DoS attacks, sorry

I'd love to be able to blog in detail about denial of service attacks, what works, what does not, what we can or cannot do, but it would be mad to do so.

Suffice to say that anyone who wants to, and has a few bitcoins to spare (or fractions thereof), can engage one of the many botnets that exist and DoS the hell out of almost anyone, no matter how big.

It is unusual for an ISP to actually be the target, so much so that we did not cope well at all. We have all been working hard all day, and we all feel knackered. This attacker has caused the problems he wanted to cause, he has upset customers, and disrupted an ISP. Whack-a-mole does not really explain today adequately.

A customer had even ordered pizza for the staff, which is appreciated.

We still have much work to do even if the attack has now stopped, and we hope it has. Not only undoing loads of temporary hacks that cause their own issues, but planning for how to handle things better in future.

At the end of the day we are a small ISP and we try to do a good job for our customers. It is a shame when we cannot do that, and if anything we, or I, did upset anyone I am sincerely sorry for that. We also appreciate that it may have been something a customer has done to upset someone.

And, of course, I am sorry that our customers have suffered.

P.S. Increasingly looks like "not me" but a customer pissed someone off. I have had words!


  1. As a customer, thanks for your efforts; we've all been in hideous situations, but I've never been a knowing victim of deliberate targeting.

    As a techie, I'd *love* to know how you mitigate such attacks, but understand your silence. It would be interesting to hear any post-mortem details you can share, however.

    Tell the techies their customers say "thanks".

  2. I assume from that comment this was targeted at yourselves only then rather than being a wider issue on the internet that you got caught up in; do you even have any idea who you have upset or why?

  3. Definitely don't reveal your security tactics.

    I have many clients with lines at AAISP and although I received perhaps 100+ outage alerts I did not receive a single client call. Which is good as I had to drive near 300 miles today whilst providing a full day of support to all clients.

    It's also relevant that I was not at home so my home-office outages didn't affect me, plus many of my client AAISP lines are secondary lines, not primary lines so, assuming the primary stayed alive, the outage on the secondary was invisible to the client.

    Your openness and transparency is a credit to the industry.

    Don't ever change your approach.

  4. Perhaps this DDoS attack is linked to your recent blog post on time limits for bringing sexual abuse claims. Some people get very emotional about such topics.

    1. I had not even considered that as the cause. Far better to comment on the blog if people want to change my views.

    2. If I remember rightly, the last time you had a DOS attack was just after you wrote a series of blog entries criticising attempts to outlaw encryption. And now a DOS attack just after you criticised something else that is deemed "politically correct". Curious coincidence.

  5. I think it's worth you correlating blog posts against DDOS attacks which start in the few days immediately after. I've just looked up your blog posts from the period immediately before your DDOS attack of November 2015. It seems a little strange.

  6. My server was DOS attacked at night once. AAISP coped admirably, by the time I even noticed the next morning it was all over. Admittedly that was an attack on just my IP address and as Adrian says that sort of thing is a lot easier for an ISP to handle.

    To this day I have absolutely no idea why I was attacked, it's not even a particularly publicly visible server (no web site will give you a link to it). My best guess is either a disgruntled user that knows me, or it was completely random "let's pick an IP address to attack" or an accident.

  7. Hmm, it doesn't matter what a customer did to piss someone off, a DDOS attack on their ISP or even just that customer is not an appropriate response. Why can't these people just grow up and behave like adults?

  8. Would love to know if the old webscreen engine inside junipers these days was used at all. Used to find the dynamic filtering and hot listing very useful on the original appliance. The latter particularly useful for passing on to your transit providers for bgp and packet filtering upstream.

  9. I am more interested in knowing what your customer said or did to "piss someone off".

  10. Sometimes the reason can be really stupid.

    I am a founder of an irc network, and back in the days when I was active there a DDOS attack from a rival network hit the press as at the time it was a huge attack, (tens of gigs over a decade ago).

    However a couple of years after the founder of that network was arrested by the FBI (and those attacks stopped), my ircd slave server was getting hit by attacks, we found after a few weeks it was being ddosed by a staff member of our own network "for fun", she enjoyed watching my reaction and the fallout, nevertheless she was kicked off, but it was not financial or commercial it was purely to get a kick out of it.

    You would think by now that these attacks can be detected early on in their path and never even reach the destination at all, but it seems there is not enough effort made by transit providers to put a stop to it so they continue.

