At 15:38 2/04/2001, J S Russell wrote:
> I'm certainly missing auckland.nz.undernet.org, as well.
> Just out of interest, how were they attacking the server? It was on an APE address, and I presume you were keeping its world-accessible IP very secret. Were the flooding dickheads simply attacking AsiaOnLine NZ networks directly, hoping to saturate your international connections and drive the server offline? Or were the DoS attacks coming from domestic sources?
At the time the server was switched off it appeared that people were randomly attacking ISP websites in New Zealand. (There were a rather large number of outages from various ISPs about the country at around the same time the attack on our own website ensued, and seeing as the public IP was non-internationally routed AND the outgoing provider was kept quiet, we are guessing that the attack was directed at the country as a whole.)
Another reason we came to the conclusion that they were hitting *.nz in general was that the sites that seemed to have problems over this weekend have the larger concentrations of IRC users. It was almost like a group got together and said "what's a list of domains people in New Zealand come on IRC from" and hit the sites that had the largest concentrations, including the ISP that used to host the IRC service.
> There must be a way to circumvent these pesky floods, or at least route around them (and hence make them useless, which will in turn make them go away.)
The only way to effectively block these attacks is simply not to run a high profile target. I have suggested to the people that run the undernet a few ways in which to play down the profile of the leaf servers - this seems to have fallen on deaf ears and until such time as the people running undernet realise that soon no one will have the bandwidth capacity to run an IRC server things will not change.
> Perhaps a server run by an incorporated society rather than a specific ISP, fed by bandwidth sourced from multiple interested NZ ISPs? This way it could have multiple paths out to US and EU undernet servers. Of course, it'd still have to have secret real-world IPs and again be on an APE or WIX address for domestic access.
This idea was floated as well, however you still run into the problem whereby someone can simply take out large portions of New Zealand's international capacity, and if the server's real IP is hidden then the DoS kiddies will simply hit everything they can and the innocent users will suffer.
> That would be very difficult to attack,
Not really..
> and bandwidth from each of the ISPs in question could perhaps be constrained at the international AP, limiting the effects of floods on each of the ISPs in question.
(As an aside, I highly doubt the Admin team that runs undernet would allow multiple IPs to be listed as possible incoming connections, they do tend to be a paranoid bunch :) )
This is probably the only way such a service could exist. The IRC server used around 128k sustained of international bandwidth; it used to burst to around 2-3 meg when it joined the network after splitting away (for those that don't know, the IRC server will resync its list of users online with the rest of the IRC network when it connects to an upstream IRC server - known as a netburst). If the server were given a real world IP and this were limited at the far end of the .nz link, it would give the kiddies a target; the target IP could be bandwidth limited to around 3 meg and this should (in theory) allow them to take out the service if they so desire but not the entire country.
How effective this would be is another story. I know that when the server had been running on a real world IP in the past some of the larger attacks ended up taking out pretty much all the country, even tho - strictly speaking - it should only have filled up our own international capacity.
-- Steve.