Tuesday, March 3, 2026
[Incident Report #028][DNS] Name Server Attack
Update:
AS20473 is still attempting to throw a large amount of traffic at
our name servers, but our drop rules are in place and appear to
be working as intended.
What Happened?
From around 0600 to 0730 EST this morning, our name servers
were hit with a large volume of traffic originating from a data center
in the Netherlands under AS20473. The traffic was spread across
multiple IPv6 subnets, and the volume was high enough that it saturated
the virtual bridges that our name servers operate behind. This
is the fourth attack of this kind that our network has seen in the past
two weeks.
Looking at the traffic reaching the name servers, it appears that
a handful of IPs originating from AS20473 are performing scattershot
lookups of NS records for all kinds of domains, with no rhyme or
reason to the data they are requesting, and they are doing so at a
rate that is affecting the usability of our rate-limited network services.
What Damage Resulted?
During the attack, we saw the following issues:
- Accounting service lost contact with NS2
- Legitimate name lookups were being dropped or timed out
- The NMS lost SNMP contact with NS1 and NS2 momentarily
- High CPU load on Nardoragon router
What are we doing to deal with this?
As a result of repeated abuse from this provider, we have:
- Applied drop rules at edge router for Phy One, dropping AS20473
- Applied drop rules at edge router for Phy Two, dropping AS20473
The FurrIX vIX will not tolerate abuse of our services to the point
where it affects our internal operations or causes issues for members
of our exchange. Going forward, we will be quicker to start dropping
abusive traffic altogether.
Monday, March 2, 2026
[Incident Report #027][DNS] Name Server Attack
What Happened?
From around 0000 to 0400 EST last night, our name servers were
hit with a large volume of traffic originating from a data center
in the Netherlands. The traffic was spread across multiple IPv6
subnets, and the volume was high enough that it saturated the virtual
bridges that our name servers operate behind. This is the
third attack of this kind that our network has seen in the past two weeks.
What Damage Resulted?
During the attack, we saw the following issues:
- Accounting service lost contact with both NS1 and NS2
- Shell access was slow or non-responsive
- Legitimate name lookups were being dropped or timed out
- The NMS lost SNMP contact entirely with NS1
- High CPU load on Nardoragon router
What are we doing to deal with this?
Going forward, the following steps will be taken to try to maintain
the usability of our name servers during similar attacks:
- Deploying a separate virtual bridge and network interface for management
- Tightening per-subnet rate limits and mask sizing
- Banning AS numbers that take part in attacks like this
- Increasing virtual bridge bandwidth to allow for more throughput
- Redirecting recurring problematic subnets and AS ranges to null
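The scattershot NS lookups spread across many IPv6 subnets described in #028, and the per-subnet rate limits and mask sizing planned above, can be checked against a name server's query log as shown below. This is an added example, not FurrIX code; the log line format, the thresholds and the sample addresses are constructed assumptions, and it illustrates why mask sizing matters: sources that look harmless per /64 aggregate into one abusive /48.

```python
import ipaddress
from collections import defaultdict

# Constructed sample query log (not from the report): "<epoch> <client> <qname> <qtype>".
# Six different /64s inside one /48 each ask for one unrelated NS record;
# a single host in another /48 does ordinary A/AAAA lookups.
SAMPLE_LOG = """\
1000 2001:db8:1:1::10 example.net NS
1001 2001:db8:1:2::11 foo.example NS
1002 2001:db8:1:3::12 bar.test NS
1003 2001:db8:1:4::13 baz.invalid NS
1004 2001:db8:1:5::14 qux.example NS
1005 2001:db8:1:6::15 abc.example NS
1006 2001:db8:9::1 ns1.example A
1007 2001:db8:9::1 ns1.example AAAA
"""

def parse_log(text):
    """Parse log lines into (timestamp, client, qname, qtype) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        events.append((int(ts), client, qname, qtype))
    return events

def aggregate(events, prefix_len):
    """Bucket queries by source prefix of the chosen mask size.

    Returns {"prefix/len": (total_queries, ns_queries, distinct_qnames)}.
    """
    buckets = defaultdict(lambda: [0, 0, set()])
    for _, client, qname, qtype in events:
        net = ipaddress.ip_network(f"{client}/{prefix_len}", strict=False)
        bucket = buckets[str(net)]
        bucket[0] += 1
        if qtype == "NS":
            bucket[1] += 1
        bucket[2].add(qname)
    return {net: (b[0], b[1], len(b[2])) for net, b in buckets.items()}

def flag_abusive(events, prefix_len, window_s, max_ns_per_window, min_distinct):
    """Return prefixes whose NS-query rate exceeds the per-window limit and
    whose lookups are spread over many unrelated names (scattershot pattern)."""
    if not events:
        return []
    stamps = [e[0] for e in events]
    windows = max(1.0, (max(stamps) - min(stamps) + 1) / window_s)
    return sorted(
        net for net, (_, ns, distinct) in aggregate(events, prefix_len).items()
        if ns / windows > max_ns_per_window and distinct >= min_distinct
    )
```

With a /64 mask no single bucket exceeds five NS queries per minute, while a /48 mask flags 2001:db8:1::/48, which is the aggregation a per-subnet rate limit or null route would act on.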