Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins

On 4 Dec 2015, at 9:34, alvin nanog wrote:


> all that tcpdump gibberish

Is entirely unnecessary, as well as being completely impractical on a
network of any size.


Reasonable network access policies for the entities under attack plus 
flow telemetry collection/analysis, S/RTBH, and/or flowspec are a good 
start, along with this:




This business of attempting to use packet captures for everything is the 
equivalent of your doctor attempting to diagnose the reason you're 
running a fever by using an electron microscope.


Start with the BCPs, then move to the macroanalytical.  Only dip into 
the microanalytical when required, and even then, do so very 
selectively.


---
Roland Dobbins 


Google Chrome 47.0.2526.73M broken NTLM proxy authentication

2015-12-03 Thread Seth Mos
Dear Google,

As of Dec 2nd the Google Chrome 47.0.2526.73M breaks NTLM proxy
authentication. This is unfortunate as nobody can get off the company
network now, which is secure I suppose, but not quite what I had in mind.

https://productforums.google.com/forum/#!topic/chrome/G_9eXH9c_ns;context-place=forum/chrome

So if anybody gets called that Google Chrome is throwing a
username/password prompt for every website you try, listing the website
as the authentication domain, instead of the proxy server, this is for you.

If you are ahead of the curve, you can make a GPO to disable Chrome
updates for the time being until this is fixed. If the browser already
updated, well, sorry.

Kind regards,

Seth


Re: Staring Down the Armada Collective

2015-12-03 Thread Roland Dobbins

On 4 Dec 2015, at 9:28, Lyndon Nerenberg wrote:

Are we perhaps, finally, reaching the cusp where everyone has realized 
that if we all, collectively, tell the rodents to f*** off, they just 
might?


By my very rough and subjective guesstimate, extortion is the motivation 
behind ~15% of all DDoS attacks, FYI.


---
Roland Dobbins 


Re: Staring Down the Armada Collective

2015-12-03 Thread Lyndon Nerenberg

On Dec 3, 2015, at 6:28 PM, Lyndon Nerenberg  wrote:

> Are we perhaps, finally, reaching the cusp where everyone has realized that 
> if we all, collectively, tell the rodents to f*** off, they just might?

I should also mention that, despite their bluster, they can't keep it up for 
more than half an hour.

By then, the upstream networks have figured it out and have null routed 
anything of consequence - far upstream.  Meanwhile, back haul your traffic in 
via a private network and they won't be able to do shit to you. (E.g. the 
standard Cloudflare model.)

They are not as smart as they make themselves out to be.  Don't let fear drive 
your decisions.

--lyndon





Re: Staring Down the Armada Collective

2015-12-03 Thread Lyndon Nerenberg

On Dec 3, 2015, at 9:14 PM, Lyndon Nerenberg  wrote:

> I should also mention that, despite their bluster, they can't keep it up for 
> more than half an hour.

The mailing list has been quiet. All step forward who are scared to say "me 
too" on account of Armada.

--lyndon





Ransom DDoS attack - need help!

2015-12-03 Thread halp us
All,

I've been a NANOG member for many years but I'm emailing from an anonymous
account to reduce the chance of the attackers finding me.

A company that shall remain anonymous has received a ransom DDoS note from
a very well known group that has been in the news lately. Recently they've
threatened to carry out a major DDoS attack if they are not paid by a
deadline which is approaching. They've performed an attack of a smaller
magnitude to prove that they're serious.

Based on certain details that I can't reveal here, we believe the magnitude
of the upcoming attack may be in the several hundred Gbps.

I would really appreciate help in a few areas (primarily with certain
provider contacts/intros) so we can execute our strategy (which I can't
reveal here for obvious reasons). If you email me off-list with a
name/email that you've previously used on-list, I will reply from my real
email.

Alternatively, if you can post your experiences on-list with large scale
high profile ransom DDoS attacks, I'd really appreciate it!

Thanks


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Josh Reynolds
Sounds like lizardSquad may be at it again
On Dec 3, 2015 8:53 AM, "halp us"  wrote:

> All,
>
> I've been a NANOG member for many years but I'm emailing from an anonymous
> account to reduce the chance of the attackers finding me.
>
> A company that shall remain anonymous has received a ransom DDoS note from
> a very well known group that has been in the news lately. Recently they've
> threatened to carry out a major DDoS attack if they are not paid by a
> deadline which is approaching. They've performed an attack of a smaller
> magnitude to prove that they're serious.
>
> Based on certain details that I can't reveal here, we believe the magnitude
> of the upcoming attack may be in the several hundred Gbps.
>
> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I can't
> reveal here for obvious reasons). If you email me off-list with a
> name/email that you've previously used on-list, I will reply from my real
> email.
>
> Alternatively, if you can post your experiences on-list with large scale
> high profile ransom DDoS attacks, I'd really appreciate it!
>
> Thanks
>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread John Kristoff
On Thu, 3 Dec 2015 03:15:04 -0500
halp us  wrote:

> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I
> can't reveal here for obvious reasons). If you email me off-list with
> a name/email that you've previously used on-list, I will reply from
> my real email.

Hello,

Sorry for your troubles.  I'm happy to try to put you in touch with
people we know or specific providers that may be particularly important
for you, given the path attack traffic may follow to you.  Generally,
however, you need to be working with your upstream providers or peers.
Those are your best friends that are best able to mitigate traffic from
reaching you or to help trace back where it is coming from.

We also operate a free community service called UTRS, which is
essentially just a community remote triggered black hole (RTBH)
service.  Depending on the attack and where it is coming from, it may
be of some help.  It is another tool in the tool box that is relatively
easy to get going.  Technical details and sign up form here:

  
  

In case an attack does come, you must be able to provide some profile
of the attack traffic for others to help.  A sample of the attack
traffic (e.g. a pcap, flow data, logs), including any characteristics
that might help others help you mitigate is important.  This includes
source network, IP address(es) (but they may be spoofed), protocol,
port, packet size, payload, etc... anything that may uniquely identify
the traffic.  Keep track of the time an attack starts and let people
know what time zone you're working in, or convert to UTC (preferred).

> Alternatively, if you can post your experiences on-list with large
> scale high profile ransom DDoS attacks, I'd really appreciate it!

You should consider engaging your local federal law enforcement
office.  Don't expect miracles, but at least have that ball rolling.
They will probably tell you not to pay, and generally you shouldn't.
Keep a good evidence trail.  Be vigilant, but don't panic.

John


Re: Ransom DDoS attack - need help!

2015-12-03 Thread William Herrin
On Thu, Dec 3, 2015 at 3:15 AM, halp us  wrote:
> A company that shall remain anonymous has received a ransom DDoS note from
> a very well known group that has been in the news lately. Recently they've
> threatened to carry out a major DDoS attack if they are not paid by a
> deadline which is approaching. They've performed an attack of a smaller
> magnitude to prove that they're serious.

Hello,

Are you announcing your IP addresses via BGP or does your ISP manage
routing for you?

If BGP, contract with a DDOS mitigator now. During an attack, you
reroute the /24 containing the attacked destination to the mitigator
and let them scrub the bad traffic for you. I have no idea who to
recommend but I believe there was a recent discussion on nanog about
just that subject.

Make sure your ISP provides you with a small block of its addresses so
that you can anchor the tunnel from the DDOS mitigator no matter which
of your announced address blocks is attacked. And test to make sure
your addresses really do reroute to the mitigator at need: your ISP
can do a number of things to foul up your BGP announcement which you
won't notice until you try to reroute.

If not BGP, this is your ISP's problem. Notify them of the threat so
that they can get ready to mitigate it.


As others have said, don't pay the ransom. Even if the current thieves
honor the bargain, it'll become known that you paid. That paints a
great big target on your back for every other thief out there.

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Daniel Corbe

> On Dec 3, 2015, at 10:26 AM, Nick Hilliard  wrote:
> 
> On 03/12/2015 08:15, halp us wrote:
>> a very well known group that has been in the news lately. Recently they've
>> threatened to carry out a major DDoS attack if they are not paid by a
>> deadline which is approaching. They've performed an attack of a smaller
>> magnitude to prove that they're serious.
> 
> bear in mind that if you pay a ransom like this:
> 
> 1. you're opening up a bank account for them to dip into whenever they feel
> they need more money.

Most of these types of service ransom deals are conducted via bitcoin.  So I 
don’t see how this could be the case unless you mean to say that appeasing your 
attackers is a bad idea because they might just be emboldened enough to try and 
extort you again whenever the piggy bank is beginning to run dry.



Re: Ransom DDoS attack - need help!

2015-12-03 Thread Nick Hilliard
On 03/12/2015 08:15, halp us wrote:
> a very well known group that has been in the news lately. Recently they've
> threatened to carry out a major DDoS attack if they are not paid by a
> deadline which is approaching. They've performed an attack of a smaller
> magnitude to prove that they're serious.

bear in mind that if you pay a ransom like this:

1. you're opening up a bank account for them to dip into whenever they feel
they need more money.

2. you're perpetuating the problem of ddos-or-ransom by turning it into a
viable business.

If you believe that someone who issues a ransom threat will stop if you pay
them off, you're smoking crack.

Nick



RE: Ransom DDoS attack - need help!

2015-12-03 Thread Darden, Patrick
Talk to your upstream provider.  They may already have mitigation in place 
(e.g. Arbor devices).  If not, then if you know much about this anticipated 
attack (and you seem to have some details) they can certainly implement ACLs 
and other moderating tools.  Regardless, contact the FBI or similar LEA and 
get them involved: extortion and threats for now, and if they follow through 
then you have civil and very possibly criminal proceedings to look forward to.

I also highly recommend you contact EFF.  Start at eff.org

--patrick darden

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of halp us
Sent: Thursday, December 03, 2015 2:15 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Ransom DDoS attack - need help!

All,

I've been a NANOG member for many years but I'm emailing from an anonymous 
account to reduce the chance of the attackers finding me.

A company that shall remain anonymous has received a ransom DDoS note from a 
very well known group that has been in the news lately. Recently they've 
threatened to carry out a major DDoS attack if they are not paid by a deadline 
which is approaching. They've performed an attack of a smaller magnitude to 
prove that they're serious.

Based on certain details that I can't reveal here, we believe the magnitude of 
the upcoming attack may be in the several hundred Gbps.

I would really appreciate help in a few areas (primarily with certain provider 
contacts/intros) so we can execute our strategy (which I can't reveal here for 
obvious reasons). If you email me off-list with a name/email that you've 
previously used on-list, I will reply from my real email.

Alternatively, if you can post your experiences on-list with large scale high 
profile ransom DDoS attacks, I'd really appreciate it!

Thanks


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Josh Reynolds
None of those names you just mentioned have made the international news.
On Dec 3, 2015 8:59 AM, "Chris Baker"  wrote:

> Can you provide some additional details? Is it someone claiming
> association with a known group like DD4BC or the Armada Collective or
> unbranded?
>
> Cheers,
> CBaker
>
>
> On Thu, Dec 3, 2015 at 9:54 AM, Josh Reynolds 
> wrote:
>
>> Sounds like lizardSquad may be at it again
>> On Dec 3, 2015 8:53 AM, "halp us"  wrote:
>>
>> > All,
>> >
>> > I've been a NANOG member for many years but I'm emailing from an
>> anonymous
>> > account to reduce the chance of the attackers finding me.
>> >
>> > A company that shall remain anonymous has received a ransom DDoS note
>> from
>> > a very well known group that has been in the news lately. Recently
>> they've
>> > threatened to carry out a major DDoS attack if they are not paid by a
>> > deadline which is approaching. They've performed an attack of a smaller
>> > magnitude to prove that they're serious.
>> >
>> > Based on certain details that I can't reveal here, we believe the
>> magnitude
>> > of the upcoming attack may be in the several hundred Gbps.
>> >
>> > I would really appreciate help in a few areas (primarily with certain
>> > provider contacts/intros) so we can execute our strategy (which I can't
>> > reveal here for obvious reasons). If you email me off-list with a
>> > name/email that you've previously used on-list, I will reply from my
>> real
>> > email.
>> >
>> > Alternatively, if you can post your experiences on-list with large scale
>> > high profile ransom DDoS attacks, I'd really appreciate it!
>> >
>> > Thanks
>> >
>>
>
>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 3 Dec 2015, at 22:26, Nick Hilliard wrote:

> If you believe that someone who issues a ransom threat will stop if you pay
> them off, you're smoking crack.

+1

These attacks aren't rocket-science to defend against.

OP, ping me 1:1.

---
Roland Dobbins 


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins

On 3 Dec 2015, at 15:15, halp us wrote:

> Based on certain details that I can't reveal here, we believe the
> magnitude of the upcoming attack may be in the several hundred Gbps.


They lie.  The largest attacks we've seen from these threat actors are 
in the ~60gb/sec range - which is nothing to shake a stick at, mind.


Many times, they don't follow through.  But you're right to be prepared.

See these two presos:





> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I
> can't reveal here for obvious reasons).


All this super-secret squirrel stuff doesn't help, it's actually a 
hindrance.  The short answer is 'upstream ACLs'.


Nevertheless, contact me 1:1 and I'll work to hook you up with the right 
folks.


---
Roland Dobbins 


TWC RR contact off list ?

2015-12-03 Thread Brandon Applegate
Could someone from TWC RR contact me off-list ?  I have an IPv6 / DNS question 
/ request.  I’m in Cincinnati, OH and this is residential if that matters.

Otherwise - if anyone non-TWC on list can point me to a person/address etc that 
will let me leap frog frontline support that would be great.  There’s no way 
the support folks are going to know what I’m asking or who/how to escalate.

Thanks in advance.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
830B 4802 1DD4 F4F9 63FE  B966 C0A7 189E 9EC0 3A74
"SH1-0151.  This is the serial number, of our orbital gun."





Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Jared Geiger
Wouldn't this be a Net Neutrality issue now or would it fall on HE for not
willing to buy transit to Cogent IPv6?

On Wed, Dec 2, 2015 at 5:38 PM, Ryan Rawdon  wrote:

>
> > On Dec 1, 2015, at 1:23 PM, Max Tulyev  wrote:
> >
> > Hi All,
> >
> > we got an issue today that announces from Cogent don't reach Hurricane
> > Electric. HE support said that's a feature, not a bug.
> >
> > So we have a split Internet again?
> >
> > I have to change at least one of my uplinks because of it, which one is
> > better to drop, HE or Cogent?
>
>
> There is another option, instead of choosing just one - perhaps establish
> a tunnel to HE from a L3 device that can do the tunneling in hardware?  You
> can get a HE tunnel for free, and they will speak BGP to you.
>
> Alternatively, if you are on any IXes where HE is present - they will not
> only peer with you for v6, but announce a full table if you want it.


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 3 Dec 2015, at 22:04, Josh Reynolds wrote:

> None of those names you just mentioned have made the international news.

Of course they have.

---
Roland Dobbins 


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Chris Baker
Can you provide some additional details? Is it someone claiming association
with a known group like DD4BC or the Armada Collective or unbranded?

Cheers,
CBaker


On Thu, Dec 3, 2015 at 9:54 AM, Josh Reynolds  wrote:

> Sounds like lizardSquad may be at it again
> On Dec 3, 2015 8:53 AM, "halp us"  wrote:
>
> > All,
> >
> > I've been a NANOG member for many years but I'm emailing from an
> anonymous
> > account to reduce the chance of the attackers finding me.
> >
> > A company that shall remain anonymous has received a ransom DDoS note
> from
> > a very well known group that has been in the news lately. Recently
> they've
> > threatened to carry out a major DDoS attack if they are not paid by a
> > deadline which is approaching. They've performed an attack of a smaller
> > magnitude to prove that they're serious.
> >
> > Based on certain details that I can't reveal here, we believe the
> magnitude
> > of the upcoming attack may be in the several hundred Gbps.
> >
> > I would really appreciate help in a few areas (primarily with certain
> > provider contacts/intros) so we can execute our strategy (which I can't
> > reveal here for obvious reasons). If you email me off-list with a
> > name/email that you've previously used on-list, I will reply from my real
> > email.
> >
> > Alternatively, if you can post your experiences on-list with large scale
> > high profile ransom DDoS attacks, I'd really appreciate it!
> >
> > Thanks
> >
>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Chris Baker
OSINT has a plethora of detail available:

http://www.reuters.com/article/2015/11/30/greece-banks-idUSL8N13P5B420151130
http://www.ibtimes.co.uk/armada-collective-who-are-hackers-extorting-bitcoin-ransoms-what-can-we-do-1528253
http://www.bloomberg.com/news/articles/2015-09-09/bitcoin-ddos-ransom-demands-raise-dd4bc-profile

On Thu, Dec 3, 2015 at 10:04 AM, Josh Reynolds  wrote:

> None of those names you just mentioned have made the international news.
> On Dec 3, 2015 8:59 AM, "Chris Baker"  wrote:
>
>> Can you provide some additional details? Is it someone claiming
>> association with a known group like DD4BC or the Armada Collective or
>> unbranded?
>>
>> Cheers,
>> CBaker
>>
>>
>> On Thu, Dec 3, 2015 at 9:54 AM, Josh Reynolds 
>> wrote:
>>
>>> Sounds like lizardSquad may be at it again
>>> On Dec 3, 2015 8:53 AM, "halp us"  wrote:
>>>
>>> > All,
>>> >
>>> > I've been a NANOG member for many years but I'm emailing from an
>>> anonymous
>>> > account to reduce the chance of the attackers finding me.
>>> >
>>> > A company that shall remain anonymous has received a ransom DDoS note
>>> from
>>> > a very well known group that has been in the news lately. Recently
>>> they've
>>> > threatened to carry out a major DDoS attack if they are not paid by a
>>> > deadline which is approaching. They've performed an attack of a smaller
>>> > magnitude to prove that they're serious.
>>> >
>>> > Based on certain details that I can't reveal here, we believe the
>>> magnitude
>>> > of the upcoming attack may be in the several hundred Gbps.
>>> >
>>> > I would really appreciate help in a few areas (primarily with certain
>>> > provider contacts/intros) so we can execute our strategy (which I can't
>>> > reveal here for obvious reasons). If you email me off-list with a
>>> > name/email that you've previously used on-list, I will reply from my
>>> real
>>> > email.
>>> >
>>> > Alternatively, if you can post your experiences on-list with large
>>> scale
>>> > high profile ransom DDoS attacks, I'd really appreciate it!
>>> >
>>> > Thanks
>>> >
>>>
>>
>>


RE: SevOne Monitoring

2015-12-03 Thread Tony McKay
All,
I've been using SevOne for 3 years, and I can confirm some of your 
suspicions around element licensing, in that you will consume more element 
counts than you allowed in your budget.  It does provide a very granular way of 
omitting objects from discovery through regex.  It is not a single pane of 
glass solution, in that fault management is not its forte.  This platform is 
for performance measurement and management primarily.  A good example of this 
is that out of the box, it cannot throw an alert if an interface goes down.  
You have to programmatically build each alert based on an SNMP polled value, so 
there is a long lead time before you can bring it into production.  Compared to 
other similar products out there, price per license seems to be pretty steep, 
since it includes the hardware, but you also will continue to pay 18% 
maintenance year over year.

I'm available for any one-on-one discussions you might have about the 
platform offline.


Tony McKay
tony.mc...@rittercommunications.com

-The boundary to your comfort zone fades a little each time you cross it.  
Raise your limits by pushing them.



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Chad Myers
Sent: Wednesday, December 02, 2015 4:00 PM
To: Naslund, Steve
Cc: nanog@nanog.org
Subject: [BULK] Re: SevOne Monitoring

I took a look at SevOne back when you could download a free, 500-element 
version of it when I was looking for something to deal with Netflow.  I'd heard 
of it prior but nothing from the website seemed overly appealing.  Actually 
-using- the product though it was wonderful seeing a tool built to 
automatically deal with a lot of the things that are fairly routine but are 
time consuming to deal with.  Automatic filtering of what is monitored based on 
user customizable rules.  For example:  Junos device? Ignore all file systems 
that are mounted from /dev/md*, ignore pim([de])|lsi|gre|ipip|dsc interfaces, 
and so on.  If an interface is set to admin-down automatically prevent alarms 
from it.  Then don't alarm on it being down.  If it later changes so it isn't 
admin-down then start monitoring & alerting on it again automatically.

As Steven pointed out though the pricing model escalates rapidly since they do 
it by each individual object.  If using netflow, each netflow interface is 
considered 100 elements if I remember correctly.  Even if I ignored netflow, a 
single EX8216 would consume a few thousand elements or more if I wanted to 
monitor all of the interfaces in the chassis.  Just looking at it for lab usage 
over ~12 Juniper devices, if I wanted to get full monitoring over all devices, 
without netflow/sflow, it was a few hundred thousand elements.  When I try to 
extrapolate that to our production environment with thousands of network 
devices I can't even imagine what the element count and subsequent cost would 
be.  When comparing against similar tools the cost is simply outrageous due to 
the licensing.  And I just realized that it actually becomes more cost 
effective to have an internal development team dedicated to writing & 
maintaining custom network monitoring tools when compared to licensing costs 
like this.

Independent of that, I'm miffed that the free, 500-element version I was using 
for home and lab use is no longer usable.  It says the license is valid until 
sometime in 2031, but won't actually let me beyond that point until I upload an 
updated license file.  Can't even do a reinstall since the original license 
file is only valid for a few weeks before it expires.  I keep forgetting to 
contact support about it when I'm at home but since they completely removed the 
free version I'm doubtful that they will provide an updated license file.

So yeah, fantastic tool, not as pretty as Solarwinds, but it gets really 
expensive, really fast.  And when talking with them I got the impression that 
the licensing was per year versus a one-time license cost and then recurring 
maintenance cost for support & software updates; the above licensing behavior 
in the free version supports that impression.  I don't know if that is correct 
though as I didn't think to ask while I was talking with them.

-Chad


On Nov 25, 2015, at 12:04 PM, "Naslund, Steve"  wrote:

> I looked at SevOne and liked the product a lot.  One thing we found was that 
> the pricing model escalates pretty rapidly because they count every OBJECT 
> you monitor, not every device.  So if I am looking at Bytes In, Bytes Out, 
> Errors In, etc on a single interface those are all counted as a separate 
> OBJECT against your license count.  You really have to be more selective 
> about what you want to see which 

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Dovid Bender
The last I spoke with NTT they said the largest they ever saw was > 300GB
and most of the time they don't follow through. They threaten 100 networks
and hope that x% will pay them off 'just in case'

On Thu, Dec 3, 2015 at 10:20 AM, Roland Dobbins  wrote:

> On 3 Dec 2015, at 15:15, halp us wrote:
>
> Based on certain details that I can't reveal here, we believe the
>> magnitude of the upcoming attack may be in the several hundred Gbps.
>>
>
> They lie.  The largest attacks we've seen from these threat actors are in
> the ~60gb/sec range - which is nothing to shake a stick at, mind.
>
> Many times, they don't follow through.  But you're right to be prepared.
>
> See these two presos:
>
> 
>
> 
>
> I would really appreciate help in a few areas (primarily with certain
>> provider contacts/intros) so we can execute our strategy (which I can't
>> reveal here for obvious reasons).
>>
>
> All this super-secret squirrel stuff doesn't help, it's actually a
> hindrance.  The short answer is 'upstream ACLs'.
>
> Nevertheless, contact me 1:1 and I'll work to hook you up with the right
> folks.
>
> ---
> Roland Dobbins 
>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Lyndon Nerenberg

> Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should
> be able to mitigate some to much of the damage caused by filled pipes by
> blocking incoming UDP traffic at your ISP level.


This is the Armada Collective, based on the description.  We just went 
through a round with them. The hardest they were able to hit us peaked at 
a little under 80 Gbits/second. Primarily DNS and NTP amplification 
attacks. They also hit our web servers with a little over 80 million 
requests over a one hour period, and played some games with TCP to try to 
mess with the protocol stacks on the servers and network gear.


Cloudflare took care of the web attacks.  For DDoS, something like 
Incapsula will take care of the layer 3 stuff.  Not cheap, but very 
effective.


--lyndon
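As an added example (not from this thread or any of its posters), here is the kind of attack profile John Kristoff asks for above, built from flow telemetry rather than packet captures and checked for the DNS/NTP amplification pattern Lyndon describes. The flow field layout, the packet-count and packet-size thresholds, and the sample records are all constructed assumptions.

```python
"""Build a shareable attack profile from flow records.

Constructed sample data; the field layout is an assumption modelled on a
NetFlow v5-style export (flow start as epoch seconds, addresses, protocol
number, ports, packet and byte counts), not any vendor's actual format.
"""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

# Constructed flow records:
# start_epoch,src_ip,dst_ip,proto,src_port,dst_port,packets,bytes
SAMPLE_FLOWS = """\
1449126900,198.51.100.7,203.0.113.10,17,53,44112,1200,3840000
1449126902,198.51.100.19,203.0.113.10,17,53,44112,900,2880000
1449126903,192.0.2.44,203.0.113.10,17,123,51220,2000,936000
1449126905,192.0.2.45,203.0.113.10,17,123,51220,1800,842400
1449126907,198.51.100.200,203.0.113.10,6,80,33001,30,1800
1449126910,203.0.113.50,203.0.113.10,6,443,40001,40,4200
1449126950,192.0.2.46,203.0.113.10,17,123,51220,1500,702000
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Reflection vectors named in the thread (DNS and NTP): UDP source port
# plus a minimum mean packet size that a legitimate reply of that service
# rarely reaches.  The size thresholds are assumptions for this example.
AMP_SIGNATURES = {
    "DNS amplification": (53, 1000),
    "NTP amplification": (123, 400),
}


def parse_flows(text):
    """Parse the constructed CSV export into a list of dicts with typed fields."""
    fields = ("start", "src", "dst", "proto", "sport", "dport", "packets", "bytes")
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != len(fields):
            continue  # skip malformed export lines rather than abort
        rec = dict(zip(fields, parts))
        for key in ("start", "proto", "sport", "dport", "packets", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def profile_attack(flows, victim, min_packets=100):
    """Summarise flows toward `victim` in the form an upstream can act on.

    Only records carrying at least `min_packets` are treated as attack
    traffic (an assumed threshold); smaller records are background noise.
    Returns None when nothing toward the victim meets the threshold.
    """
    attack = [f for f in flows if f["dst"] == victim and f["packets"] >= min_packets]
    if not attack:
        return None

    # Report the start time in UTC, as the thread recommends.
    start = min(f["start"] for f in attack)
    start_utc = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")

    protos = Counter(PROTO_NAMES.get(f["proto"], str(f["proto"])) for f in attack)
    sports = Counter(f["sport"] for f in attack)
    # Aggregate sources to /24.  Sources may be spoofed or be reflectors
    # rather than the real attacker, so this is a hint for upstreams only.
    nets = Counter(str(ipaddress.ip_network(f"{f['src']}/24", strict=False)) for f in attack)

    total_pkts = sum(f["packets"] for f in attack)
    total_bytes = sum(f["bytes"] for f in attack)

    # Flag an amplification vector when UDP traffic from the service port
    # has a mean packet size above the signature's threshold.
    vectors = []
    for name, (port, min_size) in AMP_SIGNATURES.items():
        hits = [f for f in attack if f["proto"] == 17 and f["sport"] == port]
        if not hits:
            continue
        mean = sum(f["bytes"] for f in hits) / sum(f["packets"] for f in hits)
        if mean >= min_size:
            vectors.append(name)

    return {
        "start_utc": start_utc,
        "protocols": dict(protos),
        "top_src_ports": sports.most_common(3),
        "top_src_nets": nets.most_common(3),
        "mean_packet_size": round(total_bytes / total_pkts),
        "vectors": sorted(vectors),
    }


if __name__ == "__main__":
    report = profile_attack(parse_flows(SAMPLE_FLOWS), "203.0.113.10")
    for key, value in report.items():
        print(f"{key}: {value}")
```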



Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 4 Dec 2015, at 2:38, Dovid Bender wrote:

> The last I spoke with NTT they said the largest they ever saw was > 300GB

That wasn't DD4BC or Armada Collective.

---
Roland Dobbins 


Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread William Herrin
On Thu, Dec 3, 2015 at 1:40 PM, Jared Geiger  wrote:
> Wouldn't this be a Net Neutrality issue now or would it fall on HE for not
> willing to buy transit to Cogent IPv6?

Wouldn't it fall on Cogent for being unwilling to buy transit from HE?
HE is the IPv6 leader in the game.

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Robban
Hi!
This is my first mail to the list.
Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should 
be able to mitigate 
some to much of the damage caused by filled pipes by blocking incoming UDP 
traffic at your ISP level.
 
//Robban
 
> * On Thu, Dec 03, 2015 at 03:15:04AM -0500, halp us 
>  wrote:
> > All,
> > 
> > I've been a NANOG member for many years but I'm emailing from an anonymous
> > account to reduce the chance of the attackers finding me.
> > 
> > A company that shall remain anonymous has received a ransom DDoS note from
> > a very well known group that has been in the news lately. Recently they've
> > threatened to carry out a major DDoS attack if they are not paid by a
> > deadline which is approaching. They've performed an attack of a smaller
> > magnitude to prove that they're serious.
> > 
> > Based on certain details that I can't reveal here, we believe the magnitude
> > of the upcoming attack may be in the several hundred Gbps.
> > 
> > I would really appreciate help in a few areas (primarily with certain
> > provider contacts/intros) so we can execute our strategy (which I can't
> > reveal here for obvious reasons). If you email me off-list with a
> > name/email that you've previously used on-list, I will reply from my real
> > email.
> > 
> > Alternatively, if you can post your experiences on-list with large scale
> > high profile ransom DDoS attacks, I'd really appreciate it!
> > 
> > Thanks

-- 
Robert Soderlund


Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Jeff Walter
As funny as that would be, it would never happen. Cogent thinks they're the
biggest. HE is the biggest (last I checked). HE wants to peer. Cogent wants
HE to pay for transit. Cake reference. Still partitioned.

How do you get them connected? I hate to say it, but it would take a major
shift within Cogent. In the meantime your best option to see the whole IPv6
internet is to pay Cogent and to get free v6 transit with HE over an
exchange or tunnel.

On Thu, Dec 3, 2015 at 12:51 PM, William Herrin  wrote:

> On Thu, Dec 3, 2015 at 1:40 PM, Jared Geiger  wrote:
> > Wouldn't this be a Net Neutrality issue now or would it fall on HE for
> not
> > willing to buy transit to Cogent IPv6?
>
> Wouldn't it fall on Cogent for being unwilling to buy transit from HE?
> HE is the IPv6 leader in the game.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: 
>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread Clay Curtis
F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos
protection.  Don't pay up, use ddos protection.

Clay



On Thu, Dec 3, 2015 at 3:11 PM, Roland Dobbins  wrote:

> On 4 Dec 2015, at 2:38, Dovid Bender wrote:
>
> > The last I spoke with NTT they said the largest they ever saw was > 300GB
>
> That wasn't DD4BC or Armada Collective.
>
> ---
> Roland Dobbins 
>


Re: Multi-core clamp on ammeter

2015-12-03 Thread Owen DeLong
The results I was able to find are not promising.

The best I could come up with is to make use of this and some cobbling:

https://moderndevice.com/new-products/current-sensor/ 


I have had good luck with other items from Modern Device, but I have not played 
with this one.

It can be purchased here: https://moderndevice.com/product/current-sensor/ 

for $18.

Not responsive to your query, but something I thought you might also find of 
interest:

http://ipo.lbl.gov/wp-content/uploads/sites/8/2014/12/3165pub2.pdf 


Owen

> On Nov 28, 2015, at 18:06 , Rob Seastrom  wrote:
> 
> 
> Hi folks,
> 
> I own a Megger MMC850 which will read amps in a multi-core cable, such as the 
> 10 gauge SEOOW cable one often finds feeding rack PDUs.
> 
> Datasheet here:  http://www.mouser.com/ds/2/263/MMC850_DS_en_V02-15853.pdf
> 
> Apparently they've been discontinued.  Pity.
> 
> Anyone know of a suitable replacement?  I need more.
> 
> -r



Re: Ransom DDoS attack - need help!

2015-12-03 Thread A.L.M. Buxey
Hi,
> F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos
> protection.  Don't pay up, use ddos protection.

you know how many ponder whether AV companies write some of the viruses

;-)

alan


Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Baldur Norddahl
On 1 December 2015 at 20:23, Max Tulyev  wrote:

> Hi All,
>
> we got an issue today that announces from Cogent don't reach Hurricane
> Electric. HE support said that's a feature, not a bug.
>
> So we have a split Internet again?
>
> I have to change at least one of my uplinks because of it, which one is
> better to drop, HE or Cogent?
>

Question: Why would you have to drop one of them? You have no problem if
you have both.

Even in the case of a link failure to one of them, you will likely not see
a big impact since everyone else also keeps multiple transits. You will
only have trouble with people that are single homed Cogent or HE, in which
case it is more them having a problem than you.

Regards,

Baldur


Re: TWC RR contact off list ?

2015-12-03 Thread Alan Clegg


On 12/3/15 10:34 AM, Brandon Applegate wrote:
> Could someone from TWC RR contact me off-list ?  I have an IPv6 / DNS
> question / request.  I’m in Cincinnati, OH and this is residential if
> that matters.

Is the IPv6 problem related to the 7% packet loss that I've been told
can be fixed by power-cycling my cable modem?  It HAD been up for 71
days, after all.

(and yes, the problem continues if anyone from TWC would like to chat).

AlanC
-- 
Why don't we wander and follow la vie dansante.





Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Matthew Petach
Or, if you feel that Cogent's stubborn insistence on
partitioning the global v6 internet shouldn't be rewarded
with money, pay someone *other* than cogent for
IPv6 transit and also connect to HE.net; that way
you still have access to cogent routes, but you also
send a subtle economic nudge that says "hey cogent--
trying to get into the tier 1 club by partitioning the
internet isn't a good path for long-term success".

Note that this is purely my own opinion, not necessarily
that of my employer, my friends, my family, or even my
cat.  I asked my cat about cogent IPv6, and all I got was
a ghostly hairball as a reply[0].

Matt


[0] https://www.youtube.com/watch?v=6kEME0CxmtY



On Thu, Dec 3, 2015 at 3:19 PM, Baldur Norddahl wrote:
> On 1 December 2015 at 20:23, Max Tulyev  wrote:
>
>> Hi All,
>>
>> we got an issue today that announces from Cogent don't reach Hurricane
>> Electric. HE support said that's a feature, not a bug.
>>
>> So we have a split Internet again?
>>
>> I have to change at least one of my uplinks because of it, which one is
>> better to drop, HE or Cogent?
>>
>
> Question: Why would you have to drop one of them? You have no problem if
> you have both.
>
> Even in the case of a link failure to one of them, you will likely not see
> a big impact since everyone else also keeps multiple transits. You will
> only have trouble with people that are single homed Cogent or HE, in which
> case it is more them having a problem than you.
>
> Regards,
>
> Baldur
>


Re: Ransom DDoS attack - need help!

2015-12-03 Thread alvin nanog

hi "need help"

On 12/03/15 at 03:15am, halp us wrote:
> A company that shall remain anonymous has received a ransom DDoS note from
> a very well known group that has been in the news lately. 

use an email reader that allows you to see all the received email headers
to see which SMTP routers they came thru to reach your smtp servers

contact each of the ISP that owns those IP# ranges to forewarn them of
your upcoming DDoS attacks .. if you're/we're lucky, the actual DDoS
attacks would pass thru the same ISPs again

> Recently they've
> threatened to carry out a major DDoS attack if they are not paid by a
> deadline which is approaching. They've performed an attack of a smaller
> magnitude to prove that they're serious.

cool .. more proof that they can carry out an attack allows you ( law enforcement
and the ISP ) to track down who they are, where they come from, etc, etc, etc

since you also kinda know what time/date they will be attacking, the ISP and
law enforcement can be watching for the incoming attacks and reverse track the
originating and probably cracked routers ... and hopefully, one-in-a-million
chance to find the ddos-extorter's computers

if the extorter is in the same city ( your local bully ) using the same ISP, 
finding the extorter should be trivial

you can also catch the extorter by "pretending" to have put up the 
and tell the FBI/interpol/ISPs/PayPal/etc to watch the non-existent account
for incoming connections from the extorter ... and keep telling the
extorter the $$$ is there even if they can't seem to get their $$$

> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I can't
> reveal here for obvious reasons).

most folks would like to see that you have done your "homework" too 
trying to stop incoming DDoS attacks ... aka, you need to able to provide 
them the necessary info for them to help you ...

run tcpdump and/or ethereal to capture the DDoS attacks

==

---
ALL servers are under kinda harmless script kiddie attacks every second ...
- defend against those ( free ) ddos attacks scenarios
#
# if you cannot figure out how to stop these harmless probes, you're
# gonna be in trouble when the DDoS attacks are intent on their attacks
#
---

Simple things you should do BEFORE getting outside DDoS mitigation help, 
because they will probably ask and probably perform the same thing:

- prepare a ( time, $$$, technical expertise ) budget to stop that DDoS 
attacks

- get the received headers from the extorter's emails
-

- get the ph# and email contacts of your ISP's security dept and 
their peers/uplinks  .. similarly for the ph# of your local FBI/police 
dept

- at a minimum, update patch all servers to today's patch releases
--

- "confirm" means use the FREE online test tools to test your servers
- confirm your DNS servers are NOT open resolvers
- confirm your SMTP servers are NOT open relays

- use the NTP servers from your ISP if you're not sure if your NTPd is 
secure


---
- install IPtables + tarpit to defend against almost all TCP-based 
attacks
-   imho, it is pointless to run iptables without tarpit support
-   http://NetworkNightmare.net/Tarpits/#Install

---

- defending against UDP attacks requires you get help from your ISP
- usually against DNS, NTP, NFS, SNMP, X11, etc

- defending against ICMP attacks requires you get help from your ISP
  
#
# you cannot stop, block, prevent, mitigate UDP-based or ICMP-based
# ddos attacks at your servers .. 
#
# the ddos attack damage ( wasting your time, $$$ and bandwidth ) 
# is already done if it reaches your servers
#

- backup your user ( /home, /etc ) data ...
- build a brand new server from latest distro and restore your data 
from backup

- if you don't have time for all this DDoS stuff and willing to do only 1 
thing,
  install and learn iptables with tarpits on all your servers exposed to the 
internet

- it's trivial or NOT trivial depending on your abilities
- it is trivial ( few minutes/hours work ) for those folks familiar 
with IPtables

http://IPtables-BlackList.net

- if you do decide to go with outside DDoS scrubbers, you definitely will need 
$$$

if you don't have the time but have the $$$, hire a couple different DDoS 
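
Building on the point above about pulling the Received: headers out of the extortion mail, here is an added example (my own code, not alvin's and not from any list member) that walks a message's Received: chain and lists the relays in delivery order, so the owner of each relay can be contacted. The message text, host names and addresses are constructed for illustration from documentation ranges; the only assumption is that the mail is available as raw RFC 5322 text.

```python
import re
from email import message_from_string, policy

# Constructed sample message (hosts and addresses are documentation ranges, not real relays).
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.20])
\tby mail.example.com (Postfix) with ESMTPS id 4A1B2C3D4E
\tfor <noc@example.com>; Thu, 3 Dec 2015 09:15:02 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx2.example.net with ESMTP; Thu, 3 Dec 2015 09:14:58 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.org (Postfix) with ESMTPA; Thu, 3 Dec 2015 09:14:51 +0000
From: demand@example.org
To: noc@example.com
Subject: pay up

(message body omitted)
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiving host>" is the common Received: shape.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s*\((?P<info>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-f.:]+)\]", re.I)


def relay_chain(raw_message):
    """Return the Received: hops in delivery order (oldest first).

    Each hop is a dict with the HELO name, the address literal the receiving
    server recorded, and the receiving server's name.  Headers added before
    the mail reached your own servers can be forged; only the hops recorded
    by servers you trust are reliable.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    hops = []
    # Headers are prepended as the mail travels, so the top one is the last hop.
    for value in reversed(msg.get_all("Received") or []):
        flat = re.sub(r"\s+", " ", str(value))   # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        info = m.group("info") or ""
        ip = IP_RE.search(info) or IP_RE.search(m.group("helo"))
        hops.append({"helo": m.group("helo"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def relay_ips(raw_message):
    """Distinct address literals in delivery order, ready for whois/abuse-contact lookups."""
    seen = []
    for hop in relay_chain(raw_message):
        if hop["ip"] and hop["ip"] not in seen:
            seen.append(hop["ip"])
    return seen


if __name__ == "__main__":
    for n, hop in enumerate(relay_chain(SAMPLE_MESSAGE), 1):
        print(f"hop {n}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    print("relays to contact:", relay_ips(SAMPLE_MESSAGE))
```

The first hop in the list is the submitting host as recorded by the first relay; everything below the header your own MX added is outside your control and should be treated as a lead, not as evidence.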

Re: Ransom DDoS attack - need help!

2015-12-03 Thread dennis



Many online business have learned how to deal with these threats.  Just 
recently Protonmail hit the news and found out the hard way whether to pay or 
NOT.  Have a quick read at the log of events for yourself.
http://arstechnica.com/security/2015/11/how-extorted-e-mail-provider-got-back-online-after-crippling-ddos-attack/

 Original message 
From: Roland Dobbins  
Date: 12/3/2015  3:10 PM  (GMT-05:00) 
To: NANOG  
Subject: Re: Ransom DDoS attack - need help! 

On 3 Dec 2015, at 22:04, Josh Reynolds wrote:

> None of those names you just mentioned have made the international news.

Of course they have.

---
Roland Dobbins 



Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Matt Palmer
On Thu, Dec 03, 2015 at 04:58:08PM -0800, Matthew Petach wrote:
> Or, if you feel that Cogent's stubborn insistence on partitioning the
> global v6 internet shouldn't be rewarded with money, pay someone *other*
> than cogent for IPv6 transit and also connect to HE.net; that way you
> still have access to cogent routes, but you also send a subtle economic
> nudge that says "hey cogent-- trying to get into the tier 1 club by
> partitioning the internet isn't a good path for long-term success".

Sadly, anyone you pay for transit to Cogent routes is going to be giving
Cogent their cut, so it's not a perfect signal to Cogent that we'd prefer to
have one IPv6ternet rather than two.  At the very least, configure the
routers so that any routes you learn via HE are preferenced, and announce
your routes as preferring HE, so that Cogent gets as little of the traffic
as possible.

- Matt



Re: Ransom DDoS attack - need help!

2015-12-03 Thread Lyndon Nerenberg

On Dec 3, 2015, at 5:00 PM, alvin nanog  wrote:

> run tcpdump and/or ethereal to capture the DDoS attacks

 Of course! If we had only thought of this sooner! 

:-)

--lyndon





Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Jared Mauch

> On Dec 2, 2015, at 8:38 PM, Ryan Rawdon  wrote:
> 
> 
>> On Dec 1, 2015, at 1:23 PM, Max Tulyev  wrote:
>> 
>> Hi All,
>> 
>> we got an issue today that announces from Cogent don't reach Hurricane
>> Electric. HE support said that's a feature, not a bug.
>> 
>> So we have a split Internet again?
>> 
>> I have to change at least one of my uplinks because of it, which one is
>> better to drop, HE or Cogent?
> 
> 
> There is another option, instead of choosing just one - perhaps establish a 
> tunnel to HE from a L3 device that can do the tunneling in hardware?  You can 
> get a HE tunnel for free, and they will speak BGP to you.
> 
> Alternatively, if you are on any IXes where HE is present - they will not 
> only peer with you for v6, but announce a full table if you want it.

Looking at the most recent IPv6 data available at CAIDA you can see the 
customer cone size:

http://as-rank.caida.org/?data-selected-id=15

Be careful as the tool seems fragile when switching from the 2014-09-01 IPv6 
dataset and trying to sort by options, it seems to switch back to IPv4 silently.

Prefixes and/or AS’es in customer cone are likely the best measure, but even 
there Cogent is 2x HE.net.  The only place where he.net leads is the transit 
degree which is likely distorted because of what you mention above, full tables, 
etc.

I find this data interesting and wish there was something more recent than 
2014-09-01 to test with.  Perhaps I could do something with all these atlas 
credits I have.  (or someone could use them for me).

- Jared

Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Jared Mauch

> On Dec 3, 2015, at 7:58 PM, Matthew Petach  wrote:
> 
> Or, if you feel that Cogent's stubborn insistence on
> partitioning the global v6 internet shouldn't be rewarded
> with money, pay someone *other* than cogent for
> IPv6 transit and also connect to HE.net; that way
> you still have access to cogent routes, but you also
> send a subtle economic nudge that says "hey cogent--
> trying to get into the tier 1 club by partitioning the
> internet isn't a good path for long-term success".
> 
> Note that this is purely my own opinion, not necessarily
> that of my employer, my friends, my family, or even my
> cat.  I asked my cat about cogent IPv6, and all I got was
> a ghostly hairball as a reply[0].

I would say that if you buy transit for IPv4, you should have congruent
relationship with IPv6 as well.  A network that does one and not the
other is clearly obvious to a skilled engineer.

Partitioning networks is bad, and I’d like to see this resolved myself.

- Jared




Staring Down the Armada Collective

2015-12-03 Thread Lyndon Nerenberg
Typically, businesses hide from admitting they've been hit by drive-by attacks 
like Armada is trying to pull off. It has been interesting to see the public 
reaction from the post-Protonmail targets, many of whom are being very visible 
about 1) admitting they have been hit by the attacks, and 2) making it very 
clear the Armada crew can f*** right off as far as collecting ransom is 
concerned. (Also, 3) the amazing support from customers who understand why we 
are working on putting up defences instead of just paying, and therefore put up 
with the inevitable downtime as we reconfigure sometimes large chunks of our 
networks.)

The money asked for was a pittance (around USD$6K) for the attacks I'm 
personally aware of.  The targeted were willing to spend far in excess of that 
to deploy the necessary wall of DDoS protection to keep their services running. 
 If they didn't have it there, already.

What does that say for the business model of the botnet handlers?  They can't 
up their ransom demands, because nobody is paying at the current rates.  And 
they can't lower them, for the same reason.  And if they change their targets 
to sites that might potentially pay a few hundred dollars at best, those sites 
will just shut down anyway.

Are we perhaps, finally, reaching the cusp where everyone has realized that if 
we all, collectively, tell the rodents to f*** off, they just might?

Happy Holidays!

--lyndon





Re: Ransom DDoS attack - need help!

2015-12-03 Thread alvin nanog

hi lyndon

On 12/03/15 at 05:54pm, Lyndon Nerenberg wrote:
> On Dec 3, 2015, at 5:00 PM, alvin nanog  
> wrote:
> > run tcpdump and/or ethereal to capture the DDoS attacks
>
>  Of course! If we had only thought of this sooner! 
> :-)

yupperz.. the problem is, capturing is nice, you have all this data ... now 
what ,,

all that tcpdump jibberish needs to be converted and presented in a format
suitable for the bean counters to allocate $$$ to mitigate and minimize the
effects of the "free n hopefully relatively harmless" DDoS attacks occurring
every second

lets assume required services are properly configured and excluded
- acl's only for your own dns queries
- ssh only from specific ip#
- ntp to/from your isp

lets assume you allow incoming ssh only from w.x.y.z ... all other connections 
are DoS attacks
  tcpdump -n -l ! host w.x.y.z and port 22

lets assume mail is your mail server .. all traffic NOT on port 25 are DoS 
attacks
  tcpdump -n -l host mail.example.com and ! port 25

lets assume www is your web server .. all traffic NOT on port 80 are DoS attacks
  tcpdump -n -l host www.example.com and ! port 80

if you are running all the services ( mail + apache + mysql ) on one server
the remaining tcp connections are DoS attacks
  tcpdump -n -l host mail.example.com and \( ! port 25 and ! port 80 and ! port 3306 \)

lets assume dns is your dns server .. i consider all tcp traffic from outside 
as DoS attacks
  tcpdump -n -l tcp and host dns.example.com

to see possible udp attacks .. don't forget to exclude your own DNS and NTP 
queries
  tcpdump -n -l udp

to see possible icmp attacks
  tcpdump -n -l icmp

too many gazillions options makes the world go round n round ...
- where does it end :-) ... it doesn't ...

if you get a screenful of data flying by of stuff you don't recognize,
you're probably under light DDoS attacks

magic pixie dust
alvin
http://DDoS-Mitigator.net/cgi-bin/IPtables-GUI.pl
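
To show what the "now what" step after capturing can look like, the following is an added example (my own code, not alvin's and not from his IPtables GUI) that reads lines of `tcpdump -nn -l` output and reduces them to a per-source, per-service count of traffic falling outside a small declared service policy, which is the kind of summary the post says the bean counters need. The capture lines, hosts and addresses are constructed from documentation ranges; the policy mirrors the assumptions in the post (ssh only from one admin address, port 25 on the mail host, port 80 on the web host). Ports are assumed to be printed numerically, as `-nn` does.

```python
import re
from collections import Counter

# Constructed tcpdump -nn -l output; addresses are from documentation ranges.
SAMPLE_CAPTURE = """\
09:15:01.000001 IP 198.51.100.7.51234 > 203.0.113.10.22: Flags [S], seq 1000, win 29200, length 0
09:15:01.000002 IP 198.51.100.7.51235 > 203.0.113.10.22: Flags [S], seq 1001, win 29200, length 0
09:15:01.000003 IP 192.0.2.9.40001 > 203.0.113.10.22: Flags [S], seq 7, win 65535, length 0
09:15:01.000004 IP 192.0.2.44.40002 > 203.0.113.10.25: Flags [S], seq 8, win 65535, length 0
09:15:01.000005 IP 192.0.2.44.40003 > 203.0.113.10.23: Flags [S], seq 9, win 65535, length 0
09:15:01.000006 IP 198.51.100.200.33333 > 203.0.113.11.80: Flags [S], seq 10, win 1024, length 0
09:15:01.000007 IP 198.51.100.200.33334 > 203.0.113.11.3306: Flags [S], seq 11, win 1024, length 0
09:15:01.000008 IP 192.0.2.44 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
09:15:01.000009 IP 192.0.2.44.50000 > 203.0.113.10.27015: UDP, length 412
"""

# Expected services per destination host: (protocol, port, allowed sources or None for anyone).
# Assumed layout: 203.0.113.10 is the mail host, 203.0.113.11 the web host,
# 198.51.100.7 the only address allowed to ssh in.
POLICY = {
    "203.0.113.10": [("tcp", 25, None), ("tcp", 22, {"198.51.100.7"})],
    "203.0.113.11": [("tcp", 80, None)],
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+IP6?\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<rest>.*)$")


def split_endpoint(endpoint):
    """'a.b.c.d.port' -> ('a.b.c.d', port); a bare address (ICMP lines) -> (addr, None)."""
    if ":" in endpoint:                       # IPv6 literal, port after the last dot
        host, dot, port = endpoint.rpartition(".")
        return (host, int(port)) if dot and port.isdigit() else (endpoint, None)
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_line(line):
    """Return {ts, src, sport, dst, dport, proto} or None for lines that are not IP packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    rest = m.group("rest")
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif rest.startswith("Flags ["):          # only TCP lines print flags
        proto = "tcp"
    else:                                     # UDP, including decoded DNS/NTP payloads
        proto = "udp"
    return {"ts": m.group("ts"), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "proto": proto}


def is_expected(pkt, policy):
    """True when the packet matches a declared service on its destination host."""
    for proto, port, sources in policy.get(pkt["dst"], []):
        if pkt["proto"] == proto and pkt["dport"] == port and (sources is None or pkt["src"] in sources):
            return True
    return False


def summarize(lines, policy):
    """Aggregate a capture into counts a non-specialist can read."""
    total = expected = 0
    by_source, by_service = Counter(), Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        total += 1
        if is_expected(pkt, policy):
            expected += 1
            continue
        by_source[pkt["src"]] += 1
        by_service[(pkt["proto"], pkt["dport"])] += 1
    return {"total": total, "expected": expected, "unexpected": total - expected,
            "by_source": by_source, "by_service": by_service}


if __name__ == "__main__":
    report = summarize(SAMPLE_CAPTURE.splitlines(), POLICY)
    print(f"{report['total']} packets, {report['unexpected']} outside policy")
    for src, n in report["by_source"].most_common():
        print(f"  {src:<16} {n} unexpected packets")
    for (proto, port), n in report["by_service"].most_common():
        print(f"  {proto}/{port if port is not None else '-'}: {n}")
```

Feed it real output with `tcpdump -nn -l ... | python3 summarize.py` after replacing the sample with `sys.stdin`; the per-source counts are what you hand to your ISP's security desk, and the per-service counts tell you which filters (or which ISP-side help, for UDP and ICMP) to ask for first.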



Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Matthew Petach
On Thu, Dec 3, 2015 at 6:02 PM, Jared Mauch  wrote:
>
> Looking at the most recent IPv6 data available at CAIDA you can see the 
> customer cone size:
>
> http://as-rank.caida.org/?data-selected-id=15
>
> Be careful as the tool seems fragile when switching from the 2014-09-01 IPv6 
> dataset and trying to sort by options, it seems to switch back to IPv4 
> silently.
>
> Prefixes and/or AS’es in customer cone are likely the best measure, but even 
> there Cogent is 2x HE.net.  The only place where he.net leads is the transit 
> degree which is likely distorted because of what you mention above, full 
> tables, etc.
>
> I find this data interesting and wish there was something more recent than 
> 2014-09-01 to test with.  Perhaps I could do something with all these atlas 
> credits I have.  (or someone could use them for me).
>
> - Jared


Note their analysis is horribly flawed,
as it suffers from a 32-bit limitation
for counting IPv6 addresses.

I'd love to see them fix their code
and then re-run the analysis.

Matt