# No Good Deed Goes Unrewarded: ColoCrossing Boots the Booters / DDoS



## drmike (Feb 23, 2015)

Not my typical schtick, but times are changing and I give out brownie points for good behavior when I think folks deserve it.

This comes to us from the shadowy underside of the net, one of those black background, hack oriented communities.



> So, ColoCrossing is the most commonly used server provider that allows IP spoofing, meaning you can amplify the attack to a much higher power.
> 
> 
> 
> ...


That was as of a few days ago.

HackForums has a related thread about this:

http://webcache.googleusercontent.com/search?q=cache:CIRHZUcbCoUJ:http://www.hackforums.net/archive/index.php/thread-4692889-1.html+&cd=2&hl=en&ct=clnk&gl=us

In the HF thread it talks a bit more about it.

What ColoCrossing did is put a rate limiting cap in place. If a server on CC's network hits 500Mbit for over 10 minutes, it gets rate limited to 100Mbit for the next 48 hours.

Why does this matter to DDoS / stresser folks? 1/10th of their pipe speed with that.

So I applaud CC on being creative here and dealing a blow to the web stressers / DDoS attackers / etc.

Still should deal with the BGP standard circa 2000 that does away with spoofing. I hear they claim enabling such causes other stuff to get dropped in their network. Wondering what is up with that and if this inability to BGP smack the problem out isn't a lack of a proper BGP router still. But that's above my pay scale. Ideally some BGP person can comment.

Big applause to CC for reining in abuse a bit. Let's see more of this.


----------



## DomainBop (Feb 23, 2015)

> I give out brownie points for good behavior when I think folks deserve it.


The CC lowlifes don't deserve any brownie points for good behavior.  Booters are just a small part of the problems coming from their network.  Based on the recent increase in complaints on WHT about brute force attacks, comment spammers, and hack attempts coming from CC's IP ranges they aren't making a sincere effort to clean up their IP ranges and  Spamhaus, CleanTalk, and SenderBase (they are once again the top network for SPAM on SenderBase today) confirm that their network is still a top source of crap.

At this point I won't even do business with any provider who puts any money in little Jonny Biloh's pocket, even if only one of the provider's 10 locations is in a CC location. The attacks coming from that network cost other businesses a significant chunk of money to deal with and I see no reason in doing business with any provider who doesn't think twice about associating with a company like CC that makes a significant amount of its income from renting to criminals.

TL;DR: f**k 'em, they're still a menace to society


----------



## rds100 (Feb 23, 2015)

It's not BGP, it's BCP38 (Best Current Practice) - published in May 2000.

https://tools.ietf.org/html/bcp38


----------



## drmike (Feb 23, 2015)

DomainBop said:


> The CC lowlifes don't deserve any brownie points for good behavior.  Booters are just a small part of the problems coming from their network.  Based on the increase in complaints on WHT about brute force attacks, comment spammers, and hack attempts coming from CC's IP ranges they aren't making a sincere effort to clean up their IP ranges and  Spamhaus, CleanTalk, and SenderBase (they are once again the top network for SPAM on SenderBase today) confirm that their network is still a top source of crap.
> 
> At this point I won't even do business with any provider who puts any money in little Jonny Biloh's pocket, even if only one of the provider's 10 locations is in a CC location. The attacks coming from that network cost other businesses a significant chunk of money to deal with and I see no reason in doing business with any provider who doesn't think twice about associating with a company like CC that makes a significant amount of its income from renting to criminals.
> 
> TL;DR: f**k 'em, they're still a menace to society


We need a package @DomainBop - pull all their bad network stuff in one place. Little shrine with memory.

The booters are unknown in size, but not small. Makes me wonder what the hark is going on and how it went unnoticed, and if noticed, how that consumption of bandwidth was justified under low pricing. Attack stuff like that is noisy. Had to be blasting out the network, dropping performance, clogging things. Probably why a few weeks back there was no throughput in Buffalo.

I still have boots with their logo on the bottom. STOMP.

But, this clamping down, interesting in a multitude of ways.


----------



## drmike (Feb 23, 2015)

rds100 said:


> It's not BGP, it's BCP38 (Best Current Practice) - published in May 2000.
> 
> https://tools.ietf.org/html/bcp38


That's blindness on my part.

BCP38 it is.  Appreciated.

Now where, normally, is BCP38 enabled these days / a feature one enables?


----------



## rds100 (Feb 23, 2015)

It's better to do it at the access layer, i.e. put every dedicated server customer on a separate VLAN and filter all his packets by source IPs. Unfortunately even some pretty large providers run big flat L2 networks with everyone in the same LAN, not isolated by VLANs. And some don't bother to do any source filtering.


----------



## Wintereise (Feb 23, 2015)

It's the same thing as reverse path filtering, and no -- it's not much of a knob.

Most effective when applied between PE <-> CE topologies, i.e: in the access layer.


----------
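
The access-layer source filtering rds100 describes, and the strict reverse path check Wintereise equates it with, as an added example that is not part of the thread or any provider's configuration. It models an access router's routing table in Python, applies strict uRPF and a per-port BCP38 ingress filter to constructed packets, and contrasts the isolated-VLAN design with the flat L2 design rds100 warns about. VLAN names, prefix assignments and packets are constructed; addresses are from the RFC 5737 documentation ranges.

```python
"""Source-address validation at the access layer (BCP38) and strict unicast
reverse path forwarding (uRPF), modelled on a small routing table.
Constructed example: interface names, prefix assignments and packets are
invented for illustration; addresses are RFC 5737 documentation ranges."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Isolated design: each dedicated-server customer on its own VLAN with its own /29.
ISOLATED_TABLE: Dict[Net, str] = {
    Net("192.0.2.0/29"): "vlan101",   # customer A (constructed)
    Net("192.0.2.8/29"): "vlan102",   # customer B (constructed)
    Net("0.0.0.0/0"):    "uplink",    # everything else is beyond the uplink
}

# Flat L2 design: A and B share one VLAN, so the router cannot tell them apart.
FLAT_TABLE: Dict[Net, str] = {
    Net("192.0.2.0/28"): "vlan1",
    Net("0.0.0.0/0"):    "uplink",
}


def longest_match(table: Dict[Net, str], addr: Addr) -> Optional[str]:
    """Interface of the most specific route covering addr (None if unrouted)."""
    best: Optional[Tuple[Net, str]] = None
    for net, iface in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_urpf(table: Dict[Net, str], in_iface: str, src: str) -> bool:
    """Strict uRPF: accept only if the best route back to src leaves through
    the interface the packet arrived on."""
    return longest_match(table, Addr(src)) == in_iface


def ingress_acl(table: Dict[Net, str], in_iface: str, src: str) -> bool:
    """BCP38 ingress filter on a customer port, derived from the same table:
    the prefixes assigned to in_iface must cover src.  The uplink carries the
    whole Internet and is left to its own policy here."""
    if in_iface == "uplink":
        return True
    return any(Addr(src) in net for net, iface in table.items()
               if iface == in_iface and net.prefixlen > 0)


def filter_packets(table: Dict[Net, str],
                   packets: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Run strict uRPF over (in_iface, src) pairs and tag each with its verdict."""
    return [(iface, src, strict_urpf(table, iface, src)) for iface, src in packets]


# Constructed packets as seen by the access router.
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("vlan101", "192.0.2.1"),     # A's own address: legitimate
    ("vlan101", "192.0.2.9"),     # A using neighbour B's address
    ("vlan101", "198.51.100.7"),  # A using a foreign source address
    ("uplink",  "198.51.100.7"),  # foreign source arriving from the Internet: fine
    ("uplink",  "192.0.2.1"),     # our own space arriving from outside: forged
]

if __name__ == "__main__":
    for iface, src, ok in filter_packets(ISOLATED_TABLE, SAMPLE_PACKETS):
        print(f"{iface:8} {src:16} {'accept' if ok else 'drop'}")
    # With the flat table, A using B's address is indistinguishable from B itself.
    print("flat L2, vlan1, 192.0.2.9:", strict_urpf(FLAT_TABLE, "vlan1", "192.0.2.9"))
```

On a customer port the two checks agree, which is Wintereise's point that this is "the same thing as reverse path filtering": the ACL lists the prefixes and uRPF looks them up. The flat table shows why a shared LAN weakens the check: foreign sources are still dropped, but one tenant can use a neighbour's address and the router has no way to tell.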



## zomgmike (Feb 23, 2015)

This is a good first step.


----------



## Steven F (Feb 23, 2015)

I'd be interested in hearing how this affects normal clients who push a lot of bandwidth intermittently.


----------



## WSWD (Feb 23, 2015)

Steven F said:


> I'd be interested in hearing how this affects normal clients who push a lot of bandwidth intermittently.


Don't think they have all that many normal clients...


----------



## PortCTL (Feb 23, 2015)

I see that rate limiting is working so well, that's why one of my servers is still offline and under a constant DDoS attack originating from ColoCrossing network. Even after reporting it to them, no response.

Such a shame.


----------



## drmike (Feb 23, 2015)

PortCTL said:


> I see that rate limiting is working so well, that's why one of my servers is still offline and under a constant DDoS attack originating from ColoCrossing network. Even after reporting it to them, no response.
> 
> Such a shame.


Your server is elsewhere, right? Not also on the ColoCrossing network?

Single IP connecting - how big is that flow? Not seeing the rate limiting cap? Or does it seem to be 100Mbit's worth max?

If you can document the CC attack IPs and perhaps a dump or metrics of the packet rate flying, I'll punt it over to them.

I can't stand abuse like that which isn't handled / ignored like this.  That's unforgivable.


----------



## SaadIsmail (Feb 25, 2015)

That's weird, they capped everyone instead of dumping those booters & having some monitors.
It's time to look for another home for the KVM node now -_-


----------



## drmike (Feb 25, 2015)

SaadIsmail said:


> That's weird, they capped everyone instead of dumping those booters & having some monitors. It's time to look for another home for the KVM node now -_-


Has your server / your customers hit such limit and received the throughput limitation for 48 hours?

I can see this cap being very bad especially for VPS companies.


----------



## AnthonySmith (Feb 26, 2015)

It's good that something is being done, but I honestly do not understand the approach. I understand they don't want to hurt resellers by crippling 100s of customers at a time by dropping a server, but you would think it would be more along the lines of 1+ hour drop to 100mbit, +2 hours 50mbit, +5 hours 10mbit, +24 hours null route.


----------
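
The cap drmike reports (over 500Mbit for 10 minutes brings 100Mbit for 48 hours) and the escalating ladder AnthonySmith proposes instead, as an added example that is not part of the thread or of any provider's actual implementation. The Python below models both as a small policy engine fed with per-minute samples of a server's offered load, so a reader can see how a bursty legitimate client (Steven F's concern) fares against a sustained one. The numbers for the CC policy come from the thread; the ladder reads AnthonySmith's "+N hours" as cumulative hours of continued overage, which is an assumption, as is measuring offered load ahead of the policer.

```python
"""Model of a per-server egress rate-limit policy: sustained offered load above
a threshold triggers a cap that stays in force for a fixed penalty period.
Constructed example.  CC_POLICY uses the figures reported in the thread; the
ladder is one reading of AnthonySmith's proposal (assumption, not an
operator's published policy)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNLIMITED = float("inf")   # no cap in force
NULL_ROUTE = 0.0           # all traffic dropped


@dataclass(frozen=True)
class Tier:
    sustained_s: int    # seconds of continuous overage before this tier applies
    cap_mbps: float     # cap imposed once it applies (NULL_ROUTE = drop)


@dataclass(frozen=True)
class Policy:
    threshold_mbps: float
    tiers: Tuple[Tier, ...]   # ascending by sustained_s
    penalty_s: int            # how long a cap stays in force once applied


# As reported: above 500 Mbit/s for 10 minutes -> 100 Mbit/s for 48 hours.
CC_POLICY = Policy(500.0, (Tier(10 * 60, 100.0),), 48 * 3600)

# One reading of the proposed ladder: "+N hours" taken as cumulative hours of
# continued overage (assumption).  The 48 h penalty is also assumed.
LADDER_POLICY = Policy(
    500.0,
    (Tier(1 * 3600, 100.0), Tier(3 * 3600, 50.0),
     Tier(8 * 3600, 10.0), Tier(32 * 3600, NULL_ROUTE)),
    48 * 3600,
)


@dataclass
class PortState:
    over_since: Optional[float] = None   # start of the current continuous overage
    cap_mbps: float = UNLIMITED          # cap currently in force
    cap_until: float = 0.0               # when that cap expires


def step(policy: Policy, state: PortState, t: float, offered_mbps: float) -> float:
    """Apply one sample of offered load (measured ahead of the policer, so a
    capped customer that keeps pushing still counts as over) and return the
    cap in force at time t."""
    if state.cap_mbps != UNLIMITED and t >= state.cap_until:
        state.cap_mbps = UNLIMITED            # penalty period is over
    if offered_mbps > policy.threshold_mbps:
        if state.over_since is None:
            state.over_since = t
        overage = t - state.over_since
        for tier in policy.tiers:
            # Tighten only; a lower tier never loosens a stricter cap already set.
            if overage >= tier.sustained_s and tier.cap_mbps < state.cap_mbps:
                state.cap_mbps = tier.cap_mbps
                state.cap_until = t + policy.penalty_s
    else:
        state.over_since = None               # overage must be continuous
    return state.cap_mbps


def simulate(policy: Policy, samples: List[Tuple[float, float]]) -> List[float]:
    """Caps in force after each (t_seconds, offered_mbps) sample, in order."""
    state = PortState()
    return [step(policy, state, t, mbps) for t, mbps in samples]


def minute_samples(mbps: float, start_min: int, n_min: int) -> List[Tuple[float, float]]:
    """Constructed per-minute samples at a constant offered load."""
    return [(60.0 * m, mbps) for m in range(start_min, start_min + n_min)]


if __name__ == "__main__":
    # Bursty client: 5 minutes at 600 Mbit/s, then quiet.  Never capped.
    bursty = simulate(CC_POLICY, minute_samples(600.0, 0, 5) + minute_samples(50.0, 5, 10))
    # Sustained: 12 minutes at 600 Mbit/s.  Capped from the 10-minute mark.
    sustained = simulate(CC_POLICY, minute_samples(600.0, 0, 12))
    print("bursty caps:   ", bursty)
    print("sustained caps:", sustained)
```

The two scenarios make the trade-off in the thread concrete: the 10-minute window leaves a client that pushes hard for a few minutes alone, while a server still over the threshold at minute ten is held to 100Mbit for the full 48 hours even if it goes quiet a minute later. The ladder variant keeps tightening only while the overage continues, which is the behaviour AnthonySmith argues for.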



## PortCTL (Feb 26, 2015)

drmike said:


> Your server is elsewhere, right? Not also on the ColoCrossing network?
> 
> Single IP connecting - how big is that flow? Not seeing the rate limiting cap? Or does it seem to be 100Mbit's worth max?
> 
> ...


It's quite annoying. I know who's doing the attacks; they've been attempting to blackmail me to stop. I had to open the piggy bank and throw the website under Voxility protection; now the attacks don't even cause lag/timeouts.


----------



## drmike (Feb 26, 2015)

AnthonySmith said:


> It's good that something is being done, but I honestly do not understand the approach. I understand they don't want to hurt resellers by crippling 100s of customers at a time by dropping a server, but you would think it would be more along the lines of 1+ hour drop to 100mbit, +2 hours 50mbit, +5 hours 10mbit, +24 hours null route.


Right there with you Anthony. I am thinking they have limited tools / options to work with.

I sure feel for the resellers and VPS folks.... I am expecting they can opt folks out of such. Which then will have me wondering if the good-paying stressers are paid opt-outs too.

Then again, probably half the hosting space still wants to hand you 100 speed for gear... So maybe it just takes that sales point away from them, sort of. Or maybe it will be like this: buy from our bargain line (HVH and thereunder or CVPS and thereunder) and you are subject to the limits. But buy direct from CC and you aren't.

This approach seems like a lot of overhead.


----------



## SaadIsmail (Feb 26, 2015)

drmike said:


> Has your server / your customers hit such limit and received the throughput limitation for 48 hours?
> 
> I can see this cap being very bad especially for VPS companies.


First of all, I don't have customers.

Those are just my personal boxes where I do some experiments & learn new things in my free time. Haven't hit the limit yet, as I can grab CacheFly's test at ~50MB/s. And yes, VPS companies will move instantly for sure.


----------

