This document serves as a Root Cause Analysis for the Primo service interruption experienced by Ex Libris customers on October 26 and 28, 2016.
The goal of this document is to share our findings regarding the event, specify the root cause analysis, and outline the actions taken to resolve the downtime event, as well as the preventive measures Ex Libris is taking to avoid similar cases in the future.
Service interruption was experienced by Ex Libris customers served by the Primo MT EU01 instance at the Europe Data Center during the following hours:
- October 26, 2016 from 4:38PM until 4:53PM Amsterdam time zone
- October 28, 2016 from 12:29PM until 12:35PM Amsterdam time zone
During the event, the service was unavailable for the environment.
Root Cause Analysis
Ex Libris engineers investigated this event to determine the root cause, with the following results:
Ex Libris engineers were able to identify a new form of DDoS (Distributed Denial of Service) attack. The attacks change their form from one occurrence to the next.
The main difference identified in this attack was in its "Distributed" aspect, i.e. the attack came from significantly more sources, each with a lower attack rate than before.
We have verified that the attack impacted the service availability but had no data impact.
Technical Action Items and Preventive Measures
Ex Libris has taken the following actions and preventive measures to avoid such an occurrence in the future:
- The DDoS protection is built out of layers of blocking features.
- We were able to identify the increased use of multiple attacking resources, each with lower usage. We improved the blocking mechanism so that it blocks the attack even when it is carried out with lower usage.
- We are constantly analyzing the attack patterns and were able to identify a new unique pattern in the attack and set a new control to allow the blockage.
- We are constantly analyzing new threats, improving our control systems and tuning the DDoS protection mechanisms.
- We are constantly improving our analysis and troubleshooting processes to allow for a shorter resolution time once a new attack takes place.
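
The shift described above (many more sources, each at a lower rate) is the case a per-source rate limit alone does not catch. The following is an added illustration, not Ex Libris's blocking mechanism: it runs a per-source check and an aggregate check over constructed traffic, and every threshold, name and sample value in it is an assumption.

```python
from collections import Counter, defaultdict

# All thresholds are assumptions chosen for the constructed data below.
WINDOW = 60             # seconds per counting window
PER_SOURCE_LIMIT = 100  # requests one source may send per window
SURGE_FACTOR = 3.0      # multiple of baseline that counts as an aggregate surge

def bucketize(events):
    """Group (timestamp, source) pairs into {window: Counter(source -> requests)}."""
    windows = defaultdict(Counter)
    for ts, src in events:
        windows[ts // WINDOW][src] += 1
    return dict(sorted(windows.items()))

def per_source_offenders(counts):
    """Per-source control: sources whose own rate exceeds the limit."""
    return {s for s, n in counts.items() if n > PER_SOURCE_LIMIT}

def analyze(events, baseline_windows=3):
    """Classify each window that follows the baseline period."""
    windows = bucketize(events)
    keys = list(windows)
    base = keys[:baseline_windows]
    base_total = sum(sum(windows[k].values()) for k in base) / len(base)
    base_sources = sum(len(windows[k]) for k in base) / len(base)
    verdicts = {}
    for k in keys[baseline_windows:]:
        total, sources = sum(windows[k].values()), len(windows[k])
        if per_source_offenders(windows[k]):
            verdicts[k] = "per-source-flood"
        elif total > SURGE_FACTOR * base_total and sources > SURGE_FACTOR * base_sources:
            # No single source is over the limit, yet volume and source count surged.
            verdicts[k] = "distributed-low-rate"
        else:
            verdicts[k] = "normal"
    return verdicts

def sample_events():
    """Constructed traffic, not data from the incident."""
    normal = lambda w: [(w * WINDOW + j, f"client-{i}") for i in range(20) for j in range(10)]
    events = [e for w in range(3) for e in normal(w)]  # baseline: 20 clients, 10 requests each
    events += [(3 * WINDOW + j, f"bot-{i}") for i in range(400) for j in range(5)]  # 400 quiet sources
    events += normal(4) + [(4 * WINDOW + j % WINDOW, "bot-single") for j in range(500)]  # one loud source
    events += normal(5)  # traffic back to baseline
    return events

if __name__ == "__main__":
    for window, verdict in analyze(sample_events()).items():
        print(window, verdict)
```

In window 3 every source sends only 5 requests, so the per-source check returns nothing; only the comparison against the baseline total and source count flags it.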
Ex Libris is committed to providing customers with prompt and ongoing updates during Cloud events. Ongoing and prompt updates on service interruptions appear in the system status portal at this address: http://status.exlibrisgroup.com/