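I have to say DMIT is a very good VPS provider: day-to-day use is very stable, and when an outage does occasionally happen they offer compensation, which they handle very well. On top of that, machines bought in holiday sales, such as pro.wee and the LAX.AN4.EB.INTRO, which holds a steady premium of 230, can all be resold at a premium.

After the recent fire in Hong Kong, DMIT also donated several thousand US dollars.

Direct link: https://www.dmit.io

You can register an account in advance, so that you are not still signing up when a sale suddenly starts and other people have already bought….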

Original text:

DMIT Network Incident Report: LAX & HKG
This is the last update until there is another major event that needs an update.

Here is the combined technical postmortem regarding the recent network instability.

🇺🇸 LAX CN2 GIA Incident
Current Status: All immediate mitigations applied. Final correction from CTG is pending due to the China-wide “Network Freeze” (ending Dec 15).

  1. Root Cause: Prefix Limit Exceeded

The Mismatch: DMIT ordered a 1k prefix-limit, but the provider (CTG) left it at the default 300. This parameter is non-testable after service delivery, so we trusted the configuration.

The Trigger: Two clients increased route announcements + multiple DDoS RTBH routes pushed the count over 300.

The Result: AS4809 (CN2) immediately idled the BGP session upon exceeding the limit.

  2. Why did failover result in packet loss?

Design: The backup session (CoreSite) remained UP as designed (filtering DDoS routes to save prefix space).

The Critical Failure: Provider LACP Misconfiguration. CTG configured our link aggregation as a single interface capacity, ignoring our multiple physical 10G connections.

Impact: When traffic shifted to CoreSite, it exceeded the logical 10G cap, causing severe congestion and packet loss despite physical capacity being available.

  3. Why the long recovery?

Administration: Due to the “Network Freeze,” router CLI access is suspended.

Approval: CTA/CTG required emergency access approval from the Group level. Since it was after-hours in China, getting this authorization took significant time.

🇭🇰 HKG Incident
Current Status: 99.9% of traffic is successfully filtered. Active monitoring in place. 10Mpps ongoing.

  1. Root Cause: “Carpet Bombing”

Attack Type: A massive Carpet Bombing attack targeted 3 specific subnets.

Vectors: Mixed volume of TCP-SYN, TCP-ACK (Zero/Empty), SYN-ACK, TCP Null, FIN, RST.

  2. Why did mitigation fail initially?

The Leak: A combination of misconfigured detour rules and a hardware fault caused traffic to bypass local scrubbers. Malicious traffic entered directly via the backbone (LAX IP Transit).

The “Red Herring”: We initially focused on refining rules, not realizing the mitigation equipment itself had a hardware/software fault. This misled our diagnosis and delayed the fix.

  3. Resource Contention

The concurrent critical failure in LAX required non-stop coordination, splitting our engineering resources and inevitably slowing down the HKG diagnosis.

🛡️ Future Prevention & Commitment
Stricter Auditing: We will implement an extra layer to manually review every text field on vendor orders to ensure delivered configurations (like Prefix Limits and LACP speeds) match our requirements perfectly.

The Reality: DDoS vectors evolve rapidly. While we cannot guarantee zero incidents, DMIT commits to using every resource to maintain stability and protect your business at reasonable costs.

Reimbursement: All services, no matter the location and network profile, will have their traffic reset today, and every service gets one extra free chance to reset its traffic before May 2026. (To be delivered in the future via a website feature.)
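
The LAX root cause above comes down to a prefix budget: customer routes plus RTBH blackhole routes counted against a limit that was 300 rather than the ordered 1k. The following is an added example, not code from DMIT or from the report, showing how a pre-announcement check could track that budget against the worst-case limit until the provider confirms the delivered value. The route counts, address ranges, 80% warning threshold and all function names are assumptions constructed for illustration; only the 300 and 1k limits come from the report.

```python
from ipaddress import ip_network

PROVIDER_DEFAULT = 300   # default limit named in the report
ORDERED = 1000           # limit the report says was ordered

def effective_limit(ordered, confirmed=None, provider_default=PROVIDER_DEFAULT):
    """Limit to plan against: the provider-confirmed value if there is one,
    otherwise the smaller of the ordered value and the provider default."""
    return confirmed if confirmed is not None else min(ordered, provider_default)

def prefix_budget(routes, limit, filter_rtbh=False, warn_ratio=0.8):
    """routes: iterable of (prefix, source), source is 'customer' or 'rtbh'.
    Returns (announced_count, state) for one BGP session."""
    announced = {ip_network(p) for p, src in routes
                 if not (filter_rtbh and src == "rtbh")}
    n = len(announced)
    if n > limit:
        return n, "EXCEEDED"   # in the report, the peer idled the session here
    if n >= warn_ratio * limit:
        return n, "WARN"
    return n, "OK"

def customer_routes(count, start=0):
    # Constructed sample data: /24s carved out of 10.0.0.0/8
    return [(f"10.{i // 256}.{i % 256}.0/24", "customer")
            for i in range(start, start + count)]

def rtbh_routes(count):
    # Constructed sample data: blackhole host routes from TEST-NET-1
    return [(f"192.0.2.{i}/32", "rtbh") for i in range(count)]

def scenario():
    baseline = customer_routes(230)
    grown = baseline + customer_routes(30, start=230)  # customers announce more
    attacked = grown + rtbh_routes(45)                 # RTBH routes added under DDoS
    unverified = effective_limit(ORDERED)              # 300 until provider confirms
    return {
        "baseline": prefix_budget(baseline, unverified),
        "grown": prefix_budget(grown, unverified),
        "attacked": prefix_budget(attacked, unverified),
        "attacked_vs_ordered": prefix_budget(attacked, ORDERED),
        "backup_filtered": prefix_budget(attacked, unverified, filter_rtbh=True),
    }

if __name__ == "__main__":
    for name, (n, state) in scenario().items():
        print(f"{name:20s} {n:4d} prefixes  {state}")
```

Planning against the ordered 1k reports the attacked state as OK, while the unverified worst case flags it as exceeded; the backup session that filters RTBH routes stays under the limit, matching the design the report describes.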