Re: DDoS attack with blackmail

2021-06-10 Thread Brandon Svec via NANOG
I’m also curious if they did as promised.

I read this today:
https://beta.darkreading.com/threat-intelligence/-fancy-lazarus-criminal-group-launches-ddos-extortion-campaign

Best.

On Wed, Jun 9, 2021 at 8:35 AM Edvinas Kairys wrote:

> Hey,
>
> Did you get the attack as promised, 1 week after the notice?
>
> Today we were warned and got some UDP flood for 3 hours.

Re: DDoS attack with blackmail

2021-06-09 Thread Edvinas Kairys
Hey,

Did you get the attack as promised, 1 week after the notice?

Today we were warned and got some UDP flood for 3 hours.

On Tue, May 25, 2021 at 2:14 PM Jean St-Laurent via NANOG wrote:

> I don’t believe that these companies are complicit at a high level.
>
> My guess is that there are some business salesmen working there who need
> to fulfill their monthly quota of new clients.
>
>
>
> What is usually common is that when faced with a DDoS for the first time
> without the proper tooling, it sounds like an impossible task to
> solve. The knowledge available on the internet is pretty limited on the topic.
>
> It takes months and sometimes years to configure all the DDoS gates.
> Rolland’s ppt is a nice place to start as it has valuable knowledge. It’s
> just tough to figure out what is best for you.
>
>
>
> The truth is, it will be more beneficial to your organisation in the
> medium/long term if you start learning and improving your DDoS defenses now
> than to rely 100% on DDoS mitigators.
>
> These companies are fantastic when you protect slow assets like credit
> card transactions. The customer doesn’t really care if his transaction to
> validate the CC takes 4 seconds instead of 3.
>
>
>
> In the end, DDoS mitigation is not more complex than what you are used to
> doing daily. Protect your routers, protect the control-plane, protect the SSH
> lines, etc. It’s just a different kind of protection.
>
>
>
> Let me know if you need some advice or hints, because I’ve spent some
> freaking long hours fighting them and together we have a better chance to
> win and not pay ransom to blackmailers.
>
> I don’t have all the answers on DDoS, but maybe I have the one that you
> are looking for.
>
>
>
> The moment you become very resilient to DDoS attacks, your customers will
> thank you, and so will the support staff who will see the DDoS bounce off like
> mosquitoes on the windshield of your car at 90 mph.
>
>
>
> Start learning now and start improving your DDoS defenses. This won’t go away
> anytime soon.
>
>
>
> Jean

RE: DDoS attack with blackmail

2021-05-25 Thread Jean St-Laurent via NANOG
I don’t believe that these companies are complicit at a high level.

My guess is that there are some business salesmen working there who need to
fulfill their monthly quota of new clients.

 

What is usually common is that when faced with a DDoS for the first time without
the proper tooling, it sounds like an impossible task to solve. The
knowledge available on the internet is pretty limited on the topic.

It takes months and sometimes years to configure all the DDoS gates. Rolland’s 
ppt is a nice place to start as it has valuable knowledge. It’s just tough to 
figure out what is best for you.

 

The truth is, it will be more beneficial to your organisation in the 
medium/long term if you start learning and improving your DDoS defenses now 
than to rely 100% on DDoS mitigators. 

These companies are fantastic when you protect slow assets like credit card
transactions. The customer doesn’t really care if his transaction to validate the
CC takes 4 seconds instead of 3.

 

In the end, DDoS mitigation is not more complex than what you are used to doing
daily. Protect your routers, protect the control-plane, protect the SSH lines,
etc. It’s just a different kind of protection.

 

Let me know if you need some advice or hints, because I’ve spent some freaking
long hours fighting them and together we have a better chance to win and not
pay ransom to blackmailers.

I don’t have all the answers on DDoS, but maybe I have the one that you are 
looking for.

 

The moment you become very resilient to DDoS attacks, your customers will thank
you, and so will the support staff who will see the DDoS bounce off like mosquitoes
on the windshield of your car at 90 mph.

 

Start learning now and start improving your DDoS defenses. This won’t go away
anytime soon.

 

Jean

 

 

From: jim deleskie  
Sent: May 24, 2021 12:38 PM
To: Jean St-Laurent 
Cc: NANOG Operators' Group 
Subject: Re: DDoS attack with blackmail

 

While I have no design to engage in an over-email argument over how much latency
people can actually tolerate, I will simply state that most people have a very
poor understanding of it and of how much additional latency is really introduced
by DDoS mitigation.

 

As for implying that DDoS mitigation companies are complicit or involved in
attacks, while not the first time I heard that crap, it's pretty offensive to
those that work long hours for years dealing with the garbage. If you honestly
believe anyone you're dealing with is involved with launching attacks, you clearly
have not done your research into potential partners.

 

 

 


Re: DDoS attack with blackmail

2021-05-24 Thread Jon Sands
I can also name one recent instance in which a client of mine was without
doubt DDoS'd by a mitigation provider they were getting a quote from, and
sadly this didn't even end up being the worst of the behavior we had to
deal with from them before ultimately terminating our contract with them.
It's not surprising either, if you look into the history of the
owner/founder (hint: FBI serving warrants for cybercrime). The security
sector is sadly rife with this crap in my experience.

On Mon, May 24, 2021, 12:59 PM Matt Erculiani  wrote:

> Jim,
>
> While I don't envy those who put in long hours to mitigate DDoSes at the
> 11th hour, the security industry as a whole, DDoS mitigation included,
> doesn't have a perfectly clean track record. Public court records offer
> plenty of evidence, and convictions from foul play while trying to win bids.
>
> An individual I worked with previously personally handled a long, drawn
> out DDoS event that was ultimately perpetrated by a security contractor
> bidding for a job (I didn't work it personally, but it was a frequent topic
> of discussion while it was ongoing). Fortunately, after subsequent months
> of law enforcement investigation, the contractor was brought up on charges.
>
> It's definitely not "crap", it's a fact, albeit not necessarily common.
>
> -Matt

Re: DDoS attack with blackmail

2021-05-24 Thread Matt Erculiani
Jim,

While I don't envy those who put in long hours to mitigate DDoSes at the
11th hour, the security industry as a whole, DDoS mitigation included,
doesn't have a perfectly clean track record. Public court records offer
plenty of evidence, and convictions from foul play while trying to win bids.

An individual I worked with previously personally handled a long, drawn out
DDoS event that was ultimately perpetrated by a security contractor bidding
for a job (I didn't work it personally, but it was a frequent topic of
discussion while it was ongoing). Fortunately, after subsequent months of
law enforcement investigation, the contractor was brought up on charges.

It's definitely not "crap", it's a fact, albeit not necessarily common.

-Matt

On Mon, May 24, 2021 at 10:38 AM jim deleskie  wrote:

> While I have no design to engage in an over-email argument over how much
> latency people can actually tolerate, I will simply state that most people
> have a very poor understanding of it and of how much additional latency is
> really introduced by DDoS mitigation.
>
> As for implying that DDoS mitigation companies are complicit or involved
> in attacks, while not the first time I heard that crap, it's pretty
> offensive to those that work long hours for years dealing with the
> garbage. If you honestly believe anyone you're dealing with is involved with
> launching attacks, you clearly have not done your research into potential
> partners.

-- 
Matt Erculiani
ERCUL-ARIN


Re: DDoS attack with blackmail

2021-05-24 Thread jim deleskie
While I have no design to engage in an over-email argument over how much
latency people can actually tolerate, I will simply state that most people
have a very poor understanding of it and of how much additional latency is
really introduced by DDoS mitigation.

As for implying that DDoS mitigation companies are complicit or involved in
attacks, while not the first time I heard that crap, it's pretty offensive
to those that work long hours for years dealing with the garbage. If you
honestly believe anyone you're dealing with is involved with launching
attacks, you clearly have not done your research into potential partners.



On Sat., May 22, 2021, 11:20 a.m. Jean St-Laurent via NANOG, <
nanog@nanog.org> wrote:

> Some industries can’t afford that extra delay by DDoS mitigation vendors.
>
>
>
> The video game industry is one of them and there might be others that
> can’t tolerate these extra ms. Telemedicine, video-conference, fintech, etc.
>
>
>
> As a side note, my former employer in the video game industry was soliciting
> bids from these vendors offering DDoS protection. While bidding, we were hit
> with abnormal patterns. As soon as we chose one vendor, those very tricky DDoS
> patterns stopped.
>
> I am not saying they are working on both sides, but still the coincidence
> was interesting. In the end, we never used them because they were not able
> to perfectly block the threat without impacting all the other projects.
>
>
>
> I think these mitigators are nice to have as a very last resort. I believe
> what is more important for Network Operators is to be aware of this, to be
> able to detect it, mitigate it and/or minimize the impact. It’s like magic:
> where did that rabbit go?
>
>
>
> The Art of War taught me everything there is to know about DDoS attacks
> even if it was written some 2500 years ago.
>
>
>
> I suspect that the attack that impacted Baldur’s assets was a very easy
> DDoS to detect and block, but can’t confirm.
>
>
>
> @Baldur: do you care to share some metrics?
>
>
>
> Jean


Re: DDoS attack with blackmail

2021-05-24 Thread Barry Greene

DDoS Attack Preparation Workbook
https://www.senki.org/ddos-attack-preparation-workbook/ 



> On May 20, 2021, at 12:26 PM, Baldur Norddahl wrote:
> 
> Hello
> 
> We got attacked by a group that calls themselves "Fancy Lazarus". They want 
> payment in BC to not attack us again. The attack was a volume attack to our 
> DNS and URL fetch from our webserver.
> 
> I am interested in any experience in fighting back against these guys.
> 
> Thanks,
> 
> Baldur
> 



RE: DDoS attack with blackmail

2021-05-22 Thread Jean St-Laurent via NANOG
Some industries can’t afford that extra delay by DDoS mitigation vendors.

 

The video game industry is one of them and there might be others that can’t 
tolerate these extra ms. Telemedicine, video-conference, fintech, etc.

 

As a side note, my former employer in the video game industry was soliciting bids
from these vendors offering DDoS protection. While bidding, we were hit with
abnormal patterns. As soon as we chose one vendor, those very tricky DDoS patterns
stopped.

I am not saying they are working on both sides, but still the coincidence was
interesting. In the end, we never used them because they were not able to
perfectly block the threat without impacting all the other projects.

 

I think these mitigators are nice to have as a very last resort. I believe what
is more important for Network Operators is to be aware of this, to be able to
detect it, mitigate it and/or minimize the impact. It’s like magic: where did
that rabbit go?

 

The Art of War taught me everything there is to know about DDoS attacks even if
it was written some 2500 years ago.

 

I suspect that the attack that impacted Baldur’s assets was a very easy DDoS to 
detect and block, but can’t confirm.

 

@Baldur: do you care to share some metrics?

 

Jean

 

From: NANOG  On Behalf Of Jean 
St-Laurent via NANOG
Sent: May 21, 2021 10:52 AM
To: 'Lady Benjamin Cannon of Glencoe, ASCE' ; 'Baldur Norddahl' 

Cc: 'NANOG Operators' Group' 
Subject: RE: DDoS attack with blackmail

 

I also recommend the book The Art of War by Sun Tzu.

 

All the answers to your questions are in that book.

 

Jean

 


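Jean's point above is that an operator needs to be able to detect this kind of traffic before worrying about mitigation. As an added example (not code from anyone on this thread), here is a first-pass volumetric detector run over constructed flow-style records shaped like the attacks described here: a UDP flood toward a DNS resolver and an HTTP "URL fetch" flood toward a web server. The record format, thresholds, window size and addresses are assumptions for the example; the distinct-source check is what separates a distributed flood from one noisy client.

```python
"""Added example (not from anyone on this NANOG thread): a first-pass
volumetric-attack detector run over constructed flow-style records shaped
like the attacks described here, a UDP flood at DNS and an HTTP URL-fetch
flood at a web server.  Record format, thresholds and addresses are
assumptions for the example; tune thresholds to your own baseline."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

UDP_PPS_ALERT = 50_000        # packets/s toward one UDP service (assumed)
HTTP_FPS_ALERT = 2_000        # new TCP flows/s toward one web port (assumed)
MIN_DISTINCT_SOURCES = 100    # below this it is one noisy client, not a DDoS


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, epoch seconds
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts src dst proto dport packets bytes' record (constructed format)."""
    ts, src, dst, proto, dport, pkts, nbytes = line.split()
    return Flow(int(ts), src, dst, proto.lower(), int(dport), int(pkts), int(nbytes))


def detect(flows: List[Flow], window: int = 10) -> List[dict]:
    """Aggregate per (window, dst, proto, dport) and flag distributed floods.

    Rate alone is not enough: a single misbehaving client can exceed the
    packet-rate threshold, so an alert also requires many distinct sources."""
    buckets: Dict[Tuple[int, str, str, int], dict] = defaultdict(
        lambda: {"packets": 0, "bytes": 0, "flows": 0, "sources": set()})
    for f in flows:
        b = buckets[(f.ts // window, f.dst, f.proto, f.dport)]
        b["packets"] += f.packets
        b["bytes"] += f.nbytes
        b["flows"] += 1
        b["sources"].add(f.src)

    alerts = []
    for (w, dst, proto, dport), b in sorted(buckets.items()):
        nsrc = len(b["sources"])
        if nsrc < MIN_DISTINCT_SOURCES:
            continue                          # single-source abuse: handle elsewhere
        pps = b["packets"] / window
        fps = b["flows"] / window
        if proto == "udp" and pps >= UDP_PPS_ALERT:
            alerts.append({"window": w, "dst": dst, "port": dport, "kind": "udp_flood",
                           "pps": pps, "mbps": b["bytes"] * 8 / window / 1e6,
                           "sources": nsrc})
        elif proto == "tcp" and dport in (80, 443) and fps >= HTTP_FPS_ALERT:
            alerts.append({"window": w, "dst": dst, "port": dport, "kind": "http_flood",
                           "fps": fps, "sources": nsrc})
    return alerts


def sample_records() -> List[str]:
    """Constructed input: four 10-second windows against a resolver (192.0.2.53)
    and a web server (192.0.2.80); all addresses are documentation/CGNAT ranges."""
    recs = []
    for t in range(40):                       # baseline: 20 clients, modest rates
        for i in range(20):
            recs.append(f"{t} 198.51.100.{i} 192.0.2.53 udp 53 2 160")
            recs.append(f"{t} 198.51.100.{i} 192.0.2.80 tcp 443 12 9000")
    for t in range(10, 20):                   # window 1: 300 sources, 2000 pkt/s each at DNS
        for i in range(300):
            recs.append(f"{t} 100.64.{i // 256}.{i % 256} 192.0.2.53 udp 53 2000 160000")
    for t in range(20, 30):                   # window 2: 200 sources, 15 GETs/s each
        for i in range(200):
            for _ in range(15):
                recs.append(f"{t} 100.64.1.{i} 192.0.2.80 tcp 443 8 1200")
    for t in range(30, 40):                   # window 3: one source at 100k pkt/s, no alert
        recs.append(f"{t} 192.0.2.99 192.0.2.53 udp 53 100000 8000000")
    return recs


def run() -> List[dict]:
    return detect([parse_flow(r) for r in sample_records()])


if __name__ == "__main__":
    for a in run():
        print(a)
```

Window 1 and window 2 produce one alert each; window 3 exceeds the packet-rate threshold but has a single source, so it is deliberately left for a per-client rate limiter rather than a DDoS alert.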

RE: DDoS attack with blackmail

2021-05-21 Thread Jean St-Laurent via NANOG
I also recommend the book The Art of War by Sun Tzu.

 

All the answers to your questions are in that book.

 

Jean

 

From: NANOG  On Behalf Of Lady 
Benjamin Cannon of Glencoe, ASCE
Sent: May 20, 2021 7:18 PM
To: Baldur Norddahl 
Cc: NANOG Operators' Group 
Subject: Re: DDoS attack with blackmail

 

20 years ago I wrote an automatic teardrop attack.  If your IP spammed us 5 
times, then a script would run, knocking the remote host off the internet 
entirely.

 

Later I modified it to launch 1000 teardrop attacks/second…

 

Today, contact the FBI.

 

And get a mitigation service above your borders if you can.

 

 

—L.B.

 

Ms. Lady Benjamin PD Cannon of Glencoe, ASCE

6x7 Networks & 6x7 Telecom, LLC 

CEO 

l...@6by7.net

"The only fully end-to-end encrypted global telecommunications company in the
world."

FCC License KJ6FJJ










Re: DDoS attack with blackmail

2021-05-21 Thread Lady Benjamin Cannon of Glencoe, ASCE
20 years ago I wrote an automatic teardrop attack.  If your IP spammed us 5 
times, then a script would run, knocking the remote host off the internet 
entirely.

Later I modified it to launch 1000 teardrop attacks/second…

Today, contact the FBI.

And get a mitigation service above your borders if you can.


—L.B.

Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
6x7 Networks & 6x7 Telecom, LLC 
CEO 
l...@6by7.net 
"The only fully end-to-end encrypted global telecommunications company in the
world."
FCC License KJ6FJJ



> On May 20, 2021, at 12:26 PM, Baldur Norddahl  
> wrote:
> 
> Hello
> 
> We got attacked by a group that calls themselves "Fancy Lazarus". They want 
> payment in BC to not attack us again. The attack was a volume attack to our 
> DNS and URL fetch from our webserver.
> 
> I am interested in any experience in fighting back against these guys.
> 
> Thanks,
> 
> Baldur
> 



Re: DDoS attack with blackmail

2021-05-20 Thread William Herrin
On Thu, May 20, 2021 at 12:28 PM Baldur Norddahl
 wrote:
> We got attacked by a group that calls themselves "Fancy Lazarus". They want 
> payment in BC to not attack us again. The attack was a volume attack to our 
> DNS and URL fetch from our webserver.
>
> I am interested in any experience in fighting back against these guys.

If you announce your addresses with BGP then your first two calls
should be to a DDOS mitigator and the FBI. You can reclaim your
routing from the DDOS mitigator after the group gives up but should
keep the relationship with the mitigator so you can more quickly
activate it next time.

If you don't do BGP, substitute your ISP for the DDOS mitigator and
hope they're among the clueful. Call the FBI either way.

There's nothing super fancy about a DDOS mitigator. They take over
your BGP, bringing packets to them first instead of to you. They have
big enough connections to sink whatever packets the attacker sends
their way. They filter this data and then allow just the legitimate
packets to make their way over a VPN back to you.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: DDoS attack with blackmail

2021-05-20 Thread Tim Howe
I would encourage you to contact the FBI.  Another ISP told me a fairly
positive story after being in the same situation.

--TimH

On Thu, 20 May 2021 21:26:50 +0200
Baldur Norddahl  wrote:

> Hello
> 
> We got attacked by a group that calls themselves "Fancy Lazarus". They want
> payment in BC to not attack us again. The attack was a volume attack to our
> DNS and URL fetch from our webserver.
> 
> I am interested in any experience in fighting back against these guys.
> 
> Thanks,
> 
> Baldur



Re: DDoS attack with blackmail

2021-05-20 Thread Brandon Svec via NANOG
Not this Lazarus group, I hope: https://www.bbc.co.uk/programmes/w13xtvg9

Really good podcast, BTW..

Brandon


On Thu, May 20, 2021 at 12:28 PM Baldur Norddahl 
wrote:

> Hello
>
> We got attacked by a group that calls themselves "Fancy Lazarus". They
> want payment in BC to not attack us again. The attack was a volume attack
> to our DNS and URL fetch from our webserver.
>
> I am interested in any experience in fighting back against these guys.
>
> Thanks,
>
> Baldur
>
>


Re: DDoS attack

2019-12-10 Thread Töma Gavrichenkov
Peace,

On Mon, Dec 9, 2019 at 11:35 PM Florian Brandstetter via NANOG
 wrote:
> if that was to be amplification, the source addresses
> would not be within Google or CloudFlare ranges
> (especially not CloudFlare, as they are not running
> a vulnerable recursor

Well, vulnerable — arguably of course, amplifying — yes, a few, around
twenty.  Not sure if they have any kind of rate limiting there (also
not sure if it's legal for me to check it), especially given that the
queries could come from spoofed sources.  Anyway, in theory, their
sources *could* be present in a DDoS (though not likely).

12:11:23.726699 IP (tos 0x0, ttl 64, id 9173, offset 0, flags [none],
proto UDP (17), length 60)
$IP.60801 > 172.65.253.110.53: 45631+ [1au] ANY? com. (32)
12:11:23.733976 IP (tos 0x0, ttl 60, id 30234, offset 0, flags [+],
proto UDP (17), length 1500)
172.65.253.110.53 > $IP.60801: 45631$ 22/0/1 com. SOA
a.gtld-servers.net. nstld.verisign-grs.com. 1576020207 1800 900 604800
86400, com. RRSIG, com. NS a.gtld-servers.net., com. NS
b.gtld-servers.net., com. NS c.gtld-servers.net., com. NS
e.gtld-servers.net., com. NS i.gtld-servers.net., com. NS
j.gtld-servers.net., com. NS g.gtld-servers.net., com. NS
f.gtld-servers.net., com. NS l.gtld-servers.net., com. NS
d.gtld-servers.net., com. NS k.gtld-servers.net., com. NS
h.gtld-servers.net., com. NS m.gtld-servers.net., com. RRSIG, com.
DNSKEY, com. DNSKEY, com. DNSKEY, com. RRSIG[|domain]

--
Töma
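The capture above shows the mechanism Töma is pointing at: a 32-byte ANY query for com. draws back a response so large that the server has to fragment it. As an added example (not part of the original post, and not tcpdump's own code), the following Python parses tcpdump -v output in that two-line header/payload layout, re-attaches non-initial fragments to the response they belong to by (source address, IP id), and reports the bytes-out/bytes-in ratio per query, so an operator can check which resolvers or record types in their own network answer with amplification-grade responses. The sample capture is constructed, modelled on the lines in the post: 192.0.2.10 (documentation space) stands in for the querying host, a second fragment is added, and an ordinary A lookup is included for contrast; the 10x "suspicious" threshold is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in tcpdump -v layout (header line, then payload line).
# 192.0.2.10 is a documentation address standing in for the querying host.
SAMPLE_CAPTURE = """\
12:11:23.726699 IP (tos 0x0, ttl 64, id 9173, offset 0, flags [none], proto UDP (17), length 60)
192.0.2.10.60801 > 172.65.253.110.53: 45631+ [1au] ANY? com. (32)
12:11:23.733976 IP (tos 0x0, ttl 60, id 30234, offset 0, flags [+], proto UDP (17), length 1500)
172.65.253.110.53 > 192.0.2.10.60801: 45631$ 22/0/1 com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1576020207 1800 900 604800 86400, com. RRSIG, com. NS a.gtld-servers.net.[|domain]
12:11:23.734050 IP (tos 0x0, ttl 60, id 30234, offset 1480, flags [none], proto UDP (17), length 900)
172.65.253.110 > 192.0.2.10: ip-proto-17
12:11:24.100000 IP (tos 0x0, ttl 64, id 9174, offset 0, flags [none], proto UDP (17), length 57)
192.0.2.10.60802 > 172.65.253.110.53: 45632+ A? example.com. (29)
12:11:24.104000 IP (tos 0x0, ttl 60, id 30235, offset 0, flags [none], proto UDP (17), length 73)
172.65.253.110.53 > 192.0.2.10.60802: 45632 1/0/0 example.com. A 192.0.2.200 (45)
"""

RECORD_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos \S+, ttl \d+, id (?P<ipid>\d+), offset (?P<offset>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], proto UDP \(17\), length (?P<length>\d+)\)\s*(?P<payload>.*)$")
IP4 = r"\d+\.\d+\.\d+\.\d+"
# First (or only) fragment: UDP ports and DNS transaction id are visible.
DNS_RE = re.compile(
    rf"^(?P<src>{IP4})\.(?P<sport>\d+) > (?P<dst>{IP4})\.(?P<dport>\d+): (?P<txid>\d+)[+*\-$|%]* (?P<rest>.*)$")
# Later fragments carry no UDP header; tcpdump prints only the protocol number.
FRAG_RE = re.compile(rf"^(?P<src>{IP4}) > (?P<dst>{IP4}): ip-proto-17$")
QTYPE_RE = re.compile(r"\b(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")


@dataclass
class Packet:
    ts: str
    ipid: int
    offset: int
    more_frags: bool
    length: int            # IP total length in bytes
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    txid: Optional[int] = None
    qtype: Optional[str] = None
    qname: Optional[str] = None


def _records(text: str):
    """Glue tcpdump's wrapped header/payload lines back into one record each."""
    rec: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) and rec:
            yield " ".join(rec)
            rec = []
        rec.append(line)
    if rec:
        yield " ".join(rec)


def parse_capture(text: str) -> List[Packet]:
    packets: List[Packet] = []
    for rec in _records(text):
        h = HEADER_RE.match(rec)
        if not h:
            continue  # not a UDP packet in the expected -v layout
        base = dict(ts=h.group("ts"), ipid=int(h.group("ipid")), offset=int(h.group("offset")),
                    more_frags="+" in h.group("flags"), length=int(h.group("length")))
        payload = h.group("payload")
        d = DNS_RE.match(payload)
        if d:
            q = QTYPE_RE.search(d.group("rest"))  # only queries carry "TYPE? name"
            packets.append(Packet(src=d.group("src"), dst=d.group("dst"),
                                  sport=int(d.group("sport")), dport=int(d.group("dport")),
                                  txid=int(d.group("txid")),
                                  qtype=q.group("qtype") if q else None,
                                  qname=q.group("qname") if q else None, **base))
            continue
        f = FRAG_RE.match(payload)
        if f:
            packets.append(Packet(src=f.group("src"), dst=f.group("dst"), **base))
    return packets


def amplification_report(packets: List[Packet], min_ratio: float = 10.0) -> List[dict]:
    """Pair each DNS query with its response(s), summing all fragments, and
    compute bytes-out / bytes-in. min_ratio is an assumed flagging threshold."""
    frag_bytes: Dict[tuple, int] = defaultdict(int)
    for p in packets:
        if p.offset > 0:
            frag_bytes[(p.src, p.ipid)] += p.length
    responses = [p for p in packets if p.sport == 53 and p.offset == 0]
    report = []
    for q in packets:
        if q.dport != 53 or q.offset != 0:
            continue
        resp_bytes, fragmented = 0, False
        for r in responses:
            if (r.txid, r.src, r.dst, r.dport) == (q.txid, q.dst, q.src, q.sport):
                resp_bytes += r.length + frag_bytes.get((r.src, r.ipid), 0)
                fragmented = fragmented or r.more_frags
        ratio = resp_bytes / q.length
        report.append({"client": q.src, "server": q.dst, "qtype": q.qtype, "qname": q.qname,
                       "query_bytes": q.length, "response_bytes": resp_bytes,
                       "ratio": round(ratio, 2), "fragmented": fragmented,
                       "suspicious": ratio >= min_ratio})
    return report
```

On the constructed sample the ANY query comes out at 40x (2400 bytes back for 60 bytes in) while the A lookup is under 1.3x. The first fragment alone would understate the ratio, which is why "flags [+]" is tracked and later fragments are summed; the practical use is auditing one's own resolvers for exactly the behaviour Töma wondered about (whether rate limiting is in place) before someone else finds them.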


RE: [EXTERNAL] RE: DDoS attack

2019-12-10 Thread Paul Amaral via NANOG
Rarely will source IPs be the same every time a victim gets DDOS'd. Good 
telemetry is key, but every time the attack happens it needs to be looked at.  I 
find bogon prefixes are not used as much, especially in amplification attacks.  
Gathering good intel and blocking bogons will help, but there is no one 
strategy that works. You also will always risk blocking some good traffic. 
Again, there's a reason why you can only mitigate and not stop a DDOS 
completely. 

Paul  

-Original Message-
From: Nikos Leontsinis  
Sent: Tuesday, December 10, 2019 5:19 PM
To: Aaron Gould ; 'Paul Amaral' ; 
ahmed.dala...@hrins.net; Nanog@nanog.org
Subject: RE: [EXTERNAL] RE: DDoS attack 

You can get the bogon prefixes from Cymru and defend your network using them in 
combination with RPF. The key with the attacks, DoS or DDoS, is to have proper 
telemetry (streaming telemetry, not polling telemetry) and baselines; without 
this information you run the danger of blocking good traffic.

Based on the thread below I don't see any evidence of an attack, only 
speculation.

nikos

-Original Message-
From: NANOG  On Behalf Of Aaron Gould
Sent: Tuesday, December 10, 2019 5:05 PM
To: 'Paul Amaral' ; ahmed.dala...@hrins.net; Nanog@nanog.org
Subject: [EXTERNAL] RE: DDoS attack

Years ago, we looked at netflow data and precursors to attacks, and found that 
UDP 3074 Xbox Live was showing up just prior to the attacks... and through other 
research we concluded that gamers are a big cause of large ddos attacks; 
apparently they go after each other in retaliation.

I've crafted a series of things for dealing with the results of volumetric ddos 
attacks... I've had attacks in upwards of 50 or 60 gig as I recall across 
all of my (3) internet connections at times:

- deny acl's ... for ports/protocols that I know are absolutely not needed
- policers of various well-known port attack vectors (gleaned from netflow data)
- policers of well-known *good* ports/protocols (like ntp, dns, etc) to some 
realistic level
- a repeat-victims list of ip's with policing of udp for this group (note 1)
- rtbh (note 2)

Note 1 - Also, I've learned that if a customer has been attacked once, the 
chances of them being the target of an attack again are high... so by crafting 
the repeat-victims list, you can catch next-day attacks of differing vectors.
Note 2 - for sustained attacks lasting a long time (30 mins, an hour, etc), we 
trigger a bgp/community route that goes out to the inet cloud and stops the attack 
further into the upstream provider's network... I know I "complete" the attack, 
but I save my network ;) ...I use an old cisco 2600 as my trigger router and 
wrote a job aid that I shared with the NOC for triggering rtbh when needed, a 
couple of commands.
...I would like to automate my rtbh using what I understand is a possible use 
case for FastNetMon, but haven't gotten around to it.

I also wonder if team cymru's utrs project and other things like that would 
benefit my security posture.


-Aaron


This email is from Equinix (EMEA) B.V. or one of its associated companies in 
the territory from where this email has been sent. This email, and any files 
transmitted with it, contains information which is confidential, is solely for 
the use of the intended recipient and may be legally privileged. If you have 
received this email in error, please notify the sender and delete this email 
immediately. Equinix (EMEA) B.V.. Registered Office: Amstelplein 1, 1096 HA 
Amsterdam, The Netherlands. Registered in The Netherlands No. 57577889.




RE: [EXTERNAL] RE: DDoS attack

2019-12-10 Thread Nikos Leontsinis
You can get the bogon prefixes from Cymru and defend your network using them in 
combination with RPF.
The key with the attacks, DoS or DDoS, is to have proper telemetry (streaming 
telemetry, not polling telemetry) and baselines; without this information you 
run the danger of blocking good traffic.

Based on the thread below I don't see any evidence of an attack, only 
speculation.

nikos

-Original Message-
From: NANOG  On Behalf Of Aaron Gould
Sent: Tuesday, December 10, 2019 5:05 PM
To: 'Paul Amaral' ; ahmed.dala...@hrins.net; Nanog@nanog.org
Subject: [EXTERNAL] RE: DDoS attack

Years ago, we looked at netflow data and precursors to attacks, and found that 
UDP 3074 Xbox Live was showing up just prior to the attacks... and through other 
research we concluded that gamers are a big cause of large ddos attacks; 
apparently they go after each other in retaliation.

I've crafted a series of things for dealing with the results of volumetric ddos 
attacks... I've had attacks in upwards of 50 or 60 gig as I recall across 
all of my (3) internet connections at times:

- deny acl's ... for ports/protocols that I know are absolutely not needed
- policers of various well-known port attack vectors (gleaned from netflow data)
- policers of well-known *good* ports/protocols (like ntp, dns, etc) to some 
realistic level
- a repeat-victims list of ip's with policing of udp for this group (note 1)
- rtbh (note 2)

Note 1 - Also, I've learned that if a customer has been attacked once, the 
chances of them being the target of an attack again are high... so by crafting 
the repeat-victims list, you can catch next-day attacks of differing vectors.
Note 2 - for sustained attacks lasting a long time (30 mins, an hour, etc), we 
trigger a bgp/community route that goes out to the inet cloud and stops the attack 
further into the upstream provider's network... I know I "complete" the attack, 
but I save my network ;) ...I use an old cisco 2600 as my trigger router and 
wrote a job aid that I shared with the NOC for triggering rtbh when needed, a 
couple of commands.
...I would like to automate my rtbh using what I understand is a possible use 
case for FastNetMon, but haven't gotten around to it.

I also wonder if team cymru's utrs project and other things like that would 
benefit my security posture.


-Aaron




Re: DDoS attack

2019-12-10 Thread Saku Ytti
On Tue, 10 Dec 2019 at 19:08, Aaron Gould  wrote:

> - policers of well-known *good* ports/protocols (like ntp, dns, etc) to some 
> realistic level

You might want to downpref these to a scavenger class instead of
policing, since ultimately policing just makes it easier to ddos the
service, which is actually needed.

-- 
  ++ytti


RE: DDoS attack

2019-12-10 Thread Aaron Gould
Years ago, we looked at netflow data and precursors to attacks, and found that 
UDP 3074 Xbox Live was showing up just prior to the attacks... and through other 
research we concluded that gamers are a big cause of large ddos attacks; 
apparently they go after each other in retaliation.

I've crafted a series of things for dealing with the results of volumetric ddos 
attacks... I've had attacks in upwards of 50 or 60 gig as I recall across 
all of my (3) internet connections at times:

- deny acl's ... for ports/protocols that I know are absolutely not needed
- policers of various well-known port attack vectors (gleaned from netflow data)
- policers of well-known *good* ports/protocols (like ntp, dns, etc) to some 
realistic level
- a repeat-victims list of ip's with policing of udp for this group (note 1)
- rtbh (note 2)

Note 1 - Also, I've learned that if a customer has been attacked once, the 
chances of them being the target of an attack again are high... so by crafting 
the repeat-victims list, you can catch next-day attacks of differing vectors.
Note 2 - for sustained attacks lasting a long time (30 mins, an hour, etc), we 
trigger a bgp/community route that goes out to the inet cloud and stops the attack 
further into the upstream provider's network... I know I "complete" the attack, 
but I save my network ;)
...I use an old cisco 2600 as my trigger router and wrote a job aid that I 
shared with the NOC for triggering rtbh when needed, a couple of commands.
...I would like to automate my rtbh using what I understand is a possible use 
case for FastNetMon, but haven't gotten around to it.

I also wonder if team cymru's utrs project and other things like that would 
benefit my security posture.


-Aaron
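Aaron's list above (netflow-derived policers, a repeat-victims list, RTBH for sustained attacks), together with Nikos's point about Cymru bogon prefixes and baselines and Paul's observation that source IPs change from one attack to the next, amounts to a triage pipeline over flow records. The Python below is an added example of that pipeline; it is not code from any poster, from Team Cymru or from FastNetMon. It classifies constructed NetFlow-style records against an assumed address plan (203.0.113.0/24 announced, 203.0.113.192/26 not yet assigned to customers), an abbreviated bogon list, an assumed per-destination baseline and a repeat-victims set, and returns which sources to drop, which unused destinations to ask the upstream to null-route, which destinations show sustained volume worth an RTBH trigger, and which repeat victims are again seeing UDP from reflection ports. The egress check is the BCP38 side of the same data: a flow leaving with a source address that is not yours is your own spoofing problem. The thresholds and the 6 GB/min figure (roughly the 800 Mbps peak in the thread) are assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# Assumed address plan (RFC 5737 documentation space, nobody's real allocation).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
UNUSED_PREFIXES = [ipaddress.ip_network("203.0.113.192/26")]  # not assigned to any customer
# Abbreviated bogon list; production filters should pull the full Team Cymru feed.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# UDP source ports typical of reflection (DNS, NTP, LDAP, SSDP, memcached).
REFLECTION_PORTS = {53, 123, 389, 1900, 11211}
# Assumed per-destination baseline in bytes per minute (about 6.7 Mbps).
BASELINE_BPM = 50_000_000


@dataclass(frozen=True)
class Flow:
    minute: int     # one-minute bucket index
    direction: str  # "in" = arriving from the upstream, "out" = leaving towards it
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed three-minute window. 6 GB/min is roughly the 800 Mbps peak in the thread.
FLOWS = [
    Flow(0, "in", "198.51.100.7", 53, "203.0.113.200", 45000, "udp", 6_000_000_000),
    Flow(1, "in", "198.51.100.7", 53, "203.0.113.200", 45000, "udp", 6_000_000_000),
    Flow(2, "in", "198.51.100.7", 53, "203.0.113.200", 45000, "udp", 6_000_000_000),
    Flow(0, "in", "198.51.100.50", 40000, "203.0.113.10", 443, "tcp", 20_000_000),
    Flow(1, "in", "198.51.100.50", 40001, "203.0.113.10", 443, "tcp", 20_000_000),
    Flow(2, "in", "198.51.100.50", 40002, "203.0.113.10", 443, "tcp", 20_000_000),
    Flow(1, "in", "10.1.2.3", 1900, "203.0.113.20", 1234, "udp", 1_000_000),      # bogon source
    Flow(2, "in", "198.51.100.8", 123, "203.0.113.21", 51000, "udp", 700_000_000),  # one-minute NTP spike
    Flow(2, "out", "192.0.2.99", 4444, "198.51.100.9", 53, "udp", 500_000),        # spoofed egress
]


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def sustained_targets(flows: Iterable[Flow], baseline_bpm: int,
                      factor: int = 10, min_minutes: int = 3) -> Dict[str, int]:
    """Destinations whose inbound bytes exceed factor*baseline for at least
    min_minutes consecutive minutes: the RTBH candidates (Aaron's note 2)."""
    per_dst: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.direction == "in":
            per_dst[f.dst][f.minute] += f.nbytes
    hits: Dict[str, int] = {}
    for dst, series in per_dst.items():
        run = best = 0
        prev = None
        for m in sorted(series):
            if series[m] > factor * baseline_bpm:
                run = run + 1 if prev == m - 1 else 1  # reset on a gap in the minutes
            else:
                run = 0
            best = max(best, run)
            prev = m
        if best >= min_minutes:
            hits[dst] = best
    return hits


def triage(flows: Iterable[Flow], baseline_bpm: int, repeat_victims: Set[str]) -> Dict[str, Set[str]]:
    flows = list(flows)
    out: Dict[str, Set[str]] = {
        "drop_bogon_sources": set(),       # feed the bogon ACL / uRPF exceptions
        "unused_dst_under_attack": set(),  # ask the upstream to null-route these
        "rtbh_candidates": set(),          # sustained volume: trigger RTBH
        "police_udp_for": set(),           # repeat victims again seeing reflection-port UDP
        "spoofed_egress": set(),           # our own BCP38 failure
        "repeat_victims": set(repeat_victims),
    }
    for f in flows:
        if f.direction == "out":
            if not in_any(f.src, OUR_PREFIXES):
                out["spoofed_egress"].add(f.src)
            continue
        if in_any(f.src, BOGONS):
            out["drop_bogon_sources"].add(f.src)
        if in_any(f.dst, UNUSED_PREFIXES) and f.nbytes > baseline_bpm:
            out["unused_dst_under_attack"].add(f.dst)
        if f.dst in repeat_victims and f.proto == "udp" and f.sport in REFLECTION_PORTS:
            out["police_udp_for"].add(f.dst)
    for dst in sustained_targets(flows, baseline_bpm):
        out["rtbh_candidates"].add(dst)
        out["repeat_victims"].add(dst)  # Aaron's note 1: once hit, likely to be hit again
    return out
```

On the constructed window the /26 address under reflected DNS load is both an "ask the upstream" item and, after three minutes over threshold, an RTBH candidate; the one-minute NTP spike against a known repeat victim lands in the UDP-policed group rather than being blackholed; the single bogon-sourced flow and the spoofed egress flow each get their own list. The trigger itself (the community-tagged announcement to the upstream) stays a manual or separately automated step, as in Aaron's setup.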




RE: DDoS attack

2019-12-10 Thread Paul Amaral via NANOG


Normally these attacks are spoofed IPs, usually amplification attacks based on 
UDP using DNS/LDAP etc. This is something that is common and is usually aimed at 
schools and financial institutions. This is an easy attack for anyone to 
orchestrate; most of these attacks can be launched via stresser services online. 
800 Mbps to most smaller ISPs is a lot of traffic and can deeply impact not only 
the victim prefix but other non-targeted customers, as traffic consumed by the 
attack will cause problems for all users on that circuit.

There's a few things you can do: ask your upstream provider to rate limit UDP 
packets towards you. Rate limit them to what you think a normal UDP rate should 
be. I don't recommend blocking UDP, as you will block legit UDP packets from 
reaching any of your customers when the attack is not ongoing. Note most larger 
providers will not help or care to help; I know Comcast probably will not help 
you, their support techs will have no idea what you are talking about, and 
neither will most entry-level engineers. However, it's worth taking a shot and 
asking your upstream provider. 

Another way you can minimize this is if you are multi-homed with BGP. In this 
case take the targeted prefix and advertise it to be preferred through one of 
your upstreams and move all other prefixes to the other link. This will ensure 
that most of your customers will not be impacted during the DDOS. Once you have 
the victim prefix preferred on that specific BGP link then you can rate limit on 
your edge, or the provider can do this for you. You will still have the full 
force of the attack at the edge unless you can get one of your providers to 
help you out. With DDOS you can only mitigate it and not necessarily stop it.  
Someone will always get that DDOS traffic, whether it is you, your provider or 
your customers. The problem is figuring out where you want the traffic to be 
rate-limited, stopped etc., and at whose expense. 

BTW those stresser services are usually free for a set time of about 0-15 min, 
then you must pay, thus why it's not ongoing. 


Good luck, 

Paul 



-Original Message-
From: NANOG  On Behalf Of ahmed.dala...@hrins.net
Sent: Monday, December 09, 2019 3:08 PM
To: nanog@nanog.org
Subject: DDoS attack 

Dear All, 

My network is being flooded with UDP packets, a Denial of Service attack, sourcing 
from Cloudflare and Google IP addresses, with 200-300 Mbps minimum traffic; 
the destinations in my network are IP prefixes that are currently not used but 
still getting traffic with high volume.
The traffic is being generated at high intervals, 10-30 minutes each time, 
maxing at 800 Mbps.
When I reached out to Cloudflare support, they mentioned that their services are 
running on NAT so they can't pin down which server is attacking based on IP 
address alone, as a single IP has more than 5000 servers behind it; providing 1 
source IP and UDP source port didn't help either.
Any suggestions?

Regards,
Ahmed Dala Ali 




Re: DDoS attack

2019-12-10 Thread Alain Hebert

    BCP38

    After all this time and knowledge, why do people still think source IPs are 
legit evidence in DDoS instances...


-
Alain Hebert                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 2019-12-09 15:15, Tim Požár wrote:

This is lame.  They should be able to view NAT translation tables or
better yet have some method of watching flows.

Tim

On 12/9/19 12:11 PM, Christopher Morrow wrote:

I'd note that: "what prefixes?" isn't answered here... like: "what is
the thing on your network which is being attacked?"

On Mon, Dec 9, 2019 at 3:08 PM ahmed.dala...@hrins.net
 wrote:

Dear All,

My network is being flooded with UDP packets, a Denial of Service attack, sourcing 
from Cloudflare and Google IP addresses, with 200-300 Mbps minimum traffic; 
the destinations in my network are IP prefixes that are currently not used but 
still getting traffic with high volume.
The traffic is being generated at high intervals, 10-30 minutes each time, 
maxing at 800 Mbps.
When I reached out to Cloudflare support, they mentioned that their services are 
running on NAT so they can't pin down which server is attacking based on IP 
address alone, as a single IP has more than 5000 servers behind it; providing 1 
source IP and UDP source port didn't help either.
Any suggestions?

Regards,
Ahmed Dala Ali




Re: DDoS attack

2019-12-09 Thread Mark Tinka



On 9/Dec/19 22:32, Florian Brandstetter via NANOG wrote:

>
> In any regard, <1 Gbps is pretty piss poor for an amplification attack
> too.

Must be nice :-)...

Mark.


Re: DDoS attack

2019-12-09 Thread william manning
see also:   https://en.wikipedia.org/wiki/Smurf_attack

On Mon, Dec 9, 2019 at 12:09 PM ahmed.dala...@hrins.net <
ahmed.dala...@hrins.net> wrote:

> Dear All,
>
> My network is being flooded with UDP packets, a Denial of Service attack,
> sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps minimum
> traffic; the destinations in my network are IP prefixes that are currently
> not used but still getting traffic with high volume.
> The traffic is being generated at high intervals, 10-30 minutes each time,
> maxing at 800 Mbps.
> When I reached out to Cloudflare support, they mentioned that their services
> are running on NAT so they can't pin down which server is attacking based on
> IP address alone, as a single IP has more than 5000 servers behind it;
> providing 1 source IP and UDP source port didn't help either.
> Any suggestions?
>
> Regards,
> Ahmed Dala Ali


Re: DDoS attack

2019-12-09 Thread Sabri Berisha
Hi,

> On 12/9/19 3:32 PM, Florian Brandstetter via NANOG wrote:

> "how much do I care?" part of the abuse team's line-up.

If people cared, they would have anti-spoofing filters in place. Most on this 
list will agree that amplification attacks can be mitigated or at least 
severely reduced by anti-spoofing filters on the networks of the attackers. 

Thanks,

Sabri


Re: DDoS attack

2019-12-09 Thread Brandon Martin
On 12/9/19 3:32 PM, Florian Brandstetter via NANOG wrote:
> In any regard, <1 Gbps is pretty piss poor for an amplification attack too.

But, as others have pointed out, plenty to knock a single subscriber, shared 
access link (DOCSIS, wireless, or even well loaded GPON), or even a small 
regional PoP down.  Plenty of opportunity for mayhem even with just a couple 
100Mbps which is trivial to come up with these days as the spread of 
consumer-accessible speeds keeps growing.  Keeping it small makes it less 
likely to get noticed and, perhaps even more importantly for the perpetrator, 
harder for the networks responsible for the reflection/amplification to track 
down the problem using traffic analysis as well as coming in on the lower end 
of the "how much do I care?" part of the abuse team's line-up.
-- 
Brandon Martin


Re: DDoS attack

2019-12-09 Thread Töma Gavrichenkov
Peace,

On Tue, Dec 10, 2019, 12:08 AM Mike Lewinski 
wrote:

> My working theory is that with the Dec 3rd release of Halo Reach for PC,
> there are gamers attempting to lag, but not knock off, their opponents.
> This would be one reason to target adjacent unused addresses.
>

+1
Either this, or something resembling that, happens all the time.

--
Töma

>


Re: DDoS attack

2019-12-09 Thread Christopher Morrow
On Mon, Dec 9, 2019 at 4:08 PM Michael Sherlock
 wrote:
>
> You asked what is being attacked
>
> IP addresses that are currently not assigned to end users
>
> And ip addresses assigned to end users
>
> End user= Home broadband customers
>
> We are not hosting any significant servers

I'm being unclear or you are being overly pedantic.. neither is helping.
"what ip address can I look in netflow for traffic destined to which
is part of this attack?"

Anyone trying to help you is going to want to know what destination
address in your network is receiving this traffic... not providing
same after ~15 emails is going to make your situation not get better.
I'd suggest you post the addresses to the list though... so other folk
can go looking as well.

> Regards,
>
> Michael Sherlock
> Mobile: +44 75070 92392
>
> Sent from my iPhone
>
> > On Dec 9, 2019, at 9:04 PM, Christopher Morrow  
> > wrote:
> >
> > On Mon, Dec 9, 2019 at 3:42 PM Michael Sherlock
> >  wrote:
> >>
> >> Cristopher,
> >>
> >> Ip addresses that are not currently in use, and IP addresses that is 
> >> currently used for CGNAT for end users
> >>
> >
> > I'm 100% sure that those words mean something to you.. but not
> > operating your network they don't mean anything to me.
> >
> >
> >>
> >> Regards,
> >>
> >> Michael Sherlock
> >> Mobile: +44 75070 92392
> >>
> >> Sent from my iPhone
> >>
> >> On Dec 9, 2019, at 8:36 PM, "ahmed.dala...@hrins.net" 
> >>  wrote:
> >>
> >> 
> >>
> >> Begin forwarded message:
> >>
> >> From: Christopher Morrow 
> >> Subject: Re: DDoS attack
> >> Date: December 9, 2019 at 11:11:31 PM GMT+3
> >> To: "ahmed.dala...@hrins.net" 
> >> Cc: nanog list 
> >>
> >> I'd note that: "what prefixes?" isn't answered here... like: "what is
> >> the thing on your network which is being attacked?"
> >>
> >> On Mon, Dec 9, 2019 at 3:08 PM ahmed.dala...@hrins.net
> >>  wrote:
> >>
> >>
> >> Dear All,
> >>
> >> My network is being flooded with UDP packets, a Denial of Service attack, 
> >> sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps 
> >> minimum traffic; the destinations in my network are IP prefixes that are 
> >> currently not used but still getting traffic with high volume.
> >> The traffic is being generated at high intervals, 10-30 minutes each time, 
> >> maxing at 800 Mbps.
> >> When I reached out to Cloudflare support, they mentioned that their services 
> >> are running on NAT so they can't pin down which server is attacking based 
> >> on IP address alone, as a single IP has more than 5000 servers behind it; 
> >> providing 1 source IP and UDP source port didn't help either.
> >> Any suggestions?
> >>
> >> Regards,
> >> Ahmed Dala Ali
> >>
> >>


Re: DDoS attack

2019-12-09 Thread Mike Lewinski
> In any regard, <1 Gbps is pretty piss poor for an amplification attack too.

We've observed a customer receiving relatively low volume attacks in the last 
week (so low they didn't trigger our alarms).

My working theory is that with the Dec 3rd release of Halo Reach for PC, there 
are gamers attempting to lag, but not knock off, their opponents. This would be 
one reason to target adjacent unused addresses.


Re: DDoS attack

2019-12-09 Thread Christopher Morrow
On Mon, Dec 9, 2019 at 3:42 PM Michael Sherlock
 wrote:
>
> Cristopher,
>
> Ip addresses that are not currently in use, and IP addresses that is 
> currently used for CGNAT for end users
>

I'm 100% sure that those words mean something to you.. but not
operating your network they don't mean anything to me.


>
> Regards,
>
> Michael Sherlock
> Mobile: +44 75070 92392
>
> Sent from my iPhone
>
> On Dec 9, 2019, at 8:36 PM, "ahmed.dala...@hrins.net" 
>  wrote:
>
> 
>
> Begin forwarded message:
>
> From: Christopher Morrow 
> Subject: Re: DDoS attack
> Date: December 9, 2019 at 11:11:31 PM GMT+3
> To: "ahmed.dala...@hrins.net" 
> Cc: nanog list 
>
> I'd note that: "what prefixes?" isn't answered here... like: "what is
> the thing on your network which is being attacked?"
>
> On Mon, Dec 9, 2019 at 3:08 PM ahmed.dala...@hrins.net
>  wrote:
>
>
> Dear All,
>
> My network is being flooded with UDP packets, a Denial of Service attack, 
> sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps minimum 
> traffic; the destinations in my network are IP prefixes that are currently not 
> used but still getting traffic with high volume.
> The traffic is being generated at high intervals, 10-30 minutes each time, 
> maxing at 800 Mbps.
> When I reached out to Cloudflare support, they mentioned that their services are 
> running on NAT so they can't pin down which server is attacking based on IP 
> address alone, as a single IP has more than 5000 servers behind it; providing 
> 1 source IP and UDP source port didn't help either.
> Any suggestions?
>
> Regards,
> Ahmed Dala Ali
>
>


Re: DDoS attack

2019-12-09 Thread Randy Bush
> My network is being flooded with UDP packets, Denial of Service
> attack, soucing from Cloud flare and Google IP Addresses

but, until nancy drew walks the attack back upstream step by step, you
really do not know it's coming from clodflare or gobble.

> the destination in my network are IP prefixes that is currnetly not
> used

then it should be pretty easy for your upstreams to filter without
doing damage to goodput.

randy


Re: DDoS attack

2019-12-09 Thread Florian Brandstetter via NANOG
Hello,

you're forgetting that if that were amplification, the source addresses would 
not be within Google or CloudFlare ranges (especially not CloudFlare, as they 
are not running a vulnerable recursor, merely authoritative nameservers); 
the only possibility would be Google as in Google Cloud, with clueless people 
running open recursors that are prone to DNS(-SEC) reflection. It would pretty 
much be beside the point using authoritative servers of parties such as 
CloudFlare, as a) the scope of replies you will get is limited, b) they will 
highly likely take a close look at your (forged) DNS queries and c) they will 
most certainly have limits in place, defeating the entire point.

In any regard, <1 Gbps is pretty piss poor for an amplification attack too.

Cheers.
On 9 Dec 2019, 9:17 PM +0100, Filip Hruska , wrote:
> Hello,
>
> which attack protocol are you seeing? I suspect you're seeing DNS based 
> amplification or similar, in which case you can't really pinpoint the attack 
> source...
>
> 800Mbps is not a whole lot of traffic - does it cause any disruptions to you? 
> If the prefixes are not in use, I would suggest the use of RTBH (null routing 
> / blackholing)
>
> Kind Regards,
> Filip Hruska
>
>
>
> > On 9 December 2019 9:07:35 pm GMT+01:00, "ahmed.dala...@hrins.net" 
> >  wrote:
> > > Dear All,
> > >
> > > My network is being flooded with UDP packets, a Denial of Service attack, 
> > > sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps 
> > > minimum traffic; the destinations in my network are IP prefixes that are 
> > > currently not used but still getting traffic with high volume.
> > > The traffic is being generated at high intervals, 10-30 minutes each time, 
> > > maxing at 800 Mbps.
> > > When I reached out to Cloudflare support, they mentioned that their services 
> > > are running on NAT so they can't pin down which server is attacking based 
> > > on IP address alone, as a single IP has more than 5000 servers behind it; 
> > > providing 1 source IP and UDP source port didn't help either.
> > > Any suggestions?
> > >
> > > Regards,
> > > Ahmed Dala Ali
>
> --
> Sent from my mobile device. Please excuse my brevity.


Re: DDoS attack

2019-12-09 Thread Christopher Morrow
I'm going to take a guess that ahmed is:
  AS  | BGP IPv4 Prefix | AS Name
198735  | 185.51.220.0/22 | HRINS-AS, IQ
198735  | 185.51.220.0/24 | HRINS-AS, IQ
198735  | 185.51.221.0/24 | HRINS-AS, IQ
198735  | 185.51.222.0/24 | HRINS-AS, IQ
198735  | 185.51.223.0/24 | HRINS-AS, IQ
198735  | 217.145.228.0/22| HRINS-AS, IQ
198735  | 217.145.228.0/24| HRINS-AS, IQ
198735  | 217.145.229.0/24| HRINS-AS, IQ
198735  | 217.145.230.0/24| HRINS-AS, IQ
198735  | 217.145.231.0/24| HRINS-AS, IQ
198735  | 5.1.104.0/21| HRINS-AS, IQ
198735  | 5.1.104.0/24| HRINS-AS, IQ
198735  | 5.1.105.0/24| HRINS-AS, IQ
198735  | 5.1.106.0/24| HRINS-AS, IQ
198735  | 5.1.107.0/24| HRINS-AS, IQ
198735  | 5.1.108.0/24| HRINS-AS, IQ
198735  | 5.1.109.0/24| HRINS-AS, IQ
198735  | 5.1.110.0/24| HRINS-AS, IQ
198735  | 5.1.111.0/24| HRINS-AS, IQ

and that their upstream is:
  41032   | 62.201.210.181   | IQNETWORKS, IQ

and that ideally IQnetworks can block this traffic for them...

On Mon, Dec 9, 2019 at 3:17 PM Mel Beckman  wrote:
>
> For short term relief, you might consider asking your upstream provider to 
> block the unused IPs in your network that are being attacked. It may not get 
> everything, but it could drop the volume considerably. Just be sure that the 
> provider blocks them silently, without sending “no route to host” ICMP back 
> to the hacker. That way the hacker won’t know that you’ve done anything and 
> reshape his attack.
>
>  -mel
>
> > On Dec 9, 2019, at 12:11 PM, Christopher Morrow  
> > wrote:
> >
> > I'd note that: "what prefixes?" isn't answered here... like: "what is
> > the thing on your network which is being attacked?"
> >
> > On Mon, Dec 9, 2019 at 3:08 PM ahmed.dala...@hrins.net
> >  wrote:
> >>
> >> Dear All,
> >>
> >> My network is being flooded with UDP packets, a Denial of Service attack, 
> >> sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps 
> >> minimum traffic; the destinations in my network are IP prefixes that are 
> >> currently not used but still getting traffic with high volume.
> >> The traffic is being generated at high intervals, 10-30 minutes each time, 
> >> maxing at 800 Mbps.
> >> When I reached out to Cloudflare support, they mentioned that their services 
> >> are running on NAT so they can't pin down which server is attacking based 
> >> on IP address alone, as a single IP has more than 5000 servers behind it; 
> >> providing 1 source IP and UDP source port didn't help either.
> >> Any suggestions?
> >>
> >> Regards,
> >> Ahmed Dala Ali
>


Re: DDoS attack

2019-12-09 Thread Jean | ddostest.me via NANOG

On which UDP port?

On 2019-12-09 15:07, ahmed.dala...@hrins.net wrote:

Dear All,

My network is being flooded with UDP packets, a Denial of Service attack, sourcing 
from Cloudflare and Google IP addresses, with 200-300 Mbps minimum traffic; 
the destinations in my network are IP prefixes that are currently not used but 
still getting traffic with high volume.
The traffic is being generated at high intervals, 10-30 minutes each time, 
maxing at 800 Mbps.
When I reached out to Cloudflare support, they mentioned that their services are 
running on NAT so they can't pin down which server is attacking based on IP 
address alone, as a single IP has more than 5000 servers behind it; providing 1 
source IP and UDP source port didn't help either.
Any suggestions?

Regards,
Ahmed Dala Ali


Re: DDoS attack

2019-12-09 Thread Mike Hammett
An additional 800 Mbps would severely constrain if not topple dozens if not 
hundreds of ISPs I know. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Filip Hruska"  
To: nanog@nanog.org 
Sent: Monday, December 9, 2019 2:15:39 PM 
Subject: Re: DDoS attack 

Hello, 

which attack protocol are you seeing? I suspect you're seeing DNS based 
amplification or similar, in which case you can't really pinpoint the attack 
source... 

800Mbps is not a whole lot of traffic - does it cause any disruptions to you? 
If the prefixes are not in use, I would suggest the use of RTBH (null routing / 
blackholing) 

Kind Regards, 
Filip Hruska 




On 9 December 2019 9:07:35 pm GMT+01:00, "ahmed.dala...@hrins.net" wrote: 

Dear All, 

My network is being flooded with UDP packets (a denial of service attack) sourcing 
from Cloudflare and Google IP addresses, with 200-300 Mbps minimum traffic. The 
destinations in my network are IP prefixes that are currently not used but are 
still getting traffic with high volume. 
The traffic is being generated at intervals of 10-30 minutes each time, maxing 
out at 800 Mbps. 
When I reached out to Cloudflare support, they mentioned that their services are 
running on NAT, so they can’t pin down which server is attacking based on IP 
address alone, as a single IP has more than 5000 servers behind it; providing 1 
source IP and UDP source port didn’t help either. 
Any suggestions? 

Regards, 
Ahmed Dala Ali 



-- 
Sent from my mobile device. Please excuse my brevity. 


Re: DDoS attack

2019-12-09 Thread Mel Beckman
For short term relief, you might consider asking your upstream provider to 
block the unused IPs in your network that are being attacked. It may not get 
everything, but it could drop the volume considerably. Just be sure that the 
provider blocks them silently, without sending “no route to host” ICMP back to 
the hacker. That way the hacker won’t know that you’ve done anything and 
reshape his attack.

 -mel

> On Dec 9, 2019, at 12:11 PM, Christopher Morrow wrote:
> 
> I'd note that: "what prefixes?" isn't answered here... like: "what is
> the thing on your network which is being attacked?"
> 
> On Mon, Dec 9, 2019 at 3:08 PM ahmed.dala...@hrins.net wrote:
>> 
>> Dear All,
>> 
>> My network is being flooded with UDP packets (a denial of service attack) 
>> sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps minimum 
>> traffic. The destinations in my network are IP prefixes that are currently 
>> not used but are still getting traffic with high volume.
>> The traffic is being generated at intervals of 10-30 minutes each time, 
>> maxing out at 800 Mbps.
>> When I reached out to Cloudflare support, they mentioned that their services 
>> are running on NAT, so they can’t pin down which server is attacking based 
>> on IP address alone, as a single IP has more than 5000 servers behind it; 
>> providing 1 source IP and UDP source port didn’t help either.
>> Any suggestions?
>> 
>> Regards,
>> Ahmed Dala Ali
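As an added example that is not part of Mel's or Filip's posts, the silent discard Mel describes rendered as Cisco IOS configuration, with 192.0.2.0/24 (RFC 5737 documentation space) standing in for the unused prefix being flooded; the BGP part goes beyond what Mel asks for and assumes an upstream that accepts the RFC 7999 BLACKHOLE community, with documentation ASNs and a hypothetical peer address.

```cisco
! Added example, not from the thread. 192.0.2.0/24 stands in for the unused
! prefix that is being flooded (RFC 5737 documentation space; use your own).
!
! 1. Discard the traffic at the edge. Works the same on your own border or on
!    the upstream router that is doing it on your behalf. Null0 never forwards.
!    The tag is only used by step 3 below.
ip route 192.0.2.0 255.255.255.0 Null0 tag 666
!
! 2. Mel's point: by default IOS answers every packet routed to Null0 with an
!    ICMP "destination unreachable", which tells the sender the prefix is now
!    being discarded and makes the router an ICMP source of its own. Silence it.
interface Null0
 no ip unreachables
!
! 3. Optional: hand the same discard to the upstream over BGP instead of by
!    ticket. Attach the RFC 7999 BLACKHOLE community 65535:666. Providers often
!    require their own community and /32-only announcements, so check their
!    published policy before relying on this. ASNs are RFC 5398 documentation
!    values; 203.0.113.1 is a hypothetical peer.
route-map RTBH-OUT permit 10
 match tag 666
 set community 65535:666 additive
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 send-community
 redistribute static route-map RTBH-OUT
```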



Re: DDoS attack

2019-12-09 Thread Tim Požár
This is lame.  They should be able to view NAT translation tables or
better yet have some method of watching flows.

Tim

On 12/9/19 12:11 PM, Christopher Morrow wrote:
> I'd note that: "what prefixes?" isn't answered here... like: "what is
> the thing on your network which is being attacked?"
> 
> On Mon, Dec 9, 2019 at 3:08 PM ahmed.dala...@hrins.net wrote:
>>
>> Dear All,
>>
>> My network is being flooded with UDP packets (a denial of service attack) 
>> sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps minimum 
>> traffic. The destinations in my network are IP prefixes that are currently 
>> not used but are still getting traffic with high volume.
>> The traffic is being generated at intervals of 10-30 minutes each time, 
>> maxing out at 800 Mbps.
>> When I reached out to Cloudflare support, they mentioned that their services 
>> are running on NAT, so they can’t pin down which server is attacking based 
>> on IP address alone, as a single IP has more than 5000 servers behind it; 
>> providing 1 source IP and UDP source port didn’t help either.
>> Any suggestions?
>>
>> Regards,
>> Ahmed Dala Ali


Re: DDoS attack

2019-12-09 Thread Filip Hruska
Hello, 

which attack protocol are you seeing? I suspect you're seeing DNS based 
amplification or similar, in which case you can't really pinpoint the attack 
source... 

800Mbps is not a whole lot of traffic - does it cause any disruptions to you? 
If the prefixes are not in use, I would suggest the use of RTBH (null routing / 
blackholing) 

Kind Regards, 
Filip Hruska



On 9 December 2019 9:07:35 pm GMT+01:00, "ahmed.dala...@hrins.net" wrote:
>Dear All, 
>
>My network is being flooded with UDP packets (a denial of service attack)
>sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps
>minimum traffic. The destinations in my network are IP prefixes that are
>currently not used but are still getting traffic with high volume.
>The traffic is being generated at intervals of 10-30 minutes each time,
>maxing out at 800 Mbps.
>When I reached out to Cloudflare support, they mentioned that their services
>are running on NAT, so they can’t pin down which server is attacking
>based on IP address alone, as a single IP has more than 5000 servers
>behind it; providing 1 source IP and UDP source port didn’t help
>either.
>Any suggestions?
>
>Regards, 
>Ahmed Dala Ali 

-- 
Sent from my mobile device. Please excuse my brevity.

Re: DDoS attack

2019-12-09 Thread Christopher Morrow
I'd note that: "what prefixes?" isn't answered here... like: "what is
the thing on your network which is being attacked?"

On Mon, Dec 9, 2019 at 3:08 PM ahmed.dala...@hrins.net wrote:
>
> Dear All,
>
> My network is being flooded with UDP packets (a denial of service attack) 
> sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps minimum 
> traffic. The destinations in my network are IP prefixes that are currently 
> not used but are still getting traffic with high volume.
> The traffic is being generated at intervals of 10-30 minutes each time, 
> maxing out at 800 Mbps.
> When I reached out to Cloudflare support, they mentioned that their services 
> are running on NAT, so they can’t pin down which server is attacking based 
> on IP address alone, as a single IP has more than 5000 servers behind it; 
> providing 1 source IP and UDP source port didn’t help either.
> Any suggestions?
>
> Regards,
> Ahmed Dala Ali


Re: ddos attack blog

2014-02-14 Thread Mark Tinka
On Friday, February 14, 2014 03:01:27 AM Jared Mauch wrote:

 I would actually like to ask for those folks to un-block
 NTP so there is proper data on the number of hosts for
 those researching this.  The right thing to do is
 reconfigure them.  I've seen a good trend line in NTP
 servers being fixed, and hope we will see more of that
 in the next few weeks.

Depending on your OS, the fixes can be quite simple or 
interesting.

On my FreeBSD servers, simply updating with freebsd-update 
was enough to fix the issue (in addition to limiting 
who/what can access the service).

On Cisco devices, the ACL's you can attach to the NTP 
process are quite effective.

On Juniper devices, it is less intuitive, and even though 
NTP is enabled only as a client, it, sadly, runs the server 
as well. A firewall filter helps here when applied 
correctly.

Can't speak to other OS's.

Mark.
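As an added example that is not from Mark's post or any vendor documentation, the Cisco NTP access-group ACLs he mentions, assuming a router that syncs from two upstream servers (203.0.113.10 and .11, RFC 5737 documentation addresses) and should serve time only to its own site 192.0.2.0/24.

```cisco
! Added example, not from the thread. Addresses are RFC 5737 documentation
! values standing in for real ones. Goal: the router still synchronises, the
! local site can still ask it for time, and nobody on the internet can use it
! as a reflector.
!
access-list 10 remark Servers this router is allowed to synchronise from
access-list 10 permit host 203.0.113.10
access-list 10 permit host 203.0.113.11
!
access-list 20 remark Clients that may ask this router for time (time requests
access-list 20 remark only: no control queries, no peering back to us)
access-list 20 permit 192.0.2.0 0.0.0.255
!
access-list 30 remark Nobody may send NTP control (mode 6/7) queries
access-list 30 deny any
!
ntp server 203.0.113.10
ntp server 203.0.113.11
!
! peer       = may sync us, query us and be served by us
! serve-only = time requests only
! query-only = control queries only (here: denied for everyone, explicitly)
ntp access-group peer 10
ntp access-group serve-only 20
ntp access-group query-only 30
!
! Once any ntp access-group is present, sources matched by none of the groups
! are refused, so the wider internet gets no reply at all. Check that sync
! survives with "show ntp associations" after applying this.
```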




Re: ddos attack blog

2014-02-14 Thread Wayne E Bouchard
On Thu, Feb 13, 2014 at 08:01:27PM -0500, Jared Mauch wrote:
 I would actually like to ask for those folks to un-block NTP so there is 
 proper data on the number of hosts for those researching this.  The right 
 thing to do is reconfigure them.  I've seen a good trend line in NTP servers 
 being fixed, and hope we will see more of that in the next few weeks.


A slight exception to that statement, if I may...

The right thing to do is for people to not permit services to operate
on hosts they do not intend to operate on and not to be visible to
those they do not intend to use them. In other words, to properly
manage their networks. If that means blocking all access to
potentially faulty implementations, then that's the right thing to do.
In short, companies should do what is right for their companies and
nevermind anyone else.

Never forget that researchers are just part of the public and should
never consider that their usage of the internet is any more or less
valid to the average third party than the next guy.

-Wayne

---
Wayne Bouchard
w...@typo.org
Network Dude
http://www.typo.org/~web/



Permitting spoofed traffic [Was: Re: ddos attack blog]

2014-02-14 Thread Paul Ferguson

On 2/14/2014 10:22 AM, Wayne E Bouchard wrote:

 On Thu, Feb 13, 2014 at 08:01:27PM -0500, Jared Mauch wrote:
 I would actually like to ask for those folks to un-block NTP so
 there is proper data on the number of hosts for those researching
 this.  The right thing to do is reconfigure them.  I've seen a
 good trend line in NTP servers being fixed, and hope we will see
 more of that in the next few weeks.
 
 
 A slight exception to that statement, if I may...
 
 The right thing to do is for people to not permit services to
 operate on hosts they do not intend to operate on and not to be
 visible to those they do not intend to use them. In other words, to
 properly manage their networks. If that means blocking all access
 to potentially faulty implementations, then that's the right thing
 to do. In short, companies should do what is right for their
 companies and nevermind anyone else.
 
 Never forget that researchers are just part of the public and
 should never consider that their usage of the internet is any more
 or less valid to the average third party than the next guy.
 

Taken to the logical extreme, the right thing to do is to deny any
spoofed traffic from abusing these services altogether. NTP is not the
only one; there is also SNMP, DNS, etc.

- ferg


-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2




Re: ddos attack blog

2014-02-14 Thread John

On 02/13/2014 06:01 PM, Jared Mauch wrote:

On Feb 13, 2014, at 1:47 PM, John jsch...@flowtools.net wrote:

snip

UDP won't be blocked. There are some vendors that have their own hidden 
protocol inside UDP packets to control and communicate with their devices.

Thinking on it again, maybe blocking UDP isn't all that bad. Would force the 
vendors to not 'hide' their protocol.

Be careful what you wish for.  I know some people have just blocked all NTP to 
keep their servers from participating in attacks.  This is common in places 
where they hand off a VM/host to a customer and no longer have access despite 
it being in their environment.

I was being a bit extreme, I don't expect UDP to be blocked and there 
are valid uses for NTP and it needs to pass. Can you imagine the trading 
servers not having access to NTP?


The knee jerk reaction to just block NTP is a temporary measure that can 
be used while other mitigation steps are implemented.


I kinda hijacked the NTP issue a bit and expanded it to cover the 
undocumented uses of device control in UDP. I'll leave that issue for 
another day, just wanted to raise awareness if it was not already known.



--John


I would actually like to ask for those folks to un-block NTP so there is proper 
data on the number of hosts for those researching this.  The right thing to do 
is reconfigure them.  I've seen a good trend line in NTP servers being fixed, 
and hope we will see more of that in the next few weeks.

I've seen maybe 100-200 per-ASN reports handed out to network operators.  If 
you want yours, please e-mail ntp-s...@puck.nether.net to obtain it.  Put your 
ASN in the subject line and/or body.

- Jared (and others like Patrick that presented on the projects behalf).






Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

2014-02-14 Thread Larry Sheldon

On 2/14/2014 12:42 PM, Paul Ferguson wrote:

Taken to the logical extreme, the right thing to do is to deny any
spoofed traffic from abusing these services altogether.


Since the 1990s I have argued (ineffectively, it turns out) a case that 
says that sentence can be edited down to good advantage as:


 Taken to the logical extreme, the right thing to do is to deny any
 spoofed traffic.

--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: ddos attack blog

2014-02-14 Thread Hal Murray

 I was being a bit extreme, I don't expect UDP to be blocked and there  are
 valid uses for NTP and it needs to pass. Can you imagine the trading
 servers not having access to NTP? 

Sure.

They could set up internal NTP servers listening to GPS.  Would it be as good 
overall as using external servers?   Probably not, but it might be good 
enough.  I doubt if it would be very high on any trading floor's list of nasty 
problems.

They could arrange to poke holes through the generic UDP block - whitelist 
the few known cases where UDP traffic is expected.  Would it be a pain to 
administer?  Probably, but I'll bet it could be made to work.


-- 
These are my opinions.  I hate spam.






Re: ddos attack blog

2014-02-14 Thread joel jaeggli
On 2/14/14, 3:00 PM, Hal Murray wrote:
 
 I was being a bit extreme, I don't expect UDP to be blocked and there  are
 valid uses for NTP and it needs to pass. Can you imagine the trading
 servers not having access to NTP? 
 
 Sure.
 
 They could set up internal NTP servers listening to GPS.  Would it be as good 
 overall as using external servers?   Probably not, but it might be good 
 enough.  I doubt if it would be very high on any trading floor's list of nasty 
 problems.
 
 They could arrange to poke holes through the generic UDP block - whitelist 
 the few known cases where UDP traffic is expected.  Would it be a pain to 
 administer?  Probably, but I'll bet it could be made to work.

High value concentrated applications are relatively easy things to get
high quality time to.

it's all the consumer electronics devices and everything that uses
ssl/tls that needs access to time that is a more diffuse and less
tractable problem.

joel

 






Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

2014-02-14 Thread Joe Provo
On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote:
[snip]
 Taken to the logical extreme, the right thing to do is to deny any
 spoofed traffic from abusing these services altogether. NTP is not the
 only one; there is also SNMP, DNS, etc.
 
...and then we're back to implement BCP38 already! (like one of 
the authors of the document didn't think of that, ferg? ;-)

NB: Some Entities believe all filtering is 'bcp 38' and thus have 
given this stone-dead logical and sane practice a bad rap. If 
someone is sloppy with their IRR-based filters or can't drive loose 
RPF correctly, that isn't the fault of BCP38.  

The document specifically speaks to aggregation points, most clearly
in the introduction:
In other words, if an ISP is aggregating routing announcements 
 for multiple downstream networks, strict traffic filtering should 
 be used to prohibit traffic which claims to have originated from 
 outside of these aggregated announcements.

This goes for access, hosting, and most recently virtual hosting 
in teh cloude. Stop forgery at your edges and your life will be 
easier.

Cheers,

Joe

-- 
RSUC / GweepNet / Spunk / FnB / CotSG / Usenix / NANOG



Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

2014-02-14 Thread Paul Ferguson

On 2/14/2014 3:00 PM, Larry Sheldon wrote:

 On 2/14/2014 12:42 PM, Paul Ferguson wrote:
 Taken to the logical extreme, the right thing to do is to deny
 any spoofed traffic from abusing these services altogether.
 
 Since the 1990s I have argued (ineffectively, it turns out) a case
 that says that sentence can be edited down to good advantage as:
 
 Taken to the logical extreme, the right thing to do is to deny
 any spoofed traffic.
 

But of course. :-)

- ferg

-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2




Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

2014-02-14 Thread Paul Ferguson

On 2/14/2014 4:09 PM, Joe Provo wrote:

 On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote: 
 [snip]
 Taken to the logical extreme, the right thing to do is to deny
 any spoofed traffic from abusing these services altogether. NTP
 is not the only one; there is also SNMP, DNS, etc.
 
 ...and then we're back to implement BCP38 already! (like one of 
 the authors of the document didn't think of that, ferg? ;-)
 
 NB: Some Entities believe all filtering is 'bcp 38' and thus have 
 given this stone-dead logical and sane practice a bad rap. If 
 someone is sloppy with their IRR-based filters or can't drive loose
  RPF correctly, that isn't the fault of BCP38.
 
 The document specifically speaks to aggregation points, most
 clearly in the introduction: In other words, if an ISP is
 aggregating routing announcements for multiple downstream networks,
 strict traffic filtering should be used to prohibit traffic which
 claims to have originated from outside of these aggregated
 announcements.
 
 This goes for access, hosting, and most recently virtual hosting in
 teh cloude. Stop forgery at your edges and your life will be 
 easier.
 

Indeed -- I'm not in the business of bit-shipping these days, so I
can't endorse or advocate any particular method of blocking spoofed IP
packets in your gear.

I can, however, say with confidence that it is still a good idea.
Great idea, even. :-)

- ferg



-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2




Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

2014-02-14 Thread Jeff Kell
On 2/14/2014 9:07 PM, Paul Ferguson wrote:
 Indeed -- I'm not in the business of bit-shipping these days, so I
 can't endorse or advocate any particular method of blocking spoofed IP
 packets in your gear.

If you're dead-end, a basic ACL that permits ONLY your prefixes on
egress, and blocks your prefixes on ingress, is perhaps the safest bet. 
Strict uRPF has its complications, and loose uRPF is almost too
forgiving.  If you're providing transit, it gets much more complicated
much more quickly, but the same principles apply (they just get to be a
less-than-100% solution)  :)

 I can, however, say with confidence that it is still a good idea.
 Great idea, even. :-)

Oh yeah :)

Jeff
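As an added example that is not from Jeff's post or any vendor documentation, the dead-end filter he describes as Cisco IOS configuration, using the RFC 5737 documentation prefixes 192.0.2.0/24 and 198.51.100.0/24 to stand in for a site's own address space and hypothetical interface names.

```cisco
! Added example, not part of the thread. Assumes a dead-end (non-transit) site
! whose only address space is 192.0.2.0/24 and 198.51.100.0/24 (RFC 5737
! documentation prefixes standing in for your real allocations), one upstream
! interface and one LAN interface (hypothetical names).
!
! Egress: only packets sourced from our own prefixes may leave. Anything else
! is forged or misrouted. This is the BCP38 filter the thread is about.
! Keep "log" only until you have confirmed nothing legitimate hits the deny;
! logging every dropped packet during an outbound flood is its own problem.
ip access-list extended BCP38-EGRESS
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any log
!
! Ingress: packets arriving from the outside must not claim to be from us.
! Everything else is left alone; this is anti-spoofing, not a firewall.
ip access-list extended BCP38-INGRESS
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 198.51.100.0 0.0.0.255 any log
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream transit (hypothetical)
 ip access-group BCP38-INGRESS in
 ip access-group BCP38-EGRESS out
!
! Alternative for the customer-facing side: strict uRPF where the LAN attaches.
! It drops any packet whose source address would not be routed back out the
! same interface, which on a single-homed edge gives the same result as the
! egress ACL. Jeff's caveat applies: strict mode breaks on asymmetric or
! multi-homed paths, so the ACL form is the safer default when in doubt.
interface GigabitEthernet0/1
 description Internal LAN (hypothetical)
 ip verify unicast source reachable-via rx
```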





Re: ddos attack blog

2014-02-13 Thread Jared Mauch

On Feb 13, 2014, at 12:06 PM, Cb B cb.li...@gmail.com wrote:

 Good write up, includes name and shame for ATT Wireless, IIJ, OVH,
 DTAG and others
 
 http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
 
 Standard plug for http://openntpproject.org/ and
 http://openresolverproject.org/ and bcp38 , please fix/help.
 
 For those of you paying attention to the outage list, this is a pretty
 big deal that has had daily ramification for some very big networks
 https://puck.nether.net/pipermail/outages/2014-February/date.html
 
 In general, I think UDP is doomed to be blocked and rate limited --
 tragedy of the commons.  But, it would be nice if folks would just fix
 the root of the issue so the rest of us don't have to go there...

While I'm behind some of the inventory projects (so you can go ahead and fix.. 
let me know if you need/want the URLs to see data for your networks)...

I must provide credit to those behind the Amplification Hell talk at NDSS.  If 
you are at all interested in what is going on, you should attend or review the 
content.

http://www.internetsociety.org/ndss2014/programme

BCP-38 on your customers is going to be critical to prevent the abuse reaching 
your network.  Please ask your vendors for it, and ask for your providers to 
filter your network to prevent you originating this abuse.

If you operate hosted VMs, servers, etc.. please make sure those netblocks are
secured as well.

You can easily check your network (As can the bad guys!) here:

http://spoofer.cmand.org/

- Jared


Re: ddos attack blog

2014-02-13 Thread Paul Ferguson

On 2/13/2014 9:06 AM, Cb B wrote:

 Good write up, includes name and shame for ATT Wireless, IIJ,
 OVH, DTAG and others
 
 http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack

  Standard plug for http://openntpproject.org/ and 
 http://openresolverproject.org/ and bcp38 , please fix/help.
 
 For those of you paying attention to the outage list, this is a
 pretty big deal that has had daily ramification for some very big
 networks 
 https://puck.nether.net/pipermail/outages/2014-February/date.html
 
 In general, I think UDP is doomed to be blocked and rate limited
 -- tragedy of the commons.  But, it would be nice if folks would
 just fix the root of the issue so the rest of us don't have to go
 there...
 

The alternative is get people to understand that anti-spoofing is
good, and efforts to combat spoofing should be encouraged.

- ferg


-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2




Re: ddos attack blog

2014-02-13 Thread John

On 02/13/2014 10:06 AM, Cb B wrote:

Good write up, includes name and shame for ATT Wireless, IIJ, OVH,
DTAG and others

http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack

Standard plug for http://openntpproject.org/ and
http://openresolverproject.org/ and bcp38 , please fix/help.

For those of you paying attention to the outage list, this is a pretty
big deal that has had daily ramification for some very big networks
https://puck.nether.net/pipermail/outages/2014-February/date.html

In general, I think UDP is doomed to be blocked and rate limited --
tragedy of the commons.  But, it would be nice if folks would just fix
the root of the issue so the rest of us don't have to go there...


UDP won't be blocked. There are some vendors that have their own hidden 
protocol inside UDP packets to control and communicate with their devices.


Thinking on it again, maybe blocking UDP isn't all that bad. Would force 
the vendors to not 'hide' their protocol.


--John



Regards,

CB






Re: ddos attack blog

2014-02-13 Thread Jared Mauch

On Feb 13, 2014, at 1:47 PM, John jsch...@flowtools.net wrote:

 On 02/13/2014 10:06 AM, Cb B wrote:
 Good write up, includes name and shame for ATT Wireless, IIJ, OVH,
 DTAG and others
 
 http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
 
 Standard plug for http://openntpproject.org/ and
 http://openresolverproject.org/ and bcp38 , please fix/help.
 
 For those of you paying attention to the outage list, this is a pretty
 big deal that has had daily ramification for some very big networks
 https://puck.nether.net/pipermail/outages/2014-February/date.html
 
 In general, I think UDP is doomed to be blocked and rate limited --
 tragedy of the commons.  But, it would be nice if folks would just fix
 the root of the issue so the rest of us don't have to go there...
 
 UDP won't be blocked. There are some vendors that have their own hidden 
 protocol inside UDP packets to control and communicate with their devices.
 
 Thinking on it again, maybe blocking UDP isn't all that bad. Would force the 
 vendors to not 'hide' their protocol.
 

Be careful what you wish for.  I know some people have just blocked all NTP to 
keep their servers from participating in attacks.  This is common in places 
where they hand off a VM/host to a customer and no longer have access despite 
it being in their environment.

I would actually like to ask for those folks to un-block NTP so there is proper 
data on the number of hosts for those researching this.  The right thing to do 
is reconfigure them.  I've seen a good trend line in NTP servers being fixed, 
and hope we will see more of that in the next few weeks.

I've seen maybe 100-200 per-ASN reports handed out to network operators.  If 
you want yours, please e-mail ntp-s...@puck.nether.net to obtain it.  Put your 
ASN in the subject line and/or body.

- Jared (and others like Patrick that presented on the projects behalf).




Re: DDOS attack via as702 87.118.210.122

2010-10-26 Thread Jack Carrozzo
Whois is hard, let's go shopping:

ja...@anna ~ $ whois as701

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/asns;q=as701?showDetails=true
#

ASNumber:   701 - 705
ASName: UUNET
ASHandle:   AS701
RegDate:1990-08-03
Updated:2008-07-24
Ref:http://whois.arin.net/rest/asn/AS701

OrgName:MCI Communications Services, Inc. d/b/a Verizon Business
OrgId:  MCICS
Address:22001 Loudoun County Pkwy
City:   Ashburn
StateProv:  VA
PostalCode: 20147
Country:US
RegDate:2006-05-30
Updated:2009-12-07
Ref:http://whois.arin.net/rest/org/MCICS

OrgTechHandle: JHU140-ARIN
OrgTechName:   Huffines, Jody
OrgTechPhone:  +1-703-886-6093
OrgTechEmail:  jody.huffi...@verizonbusiness.com
OrgTechRef:http://whois.arin.net/rest/poc/JHU140-ARIN

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName:   abuse
OrgAbusePhone:  +1-800-900-0241
OrgAbuseEmail:  abuse-m...@verizonbusiness.com
OrgAbuseRef:http://whois.arin.net/rest/poc/ABUSE3-ARIN

OrgNOCHandle: OA12-ARIN
OrgNOCName:   UUnet Technologies, Inc., Technologies
OrgNOCPhone:  +1-800-900-0241
OrgNOCEmail:  hel...@verizonbusiness.com
OrgNOCRef:http://whois.arin.net/rest/poc/OA12-ARIN

OrgTechHandle: SWIPP-ARIN
OrgTechName:   swipper
OrgTechPhone:  +1-800-900-0241
OrgTechEmail:  swip...@verizonbusiness.com
OrgTechRef:http://whois.arin.net/rest/poc/SWIPP-ARIN

-Jack Carrozzo

On Tue, Oct 26, 2010 at 7:51 AM, Serg Shubenkov s...@macomnet.net wrote:


 Hello, list.

 Please send me off-list abuse contact for as702.

 --
 Serg Shubenkov, MAcomnet, Internet Dept., Head of Inet Department
 phone: +7 495 7969392/9079, +7 916 5316625, mailto:s...@macomnet.net
 icq uin: 101964103, Skype: serg.v.shubenkov






Re: DDOS attack via as702 87.118.210.122

2010-10-26 Thread Adrian Chadd
On Tue, Oct 26, 2010, Cutler James R wrote:
 Jack,
 
 I agree that whois is hard. Please explain how you knew to query AS701 when 
 Serg asked about AS702.  

Brainfart. I understand why people confuse 701 with 702.

$ whois -h whois.ripe.net AS702

% Information related to 'AS702'

aut-num:AS702
as-name:AS702
descr:  Verizon Business EMEA - Commercial IP service provider in Europe

...



Adrian


 
 computer:~ me$ whois as702
 SNIP
 No match for AS702.
  Last update of whois database: Tue, 26 Oct 2010 13:47:47 UTC 
 
 Regards.
 
   Cutler
 
 On Oct 26, 2010, at 9:22 AM, Jack Carrozzo wrote:
 
  Whois is hard, let's go shopping:
  
  ja...@anna ~ $ whois as701
  
  SNIP/
  -Jack Carrozzo
  
  On Tue, Oct 26, 2010 at 7:51 AM, Serg Shubenkov s...@macomnet.net wrote:
  
  
  Hello, list.
  
  Please send me off-list abuse contact for as702.
  
  --
  Serg Shubenkov, MAcomnet, Internet Dept., Head of Inet Department
  phone: +7 495 7969392/9079, +7 916 5316625, mailto:s...@macomnet.net
  icq uin: 101964103, Skype: serg.v.shubenkov
  
  
  
  
 
 James R. Cutler
 james.cut...@consultant.com
 
 
 
 

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA -



Re: DDOS attack via as702 87.118.210.122

2010-10-26 Thread Tim Jackson
Whois really isn't that hard. Maybe reading "ASNumber: 701 - 705" is, though..

t...@shitbox:/var/log$ whois a 702 -h whois.arin.net
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/asns;q=702?showDetails=true
#

ASNumber:   701 - 705
ASName: UUNET
ASHandle:   AS701
RegDate:1990-08-03
Updated:2008-07-24
Ref:http://whois.arin.net/rest/asn/AS701

OrgName:MCI Communications Services, Inc. d/b/a Verizon Business
OrgId:  MCICS
Address:22001 Loudoun County Pkwy
City:   Ashburn
StateProv:  VA
PostalCode: 20147
Country:US
RegDate:2006-05-30
Updated:2009-12-07
Ref:http://whois.arin.net/rest/org/MCICS

OrgTechHandle: JHU140-ARIN
OrgTechName:   Huffines, Jody
OrgTechPhone:  +1-703-886-6093
OrgTechEmail:  jody.huffi...@verizonbusiness.com
OrgTechRef:http://whois.arin.net/rest/poc/JHU140-ARIN

OrgNOCHandle: OA12-ARIN
OrgNOCName:   UUnet Technologies, Inc., Technologies
OrgNOCPhone:  +1-800-900-0241
OrgNOCEmail:  hel...@verizonbusiness.com
OrgNOCRef:http://whois.arin.net/rest/poc/OA12-ARIN

OrgTechHandle: SWIPP-ARIN
OrgTechName:   swipper
OrgTechPhone:  +1-800-900-0241
OrgTechEmail:  swip...@verizonbusiness.com
OrgTechRef:http://whois.arin.net/rest/poc/SWIPP-ARIN

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName:   abuse
OrgAbusePhone:  +1-800-900-0241
OrgAbuseEmail:  abuse-m...@verizonbusiness.com
OrgAbuseRef:http://whois.arin.net/rest/poc/ABUSE3-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#




On Tue, Oct 26, 2010 at 8:54 AM, Cutler James R
james.cut...@consultant.com wrote:
 Jack,

 I agree that whois is hard. Please explain how you knew to query AS701 when 
 Serg asked about AS702.

 computer:~ me$ whois as702
 SNIP
 No match for AS702.
 Last update of whois database: Tue, 26 Oct 2010 13:47:47 UTC 

 Regards.

        Cutler



Re: DDOS attack via as702 87.118.210.122

2010-10-26 Thread Jack Carrozzo
Well, I whois'd 702, got no match, said hm, I see 701 all over the place,
lemmy take a look and found:

ASNumber:   701 - 705
ASName: UUNET

etc. Sorry, it was left as an exercise to the reader - didn't mean to be
flippant.

-Jack Carrozzo

On Tue, Oct 26, 2010 at 10:07 AM, Adrian Chadd adr...@creative.net.au wrote:

 On Tue, Oct 26, 2010, Cutler James R wrote:
  Jack,
 
  I agree that whois is hard. Please explain how you knew to query AS701
 when Serg asked about AS702.

 Brainfart. I understand why people confuse 701 with 702.

 $ whois -h whois.ripe.net AS702

 % Information related to 'AS702'

 aut-num:AS702
 as-name:AS702
 descr:  Verizon Business EMEA - Commercial IP service provider in
 Europe

 ...



 Adrian


 
  computer:~ me$ whois as702
  SNIP
  No match for AS702.
   Last update of whois database: Tue, 26 Oct 2010 13:47:47 UTC 
 
  Regards.
 
Cutler
 
  On Oct 26, 2010, at 9:22 AM, Jack Carrozzo wrote:
 
   Whois is hard, let's go shopping:
  
   ja...@anna ~ $ whois as701
  
   SNIP/
   -Jack Carrozzo
  
   On Tue, Oct 26, 2010 at 7:51 AM, Serg Shubenkov s...@macomnet.net
 wrote:
  
  
   Hello, list.
  
   Please send me off-list abuse contact for as702.
  
   --
   Serg Shubenkov, MAcomnet, Internet Dept., Head of Inet Department
   phone: +7 495 7969392/9079, +7 916 5316625, mailto:s...@macomnet.net
   icq uin: 101964103, Skype: serg.v.shubenkov
  
  
  
  
 
  James R. Cutler
  james.cut...@consultant.com
 
 
 
 

 --
 - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid
 Support -
 - $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA
 -




RE: DDOS attack via as702 87.118.210.122

2010-10-26 Thread Steve Adcock
Must admit I thought what Jack supplied said between AS 701 - 705, which is 
MCI/Verizon, and is correct?

ASNumber:   701 - 705
ASName: UUNET
ASHandle:   AS701
RegDate:1990-08-03
Updated:2008-07-24
Ref:http://whois.arin.net/rest/asn/AS701

If you'd done some manual work like a bit of ripe/cidr-report and used network
tools for a whois, you would get the answer.

Cheers

Steven

-Original Message-
From: Cutler James R [mailto:james.cut...@consultant.com] 
Sent: 26 October 2010 14:54
To: na...@merit.edu
Subject: Re: DDOS attack via as702 87.118.210.122

Jack,

I agree that whois is hard. Please explain how you knew to query AS701 when 
Serg asked about AS702.  

computer:~ me$ whois as702
SNIP
No match for AS702.
 Last update of whois database: Tue, 26 Oct 2010 13:47:47 UTC 

Regards.

Cutler

On Oct 26, 2010, at 9:22 AM, Jack Carrozzo wrote:

 Whois is hard, let's go shopping:
 
 ja...@anna ~ $ whois as701
 
 SNIP/
 -Jack Carrozzo
 
 On Tue, Oct 26, 2010 at 7:51 AM, Serg Shubenkov s...@macomnet.net wrote:
 
 
 Hello, list.
 
 Please send me off-list abuse contact for as702.
 
 --
 Serg Shubenkov, MAcomnet, Internet Dept., Head of Inet Department
 phone: +7 495 7969392/9079, +7 916 5316625, mailto:s...@macomnet.net
 icq uin: 101964103, Skype: serg.v.shubenkov
 
 
 
 

James R. Cutler
james.cut...@consultant.com





---BeginMessage---
Whois is hard, let's go shopping:

ja...@anna ~ $ whois as701

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/asns;q=as701?showDetails=true
#

ASNumber:   701 - 705
ASName: UUNET
ASHandle:   AS701
RegDate:1990-08-03
Updated:2008-07-24
Ref:http://whois.arin.net/rest/asn/AS701

OrgName:MCI Communications Services, Inc. d/b/a Verizon Business
OrgId:  MCICS
Address:22001 Loudoun County Pkwy
City:   Ashburn
StateProv:  VA
PostalCode: 20147
Country:US
RegDate:2006-05-30
Updated:2009-12-07
Ref:http://whois.arin.net/rest/org/MCICS

OrgTechHandle: JHU140-ARIN
OrgTechName:   Huffines, Jody
OrgTechPhone:  +1-703-886-6093
OrgTechEmail:  jody.huffi...@verizonbusiness.com
OrgTechRef:http://whois.arin.net/rest/poc/JHU140-ARIN

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName:   abuse
OrgAbusePhone:  +1-800-900-0241
OrgAbuseEmail:  abuse-m...@verizonbusiness.com
OrgAbuseRef:http://whois.arin.net/rest/poc/ABUSE3-ARIN

OrgNOCHandle: OA12-ARIN
OrgNOCName:   UUnet Technologies, Inc., Technologies
OrgNOCPhone:  +1-800-900-0241
OrgNOCEmail:  hel...@verizonbusiness.com
OrgNOCRef:http://whois.arin.net/rest/poc/OA12-ARIN

OrgTechHandle: SWIPP-ARIN
OrgTechName:   swipper
OrgTechPhone:  +1-800-900-0241
OrgTechEmail:  swip...@verizonbusiness.com
OrgTechRef:http://whois.arin.net/rest/poc/SWIPP-ARIN

-Jack Carrozzo

On Tue, Oct 26, 2010 at 7:51 AM, Serg Shubenkov s...@macomnet.net wrote:


 Hello, list.

 Please send me off-list abuse contact for as702.

 --
 Serg Shubenkov, MAcomnet, Internet Dept., Head of Inet Department
 phone: +7 495 7969392/9079, +7 916 5316625, mailto:s...@macomnet.net
 icq uin: 101964103, Skype: serg.v.shubenkov




---End Message---


Re: DDOS attack via as702 87.118.210.122

2010-10-26 Thread Beavis
whois on 702 (Verizon)

http://www.robtex.com/as/as702.html

Good luck.

On Tue, Oct 26, 2010 at 5:51 AM, Serg Shubenkov s...@macomnet.net wrote:

 Hello, list.

 Please send me off-list abuse contact for as702.

 --
 Serg Shubenkov, MAcomnet, Internet Dept., Head of Inet Department
 phone: +7 495 7969392/9079, +7 916 5316625, mailto:s...@macomnet.net
 icq uin: 101964103, Skype: serg.v.shubenkov







-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments



Re: DDOS attack via as702 87.118.210.122

2010-10-26 Thread James Hess
On Tue, Oct 26, 2010 at 9:12 AM, Jack Carrozzo j...@crepinc.com wrote:
 Well, I whois'd 702, got no match, said hm, I see 701 all over the place,
 lemmy take a look and found:

There is a match... I think "WHOIS as702" is erroneous WHOIS query syntax,
typing "asX" not being the way to search for an AS number.
See the full WHOIS help for the details about how to use all the flags.

Try searching for the number and use an 'a' search type instead of
searching for 'as702'.

Try
telnet whois.arin.net nicname
Escape character is '^]'.
a 702

"a 702" gives a match...
"as702" does not.
"as701" does, probably because there is the ASHANDLE field
or something else in the record that matches that query other than the
AS number itself.


 ASNumber:       701 - 705
 ASName:         UUNET


--
-JH
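Hess's two points, that ARIN's port-43 server wants the 'a' search type with the bare number and that 702 is covered by the 701 - 705 block, as an added example that is not from the thread: it builds the query line and parses a constructed, abridged copy of the AS701 record to check whether a block covers the AS and to pull the abuse mailbox (the address is a placeholder, and the RIPE abuse-mailbox field is an assumption beyond the output shown in this thread).

```python
# Constructed sample, abridged from the AS701 record quoted in this thread;
# the abuse mailbox is a placeholder, not the real one.
ARIN_SAMPLE = """\
# The following results may also be obtained via the RESTful service.

ASNumber:       701 - 705
ASName:         UUNET
ASHandle:       AS701

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseEmail:  abuse@example.net
"""


def as_query(asn):
    """ARIN port-43 query line: the 'a' search type plus the bare number."""
    return ("a %d\r\n" % int(asn)).encode("ascii")


def parse_whois(text):
    """Split whois output into blank-line separated records of key/value pairs.
    Lines starting with '#' (ARIN) or '%' (RIPE) are server comments, not fields."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith(("#", "%")) and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def covers_asn(records, asn):
    """True if any ASNumber field ('9121' or a block like '701 - 705') includes asn."""
    for rec in records:
        if "ASNumber" in rec:
            ends = [int(p) for p in rec["ASNumber"].replace("-", " ").split()]
            if ends[0] <= int(asn) <= ends[-1]:
                return True
    return False


def abuse_mailboxes(records):
    """Abuse mailboxes from ARIN (OrgAbuseEmail) or RIPE (abuse-mailbox) fields."""
    keys = ("OrgAbuseEmail", "abuse-mailbox")
    return sorted({rec[k] for rec in records for k in keys if k in rec})
```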



Re: DDoS Attack in Progress.

2008-10-11 Thread Steve Linford

On 10 Oct 2008, at 20:46, Beavis wrote:


Hi All,

  DoS attack in progress, any upstream info for these guys? Their
phone number doesn't respond.

inetnum: 88.247.0.0 - 88.247.79.255
netname: TurkTelekom
descr:   TT ADSL-alcatel static_ulus
country: tr


The Spamhaus folk on this list have the address of TurkTelekom's
chief security/abuse guy who would take care of this, but we would
not be inclined to give his address to someone identifying themselves
as Beavis with a gmail address. Can you elaborate on who you are,
what's being DoSsed (a router, an http server, a mail server?), and
whether you can ACL the source (since you know the source is in
88.247.0.0/17, why not ACL the source at your router or at whatever
device is being DoSsed).


  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org





Re: DDoS Attack in Progress.

2008-10-11 Thread Beavis
Sorry for the anonymity part, Steve. This is the only email I've got
that is added to the NANOG list.


John Lopez
NOC Manager
Constructora Pura Vida
(506)243-018-35 Ext. 2901





On Sat, Oct 11, 2008 at 2:05 AM, Steve Linford [EMAIL PROTECTED] wrote:
 On 10 Oct 2008, at 20:46, Beavis wrote:

 Hi All,

  DoS attack in progress, any upstream info for these guys? Their
 phone number doesn't respond.

 inetnum: 88.247.0.0 - 88.247.79.255
 netname: TurkTelekom
 descr:   TT ADSL-alcatel static_ulus
 country: tr

 The Spamhaus folk on this list have the address of TurkTelekom's chief
 security/abuse guy who would take care of this, but we would not be inclined
 to give his address to someone identifying themselves as Beavis with a
 gmail address. Can you elaborate on who you are, what's being DoSsed (a
 router, an http server, a mail server?), and whether you can ACL the source
 (since you know the source is in 88.247.0.0/17, why not ACL the source at
 your router or at whatever device is being DoSsed).

  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org







Re: DDoS Attack in Progress.

2008-10-11 Thread Steve Church
Beavis aka John Lopez:
I, for one, am glad you're interested in stopping the abuse at its source.
Thank you.

Steve Linford:
 why not ACL the source at your router or at whatever device is being
(packeted).
Mr. Lopez is contributing to the welfare of the net as a whole by addressing
the cause, rather than applying a bandage locally to lessen the symptom.  I
sincerely hope your dismissive advice is not characteristic of Spamhaus
policy regarding abused hosts, considering the mission statement at the top
of your homepage.

Steve Church


On Sat, Oct 11, 2008 at 4:05 AM, Steve Linford [EMAIL PROTECTED] wrote:

 On 10 Oct 2008, at 20:46, Beavis wrote:

  Hi All,

  DoS attack in progress, any upstream info for these guys? Their
 phone number doesn't respond.

 inetnum: 88.247.0.0 - 88.247.79.255
 netname: TurkTelekom
 descr:   TT ADSL-alcatel static_ulus
 country: tr


 The Spamhaus folk on this list have the address of TurkTelekom's chief
 security/abuse guy who would take care of this, but we would not be inclined
 to give his address to someone identifying themselves as Beavis with a
 gmail address. Can you elaborate on who you are, what's being DoSsed (a
 router, an http server, a mail server?), and whether you can ACL the source
 (since you know the source is in 88.247.0.0/17, why not ACL the source at
 your router or at whatever device is being DoSsed).

  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org






Re: DDoS Attack in Progress.

2008-10-11 Thread Steve Linford

On 11 Oct 2008, at 16:22, Steve Church wrote:


Beavis aka John Lopez:
I, for one, am glad you're interested in stopping the abuse at its source.
Thank you.

Steve Linford:
why not ACL the source at your router or at whatever device is being
(packeted).
Mr. Lopez is contributing to the welfare of the net as a whole by addressing
the cause, rather than applying a bandage locally to lessen the symptom.  I
sincerely hope your dismissive advice is not characteristic of Spamhaus
policy regarding abused hosts, considering the mission statement at the top
of your homepage.

Steve Church


OK, you don't know much about Spamhaus. Dealing with network abuse
issues is what we do 24/7. John Lopez contacted me privately and I've
given him the address of TurkTelekom's security guy, but the reality
of things is that today is a Saturday and tomorrow is a Sunday;
unless TurkTelekom's guy is working weekends (unlikely), ACL'ing the
source is not just an advisable option but is probably, until Monday,
the only option.


  Steve Linford
  The Spamhaus Project
  http://www.spamhaus.org







Re: DDoS Attack in Progress.

2008-10-11 Thread Andrew D Kirch
Steve Church wrote:
 Beavis aka John Lopez:
 I, for one, am glad you're interested in stopping the abuse at its source.
 Thank you.

 Steve Linford:
 why not ACL the source at your router or at whatever device is being
 (packeted).
 Mr. Lopez is contributing to the welfare of the net as a whole by addressing
 the cause, rather than applying a bandage locally to lessen the symptom.  I
 sincerely hope your dismissive advice is not characteristic of Spamhaus
 policy regarding abused hosts, considering the mission statement at the top
 of your homepage.

 Steve Church
Come on, even I think Steve Linford's bonafides are strong enough that
this was uncalled for.

Andrew



Re: DDoS Attack in Progress.

2008-10-11 Thread Suresh Ramasubramanian
On Sat, Oct 11, 2008 at 7:52 PM, Steve Church [EMAIL PROTECTED] wrote:

 Mr. Lopez is contributing to the welfare of the net as a whole by addressing
 the cause, rather than applying a bandage locally to lessen the symptom.  I
 sincerely hope your dismissive advice is not characteristic of Spamhaus
 policy regarding abused hosts, considering the mission statement at the top
 of your homepage.

Let's put it this way.  Contacts given in confidence aren't meant to be
shared randomly.  Or to people who don't identify themselves and post
using freemail addresses.  Linford seems to have shared this contact
offlist with the guy, after he identified himself, so case closed.

srs

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])



Re: DDoS Attack in Progress.

2008-10-10 Thread Paul Ferguson

Not surprising -- TurkTelekom has long been known to be a hotbed of
malicious activity, a known hoster for Russian/Ukrainian cyber criminals,
and perhaps one of the most botnetted ISPs on the planet:

http://itw.trendmicro-europe.com/index.php?id=64

-- ferg


On Fri, Oct 10, 2008 at 11:46 AM, Beavis [EMAIL PROTECTED] wrote:

 Hi All,

  DoS attack in progress, any upstream info for these guys? Their
 phone number doesn't respond.

  This is the RIPE Whois query server #1.
 % The objects are in RPSL format.
 %
 % Rights restricted by copyright.
 % See http://www.ripe.net/db/copyright.html

 % Note: This output has been filtered.
 %   To receive output for a database update, use the -B flag.

 % Information related to '88.247.0.0 - 88.247.79.255'

 inetnum: 88.247.0.0 - 88.247.79.255
 netname: TurkTelekom
 descr:   TT ADSL-alcatel static_ulus
 country: tr
 admin-c: TTBA1-RIPE
 tech-c:  TTBA1-RIPE
 status:  ASSIGNED PA status: definitions
 mnt-by:  as9121-mnt
 source:  RIPE # Filtered

 role:TT Administrative Contact Role
 address: Turk Telekom
 address: Bilisim Aglari Dairesi
 address: Aydinlikevler
 address: 06103 ANKARA
 phone:   +90 312 313 1950
 fax-no:  +90 312 313 1949
 e-mail:  [EMAIL PROTECTED]
 admin-c: BADB3-RIPE
 tech-c:  ZA66-RIPE
 tech-c:  NO638-RIPE
 tech-c:  SO351-RIPE
 nic-hdl: TTBA1-RIPE
 mnt-by:  AS9121-MNT
 source:  RIPE # Filtered

 % Information related to '88.247.0.0/17AS9121'

 route:   88.247.0.0/17
 descr:   TurkTelecom
 origin:  AS9121
 mnt-by:  AS9121-MNT
 source:  RIPE # Filtered






-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: DDoS Attack in Progress.

2008-10-10 Thread Mehmet Akcin
Try,

NOC ITMC/NOC +902125209898  [EMAIL PROTECTED]

Mehmet







