
Inquiry about DDOS-like activity [closed]

asked 2021-11-11 16:19:55 -0500

Hi Team,

Today AWS alerted us of DDOS-like activity originating from our media download requests on November 5th. An example of the logs they provided is below:

11/5/2021 14:11:04 1166638 52.203.173.86 GET d1aq9hj1j4zic2.cloudfront.net /Property/P6/BCAR/322434/4/0/0/ab1fbf375fb1dcc3502f9883079d891d/7/f250aa55cf3e2b5735db07952ba4378b/322434-4.JPG 200 - rh-dip-media-downloader/1.0%20(MLS%20Listing%20Media%20Downloader;%20support%20at%20rockethomes%20dot%20com) Hit p94nF33uS93w8MwmbWIlj9Ys0utS8an5YfJazvKF7YcaDODqQg3Owg== cdnparap60.paragonrels.com https 349 0.022 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 Hit HTTP/1.1 30304 0.006 Hit image/jpeg 1165745

If possible, we would appreciate some additional information to help us resolve this behavior and stop the unnecessary requests to your system:

  • During what timeframe(s) were the DDOS-like behaviors seen?
  • For which MLS Feed(s) was the behavior seen?
  • Can we get any additional logs/examples of what Paragon was seeing during this timeframe(s)?
  • Can we get metrics around the requests causing the behavior? # requests within a 5-10 min period, etc
  • Any additional information that would help us identify the nature of the behavior that triggered this notification

Thank you


Closed for the following reason the question is answered, right answer was accepted by IHRTechServices
close date 2021-11-15 09:40:17.469147

1 Answer


answered 2021-11-11 17:12:16 -0500

Hello,

Over the last week, we identified several IPs sourcing from AWS exhibiting DDOS behavior. Unfortunately, due to a miscommunication with AWS, AWS's Abuse team included many more IPs than necessary in scope of their communication to AWS customers. Based on the logs you provided above, your source IP is not on our list of abusers. So I would like to apologize for the confusion.

Thank you.


Comments

Thanks a lot for confirming this. Appreciate your response.

IHRTechServices (2021-11-12 05:15:02 -0500)

One more follow-up question: Did Paragon block any requests for a certain period of time while investigating this behaviour? Thank you

IHRTechServices (2021-11-12 08:43:04 -0500)

Yes, Paragon had to block the attack and it did create instability for some users depending on what resources were accessed. If you saw a lack of communication from our servers then you were likely impacted. We are working with AWS and already took measures to prevent this type of activity in the future.

vendorsupport (2021-11-12 09:07:54 -0500)

Thank you for your response.

IHRTechServices (2021-11-12 09:14:28 -0500)

Last updated: Nov 11 '21