Some of you ACME fans may have noticed poor response times on the web site for a couple weeks. You were not imagining it, and it wasn't just you. Acme.com was undergoing a denial of service attack. It started early in June and lasted two weeks, on and off.
The attack consisted of a flood of UDP DNS packets from a variety of source addresses, all asking for any records associated with the name RIPE.NET. Acme.com does not provide DNS service and never has. The DNS port is closed, the packets did not get in, they were just dropped. Nevertheless, the sheer volume clogged up the internet connection and made it hard for anyone else to use it. You can see the effects in the graphs on the right, as dropped packets and increased round-trip times.
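The flood described above has a fixed signature in the DNS question itself: a query of type ANY for RIPE.NET. The following Python is an added example, not code from the original post; it parses the question out of raw UDP payloads and tallies matching queries per source. The function names and the sample packets (documentation-range addresses) are constructed for illustration.

```python
import struct
from collections import Counter

QTYPE_ANY = 255  # RFC 1035 QTYPE "*", commonly called ANY

def parse_question(payload):
    """Return (qname, qtype) for the first question of a DNS query, else None."""
    if len(payload) < 12:
        return None                          # shorter than a DNS header
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:        # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                      # name runs off the end
        length = payload[pos]
        pos += 1
        if length == 0:
            break                            # root label terminates the name
        if length > 63 or pos + length > len(payload):
            return None                      # compression pointer or overrun
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        return None                          # QTYPE/QCLASS missing
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype

def flood_sources(packets, name="ripe.net"):
    """Count ANY queries for `name` per source address."""
    hits = Counter()
    for src, payload in packets:
        if parse_question(payload) == (name, QTYPE_ANY):
            hits[src] += 1
    return hits

def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query; used only to construct the sample data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

# Constructed sample traffic: (source address, UDP payload).
SAMPLE = [
    ("192.0.2.10", build_query("RIPE.NET", QTYPE_ANY)),
    ("198.51.100.7", build_query("ripe.net", QTYPE_ANY)),
    ("192.0.2.10", build_query("ripe.net", QTYPE_ANY)),
    ("203.0.113.5", build_query("example.com", 1)),            # ordinary A query
    ("203.0.113.9", build_query("ripe.net", QTYPE_ANY)[:15]),  # truncated packet
]
```

Because the queries arrive from a variety of source addresses, the stable thing to match on is the question (name and type), not the source.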
Attacks like this are fairly common on the internet these days. I heard through the old-skool hacker grapevine that other sites got hit with similar attacks around the same time. They are trivial to block, but because in my case the limiting resource is my internet link's bandwidth, I needed to block the attack on the upstream end of the link. That's when I ran into problems.
I called my ISP's tech support line. I told them about the attack, and laid out two simple measures they could use to block it. Those were literally the first three sentences out of my mouth. Either of the block methods would take me five minutes to accomplish, so I figured an ISP's tech team should be able to accomplish the same in a day or so.
After two weeks of daily phone calls and email exchanges, my ISP had not managed to do anything. The last email from them indicated they were about to do the exact wrong thing, disabling the wrong one of my two IP addresses. Luckily for me, that's when the attacker lost interest and decided to go harass someone else. All that was left for me to do was make sure the ISP trouble ticket indicated that the attack had ceased and they should not do anything.
I had already been thinking about upgrading my internet connection. This incident raised the priority of that task. More bandwidth might have lessened the severity of the attack, and I would definitely like to dump my current ISP over their handling of this. I am considering three options: