I seem to have a disconnect between the phone-based WhatsApp and the desktop version. Phone WhatsApp works, but the desktop says it can't find my phone. Curiously, this is on the west coast.

bp
<part15sbs{at}gmail{dot}com>

On 10/21/2016 11:37 AM, Travis Johnson wrote:
This is still going right now... big and small websites and ISPs are unreachable and unresponsive. :(

Travis


On 10/21/2016 12:19 PM, Ken Hohhof wrote:

Interesting, according to that, the ISP DNS servers are recruited as part of the attack on the victim’s authoritative DNS servers, by sending queries from within the ISP’s network.

No spoofing, no amplification, no misconfigured DNS servers required, yet the ISP’s DNS servers are used to send the attack traffic. All that is needed is a compromised IoT to send the query.

*From:*Af [mailto:af-boun...@afmug.com] *On Behalf Of *Josh Baird
*Sent:* Friday, October 21, 2016 12:42 PM
*To:* af@afmug.com
*Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick

Right - crap IoT devices on the Mirai botnet were responsible for shoving 620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take down OVH). No spoofing involved.

Interesting article on the techniques used by Mirai:

https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937

On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com <mailto:af...@kwisp.com>> wrote:

    The amplifier would receive a query from a spoofed IP address,
    and respond using a legit IP address.  So the attacker needs to
    control some computers that can spoof the victim’s IP address,
    but the actual attack traffic comes from the amplifiers using
    legit source IPs.

    In the case of IoT botnets, I’m not sure any spoofing is required.

    *From:*Af [mailto:af-boun...@afmug.com
    <mailto:af-boun...@afmug.com>] *On Behalf Of *Josh Baird
    *Sent:* Friday, October 21, 2016 12:21 PM
    *To:* af@afmug.com <mailto:af@afmug.com>
    *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick

    It's a good start.  It attempts to prevent spoofed traffic
    originating from your network from leaving your network (or BCP38).

    On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman
    <j...@imaginenetworksllc.com
    <mailto:j...@imaginenetworksllc.com>> wrote:

        It can't be that simple...can it?


        Josh Luthman
        Office: 937-552-2340 <tel:937-552-2340>
        Direct: 937-552-2343 <tel:937-552-2343>
        1100 Wayne St
        Suite 1337
        Troy, OH 45373

        On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett
        <af...@ics-il.net <mailto:af...@ics-il.net>> wrote:

            /ip firewall address-list
            add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
            add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"

            /ip firewall filter
            # Match on the source address: drop traffic leaving via the upstream
            # whose source is not one of our own prefixes.
            add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"

            That was largely composed off of the top of my head and
            typed on my phone, so it may not be completely accurate.


            You should also do it on customer-facing ports not
            allowing anything to come in, but that would be best
            approached once Mikrotik adds the per-interface setting
            for unicast reverse path filtering. You would then set
            customer-facing interfaces to strict and all other
            interfaces to loose. They accepted the feature request,
            just haven't implemented it yet.



            -----
            Mike Hammett
            Intelligent Computing Solutions <http://www.ics-il.com/>
            Midwest Internet Exchange <http://www.midwest-ix.com/>
            The Brothers WISP <http://www.thebrotherswisp.com/>

            
------------------------------------------------------------------------

            *From: *"Mike Hammett" <af...@ics-il.net
            <mailto:af...@ics-il.net>>
            *To: *af@afmug.com <mailto:af@afmug.com>
            *Sent: *Friday, October 21, 2016 11:21:35 AM
            *Subject: *[AFMUG] Another large DDoS, Stop Being a Dick

            There's another large DDoS going on now. Go to this page
            to see if you can be used for UDP amplification (or other
            spoofing) attacks:

            https://www.caida.org/projects/spoofer/

            Go to these pages for longer-term bad behavior
            monitoring:

            https://www.shadowserver.org/wiki/
            https://radar.qrator.net/


            Maybe we need to start a database of ASNs WISPs are using
            and start naming and shaming them when they have bad
            actors on their network. This is serious, people. Take it
            seriously.



            -----
            Mike Hammett



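An added example, not part of the original thread or any poster's configuration: a small Python model of the two controls discussed above, the upstream address-list egress rule and strict/loose unicast reverse path filtering, run over constructed packets. The prefixes, the interface names other than "To-Upstream", and the choice that loose mode ignores the default route are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes). Interface names other
# than "To-Upstream" are hypothetical.
PUBLIC_IPS = ["203.0.113.0/24", "198.51.100.0/25"]
ROUTES = {"203.0.113.0/24": "cust-a", "198.51.100.0/25": "cust-b",
          "0.0.0.0/0": "To-Upstream"}

def in_list(src, prefixes):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def egress_drops(src, out_iface):
    """Address-list rule: drop on the upstream port if the source is not ours."""
    return out_iface == "To-Upstream" and not in_list(src, PUBLIC_IPS)

def best_route(src, allow_default=True):
    """Longest-prefix match on the source; returns the interface or None."""
    addr = ipaddress.ip_address(src)
    nets = [(ipaddress.ip_network(p), i) for p, i in ROUTES.items()]
    hits = [(n, i) for n, i in nets
            if addr in n and (allow_default or n.prefixlen > 0)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def urpf_accepts(src, in_iface, mode):
    """strict: the best route back to src must point out of in_iface.
    loose: some non-default route to src must exist (modelling assumption)."""
    if mode == "strict":
        return best_route(src) == in_iface
    return best_route(src, allow_default=False) is not None

def verdict(src, in_iface, out_iface="To-Upstream"):
    return {
        "egress_filter": "drop" if egress_drops(src, out_iface) else "pass",
        "strict_urpf": "pass" if urpf_accepts(src, in_iface, "strict") else "drop",
    }

if __name__ == "__main__":
    # Constructed packets arriving on customer A's port, headed upstream.
    for src in ("203.0.113.10", "192.0.2.55", "198.51.100.7"):
        print(src, verdict(src, "cust-a"))
```

The third packet is the case the upstream rule alone misses: customer A sending with customer B's address passes the address-list check but fails strict filtering on the customer-facing port.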