Re: ARIN down?

[Mel Beckman <mel () beckman org>]

William,

How did you determine that ARIN is accessible for “most of the rest of the Internet”?

I’ve tried accessing the web site from nine different networks: Cox, Comcast, Level3, Verizon, AT&T, CenturyLink, 
Frontier, Sprint and Cogent. None of them can reach it. I’ve used non-firewalled network monitors, as well as NAT’d 
devices. The DDoS attack seems to be blocking access from a large subset of U.S. ISPs. I am an ISP and we follow 
standard anti-IP spoofing practices, so at least my networks aren’t DDOS spoof sources.

 -mel

> On Mar 25, 2016, at 10:09 PM, William Herrin <bill () herrin us> wrote:
>
> On Sat, Mar 26, 2016 at 12:51 AM, Mel Beckman <mel () beckman org> wrote:
> > You’d think with all the money they collect, they’d have permanent DDOS mitigation in place. Time for them to call 
> > BlackLotus :)
>
> Hi Mel,
>
> They do. www.arin.net is accessible for me and most of the rest of the
> Internet. Your traceroute didn't work because the UDP to random ports
> that traceroute generates is likely among the packets the DDOS
> mitigator filters out.
>
> If you can't get to the web page with a browser, some things to consider:
>
> 1. Are you behind a NAT with anybody else? Anybody who might, say, be
> unknowingly participating in a botnet?
>
> 2. How good a job does your ISP do scrubbing spoofed source addresses
> originated by its clients?
>
> Regards,
> Bill Herrin
>
> -- 
> William Herrin ................ herrin () dirtside com  bill () herrin us
> Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>




> On Mar 25, 2016, at 10:08 PM, Mel Beckman <mel () beckman org> wrote:
>
> I’m sure we all sympathize with the workload a DDOS attack imposes, as most of us have been there. But I can’t 
> understand why there is so little broadcast communication of the attack through multiple channels. 
> lists.arin.net<http://lists.arin.net> is rather esoteric. Facebook and Twitter are obvious alternative channels that 
> are hard to attack, yet both are silent on the subject:
>
> https://www.facebook.com/TeamARIN/
> https://twitter.com/teamarin
>
> Google shows only four hits for “arin dos attack march 25 2016”, and those are only fragments of the 
> lists.arin.net<http://lists.arin.net> announcement, all of which dead end at arin.net<http://arin.net> right now.
>
> It’s creepy that a major chunk of Internet infrastructure can be down for so long with so little public notice.
>
> -mel
>
> On Mar 25, 2016, at 9:57 PM, Bill Woodcock <woody () pch net<mailto:woody () pch net>> wrote:
>
>
> On Mar 25, 2016, at 9:43 PM, Mel Beckman <mel () beckman org<mailto:mel () beckman org>> wrote:
>
> I haven’t been able to connect to http://arin.net for several hours
> I recall ARIN had a DDoS attack a week or so ago. Does anybody know if this is a recurrence?
>
> Yes, it is.  I attach Mark’s notice about it from this afternoon.
>
>                               -Bill
>
>
>
> Begin forwarded message:
>
> From: ARIN <info () arin net<mailto:info () arin net>>
> Subject: [arin-announce] ARIN DDoS Attack
> Date: March 25, 2016 at 1:31:34 PM PDT
> To: arin-announce () arin net<mailto:arin-announce () arin net>
>
> Starting at 3:55 PM EDT on Friday, 25 March, a DDoS attack began against ARIN. This was and continues to be a 
> sustained attack against our provisioning services, email, and website. We initiated our DDoS mitigation plan and are 
> in the process of mitigating various types of attack traffic patterns. All our other public-facing services (Whois, 
> Whois-RWS, RDAP, DNS, IRR, and RPKI repository services) are not affected by this attack and are operating normally.
>
> We will announce an all clear 24 hours after the attacks have stopped.
>
> Regards,
>
> Mark Kosters
> Chief Technology Officer
> American Registry for Internet Numbers (ARIN)