On Tue, Aug 4, 2015 at 12:07 PM, Glen <glen@xxxxxxxx> wrote:
> Hi Paul -
>
> There certainly has been an effort to learn the "From where" (a total of
> seven different netblocks, all in China, which are now blocked)... but I

it's a bit worrying that the IETF site is blocked from some parts of
the Internet, at least to me :( how long will that last? and were
these things that leaked around the cloudflare frontends?

What's the impact to the blocked networks? (ie: "No access to
www.ietf.org", "No access to http on www.ietf.org", "No https access
to www.ietf.org", "other")

> confess that it is beyond my ability, armed with that, to figure out who was
> behind it, or what their motivations were (although I'm sure inferences
> could be drawn, but that is way beyond my scope or vision!)
>

almost all 'dos' events are summarized by purpose: "because"
generally there's no real use in speculating about the 'why', and most
often the 'who' is also opaque to the end site...

> Best regards,
> Glen
> Glen Barney
> IT Director
> AMS (IETF Secretariat)
>
>
> On Tue, Aug 4, 2015 at 9:03 AM, Paul Kyzivat <pkyzivat@xxxxxxxxxxxx> wrote:
>>
>> Will there be an attempt to learn the "who" and "why" of the attack?
>>
>> Thanks,
>> Paul
>>
>> On 8/3/15 6:24 PM, Glen wrote:
>>>
>>> All -
>>>
>>> We have determined that the degradation was caused by a DDoS attack
>>> against the www.ietf.org <http://www.ietf.org> website. The attack was
>>> a slowly-escalating attack, which began several hours ago, and increased
>>> in load over the afternoon. The attack was directed at the Cloudflare
>>> servers, so we were not immediately impacted.
>>>
>>> However, as time passed, the results of the attack started to spill over
>>> to the actual IETF webservers, with the result that our webservers
>>> started to slow. We were alerted to this by our own monitoring systems,
>>> which is when we did an initial check, and I then sent the initial
>>> report out.
>>>
>>> At this point, we have been unable to reach a human at Cloudflare,
>>> although we are continuing to try. We have therefore put our Cloudflare
>>> account into "DDoS Mitigation Mode".
>>>
>>> In this mode, users will see a brief interstitial page when browsing the
>>> IETF website. This page allows Cloudflare to perform testing on each
>>> browser to determine whether the request is part of an attack or not.
>>> You may see this page as you approach the IETF website. It is nothing
>>> to be alarmed about, and is an expected side-effect of this protection
>>> mode.
>>>
>>> It is unknown, at this point, why Cloudflare did not automatically
>>> detect, and block, the attack.
>>>
>>> It is unknown, at this point, why the attack caused Cloudflare to start
>>> spilling requests over to us.
>>>
>>> It is unknown, at this point, why we are unable to reach a human there.
>>> :-)
>>>
>>> However, at this time, website service is restored, and, apart from the
>>> interstitial page on the IETF website, everything is running as
>>> expected. We will continue to reach out to Cloudflare to address these
>>> remaining issues, and will get that check page deactivated as quickly as
>>> possible.
>>>
>>> Thank you for your patience during that happily brief degradation.
>>>
>>> Glen
>>> Glen Barney
>>> IT Director
>>> AMS (IETF Secretariat)
>>>
>>
>