Root Cause Analysis for the OrderBox Downtime on 29th November 2017
Timeline
Attack Start Time: 16:15 HRS GMT(21:45 HRS IST)
Attack End Time: 20:00 HRS GMT(Thursday 30th November 01:00 HRS IST)
Duration: 03 Hours and 45 Minutes
What happened?
- At around 16:15 HRS GMT(21:45 HRS IST) we observed an attack vector of around 800 Mbps on our OrderBox IP 162.210.71.136
- Neustar mitigation was immediately enabled, however there was no noticeable difference
- Neustar then confirmed that attack traffic was hitting other IPs of the Subnet 162.210.71.0/24 as well
- As a precautionary measure traffic was allowed through only ports 80 and 443 for the Subnet 162.210.71.0/24
- Post this most services came back online, however our Domain Check Availability Service was still not functional
- Upon further investigation our team found that the Domain Check Availability service was working on ports other than 80 and 443
- Based on this this analysis the Network Team quickly decided to NULL Route the IP 162.210.71.136 on all our routers and allowed access for 162.210.71.0/24 on all ports
- Post this all services resumed normal operations by 20:00 HRS GMT(Thursday 30th November 01:00 HRS IST)
Action items to avoid this in the future
- Enforce OrderBox branding via CNAME only
- Reconfigure inbound rules for public Subnets and allow only required ports
- Reconfigure and fortify our Neustar mitigation template
- Use a new Subnet for critical OrderBox services