Full Version: DDoS, ICMP-flood and ThePlanet GUARD
Aprior
Hello,

Our website has been under a severe DDoS attack for over 3 days now.

We need advice not only from the support team but from experienced THE-PLANET users also.

Starting Thursday, the website domenforum.net has been DDoS'ed. Our server that hosts domenforum.net is receiving plenty of HTTP requests from all over the planet (mostly from Asia and Africa).

The-Planet support team has turned on the Guard, and while we could see the attacking IPs before they turned the Guard on, after that we can only see incoming IPs from the Guard filter. So basically the filter receives requests and then sends them to our server without even filtering them out. The server has been down for over three days now and support can do nothing about it, just turn the Guard filter on and off by request.

Saturday evening we worked hard to identify the source of the attack and the rules that the attacking source is using to attack our server. We have written a program (script-based filter) which successfully banned all attacking IPs of the botnet network. Right after that, the attacking source started to use different tactics for an attack. Instead of sending HTTP requests they started to send ICMP requests (ICMP-flood) to our server. There is nothing we can do about it, the server is always down.

Filtering out the ICMP-flood makes no sense and in such cases reputable datacenters turn off the ICMP.

The-Planet support team has enabled the Guard filter which has lowered the number of ICMP-packets, but server is still down (we can not even get into ROOT ... forget about websites being up and running).

We have contacted The-Planet support team with the request to shut down the ICMP in order to solve the problem we are experiencing, but our request was denied. They said it is impossible!

Now we can not filter out TCP (we did successfully filter it out before) because we can see neither the attacking IPs nor the IPs of real people. There is nothing we can do because with GUARD protection and without it the ICMP-flood is shutting down our server, and as per The-Planet support team the ICMP can not be disabled.


So, what do we do now?

There is nothing we can do and THE-PLANET is not helping us in any way. Our projects are all down, we lose money and the most important thing - REPUTATION!

We know that a 23 megabit ICMP-flood is nothing, but there is nothing we can do about it, and theplanet guys have turned their backs on our problem.

Maybe some of you guys can help us?
Any thoughts are appreciated.
Aprior
Our request to block all traffic from Taiwan, China, Japan, Turkey, Mexico, India, Africa was not satisfied. These countries have always been a source of all attacks and users from these countries are in no way targeted visitors of our websites.
Creed3020
I would suggest phoning and asking to speak to a shift manager.

You could also get in contact with the abuse department and give them logs of what is going on. They may be able to help you.

Keep posting here, updating tickets, and phoning in.
PD2
Aprior,

I sent your issue over to our Security and Global NOC teams to see what we could get taken care of. Apparently one of the Techs got into your server and account and states that the DDoS and ICMP Flood attacks have been dealt with and your sites should be resolving once again. If this is not the case, please let me know and I'll escalate accordingly. Hopefully all has returned to normal.

Kind regards,
PD2
XGhozt
The server is still down for me.