THR Outage right now

[Derek Zeanah]

Sorry folks, but THR is unavailable.

From what I can tell it's a network-related issue. My alarms went off this morning as we saw a 6 minute outage, then things came up fine, then they went down again, and are still down 86 minutes later.

It's not the THR box, it's all of them I have at the datacenter. It looks like it's a datacenter issue, as my colo provider's web page is down, no-one's available via AIM, and their voicemail box is full.

Just wanted to let folks know what's happening. I'm aware of the situation, but am sitting here waiting for a problem that's in someone else's hands...

Sorry.

[Redneckrepairs]

Thanks for the info , Likely to be some dammed fool with a backhoe and a lazy swamper involved lol .

[sm]

Derek,

I hope everything works out soon, I know you have a life besides tending to Networks.
As always, I appreciate your time and hard work, as I do others responsible for keeping THR , TFL and Sister sites up and running.

Steve

[Larry Ashcraft]

Thanks, Derek.

[Derek Zeanah]

OK, we're back up.

[Bogie]

Not quite...

[Derek Zeanah]

Crap. Looks like we might be going back down again. Wish I knew what was going on.

[Bogie]

Take a step back, and look around for Mr. Chainsaw. That always makes _me_ feel better...

(warning: If Mr. Chainsaw is actually close at hand, this can have Bad Consequences. It is recommended that one modify this error protocol to include a device that is not readily available.)

[Derek Zeanah]

Don't start. You're not getting 6 SMS messages every time the status changes.

[stellarpod]

Whew! I thought it was due to the tactless posting I made in Legal and Political...



stellarpod

[Derek Zeanah]

Don't know that we're up permanently, but I was able to get through to the firewall. Here are two graphs of bandwidth data: one from the last 2 months to give you a feel for averages, and one from the last 2 hours. Note the increments -- normal inbound traffic might be .3 megabits/sec. For at least a short while there, we were reporting 36? I thought I was on a 10 megabit port.

This might end up being an interesting explanation...

[Gewehr98]

Isn't that what a DDoS attack looks like?

[Redneckrepairs]

damm lol will withold other comment for the rest of the story .

[Derek Zeanah]

Quote:

Isn't that what a DDoS attack looks like?

Yeah, but it doesn't seem consistent. We just went down again, but I grabbed this from the firewall while we were up:



Why just the 2 spikes, and why isn't it constant? Either my colo is doing a great filtering job, or it's generalized around the IPs that the datacenter owns. I'm still feeling a bit blind here though, to be honest. Colo still seems slammed.

[Derek Zeanah]

Thinking through the "is it a DDOS against THR" question a bit further, it still doesn't make much sense. Basically, I'm on a 10 mb/s pipe for all of my sites -- if someone's sending more than 10 megabits per second, there's a good chance packets are gonna get dropped. Well, maybe 20 megabits -- my firewall is plugged into a 10 Mbit port which should allow us to duplex.

So, it wouldn't be that hard to knock my sites offline. What we're seeing appears to be a more general failure -- my provider's got big pipes from 7-8 providers coming into his cages, and it would take a lot more to knock him offline. It's still possible (maybe the routers can't keep up with the demand if this is way more than normal traffic would predict), but if he was getting slammed that hard with an attack on THR or Oleg's site or whatever you'd think he would just blackhole the affected IP addresses so the data was dropped before it hit the local network.

For that not to work would mean a huge attack.

No-one hates us that much.

[Gewehr98]

But that's an awfully big amount of inbound hits, regardless.

[Sindawe]

Quote:

No-one hates us that much

Don't forget the "mad lemur" that has been such fun for for Oleg on APS.

Maybe somebody did a router upgrade somewhere along the line that your not aware of.

[sm]

Quote:

No-one hates us that much.

I don't know about that, Missouri Legislature and wise cracks about Baking Soda being "restricted" might have hurt THR, I know I tried real hard ...

Steve,

Who knows where the big rubber hammer is in his IT classroom...works great on Routers and Switches...
Gives a whole new meaning to "switchport security".

[Gewehr98]

"The Mad Lemur".

[tyme]

Looks like an attack to me, or horrible routing screw-up or IP conflict. I'm intermittently managing to connect, but it never serves a webpage.

Code:

64 bytes from wellbuiltnetworks.net (209.51.144.70): icmp_seq=4 ttl=51 time=53.9 ms
64 bytes from wellbuiltnetworks.net (209.51.144.70): icmp_seq=14 ttl=51 time=60.5 ms
64 bytes from wellbuiltnetworks.net (209.51.144.70): icmp_seq=16 ttl=50 time=74.2 ms
64 bytes from wellbuiltnetworks.net (209.51.144.70): icmp_seq=25 ttl=50 time=67.4 ms
64 bytes from wellbuiltnetworks.net (209.51.144.70): icmp_seq=32 ttl=50 time=103 ms

On second thought, looking at those TTLs, maybe there's a route flapping somewhere. It's still switching between 51 and 50 as of 0008 UTC

[Kestrel]

Being in the IT industry myself, this is the kind of stuff that gives me gray hair...

... and a tight stomach...

Derek, I would be willing to bet you have a drawer stocked with Maalox, Advil, Tylenol and Alka-Seltzer. (I wonder how I know...)

Good luck with running it down.

[Kaylee]

Derek, you're my hero.

Thanks.

[J.J.]

I have been trying to get on APS or THR all Morning and someone missed these threads when I came to TFL.


I am confused is it an attack or not? I ask because on the THR Outage thread Derek seems to think it is an attack.

I eagerly await the forums coming online.

[Derek Zeanah]

Quote:

I am confused is it an attack or not?

We really don't have enough information to be able to tell.

[Bogie]

Guys, there are nice folks out there who just flat out HATE guns. I could see one of 'em doing an attack, and then bragging to his little buddies about putting the evil gun nuts out of business.

Then again, I'm a little paranoid.