Of the almost 160,000 physical servers and more than 40,000 VMs that we manage
in our network, some have a bad DNS configuration (a resolver that answers recursive queries
from anyone) which allows attackers to use the DNS server to launch attacks from our network against
their targets: DDoS attacks of the DNS amplification (DNS AMP) type.
When we detect this kind of attack, we pull (vacuum) the attacked IP into our mitigation infrastructure
and monitor all the source IPs contributing to the attack.
(Within a few weeks we will scrub the traffic and reinject it cleanly onto the Internet.)
This lets us find and shut down an offending server quickly and with evidence, then notify the customer
that it has caused a security incident.
For a week now we have been working on DNS AMP attacks generated by our customers' servers
because of a bad BIND configuration. An email has already been sent to the first 500 customers asking
them to fix the issue; we will then send emails to the remaining 3000 customers.
Meanwhile, we are handling the attacks that are still in progress, several per day, because BIND has not been fixed
yet and the customer either cannot find the time or believes that it is not a big deal.
We have therefore vacuumed the 3200 IPs that have been contributing to an attack for 2 hours. The traffic is pulled into our
switching infrastructure VAC1 in RBX, and we filter all DNS requests coming from outside whose
purpose is to launch the attack. Other requests are not filtered and pass through.
Meanwhile, we are sending emails to the customers asking them to fix the issue within 24 hours.
Starting tomorrow, we will launch a server suspension campaign for this security issue.
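For customers who received the email, the misconfiguration in question is shown below as an added example (not text from this post, and not an OVH-provided configuration): the BIND 9 `options` that leave recursion open to the whole Internet, next to two corrected variants, one for an authoritative-only server and one for a server that must still resolve for its own clients. The ACL name `trusted` and the range 203.0.113.0/24 are placeholders standing in for the customer's own networks.

```conf
// --- Weak (amplifier): recursion is enabled and not restricted, so any host on
// the Internet can send a spoofed recursive query and have the large answer
// delivered to the victim. This is what an unrestricted named.conf looks like.
options {
    directory "/var/cache/bind";
    recursion yes;
    // no allow-recursion / allow-query-cache statements => everyone may recurse
};

// --- Corrected, variant A: the server only hosts zones it is authoritative for.
// Recursion is switched off entirely; non-authoritative queries get REFUSED and
// responses no longer carry the "ra" (recursion available) flag.
options {
    directory "/var/cache/bind";
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    allow-query { any; };      // still answer for the zones configured below
};

// --- Corrected, variant B: the server must resolve for the customer's own hosts.
// Recursion stays on but is limited to an ACL; "trusted" and 203.0.113.0/24 are
// placeholders (assumed values) for the customer's real address ranges.
acl "trusted" {
    127.0.0.1;
    ::1;
    203.0.113.0/24;
};
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-query { any; };      // authoritative answers remain public
    // Response rate limiting caps how often identical answers go to one
    // client range, so even authoritative data cannot be amplified freely.
    // Native in BIND 9.10+; 9.9 needs a build with RRL enabled.
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
```

After editing `named.conf`, run `named-checkconf` and then `rndc reload`. To verify, from a host outside the allowed ranges run `dig @<server IP> www.example.com A`: a fixed server answers REFUSED (variant A) or an answer without the `ra` flag, whereas an open resolver returns a full recursive answer. Checking from inside the `trusted` range proves nothing, since that range is meant to be allowed.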