Re: UDP Amplification DDoS - Help!

2016-02-08 Thread Faisal Imtiaz
Not quite sure what kind of info / confirmation you are looking for...

There are lots of articles (do a google search) on this topic as well as 
mitigation ...

e.g.

http://blog.nexusguard.com/ssdp-ddos-attacks/

&
https://tools.ietf.org/html/bcp38

Regards

Faisal Imtiaz
Snappy Internet & Telecom

- Original Message -
> From: "Mitch Dyer" 
> To: "nanog list" 
> Sent: Monday, February 8, 2016 6:14:06 PM
> Subject: UDP Amplification DDoS - Help!



Re: UDP Amplification DDoS - Help!

2016-02-08 Thread Tin, James
Hi Mitch.

My colleagues in the US dealt with something like this and I have dealt with 
something similar to this in Australia.
Does your customer happen to be a school district?

In our cases it turned out to be students buying DDoS as a service and 
targeting the address which comes up when they go to 
www.whatismyip.com.
So the attack would constantly change and follow the network when there was an 
IP block put in place at the upstream.

In my opinion, there are a few options to this:
1) The best solution is to use a comprehensive cloud based DDoS mitigation 
solution.
2) Use a CGNAT to dynamically map to different external addresses and change 
them dynamically when there is a DDoS, while putting the used addresses in a 
black hole.
3) Another could be to use an external proxy service where you proxy your 
outbound requests to. So they will eventually become the target. However this 
moves the problem elsewhere and still exposes you to DDoS if they know your CPE 
address.
4) In combination with this, you can perform incident response: check your logs, 
turn on authentication, so you know when users are browsing for whatismyip and 
DDoS attack services.


Sent from my iPhone
James Tin
APJ Principle Enterprise Security Architect
Akamai Technologies
+61 466 961 555
Level 7, 76 Berry St, North Sydney
Australia 2060




On 9 Feb 2016, at 13:27, Mitch Dyer wrote:

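Option 4 above (authenticated proxy logs checked against attack onset times) as an added example; this is not code from the thread, and the log format, user names, attack timestamps, window size and suspect-URL keywords are all constructed assumptions:

```python
"""Correlate 'what is my IP' and booter-site lookups in an authenticated
proxy log with DDoS onset times. Added example; log format, names and
timestamps are constructed, not from the thread."""
from datetime import datetime, timedelta
import re

# Constructed proxy log lines: ISO timestamp, authenticated user, URL.
PROXY_LOG = """\
2016-02-08T14:02:11 jdoe http://www.whatismyip.com/
2016-02-08T14:03:40 jdoe http://example-stresser.invalid/?target=203.0.113.10
2016-02-08T14:20:05 asmith http://www.example.com/news
2016-02-08T15:58:30 bjones http://whatismyipaddress.com/
2016-02-08T16:45:00 asmith http://www.whatismyip.com/
"""

# Constructed attack onset times (from flow monitoring or the upstream's report).
ATTACK_STARTS = ["2016-02-08T14:10:00", "2016-02-08T16:05:00"]

# Lookup services and DDoS-for-hire keywords to flag; extend for your environment.
SUSPECT_URL = re.compile(r"whatismyip|stresser|booter", re.IGNORECASE)
LINE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return (timestamp, user, url) tuples for well-formed lines; skip the rest."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return out


def suspects(log_text, attack_starts, window_minutes=15):
    """Map each attack onset to the users who hit a suspect URL in the
    window_minutes before it (sorted, de-duplicated)."""
    entries = parse_log(log_text)
    window = timedelta(minutes=window_minutes)
    result = {}
    for start in attack_starts:
        t0 = datetime.fromisoformat(start)
        hits = {user for ts, user, url in entries
                if SUSPECT_URL.search(url) and t0 - window <= ts <= t0}
        result[start] = sorted(hits)
    return result


if __name__ == "__main__":
    for start, users in suspects(PROXY_LOG, ATTACK_STARTS).items():
        print(start, "->", ", ".join(users) or "no suspect lookups")
```

A hit is a lead for incident response, not proof: the lookup has to be confirmed against the PAT address in use at the time and the user's other activity.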


[NANOG-announce] Nominations for 2016 NANOG Committees

2016-02-08 Thread Valerie Wittkop
Sent on behalf of the Executive Director

Greetings NANOG Colleagues,

If you missed the nominations deadline for the Program Committee or
Communications Committee, this is your chance to still submit.

If you, or someone you know, would make a great candidate for a NANOG
Committee, please send the name and email address to electi...@nanog.org no
later than 1pm Pacific, Tuesday, February 9.

We will make sure the nominee receives the candidate form and is included
in the 2016 Committee Appointment Process.

Should there be any questions, please send a message to electi...@nanog.org.

Sincerely,

Betty Burke
NANOG Executive Director
2864 Carpenter Rd. Suite 100
Ann Arbor, MI 48108
Tel: +1 866 902 1336

-- 
Valerie Wittkop
NANOG Program Director
+1.866.902.1336, Ext. 103
___
NANOG-announce mailing list
nanog-annou...@mailman.nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog-announce

Re: UDP Amplification DDoS - Help!

2016-02-08 Thread Roland Dobbins

On 9 Feb 2016, at 9:50, mike.l...@gmail.com wrote:

Sounds like there is a compromised host downstream of the 1G that is 
reporting back its source IP and that is why changing the IP doesn't 
help.


It's much more likely that the attacker is just following the DNS 
changes.


---
Roland Dobbins 


Re: UDP Amplification DDoS - Help!

2016-02-08 Thread mike . lyon
Oodles of devices downstream of the 1G? Does the 1G terminate into a router or 
firewall?

Sounds like there is a compromised host downstream of the 1G that is reporting 
back its source IP and that is why changing the IP doesn't help.

If you look at the PAT table, any oddities?

Good luck!

-Mike

> On Feb 8, 2016, at 15:14, Mitch Dyer  wrote:


Re: UDP Amplification DDoS - Help!

2016-02-08 Thread Roland Dobbins

On 9 Feb 2016, at 6:14, Mitch Dyer wrote:

I'm hoping someone with some experience on this topic would be able to 
shed some light on a better way to attack this or would be willing to 
confirm that we are simply SOL without prolonged assistance from the 
upstream carrier.


Take a look at this .pdf preso:



Who's the upstream?  Is it the sole upstream?  You may well not be 
speaking to the right folks there, the ones who can provide assistance.


Also note that there are multiple overlay MSSPs who can potentially 
help, as well, apart from the immediate upstream.


---
Roland Dobbins 


Re: UDP Amplification DDoS - Help!

2016-02-08 Thread Rubens Kuhl
1. Move the website to DDoS-resistant reverse proxy like Cloudflare or
Incapsula, using its current IP address; won't make much of a difference as
attacker will go back to attacking the last known IP address.
2. Change the site IP address and only update it at the reverse proxy
provider, not at any DNS record whatsoever.

This should do the trick unless attacker starts a full-range CIDR block
attack, at which point your next escalation path is GRE-based DDoS
providers like, but not limited to, Black Lotus.


Rubens


On Mon, Feb 8, 2016 at 9:14 PM, Mitch Dyer wrote:


UDP Amplification DDoS - Help!

2016-02-08 Thread Mitch Dyer
Hello,

Hoping someone can point me in the right direction here, even just confirming 
my suspicions would be incredibly helpful.

A little bit of background: I have a customer I'm working with that is 
downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily 
basis. Through several captures I've seen what appear to be a mixture of SSDP 
and DNS amplification attacks (though not at the same time). The attack itself 
seems to target the PAT address associated with a specific site; if we change 
the PAT address for the site, the attack targets the new address at the next 
occurrence. We've tried setting up captures and logging inside the network to 
determine if the SSDP/DNS requests originate within the network but that does 
not appear to be the case.

We've reached out for some assistance from the upstream carrier but they've 
only been able to enforce a 24-hour block.

I'm hoping someone with some experience on this topic would be able to shed 
some light on a better way to attack this or would be willing to confirm that 
we are simply SOL without prolonged assistance from the upstream carrier.

Thanks in advance for any insight.

Mitch



Re: UDP Amplification DDoS - Help!

2016-02-08 Thread Andrew Kirch
use a CDN provider or AWS ELBs or something to absorb the attacks?

On Mon, Feb 8, 2016 at 9:55 PM, Faisal Imtiaz  wrote:


RE: UDP Amplification DDoS - Help!

2016-02-08 Thread Peter Kranz
You haven't indicated what the actual inbound attack volume is. If it's
something your network core can handle, you can block the attack fingerprint
upstream so it does not reach the 1Gb link. If it's UDP amplification,
chances are you can create a firewall rule.

-PK
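The "attack fingerprint" Peter refers to, worked through on flow records as an added example (not code from the thread): reflected SSDP and DNS responses arrive from the service port to high ephemeral ports on the PAT address, from many distinct reflectors, at high volume. The record format, addresses, byte counts and thresholds are constructed, and the ACL output is illustrative Cisco-style syntax rather than any vendor's recommended rule:

```python
"""Fingerprint UDP amplification traffic in flow records and propose a filter.
Added example; flow records, addresses and thresholds are constructed."""
from collections import defaultdict

# Reflector source ports named in this thread (SSDP, DNS); extend as needed.
REFLECTOR_PORTS = {1900: "ssdp", 53: "dns"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Real input would be NetFlow/sFlow/IPFIX export or a capture summary.
FLOWS = [
    ("198.51.100.7", 1900, "203.0.113.10", 41234, "udp", 1_250_000),
    ("198.51.100.9", 1900, "203.0.113.10", 51222, "udp", 980_000),
    ("198.51.100.21", 1900, "203.0.113.10", 60001, "udp", 1_100_000),
    ("192.0.2.15", 53, "203.0.113.10", 33440, "udp", 1_900_000),
    ("192.0.2.16", 53, "203.0.113.10", 33441, "udp", 2_100_000),
    ("192.0.2.8", 53, "203.0.113.10", 53, "udp", 400),            # server-to-server DNS
    ("203.0.113.50", 443, "203.0.113.10", 50123, "tcp", 800_000),  # unrelated TCP
]


def fingerprint(flows, target, min_sources=2, min_bytes=1_000_000):
    """Group UDP flows to `target` by reflector source port and return
    {port: (service, distinct_sources, total_bytes)} for ports that look
    like amplification: several distinct reflectors and a large byte total."""
    agg = defaultdict(lambda: [set(), 0])
    for src_ip, sport, dst_ip, dport, proto, nbytes in flows:
        # Reflected responses come from the service port to an ephemeral port.
        if (proto == "udp" and dst_ip == target
                and sport in REFLECTOR_PORTS and dport > 1023):
            agg[sport][0].add(src_ip)
            agg[sport][1] += nbytes
    return {p: (REFLECTOR_PORTS[p], len(s), b) for p, (s, b) in agg.items()
            if len(s) >= min_sources and b >= min_bytes}


def acl_lines(report, target):
    """Render the fingerprint as Cisco-style extended ACL entries (illustrative)."""
    return [f"deny udp any eq {port} host {target}" for port in sorted(report)]


if __name__ == "__main__":
    rep = fingerprint(FLOWS, "203.0.113.10")
    for port, (svc, n, b) in rep.items():
        print(f"{svc} port {port}: {n} reflectors, {b / 1e6:.1f} MB")
    print("\n".join(acl_lines(rep, "203.0.113.10")))
```

The DNS entry needs care before deployment: a blanket deny of UDP source port 53 to the PAT address also drops legitimate replies to any stub resolver behind it, so rate-limit that port or exempt the resolvers actually in use rather than blocking it outright.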