An update from Linode about the recent DDoS attacks

143 points by alexforster, over 9 years ago

17 comments

silverlight, over 9 years ago
Glad to hear something official on this...5 or 6 days is way too long to go without something more than "We're working on it" and some light details. I understand that it's likely an all-hands-on-deck hair-on-fire situation over there, but those of us who rely on Linode for our own businesses have been largely left in the dark.

When our customers are emailing and tweeting us and they just want to know when we are going to be up, and all we can say is "We have no idea, we don't know why this is happening or what's really going on", that's pretty much the definition of a worst case scenario from a customer service standpoint.

As someone whose business relies on Linode currently to function, I am sympathetic to Linode's plight...this is the equivalent of someone coming and setting off a bomb in your factory; not exactly something that you can always plan for even if you have prevention measures in place. But they would have kept a lot more of my sympathy long-term if they would have communicated better with their customers in the first place...

EDIT: And it looks like the attackers decided to start things back up again, as Linode.com is unavailable...

alexandrerond, over 9 years ago
I can't believe people are criticising Linode:

1 - Attack mitigation was mostly successful. As I thought and they have confirmed, the attack vectors evolved continuously.

2 - They had to deal with this over Xmas. Anyone familiar with such a job knows what this means in terms of human resources, knowledge distribution, organization of technical response and communication with 3rd parties.

3 - Linode is not Nagios. If you don't monitor your own infrastructure don't expect Linode to SMS you because your site might be down. Linode resources were focused on fighting the DDoS, as they should, and provided regular updates through their status site, as is expected. Everything else is nice-to-have, but not a must-have.

4 - In line with what others said, I had 7 hours downtime in my London VPS. That is an uptime of 96% in the last 7 days. Considering restless DDoS ongoing over holidays, I'd say that is pretty good.

I'm sorry, but what happens to Linode sucks, but it is an eventuality anyone with assets depending on this service should have counted with, because it can happen everywhere. Cannot blame Linode if your HA strategy does not exist, or you never thought of a way to gracefully fail over to a second provider if your business depends on >96% availability.

rebootthesystem, over 9 years ago
My message to the attackers (in case they happen to read HN):

Fuck you. I will continue to be a Linode customer. Not sure what your goals might be but you will not succeed.

Frankly, and I am going to be politically incorrect here, these are the kinds of cases where I wish there was a "special forces" kind of task force to hunt down these pieces of shit and put them out of their misery.

This amounts to financial terrorism of the worst kind. It affects small and large companies and creates untold losses across the board. It is entirely unproductive. The world would be a better place if the pieces of shit who engage in this sort of financial terrorism simply didn't exist.

Happy New Year.

Linode folks: I'm renting another server next week. Don't need it. Just want to support your effort and, in a tiny way, help mitigate losses. I might just give it to the kids in the robotic team I mentor so they can play around in a real server environment.

atom_enger, over 9 years ago
Thanks for the update and the hard work. You all work a job that requires a lot of sweat and tears that goes unappreciated from many levels of our society. Making the internet work is hard work.

Know that you're in good company here and that we're rooting for you.

jafingi, over 9 years ago
My London Linodes' stats from the past 7 days: 40 outages. 6h25m downtime.

What upsets me the most is that customers haven't heard a single word from Linode. If you weren't watching their status page (and have server monitoring on your servers), you'd be clueless.

The least they could do is to email affected customers about what's happening, and the time frame they need to fix it.

But one week of continuous issues is just not good enough.

scurvy, over 9 years ago
1) Why in the world are you exposing your router control planes to the outside world? That should be ACL'd off (in stateless firewall rules and routing engine) to only allow access from a few IP's.

2) Your transit providers should be defending their infrastructure. I've never seen a transit provider allow an attacker to take out their /30 serials or IX addresses. This is their network after all. If attackers try to hit the serial between customer and provider, you just readdress the serial to RFC1918 space. You don't really need a routable address there other than to make traceroutes easy to read. If they attack farther upstream in the provider's network, you just add ACL's at the provider edge. Nothing external will ever need to reach a provider's core. This is basic, basic stuff.

Next time, don't only run your network on house bandwidth (HE, TelX, etc). Or in other words, caveat emptor.

pbowyer, over 9 years ago
Link to original thread, which has been getting comments up until today: https://news.ycombinator.com/item?id=10806686

bm98, over 9 years ago
> a bad actor is purchasing large amounts of botnet capacity in an attempt to significantly damage Linode’s business.

I wonder what size investment this is taking, and what the end-game is for the bad actor. Unless Linode's mitigation tactics are increasing the bad actor's costs, what's to stop the bad actor from continuing the attacks until Linode goes out of business?

psxhacker, over 9 years ago
Greetings.

I know I might come late, but being one of your very satisfied Customers, and having experienced this type of issue multiple times with other providers that didn't even bother to even acknowledge that there was an issue, I can say that I will remain with you regardless.

Also to those saying "I have all my business running at Linode so this is unacceptable", I only say this: You get what you pay for, and for a VPS Service you won't find better than Linode, and if you have something critical running for YOUR Clients, then it is YOUR responsibility to ensure resiliency against this type of situation. Linode is a VPS provider after all, and the reason why you are making money out of someone who doesn't know enough to go to the VPS hoster themselves.

Good luck making a profitable business and milking your Customers running on AWS or AZURE. You'd be broke and in debt at the first DDOS and Over-Bandwidth charge from any of them.

I work at a service provider myself, and I understand what you guys had to deal with the last 10 days, and you have my full support.

switch007, over 9 years ago
I'm a bit surprised to see the update from someone who is not senior management/C-level (as far as I can tell). Where is the communication from the CEO/CTO?

It seems a bit unfair to have this fall on Alex's shoulders. I could be way off base, happy to be put right. I'm sorry to hear about your ruined holidays. Hopefully you'll get some time off soon :)

tunesmith, over 9 years ago
That's crazy... I have a linode box with several low-traffic websites on it, old projects I've wanted to keep around for archival purposes. I picked linode because I wanted root access and they were cheap but really just because I wasn't sure of better options. I suppose there is always t2.nano.

circuit_breaker, over 9 years ago
Linode has always been a great host. Sure they've had their growing pains but I've never been more happy with a virtual hosting provider, even their support. But yes, days without communication is not a good thing. Let's hope they learn from this.

vox_mollis, over 9 years ago
ISPs already spend plenty of money on DPI and HTTP injection gear. It would cost next to nothing to do basic egress filtering and detecting+throttling known compromised customers.

And yet, we still get DDoS attacks. Why?

danieltillett, over 9 years ago
I think the lesson here is don't rely on one supplier. I have my tiny infrastructure spread over three different suppliers in different geographical locations. Plan for the worst and hope for the best.

Edit. This is in no way a criticism of linode. The worst outcome is if we all end up with one monopoly supplier. I have deliberately avoided using the big player in this space as I want support diversity. This makes my job harder, but it is better for us all if we don't put all our eggs in the one basket.

rast-a, over 9 years ago
Out of curiosity: why is it so hard to track the real origin of DDoS attack, who's behind them and what they are after?

elinchrome, over 9 years ago
How do botnets still exist? Wasn't that a problem that should have gone away with Windows XP?

geuis, over 9 years ago
jsonip.com is hosted on Linode. It's been averaging roughly 6mb/s inbound for months, but in the last week it's been about 8.5. I'm not sure if the uptick has anything to do with the DDOS attacks or not.