William,

How did you determine that ARIN is accessible for “most of the rest of the 
Internet”?

I’ve tried accessing the web site from nine different networks: Cox, Comcast, 
Level3, Verizon, AT&T, CenturyLink, Frontier, Sprint and Cogent. None of them 
can reach it. I’ve used non-firewalled network monitors, as well as NAT’d 
devices. The DDoS attack seems to be blocking access from a large subset of 
U.S. ISPs. I am an ISP and we follow standard anti-IP spoofing practices, so at 
least my networks aren’t DDOS spoof sources.

 -mel

> On Mar 25, 2016, at 10:09 PM, William Herrin <b...@herrin.us> wrote:
> 
> On Sat, Mar 26, 2016 at 12:51 AM, Mel Beckman <m...@beckman.org> wrote:
>> You’d think with all the money they collect, they’d have permanent DDOS 
>> mitigation in place. Time for them to call BlackLotus :)
> 
> Hi Mel,
> 
> They do. www.arin.net is accessible for me and most of the rest of the
> Internet. Your traceroute didn't work because the UDP to random ports
> that traceroute generates is likely among the packets the DDOS
> mitigator filters out.
> 
> If you can't get to the web page with a browser, some things to consider:
> 
> 1. Are you behind a NAT with anybody else? Anybody who might, say, be
> unknowingly participating in a botnet?
> 
> 2. How good a job does your ISP do scrubbing spoofed source addresses
> originated by its clients?
> 
> Regards,
> Bill Herrin
> 
> -- 
> William Herrin ................ her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>




> On Mar 25, 2016, at 10:08 PM, Mel Beckman <m...@beckman.org> wrote:
> 
> I’m sure we all sympathize with the workload a DDOS attack imposes, as most 
> of us have been there. But I can’t understand why there is so little 
> broadcast communication of the attack through multiple channels. 
> lists.arin.net<http://lists.arin.net> is rather esoteric. Facebook and 
> Twitter are obvious alternative channels that are hard to attack, yet both 
> are silent on the subject:
> 
> https://www.facebook.com/TeamARIN/
> https://twitter.com/teamarin
> 
> Google shows only four hits for “arin dos attack march 25 2016”, and those 
> are only fragments of the lists.arin.net<http://lists.arin.net> announcement, 
> all of which dead end at arin.net<http://arin.net> right now.
> 
> It’s creepy that a major chunk of Internet infrastructure can be down for so 
> long with so little public notice.
> 
> -mel
> 
> On Mar 25, 2016, at 9:57 PM, Bill Woodcock 
> <wo...@pch.net<mailto:wo...@pch.net>> wrote:
> 
> 
> On Mar 25, 2016, at 9:43 PM, Mel Beckman 
> <m...@beckman.org<mailto:m...@beckman.org>> wrote:
> 
> I haven’t been able to connect to http://arin.net for several hours
> I recall ARIN had a DDoS attack a week or so ago. Does anybody know if this 
> is a recurrence?
> 
> Yes, it is.  I attach Mark’s notice about it from this afternoon.
> 
>                               -Bill
> 
> 
> 
> Begin forwarded message:
> 
> From: ARIN <i...@arin.net<mailto:i...@arin.net>>
> Subject: [arin-announce] ARIN DDoS Attack
> Date: March 25, 2016 at 1:31:34 PM PDT
> To: arin-annou...@arin.net<mailto:arin-annou...@arin.net>
> 
> Starting at 3:55 PM EDT on Friday, 25 March, a DDoS attack began against 
> ARIN. This was and continues to be a sustained attack against our 
> provisioning services, email, and website. We initiated our DDoS mitigation 
> plan and are in the process of mitigating various types of attack traffic 
> patterns. All our other public-facing services (Whois, Whois-RWS, RDAP, DNS, 
> IRR, and RPKI repository services) are not affected by this attack and are 
> operating normally.
> 
> We will announce an all clear 24 hours after the attacks have stopped.
> 
> Regards,
> 
> Mark Kosters
> Chief Technology Officer
> American Registry for Internet Numbers (ARIN)
> 

Reply via email to