ARIN down?

Mel Beckman mel at beckman.org
Sat Mar 26 05:26:11 UTC 2016


William,

How did you determine that ARIN is accessible for “most of the rest of the Internet”?

I’ve tried accessing the web site from nine different networks: Cox, Comcast, Level3, Verizon, AT&T, CenturyLink, Frontier, Sprint and Cogent. None of them can reach it. I’ve used non-firewalled network monitors, as well as NAT’d devices. The DDoS attack seems to be blocking access from a large subset of U.S. ISPs. I am an ISP and we follow standard anti-IP spoofing practices, so at least my networks aren’t DDOS spoof sources.

 -mel

> On Mar 25, 2016, at 10:09 PM, William Herrin <bill at herrin.us> wrote:
> 
> On Sat, Mar 26, 2016 at 12:51 AM, Mel Beckman <mel at beckman.org> wrote:
>> You’d think with all the money they collect, they’d have permanent DDOS mitigation in place. Time for them to call BlackLotus :)
> 
> Hi Mel,
> 
> They do. www.arin.net is accessible for me and most of the rest of the
> Internet. Your traceroute didn't work because the UDP to random ports
> that traceroute generates is likely among the packets the DDOS
> mitigator filters out.
> 
> If you can't get to the web page with a browser, some things to consider:
> 
> 1. Are you behind a NAT with anybody else? Anybody who might, say, be
> unknowingly participating in a botnet?
> 
> 2. How good a job does your ISP do scrubbing spoofed source addresses
> originated by its clients?
> 
> Regards,
> Bill Herrin
> 
> -- 
> William Herrin ................ herrin at dirtside.com  bill at herrin.us
> Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>




> On Mar 25, 2016, at 10:08 PM, Mel Beckman <mel at beckman.org> wrote:
> 
> I’m sure we all sympathize with the workload a DDOS attack imposes, as most of us have been there. But I can’t understand why there is so little broadcast communication of the attack through multiple channels. lists.arin.net<http://lists.arin.net> is rather esoteric. Facebook and Twitter are obvious alternative channels that are hard to attack, yet both are silent on the subject:
> 
> https://www.facebook.com/TeamARIN/
> https://twitter.com/teamarin
> 
> Google shows only four hits for “arin dos attack march 25 2016”, and those are only fragments of the lists.arin.net<http://lists.arin.net> announcement, all of which dead end at arin.net<http://arin.net> right now.
> 
> It’s creepy that a major chunk of Internet infrastructure can be down for so long with so little public notice.
> 
> -mel
> 
> On Mar 25, 2016, at 9:57 PM, Bill Woodcock <woody at pch.net<mailto:woody at pch.net>> wrote:
> 
> 
> On Mar 25, 2016, at 9:43 PM, Mel Beckman <mel at beckman.org<mailto:mel at beckman.org>> wrote:
> 
> I haven’t been able to connect to http://arin.net for several hours
> I recall ARIN had a DDoS attack a week or so ago. Does anybody know if this is a recurrence?
> 
> Yes, it is.  I attach Mark’s notice about it from this afternoon.
> 
>                               -Bill
> 
> 
> 
> Begin forwarded message:
> 
> From: ARIN <info at arin.net<mailto:info at arin.net>>
> Subject: [arin-announce] ARIN DDoS Attack
> Date: March 25, 2016 at 1:31:34 PM PDT
> To: arin-announce at arin.net<mailto:arin-announce at arin.net>
> 
> Starting at 3:55 PM EDT on Friday, 25 March, a DDoS attack began against ARIN. This was and continues to be a sustained attack against our provisioning services, email, and website. We initiated our DDoS mitigation plan and are in the process of mitigating various types of attack traffic patterns. All our other public-facing services (Whois, Whois-RWS, RDAP, DNS, IRR, and RPKI repository services) are not affected by this attack and are operating normally.
> 
> We will announce an all clear 24 hours after the attacks have stopped.
> 
> Regards,
> 
> Mark Kosters
> Chief Technology Officer
> American Registry for Internet Numbers (ARIN)
> 



More information about the NANOG mailing list