> You may want to have your hosting provider block all inbound traffic from
> reaching your server IP except TCP port 443 (or 80 or whatever port you
> actually use) somewhere upstream.

Was gonna come to add that. That and maybe some UDP frags.

Can also consider dropping by UDP source port on that 3072 and other common
reflection vectors if you've got UDP-based destinations to deal with. The SYN
floods are a different beast; though probably not volumetric, needs enough
capacity (TCP reverse proxies / LBs / etc) to handle that and possibly things
like SYN cookies. I'll let folks more versed than myself answer there, though.
Roland probably has a deck ready to link ;)

--
Hugo Slabbert | email, xmpp/jabber: [email protected]
pgp key: B178313E | also on Signal

On Mon, Feb 8, 2021 at 10:10 AM Compton, Rich A <[email protected]> wrote:

> FYI, that looks like a Web Services Dynamic Discovery UDP amplification
> DDoS attack.
> https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html
> Very easily executed by a booter service.
>
> You may want to have your hosting provider block all inbound traffic from
> reaching your server IP except TCP port 443 (or 80 or whatever port you
> actually use) somewhere upstream. This can help reduce the impact of DDoS
> attacks on your server.
>
> -Rich
>
> From: NANOG <[email protected]> on behalf of Mike Hammett <[email protected]>
> Date: Monday, February 8, 2021 at 10:58 AM
> To: Jean St-Laurent <[email protected]>
> Cc: NANOG list <[email protected]>
> Subject: [EXTERNAL] Re: Retalitory DDoS
>
> I don't have RTBH, no. It's just a web server.
>
> Now how my hosting provider handled it, I'm not sure. I don't know if they
> just dropped me internally, or if they used RTBH with their upstreams and
> peers. Only being 2.5 gigs, that should be well within their ability to
> handle internally, but I guess why would you if you didn't have to?
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
>
> From: "Jean St-Laurent" <[email protected]>
> To: "Mike Hammett" <[email protected]>
> Cc: "NANOG list" <[email protected]>
> Sent: Monday, February 8, 2021 11:53:43 AM
> Subject: RE: Retalitory DDoS
>
> You got RTBH?
>
> From: Mike Hammett <[email protected]>
> Sent: February 8, 2021 12:50 PM
> To: Jean St-Laurent <[email protected]>
> Cc: NANOG list <[email protected]>
> Subject: Re: Retalitory DDoS
>
> In my case, it was against a server not on my own network, so my impact
> was a blackhole for an hour at 4 AM local time. I likely wouldn't have even
> noticed it, had I not received the threat email, nor the ticket my web
> host's NOC opened.
>
> ------------------------------
>
> From: "Jean St-Laurent" <[email protected]>
> To: "Mike Hammett" <[email protected]>, "NANOG list" <[email protected]>
> Sent: Monday, February 8, 2021 11:42:12 AM
> Subject: RE: Retalitory DDoS
>
> Nice report,
>
> If you would have to pick up just one vector out of this “multi-vector”
> attack, which one seems to be the one that had the bigger effect on your
> network or service?
>
> Was it degraded or total service interruption?
>
> Jean
>
> From: NANOG <[email protected]> On Behalf Of Mike Hammett
> Sent: February 8, 2021 8:43 AM
> To: NANOG list <[email protected]>
> Subject: Re: Retalitory DDoS
>
> Mike,
>
> I've attached the full information we got from our DDOS protection system
> below.
>
> We had a large number of ping loss and data loss tickets begin opening up
> for devices sharing the cabinet chi18-313. The high traffic and
> interference was determined to be caused by incoming traffic to the ip
> address [Not hard to find, but redacted anyway]. Our network engineers will
> be back in after 9am until 5pm CST. They have greater access to the network
> and may be able to give you more details.
>
> Location : Chicago
> Event Time : 2021-02-08 04:17:38 CST (-0600)
> Destination IP: [Not hard to find, but redacted anyway]
> Traffic : 2520 Mbps 382880 pps
> Fragmentation : 11%
> Top Transport Protocol:
> . 99% Protocol # 17 (UDP)
> TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0%
> Top Source Port:
> . 61% Port # 3702
> . 38% Port # 0
> Top Destination Port:
> . 38% Port # 0
> . 14% Port # 45934
> . 9% Port # 23680
> . 8% Port # 35023
> . 7% Port # 25966
> Top Source IP:
> . 0% 112.164.127.17
> Number of unique IP: 7110
> Total Bytes : 1259961437
> Total Packets : 1531559
> Duration : 4s
> Report Run Time : 151.3ms
>
> The 30 day null route count is: 0
> Number of hours to null route : 1
>
> Location : Chicago
> Event Time : 2021-02-08 04:02:38 CST (-0600)
> Destination IP: [Not hard to find, but redacted anyway]
> Traffic : 1817 Mbps 275483 pps
> Fragmentation : 13%
> Top Transport Protocol:
> . 99% Protocol # 17 (UDP)
> TCP Flag: SYN: 99% ACK: 0% RST: 0% FIN: 0%
> Top Source Port:
> . 56% Port # 3702
> . 43% Port # 0
> Top Destination Port:
> . 43% Port # 0
> . 19% Port # 25966
> . 19% Port # 35023
> . 17% Port # 23680
> Top Source IP:
> . 0% 90.49.167.239
> Number of unique IP: 3577
> Total Bytes : 953894831
> Total Packets : 1157017
> Duration : 4.199s
> Report Run Time : 306.8ms
>
> The 30 day null route count is: 0
> Number of hours to null route : 1
>
> Liam Doring
> Systems Administrator
>
> ------------------------------
>
> From: "Mike Hammett" <[email protected]>
> To: "NANOG list" <[email protected]>
> Sent: Monday, February 8, 2021 5:46:26 AM
> Subject: Retalitory DDoS
>
> Is there a club for people that have been DDoSed? If so, count me in.
>
> This one was directed at me (as opposed to one of my customers) because I
> got an e-mail explaining why I was getting DDoSed. Is that aspect common?
>
> There were also some racial and sexual accusations that were made that
> clearly aren't true and just speak to the intelligence of people like this.
>
> Is it safe to assume that they completely anonymized the email they sent
> to me?
>
> Is there anyone I should be reporting this to?
>
> I thought my site was running in Cloudflare, but my individual server was
> still attacked, so I gotta figure out where I screwed that up.
>
> https://www.dropbox.com/s/rrrx90jvy09h26s/ICS%20DDoS.png?dl=0
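The event summaries quoted in this thread (2520 Mbps, 61% of packets from UDP source port 3702, 38% showing port 0) are what a defender reads before asking the hosting provider for the filter Rich and Hugo describe. The Python below is an added example, not code from the thread or from the hosting provider's DDoS system: it parses that summary format, flags the WS-Discovery reflection share and the fragment share, cross-checks the headline Mbps against the byte counter and duration, and emits an inbound rule list in nftables syntax. The table of reflection ports, the 5% reporting threshold and the rule syntax are my assumptions, and the sample input is constructed from the first event's figures.

```python
"""Parse the per-event DDoS summary format quoted in this thread and flag
what a defender acts on: UDP reflection by well-known source port, non-initial
fragments (reported as port 0) and a sanity check of the headline rate."""
import re
from typing import Any, Dict, List

# Assumed table of well-known UDP reflection/amplification source ports.
REFLECTION_PORTS = {
    53: "DNS",
    123: "NTP",
    389: "CLDAP",
    1900: "SSDP",
    3702: "WS-Discovery (WSD)",
    11211: "memcached",
}

# Constructed sample input: figures copied from the first event in the
# quoted report; the destination IP is redacted as it is in the thread.
SAMPLE_REPORT = """\
Location : Chicago
Destination IP: [redacted]
Traffic : 2520 Mbps 382880 pps
Fragmentation : 11%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0%
Top Source Port:
. 61% Port # 3702
. 38% Port # 0
Top Destination Port:
. 38% Port # 0
. 14% Port # 45934
Number of unique IP: 7110
Total Bytes : 1259961437
Total Packets : 1531559
Duration : 4s
"""

_LIST_LINE = re.compile(r"^\.\s*(\d+)%\s+(?:Port|Protocol)\s+#\s+(\d+)")
_SECTIONS = {"Top Transport Protocol": "protocols",
             "Top Source Port": "src_ports",
             "Top Destination Port": "dst_ports"}
_TRAFFIC = re.compile(r"^Traffic\s*:\s*(\d+)\s*Mbps\s+(\d+)\s*pps")
_SCALARS = [
    ("frag_pct", re.compile(r"^Fragmentation\s*:\s*(\d+)%"), int),
    ("unique_ips", re.compile(r"^Number of unique IP\s*:\s*(\d+)"), int),
    ("total_bytes", re.compile(r"^Total Bytes\s*:\s*(\d+)"), int),
    ("total_packets", re.compile(r"^Total Packets\s*:\s*(\d+)"), int),
    ("duration_s", re.compile(r"^Duration\s*:\s*([\d.]+)s"), float),
]


def parse_report(text: str) -> Dict[str, Any]:
    """Return the scalar fields plus (percent, number) lists per 'Top ...' section."""
    r: Dict[str, Any] = {name: [] for name in _SECTIONS.values()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        found = next((s for h, s in _SECTIONS.items() if line.startswith(h)), None)
        if found:
            section = found
            continue
        m = _LIST_LINE.match(line)
        if m and section:
            r[section].append((int(m.group(1)), int(m.group(2))))
            continue
        section = None  # any other line ends the current list
        m = _TRAFFIC.match(line)
        if m:
            r["mbps"], r["pps"] = int(m.group(1)), int(m.group(2))
            continue
        for key, pattern, cast in _SCALARS:
            m = pattern.match(line)
            if m:
                r[key] = cast(m.group(1))
                break
    return r


def analyse(r: Dict[str, Any], min_pct: int = 5) -> Dict[str, Any]:
    """Flag reflection source ports and fragments; recompute the rate from counters."""
    f: Dict[str, Any] = {"vectors": [], "fragments": False}
    f["udp_dominant"] = any(p == 17 and pct >= 50 for pct, p in r["protocols"])
    for pct, port in r["src_ports"]:
        if port in REFLECTION_PORTS and pct >= min_pct:
            f["vectors"].append((port, REFLECTION_PORTS[port], pct))
        # Non-initial fragments carry no UDP header, so flow export shows port 0.
        if port == 0 and pct > 0:
            f["fragments"] = True
    f["avg_packet_bytes"] = round(r["total_bytes"] / r["total_packets"], 1)
    # A large gap here would mean the summary window and the counters disagree.
    f["mbps_from_counters"] = round(r["total_bytes"] * 8 / r["duration_s"] / 1e6)
    return f


def suggest_acl(f: Dict[str, Any], service_port: int = 443, stateful: bool = True) -> List[str]:
    """nftables-style inbound rules (assumed syntax) for a host that only serves
    TCP/service_port: keep replies to its own traffic, drop what the report
    shows, allow-list the service, drop the rest."""
    rules: List[str] = []
    if stateful:  # on the host itself; an upstream stateless ACL omits this line
        rules.append("ct state established,related accept")
    if f["fragments"]:
        rules.append("ip frag-off & 0x1fff != 0 drop")
    for port, name, pct in f["vectors"]:
        rules.append(f"udp sport {port} drop  # {name} reflection, {pct}% of packets")
    rules.append(f"tcp dport {service_port} accept")
    rules.append("drop")
    return rules


if __name__ == "__main__":
    findings = analyse(parse_report(SAMPLE_REPORT))
    print(findings)
    print("\n".join(suggest_acl(findings)))
```

On the sample event the byte counter and 4 s duration reproduce the reported 2520 Mbps, the average packet is about 823 bytes, and the only reflection port above threshold is 3702, so the generated list drops non-initial fragments and UDP from source port 3702 before the TCP/443 allow. The `ct state` line matters only when the rules run on the server; the upstream provider filter the thread recommends is stateless and simply admits the service port, which also stops the SYN-only TCP remainder from reaching the host.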

