My “DoS” Attack

I experienced a ‘brief’ period of downtime (~24 hours) the other day on a server that I have hosted with 1and1. When I contacted them to find out about the outage, I was informed that my IP had been blackholed due to a DoS attack. I was surprised to discover that they hadn’t contacted me when they’d taken this action and, if I didn’t access my server daily, I wonder how long they would have continued to blackhole the IP. I asked for proof that my server was under attack and they sent me a snippet of the log:

12:57:25.528325 IP 64.233.180.94.53615 > 74.208.78.XXX.53:  5038 A? www.securitybloggers.net. (42)
12:57:25.586218 IP 64.233.180.94.38886 > 74.208.78.XXX.53:  27266 A? www.securitybloggers.net. (42)
12:57:25.606691 IP 64.233.180.94.50898 > 74.208.78.XXX.53:  5454 AAAA? www.securitybloggers.net. (42)
12:57:25.653284 IP 64.233.180.94.32922 > 74.208.78.XXX.53:  16830 A? www.securitybloggers.net. (42)

That IP, for those of you running to look it up, resolves to ni-out-f94.1e100.net. It turns out that 1e100.net is a Google domain. So, if I believe my hosting provider, I was DoSed by Google. I emailed 1and1 to point out that it was a Google domain and simply DNS traffic, and shortly after that my server was back up… at least in theory. In the end I had to reboot my server before it would respond… but at least I got it up and running.
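A small parser for the tcpdump lines quoted above, added here as an example (it is not part of the original post): it groups the DNS queries by source address and reports how many there were, over what time span, which names and record types were asked for, and whether the Recursion Desired flag was set. The function and field names are hypothetical; the sample input is the four lines from the provider's snippet.

```python
import re
from collections import Counter, defaultdict

# The four tcpdump lines quoted in the post (last destination octet redacted there).
SAMPLE = """\
12:57:25.528325 IP 64.233.180.94.53615 > 74.208.78.XXX.53:  5038 A? www.securitybloggers.net. (42)
12:57:25.586218 IP 64.233.180.94.38886 > 74.208.78.XXX.53:  27266 A? www.securitybloggers.net. (42)
12:57:25.606691 IP 64.233.180.94.50898 > 74.208.78.XXX.53:  5454 AAAA? www.securitybloggers.net. (42)
12:57:25.653284 IP 64.233.180.94.32922 > 74.208.78.XXX.53:  16830 A? www.securitybloggers.net. (42)
"""

# tcpdump DNS query line: time IP src.port > dst.port: id[flags] qtype? qname (len)
# A '+' directly after the query id means the Recursion Desired bit was set.
QUERY = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+):\s+"
    r"(\d+)(\+?)\S*\s+(?:\[\S+\]\s+)?(\w+)\? (\S+) \((\d+)\)"
)

def summarize(text):
    """Group DNS queries to port 53 by source IP and describe each group."""
    groups = defaultdict(lambda: {"t": [], "names": set(), "qtypes": Counter(), "rd": 0})
    for line in text.splitlines():
        m = QUERY.match(line.strip())
        if not m:
            continue  # not a DNS query line (response, other protocol, noise)
        hh, mm, ss, src, _sport, _dst, dport, _qid, rd, qtype, qname, _len = m.groups()
        if dport != "53":
            continue
        g = groups[src]
        g["t"].append(int(hh) * 3600 + int(mm) * 60 + float(ss))
        g["names"].add(qname)
        g["qtypes"][qtype] += 1
        g["rd"] += 1 if rd else 0
    return {
        src: {
            "queries": len(g["t"]),
            "span_s": max(g["t"]) - min(g["t"]),
            "names": sorted(g["names"]),
            "qtypes": dict(g["qtypes"]),
            "recursion_desired": g["rd"],
        }
        for src, g in groups.items()
    }

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

On the quoted snippet this shows a single source asking A and AAAA for one hostname with Recursion Desired never set, which is what a recursive resolver querying an authoritative name server looks like.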

Nothing exciting... just my latest pain.
