[188473] in North American Network Operators' Group


Re: ARIN down?

daemon@ATHENA.MIT.EDU (David Conrad)
Sat Mar 26 00:55:22 2016

X-Original-To: nanog@nanog.org
From: David Conrad <drc@virtualized.org>
In-Reply-To: <FDC44491-1A52-411C-8EE9-1BC8010640E8@beckman.org>
Date: Fri, 25 Mar 2016 21:46:20 -0700
To: Mel Beckman <mel@beckman.org>
Cc: "<nanog@nanog.org>" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


Yep, they're under another DDoS attack:

> Begin forwarded message:
>
> From: ARIN <info@arin.net>
> Subject: [arin-announce] ARIN DDoS Attack
> Date: March 25, 2016 at 1:31:34 PM PDT
> To: arin-announce@arin.net
>
> Starting at 3:55 PM EDT on Friday, 25 March, a DDoS attack began against ARIN. This was and continues to be a sustained attack against our provisioning services, email, and website. We initiated our DDoS mitigation plan and are in the process of mitigating various types of attack traffic patterns. All our other public-facing services (Whois, Whois-RWS, RDAP, DNS, IRR, and RPKI repository services) are not affected by this attack and are operating normally.
>
> We will announce an all clear 24 hours after the attacks have stopped.
>
> Regards,
>
> Mark Kosters
> Chief Technology Officer
> American Registry for Internet Numbers (ARIN)
> _______________________________________________


Regards,
-drc

> On Mar 25, 2016, at 9:43 PM, Mel Beckman <mel@beckman.org> wrote:
>
> I haven’t been able to connect to http://arin.net for several hours, but was able to open a ticket this morning. I’ve tried from several different networks, all roads seem to lead to the same place, with packets dropping at the NTT interface 129.250.196.154. e.g.:
>
> $ traceroute arin.net
> traceroute: Warning: arin.net has multiple addresses; using 199.43.0.44
> traceroute to arin.net (199.43.0.44), 64 hops max, 52 byte packets
> 1  l100.lsanca-vfttp-106.verizon-gni.net (98.112.74.1)  5.992 ms  4.865 ms  4.943 ms
> 2  172.102.106.24 (172.102.106.24)  9.962 ms  9.723 ms  12.242 ms
> 3  ae2-0.lax01-bb-rtr2.verizon-gni.net (130.81.22.238)  29.982 ms *
>    so-4-1-0-0.lax01-bb-rtr2.verizon-gni.net (130.81.151.248)  9.428 ms
> 4  0.ae6.br1.lax15.alter.net (140.222.225.137)  9.806 ms * *
> 5  ae-7.r01.lsanca20.us.bb.gin.ntt.net (129.250.8.85)  10.409 ms
>    0.ae6.br1.lax15.alter.net (140.222.225.137)  19.783 ms  9.757 ms
> 6  ae-7.r01.lsanca20.us.bb.gin.ntt.net (129.250.8.85)  10.292 ms  9.357 ms  12.291 ms
> 7  ae-17.r01.lsanca07.us.bb.gin.ntt.net (129.250.4.207)  22.541 ms
>    ge-101-0-0-3.r06.asbnva02.us.bb.gin.ntt.net (129.250.196.153)  72.412 ms
>    ae-17.r01.lsanca07.us.bb.gin.ntt.net (129.250.4.207)  22.167 ms
> 8  ge-101-0-0-3.r06.asbnva02.us.bb.gin.ntt.net (129.250.196.153)  72.510 ms  74.590 ms  72.258 ms
> 9  ge-101-0-0-3.r06.asbnva02.us.ce.gin.ntt.net (129.250.196.154)  69.960 ms *  70.930 ms
> 10  * * *
> 11  * * *
>
> $ traceroute www.arin.net
> traceroute: Warning: www.arin.net has multiple addresses; using 199.43.0.43
> traceroute to www.arin.net (199.43.0.43), 64 hops max, 40 byte packets
> 1  router1.sb.becknet.com (206.83.0.1)  1.010 ms  0.420 ms  0.536 ms
> 2  206-190-77-9.static.twtelecom.net (206.190.77.9)  3.983 ms  0.732 ms  0.686 ms
> 3  64-129-238-182.static.twtelecom.net (64.129.238.182)  2.760 ms lax2-pr2-xe-1-3-0-0.us.twtelecom.net (66.192.241.218)  2.816 ms 64-129-238-186.static.twtelecom.net (64.129.238.186)  18.203 ms
> 4  4.68.71.137 (4.68.71.137)  3.245 ms  2.877 ms  2.889 ms
> 5  * * *
> 6  ae-28.r00.lsanca07.us.bb.gin.ntt.net (129.250.9.93)  3.731 ms  3.483 ms  3.850 ms
> 7  ae-3.r01.lsanca07.us.bb.gin.ntt.net (129.250.5.29)  3.517 ms  3.433 ms  3.458 ms
> 8  ge-101-0-0-3.r06.asbnva02.us.bb.gin.ntt.net (129.250.196.153)  69.503 ms  68.021 ms  68.072 ms
> 9  ge-101-0-0-3.r06.asbnva02.us.ce.gin.ntt.net (129.250.196.154)  67.075 ms  67.102 ms  67.122 ms
> 10  * * *
> 11  * * *
>
> I recall ARIN had a DDoS attack a week or so ago. Does anybody know if this is a recurrence?
>
> -mel


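
Added example, not part of the original message: a small Python parser for traceroute output in the format quoted above, reporting the last hop that answered in each trace and how many vantage points end at the same address. The function names are illustrative, and the sample input is a trimmed copy of hops from the two quoted traces.

```python
import re
from collections import Counter

# Sample input: hops copied from the two traces quoted above, trimmed.
TRACE_A = """\
traceroute to arin.net (199.43.0.44), 64 hops max, 52 byte packets
 7  ae-17.r01.lsanca07.us.bb.gin.ntt.net (129.250.4.207)  22.541 ms
    ge-101-0-0-3.r06.asbnva02.us.bb.gin.ntt.net (129.250.196.153)  72.412 ms
    ae-17.r01.lsanca07.us.bb.gin.ntt.net (129.250.4.207)  22.167 ms
 9  ge-101-0-0-3.r06.asbnva02.us.ce.gin.ntt.net (129.250.196.154)  69.960 ms *  70.930 ms
10  * * *
"""
TRACE_B = """\
traceroute to www.arin.net (199.43.0.43), 64 hops max, 40 byte packets
 5  * * *
 9  ge-101-0-0-3.r06.asbnva02.us.ce.gin.ntt.net (129.250.196.154)  67.075 ms  67.102 ms  67.122 ms
10  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S.*)$")               # "<ttl>  <probe results>"
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")    # "(a.b.c.d)" after a hostname

def parse_hops(text):
    """Return {ttl: [responder IPs]}; continuation lines belong to the previous TTL."""
    hops, ttl = {}, None
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ttl, line = int(m.group(1)), m.group(2)
        if ttl is not None:  # skips the header lines before hop 1
            hops.setdefault(ttl, []).extend(ADDR_RE.findall(line))
    return hops

def last_responder(hops):
    """Highest TTL that drew any reply, with the address(es) that replied."""
    for ttl in sorted(hops, reverse=True):
        if hops[ttl]:
            return ttl, sorted(set(hops[ttl]))
    return None

def common_last_hop(traces):
    """Count how many vantage points end at each last-responding address."""
    ends = Counter()
    for text in traces:
        res = last_responder(parse_hops(text))
        if res:
            ends.update(res[1])
    return ends

if __name__ == "__main__":
    print(common_last_hop([TRACE_A, TRACE_B]).most_common())
```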
