nanog mailing list archives

Re: XO blocking individual IP's


From: Leigh Porter <leigh.porter () ukbroadband com>
Date: Tue, 8 Nov 2011 08:52:38 +0000

So if you want to launch a DoS attack against a specific IP address you spoof TCP3389 SYNs to networks single homed to 
XO and they will null it for you.

-- 
Leigh


On 8 Nov 2011, at 04:36, "Blake T. Pfankuch" <blake () pfankuch me> wrote:

Oh yes!  Good lord I about went insane with this.  I was working with a customer single homed to cBeyond.  I spent 3 
hours on the phone with cBeyond to figure out what was going on, it looks like a broken route.  Come to find out it 
was an XO "security null".  The engineer on the phone from cBeyond said to me "Well, I have learned 2 things today.  
1, XO nulls for 'security purposes' at random.  2, I am no longer shocked by any ridiculous policy I will ever come 
across again."

In this case the majority of traffic was going from cBeyond to anywhere (via XO) and being eaten, however it was VERY tough 
to diagnose as all parties involved assumed this would not be occurring between source and destination without good 
public documentation or at least any record of this happening to someone else.  Also I guess we all assumed that 
major bandwidth players don't filter anything.

I personally think it's good on paper, but very bad in real life until there is a way to notify the end customer of the 
violation quickly.  This issue literally took 3 full weeks to figure out what was going on.  Yes this works great in 
a colo datacenter as you have the customer contact info (hopefully).  But in the case where my customer's provider was 
having the IP filtered by their transit it was hell to diagnose.  In my case the customer had a single infected 
machine that was making outbound connections on TCP3389 in the range of about 100 connections every 5 minutes and 
because of this was entirely being "security nulled".

Blake

-----Original Message-----
From: clayton () haydel org [mailto:clayton () haydel org] 
Sent: Monday, November 07, 2011 7:43 PM
To: nanog () nanog org
Subject: XO blocking individual IP's


I'm hoping someone has had the same experiences, and is further toward a resolution on this than I am. About 6 months 
ago, we noticed that XO was blackholing one specific IP out of a /24.  Traces to that IP stopped on XO's network, 
traces to anything else out of the block went through fine.
XO finally admitted that they had a new security system that identifies suspicious traffic and automatically blocks 
the IP for 30 minutes.  We had to get the IP in question "whitelisted" by their security guys.  The traffic was all 
legit, it was just on a high port # that they considered suspicious.

There have been several more cases like this, and XO has not been forthcoming with information. We're either looking to be 
exempted from this filtering or at least get a detailed description of how the system works.  I'm not sure how they 
think this is acceptable from a major transit provider.
Anybody else had similar problems?


Clayton Haydel
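Added example, not part of the thread or of any XO or cBeyond tooling: Blake's infected machine was only noticed after the upstream "security null" had already hit, three weeks later. A network operator who keeps flow records can spot that pattern locally, roughly 100 new outbound TCP/3389 connections in a 5-minute window from one source, before a transit provider reacts to it. The flow records, host addresses, and the 100-per-5-minutes threshold below are constructed for illustration; the only figures taken from the thread are the port and the rate Blake quotes.

```python
"""
Added example (not from the NANOG thread): flag hosts whose outbound RDP
(TCP/3389) connection rate resembles the behaviour described above, about
100 new connections per 5 minutes, so the operator can find the infected
machine before an upstream "security null" does.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WATCH_PORT = 3389                # destination port under scrutiny (from the thread)
WINDOW = timedelta(minutes=5)    # sliding window, matching the "every 5 minutes" figure
THRESHOLD = 100                  # connections per window worth an alert (assumed value)


def build_sample_flows():
    """Constructed flow records as (timestamp, src, dst, proto, dport) tuples.

    Not real data: 10.0.0.23 sweeps a remote /24 on TCP/3389 (120 SYNs in
    four minutes), admin host 10.0.0.5 opens three legitimate RDP sessions
    ten minutes apart, and 10.0.0.9 only talks HTTPS.
    """
    base = datetime(2011, 11, 7, 19, 0, 0)
    flows = []
    for i in range(120):
        flows.append((base + timedelta(seconds=2 * i),
                      "10.0.0.23", f"198.51.100.{i % 254 + 1}", "tcp", WATCH_PORT))
    for i in range(3):
        flows.append((base + timedelta(minutes=10 * i),
                      "10.0.0.5", "203.0.113.10", "tcp", WATCH_PORT))
    for i in range(200):
        flows.append((base + timedelta(seconds=i),
                      "10.0.0.9", "203.0.113.20", "tcp", 443))
    return flows


def peak_rate_per_source(flows, port=WATCH_PORT, window=WINDOW):
    """Return {src: max number of new TCP connections to `port` seen in any
    half-open window of length `window`}.  Sources with no matching flows
    are absent from the result."""
    by_src = defaultdict(list)
    for ts, src, _dst, proto, dport in flows:
        if proto == "tcp" and dport == port:
            by_src[src].append(ts)

    peaks = {}
    for src, times in by_src.items():
        times.sort()
        left, best = 0, 0
        # Two-pointer sliding window over the sorted timestamps.
        for right, ts in enumerate(times):
            while ts - times[left] >= window:
                left += 1
            best = max(best, right - left + 1)
        peaks[src] = best
    return peaks


def flag_noisy_sources(flows, threshold=THRESHOLD, **kw):
    """Sources whose peak windowed connection rate reaches `threshold`."""
    return {src: n for src, n in peak_rate_per_source(flows, **kw).items()
            if n >= threshold}


if __name__ == "__main__":
    for src, n in flag_noisy_sources(build_sample_flows()).items():
        print(f"{src}: {n} outbound TCP/{WATCH_PORT} connections within {WINDOW}")
```

The sliding window rather than fixed 5-minute buckets matters: a burst that straddles a bucket boundary would otherwise be split in two and slip under the threshold. Feeding real NetFlow or firewall connection logs into the same shape of tuple is the only change needed to run this against production data.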




______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________


