LemonHead
Aug 11 2004, 07:56 PM
hello
I have been paying $10/month for FloodGuard since April and, today, IP 69.72.225.34 started sending a 90mbps UDP attack
the server load was ok (0.6) and it couldn't even feel the attack
but my server's main IP was null-routed:
QUOTE
It appears that your server *69.56.194.34* is getting a DoS attack, I will send this to our security department immediately.
--------------------------------------
(xxx-08/11/04-20:29):thanks
btw, my server is down now
------------------------------------------
(yyy-08/11/04-20:30):
Due to the large size of this attack we've no choice but to temporarily null route your IP address. We will keep you as updated as possible.
that was handled very fast and the server was 10~15 minutes off-line... but a tech told me on the phone (before the server got back) that it would only be back when the attack stopped
so if the attack lasted for 2 days, my server would be down for 2 days?!
eddy2099
Aug 11 2004, 08:29 PM
Looks like the case. Since the attack is external, there is not much that they can do. Nullification would probably save everyone else on the network and someone from paying the excess bandwidth charges from the attack. Of course, the other thing would be to report to the attacking service provider to have their network shut down, but if they do not comply, there is not much you can do.
LemonHead
Aug 11 2004, 08:30 PM
QUOTE (eddy2099)
Looks like the case. Since the attack is external, there is not much that they can do. Nullification would probably save everyone else on the network and someone from paying the excess bandwidth charges from the attack. Of course, the other thing would be to report to the attacking service provider to have their network shut down, but if they do not comply, there is not much you can do.
they could do what they're doing now: blocking the IP on the core router
eddy2099
Aug 12 2004, 01:42 AM
Is this a static IP that is attacking you, or is it coming from numerous sources? Any resolution as yet?
LemonHead
Aug 12 2004, 04:48 AM
QUOTE (eddy2099)
Is this a static IP that is attacking you, or is it coming from numerous sources? Any resolution as yet?
it was just one single static IP
I think they blocked it in the core router, but I didn't understand why my primary IP was null-routed
damainman
Aug 14 2004, 01:10 AM
Shouldn't this be in floodguard, or server security or something?
OCX
Aug 14 2004, 01:56 AM
Wouldn't it make more sense to block the attacker's IP or IP range
rather than turning off a server? That is what firewalls are for, or did I sleep through that class? :shock:
Bulk
Aug 15 2004, 08:34 AM
I'd like an SM response on this, because I was thinking of getting FloodGuard, but if they are just going to null-route your IP the moment an attack starts, why bother with the extra cost?
Guspaz
Aug 15 2004, 01:01 PM
This is extremely disturbing. This is a 90mbit UDP flood that was BLOCKED BY FLOODGUARD.
When ServerMatrix was trying to sell the idea of FloodGuard to us, I remember them saying things like, they had a customer under a 300mbit flood that was blocked by floodguard and the user never had a problem.
Now, a 90mbit flood that is BLOCKED, nullrouting the IP is COMPLETELY unacceptable.
For example, what happens if one of our servers needs to use 90mbit of bandwidth for a while on a 100mbit NIC? Will ServerMatrix nullroute the IP?
This behaviour by ServerMatrix completely defeats the purpose of having FloodGuard. I think we should demand a response by the higher-ups to tell us why they would do something so stupid.
You know what is MOST DISTURBING OF ALL? The parent post says this flood came from ONE SINGLE IP. Why did SM nullroute the customer's server, and not the IP that was causing the flood?
LemonHead
Aug 15 2004, 05:02 PM
QUOTE (Guspaz)
You know what is MOST DISTURBING OF ALL? The parent post says this flood came from ONE SINGLE IP. Why did SM nullroute the customer's server, and not the IP that was causing the flood?
afterwards they told me "(...) our initial look at the bandwidth appeared to be from spoofed hosts, but now it is only the one."
so it was probably a mistake
unfortunately my server was 21 minutes down because of this mistake... but we always think "it could have been worse"
after all, they were pretty fast working on that
Bulk
Aug 16 2004, 09:56 AM
Can a member of the SM staff at least confirm this is being investigated? This is a serious issue that needs an official response.
Guspaz
Aug 16 2004, 08:30 PM
Yes, we need an official response explaining why ServerMatrix failed so spectacularly. After all, if FloodGuard is blocking an attack properly, nullrouting an IP is not acceptable.
LemonHead
Aug 16 2004, 08:35 PM
QUOTE (Guspaz)
Yes, we need an official response explaining why ServerMatrix failed so spectacularly. After all, if FloodGuard is blocking an attack properly, nullrouting an IP is not acceptable.
for some reason, it wasn't blocking (at least I was seeing 96mbps on the MRTG graph)...
but since it was only one IP, it could be blocked on the core router (which was done later)
I just don't understand why FloodGuard didn't block it (UDP flood)
Guspaz
Aug 16 2004, 08:39 PM
Woah woah, I thought you inferred FloodGuard was blocking the attack... This changes everything.
Still, if the attack was a flood from 1 IP, FloodGuard should have blocked it. In fact, ServerMatrix claimed FloodGuard was capable of blocking attacks from spoofed addresses too...
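The thread turns on one distinction: the provider first read the flood as coming from spoofed hosts (where null-routing the victim is about all an upstream can do) and later saw it was a single source (where an ACL on the core router would have kept the server up). The following is an added example, not code from the thread or from ServerMatrix/FloodGuard, that makes that call from sampled flow records; the record format, the documentation-range addresses and the thresholds are assumptions.

```python
# Added example: decide between blocking one source upstream and a
# destination-side null route / rate limit, from sampled flow records.
from collections import defaultdict

# Constructed sample covering a 10-second window.
# Fields: proto, src, dst, bytes. Addresses are RFC 5737 documentation
# ranges (assumed, not the addresses from the thread).
FLOWS = [
    ("udp", "203.0.113.7", "192.0.2.10", 28_000_000),   # one heavy source
    ("udp", "203.0.113.7", "192.0.2.10", 31_000_000),
    ("udp", "203.0.113.7", "192.0.2.10", 52_000_000),
    ("udp", "198.51.100.4", "192.0.2.10", 400_000),      # normal traffic
    ("tcp", "198.51.100.9", "192.0.2.10", 1_200_000),    # not UDP, ignored
    ("udp", "198.51.100.4", "192.0.2.11", 900_000),      # other host, ignored
]

def udp_mbps_by_source(flows, victim, window_s):
    """Return {src: Mbps} of UDP traffic towards `victim` over the window."""
    per_src = defaultdict(int)
    for proto, src, dst, nbytes in flows:
        if proto == "udp" and dst == victim:
            per_src[src] += nbytes
    return {s: b * 8 / window_s / 1e6 for s, b in per_src.items()}

def choose_mitigation(per_src, link_mbps, flood_frac=0.5, single_frac=0.9):
    """
    Pick the least disruptive action (thresholds are assumed defaults):
      - "none": UDP towards the host is well under the link capacity.
      - "block-source": one source carries >= single_frac of the UDP volume,
        so an ACL for that source on the upstream router is enough.
      - "null-route-or-ratelimit": volume is spread over many (possibly
        spoofed) sources, so per-source blocking will not help.
    """
    total = sum(per_src.values())
    if total < flood_frac * link_mbps:
        return "none", None
    top_src, top_mbps = max(per_src.items(), key=lambda kv: kv[1])
    if top_mbps >= single_frac * total:
        return "block-source", top_src
    return "null-route-or-ratelimit", None

if __name__ == "__main__":
    rates = udp_mbps_by_source(FLOWS, "192.0.2.10", window_s=10)
    print(rates)                                   # ~88.8 Mbps from one source
    print(choose_mitigation(rates, link_mbps=100)) # ('block-source', '203.0.113.7')
```

With the sample above the single source accounts for nearly all of roughly 89 Mbps on a 100 Mbps link, so the answer is a source block, not a null route of the victim; a spread-out flood with no dominant source falls through to the destination-side action.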