People have been wondering about “all those DDOS attacks” we have been hit with and more importantly, what we were going to do about it.
We haven’t been idle over the past weeks although we have been quiet. One of my least favorite things is talking about security out loud, because I think making a statement such as “Hey everybody, we just upgraded our firewalls” invites attack from the script kiddies. But in light of the recent spate of attacks, and the fact that there were so many of them over a sustained period of weeks, we not only had to do something, we also have a responsibility to say something for the benefit of our members.
We’ve upgraded the main pipe into our core facilities at Q9, and without giving out blueprints, suffice it to say our bandwidth capacity has increased by a factor of 10. We’ve also replaced the firewalls with brand new firewall/attack mitigation appliances which can also handle more than 10 times as many packets as the old ones.
On another front, and perhaps more significant: we’ve replaced and redeployed all of the remote nameservers. Where before they were simply lease units supplied by their respective data centers, we bought new, more powerful servers and shipped them to Prolexic.com data centers. Prolexic has a solution called “Clean Pipe” and their core value proposition is: DOS attack mitigation. They didn’t exist in 2003 when the first “big one” hit but they do now and some of our members as well as the RCMP’s Integrated Technological Crime Unit recommended them highly.
One of the reasons we haven’t spoken in detail to this was that, given the frequency of attacks over September, we thought we would wait for another one to see how the new systems hold up.
Aside from an attack on remote3 after it had been moved to Prolexic, there hasn’t been another incident (yet), but we are happy to report that the attack on remote3 was handled by the Prolexic systems as advertised. The new remote3 was not affected by the DOS, and the attack was of greater intensity than previous ones, which had already knocked out the old remotes.
At this point I would go out on a limb to say that in a bad scenario where we may lose the web interface for a brief time under a very intense DOS, we will NOT lose DNS functionality again.
Thanks to all our members, you’ve shown great understanding, patience and loyalty through this intense (and horribly timed) period.