Thanks everyone. There's been a lot of great on and off list responses, and we have a much better list of contacts for the next time this happens.
We are in contact with the FBI now (very impressed, particularly compared to what I expected), and have access to resources that we didn't know existed. Hopefully I'll meet some of you in Bellevue next week.

On Wed, May 21, 2014 at 9:51 PM, Beleaguered Admin <[email protected]> wrote:
> Apologies for the non-personal email address, but I don't want to give
> our attacker any additional information than I need to.
>
> I'd be happy to send personal contact/ASN information to any nanog
> admins or regular members of nanog if it's useful.
>
> Over the past year or so, we (a decent sized tier 2 with a nationwide
> US backbone) have had several large DDoS attacks from what appear to
> be the same person who is (we presume) going down something like the
> Alexa list of top sites, attacking them,
> and asking for small amounts of money to stop.
>
> This has been going on for a long time -- almost every detail is
> exactly the same as what is described here:
>
> http://it.slashdot.org/story/12/11/03/1846252/ask-slashdot-how-to-deal-with-a-ddos-attack
>
> and more recently:
>
> http://techcrunch.com/2014/03/03/meetup-suffering-significant-ddos-attack-taking-it-offline-for-days/
>
> and:
>
> https://gist.github.com/dhh/9741477
>
> And I believe attacks including Vimeo, GitHub, and others.
>
> The attacker is smarter than many random attackers, or at least has
> better tools. He watches when you mitigate the attack, and shifts his
> attack to something new. He (or his tools) also watch DNS for the
> thing he's attacking and the attack moves as DNS changes.
>
> We've seen UDP amplification (NTP and DNS mainly), syn flood, syn/ack
> flood, layer 7 cache busting
> (https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801/),
> and others we haven't been able to fully mitigate/identify.
>
> The largest we've seen (which isn't the largest we've read about)
> attacks are over 50Gbit and 10s of millions of pps.
>
> He is in regular communication (via whois info and other collected
> contact data) asking for <$1000 USD sums to stop the attacks.
>
> While we are interested in technical means to mitigate the attacks
> (the syn and syn/acks are brutal, all cores pegged on multicore 10G
> nic servers just dealing with interrupts), what I'd really like to
> find out is how to help fix the problem.
>
> We've tried to engage upstream providers to help trace the attacks,
> but have gotten nowhere (they didn't seem to understand that the syn
> attacks were spoofed, and looking at source IPs didn't matter, we
> wanted to know the ingress points on their network.)
>
> What are the best practices for this? Are there secret code words
> (http://xkcd.com/806/) we can use to get to someone at our upstreams
> who might know what we're talking about? Is it worth the time?
>
> Is it worth talking to law enforcement? Some of these have been >500k
> costs to the customer, but we assume the person doing it isn't in any
> western country, so maybe it doesn't even matter?
>
> Thanks.
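The quoted post names three traffic patterns (UDP amplification from NTP/DNS, SYN floods, SYN/ACK floods) and makes the point that source addresses in a spoofed flood tell you nothing; what an upstream can usefully report is which ingress interface the packets arrived on. The script below is an added example, not code from either poster: it classifies constructed NetFlow-style records by those patterns using per-packet size and TCP flag heuristics, then aggregates attack packets by ingress interface instead of by source IP. The field names, the 400 bytes-per-packet amplification threshold and the 80 bytes-per-packet flood threshold are assumptions chosen for the example.

```python
"""Classify flow records into the DDoS patterns named in the thread and roll
them up by ingress interface (added example; all records are constructed)."""
from collections import Counter, defaultdict

# Reflection services named in the thread. Replies arriving *from* these
# source ports with unusually large payloads are the amplification signature.
AMPLIFIER_PORTS = {123: "ntp", 53: "dns"}
AMP_MIN_BYTES_PER_PKT = 400   # assumption: ordinary NTP/DNS replies are smaller
FLOOD_MAX_BYTES_PER_PKT = 80  # assumption: bare SYN / SYN-ACK packets are tiny


def classify(flow):
    """Return a label for one flow record (dict with proto, ports, flags,
    packets, bytes, in_ifindex). Flags use a compact string: 'S', 'SA', 'PA'..."""
    bpp = flow["bytes"] / flow["packets"]
    if (flow["proto"] == "udp" and flow["src_port"] in AMPLIFIER_PORTS
            and bpp >= AMP_MIN_BYTES_PER_PKT):
        return "udp-amplification/" + AMPLIFIER_PORTS[flow["src_port"]]
    if flow["proto"] == "tcp" and bpp < FLOOD_MAX_BYTES_PER_PKT:
        if flow["flags"] == "S":
            return "syn-flood"
        if flow["flags"] == "SA":      # backscatter: someone else's spoofed SYNs
            return "synack-flood"
    return "other"


def summarize(flows):
    """Packets per attack class, and per ingress interface per class.
    Aggregating by in_ifindex rather than src_ip is the point: spoofed
    sources are meaningless, the arriving interface is not."""
    by_class = Counter()
    by_ingress = defaultdict(Counter)
    for f in flows:
        label = classify(f)
        if label == "other":
            continue
        by_class[label] += f["packets"]
        by_ingress[f["in_ifindex"]][label] += f["packets"]
    return by_class, by_ingress


def noisiest_ingress(flows):
    """Ingress interface carrying the most attack packets, or None."""
    _, by_ingress = summarize(flows)
    if not by_ingress:
        return None
    return max(by_ingress, key=lambda i: sum(by_ingress[i].values()))


# Constructed sample: two amplification flows on interface 7, a SYN and a
# SYN/ACK flood on interface 12, and two benign flows that must not match.
SAMPLE_FLOWS = [
    {"proto": "udp", "src_port": 123, "dst_port": 47291, "flags": "",
     "packets": 1000, "bytes": 468_000, "in_ifindex": 7},
    {"proto": "udp", "src_port": 53, "dst_port": 52001, "flags": "",
     "packets": 500, "bytes": 1_500_000, "in_ifindex": 7},
    {"proto": "tcp", "src_port": 31337, "dst_port": 80, "flags": "S",
     "packets": 200_000, "bytes": 12_000_000, "in_ifindex": 12},
    {"proto": "tcp", "src_port": 80, "dst_port": 44000, "flags": "SA",
     "packets": 80_000, "bytes": 4_800_000, "in_ifindex": 12},
    {"proto": "tcp", "src_port": 443, "dst_port": 50123, "flags": "PA",
     "packets": 10, "bytes": 9_000, "in_ifindex": 7},
    {"proto": "udp", "src_port": 53, "dst_port": 50555, "flags": "",
     "packets": 1, "bytes": 120, "in_ifindex": 12},
]

if __name__ == "__main__":
    by_class, by_ingress = summarize(SAMPLE_FLOWS)
    for label, pkts in by_class.most_common():
        print(f"{label:28s} {pkts:>10,d} pkts")
    for ifindex, counts in sorted(by_ingress.items()):
        print(f"ingress ifindex {ifindex}: {dict(counts)}")
    print("noisiest ingress:", noisiest_ingress(SAMPLE_FLOWS))
```

Run against real exported flows the same rollup answers the question the poster wanted answered by upstreams: not "which source IPs", but "which of our edge interfaces is this coming in on", which is the starting point for tracing a spoofed flood hop by hop.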

