.
Poof
Dec 17 2003, 06:47 PM
Hrm- You may want to enable SYN-Cookies

Put this on the bottom of /etc/rc.local

[PHP]echo 1 > /proc/sys/net/ipv4/tcp_syncookies[/PHP]

Also, type that after editing your rc.local and that might help SOME of your DDOSes. (Since I've been SYN flooded twice now after putting that on I haven't seen a problem.) >.< It'll at least make the attackers work a little harder to attack you. =p (More machines they'll need!)
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.