Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 4 Dec 2015, at 9:34, alvin nanog wrote: all that tcpdump gibberish Is entirely unnecessary, as well as being completely impractical on a network of any size. Reasonable network access policies for the entities under attack plus flow telemetry collection/analysis, S/RTBH, and/or

Google Chrome 47.0.2526.73M broken NTLM proxy authentication

2015-12-03 Thread Seth Mos
Dear Google, As of Dec 2nd the Google Chrome 47.0.2526.73M breaks NTLM proxy authentication. This is unfortunate as nobody can get off the company network now, which is secure I suppose, but not quite what I had in mind.

Re: Staring Down the Armada Collective

2015-12-03 Thread Roland Dobbins
On 4 Dec 2015, at 9:28, Lyndon Nerenberg wrote: Are we perhaps, finally, reaching the cusp where everyone has realized that if we all, collectively, tell the rodents to f*** off, they just might? By my very rough and subjective guesstimate, extortion is the motivation behind ~15% of all

Re: Staring Down the Armada Collective

2015-12-03 Thread Lyndon Nerenberg
On Dec 3, 2015, at 6:28 PM, Lyndon Nerenberg wrote: > Are we perhaps, finally, reaching the cusp where everyone has realized that > if we all, collectively, tell the rodents to f*** off, they just might? I should also mention that, despite their bluster, they can't keep it

Re: Staring Down the Armada Collective

2015-12-03 Thread Lyndon Nerenberg
On Dec 3, 2015, at 9:14 PM, Lyndon Nerenberg wrote: > I should also mention that, despite their bluster, they can't keep it up for > more than half an hour. The mailing list has been quiet. All step forward who are scared to say "me too" on account of Armada. --lyndon

Ransom DDoS attack - need help!

2015-12-03 Thread halp us
All, I've been a NANOG member for many years but I'm emailing from an anonymous account to reduce the chance of the attackers finding me. A company that shall remain anonymous has received a ransom DDoS note from a very well known group that has been in the news lately. Recently they've

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Josh Reynolds
Sounds like lizardSquad may be at it again On Dec 3, 2015 8:53 AM, "halp us" wrote: > All, > > I've been a NANOG member for many years but I'm emailing from an anonymous > account to reduce the chance of the attackers finding me. > > A company that shall remain

Re: Ransom DDoS attack - need help!

2015-12-03 Thread John Kristoff
On Thu, 3 Dec 2015 03:15:04 -0500 halp us wrote: > I would really appreciate help in a few areas (primarily with certain > provider contacts/intros) so we can execute our strategy (which I > can't reveal here for obvious reasons). If you email me off-list with > a

Re: Ransom DDoS attack - need help!

2015-12-03 Thread William Herrin
On Thu, Dec 3, 2015 at 3:15 AM, halp us wrote: > A company that shall remain anonymous has received a ransom DDoS note from > a very well known group that has been in the news lately. Recently they've > threatened to carry out a major DDoS attack if they are not paid

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Daniel Corbe
> On Dec 3, 2015, at 10:26 AM, Nick Hilliard wrote: > > On 03/12/2015 08:15, halp us wrote: >> a very well known group that has been in the news lately. Recently they've >> threatened to carry out a major DDoS attack if they are not paid by a >> deadline which is approaching.

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Nick Hilliard
On 03/12/2015 08:15, halp us wrote: > a very well known group that has been in the news lately. Recently they've > threatened to carry out a major DDoS attack if they are not paid by a > deadline which is approaching. They've performed an attack of a smaller > magnitude to prove that they're

RE: Ransom DDoS attack - need help!

2015-12-03 Thread Darden, Patrick
Talk to your upstream provider. They may already have mitigation in place (e.g. Arbor devices). If not, then if you know much about this anticipated attack (and you seem to have some details) they can certainly implement ACLs and other moderating tools. Regardless, contact the FBI or

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Josh Reynolds
None of those names you just mentioned have made the international news. On Dec 3, 2015 8:59 AM, "Chris Baker" wrote: > Can you provide some additional details? Is it someone claiming > association with a known group like DD4BC or the Armada Collective or > unbranded? > > Cheers,

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 3 Dec 2015, at 22:26, Nick Hilliard wrote: > If you believe that someone who issues a ransom threat will stop if you pay > them off, you're smoking crack. +1 These attacks aren't rocket-science to defend against. OP, ping me 1:1. --- Roland Dobbins

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 3 Dec 2015, at 15:15, halp us wrote: Based on certain details that I can't reveal here, we believe the magnitude of the upcoming attack may be in the several hundred Gbps. They lie. The largest attacks we've seen from these threat actors are in the ~60gb/sec range - which is nothing to

TWC RR contact off list ?

2015-12-03 Thread Brandon Applegate
Could someone from TWC RR contact me off-list ? I have an IPv6 / DNS question / request. I’m in Cincinnati, OH and this is residential if that matters. Otherwise - if anyone non-TWC on list can point me to a person/address etc that will let me leap frog frontline support that would be great.

Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Jared Geiger
Wouldn't this be a Net Neutrality issue now or would it fall on HE for not willing to buy transit to Cogent IPv6? On Wed, Dec 2, 2015 at 5:38 PM, Ryan Rawdon wrote: > > > On Dec 1, 2015, at 1:23 PM, Max Tulyev wrote: > > > > Hi All, > > > > we got an issue

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 3 Dec 2015, at 22:04, Josh Reynolds wrote: > None of those names you just mentioned have made the international news. Of course they have. --- Roland Dobbins

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Chris Baker
Can you provide some additional details? Is it someone claiming association with a known group like DD4BC or the Armada Collective or unbranded? Cheers, CBaker On Thu, Dec 3, 2015 at 9:54 AM, Josh Reynolds wrote: > Sounds like lizardSquad may be at it again > On Dec 3,

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Chris Baker
OSINT has a plethora of detail available: http://www.reuters.com/article/2015/11/30/greece-banks-idUSL8N13P5B420151130 http://www.ibtimes.co.uk/armada-collective-who-are-hackers-extorting-bitcoin-ransoms-what-can-we-do-1528253

RE: SevOne Monitoring

2015-12-03 Thread Tony McKay
All, I've been using SevOne for 3 years, and I can confirm some of your suspicions around element licensing, in that you will consume more element counts than you allowed in your budget. It does provide a very granular way of omitting objects from discovery through regex. It is not a

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Dovid Bender
The last I spoke with NTT they said the largest they ever saw was > 300GB and most of the time they don't follow through. They threaten 100 networks and hope that x% will pay them off 'just in case' On Thu, Dec 3, 2015 at 10:20 AM, Roland Dobbins wrote: > On 3 Dec 2015, at

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Lyndon Nerenberg
Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should be able to mitigate some to much of the damage caused by filled pipes by blocking incoming UDP traffic at your ISP level. This is the Armada Collective, based on the description. We just went through a round with

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Roland Dobbins
On 4 Dec 2015, at 2:38, Dovid Bender wrote: > The last I spoke with NTT they said the largest they ever saw was > 300GB That wasn't DD4BC or Armada Collective. --- Roland Dobbins

Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread William Herrin
On Thu, Dec 3, 2015 at 1:40 PM, Jared Geiger wrote: > Wouldn't this be a Net Neutrality issue now or would it fall on HE for not > willing to buy transit to Cogent IPv6? Wouldn't it fall on Cogent for being unwilling to buy transit from HE? HE is the IPv6 leader in the game.

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Robban
Hi! This is my first mail to the list. Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should be able to mitigate some to much of the damage caused by filled pipes by blocking incoming UDP traffic at your ISP level. //Robban > * On Thu, Dec 03, 2015 at 03:15:04AM

Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Jeff Walter
As funny as that would be, it would never happen. Cogent thinks they're the biggest. HE is the biggest (last I checked). HE wants to peer. Cogent wants HE to pay for transit. Cake reference. Still partitioned. How do you get them connected? I hate to say it, but it would take a major shift within

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Clay Curtis
F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos protection. Don't pay up, use ddos protection. Clay On Thu, Dec 3, 2015 at 3:11 PM, Roland Dobbins wrote: > On 4 Dec 2015, at 2:38, Dovid Bender wrote: > > > The last I spoke with NTT they said the

Re: Multi-core clamp on ammeter

2015-12-03 Thread Owen DeLong
The results I was able to find are not promising. The best I could come up with is to make use of this and some cobbling: https://moderndevice.com/new-products/current-sensor/ I have had good luck with other items from Modern Device, but

Re: Ransom DDoS attack - need help!

2015-12-03 Thread A . L . M . Buxey
Hi, > F5 Silverline, Arbor Networks, Incapsula, to name a few can do ddos > protection. Don't pay up, use ddos protection. you know how many ponder whether AV companies write some of the viruses ;-) alan

Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Baldur Norddahl
On 1 December 2015 at 20:23, Max Tulyev wrote: > Hi All, > > we got an issue today that announces from Cogent don't reach Hurricane > Electric. HE support said that's a feature, not a bug. > > So we have splitted Internet again? > > I have to change at least one of my

Re: TWC RR contact off list ?

2015-12-03 Thread Alan Clegg
On 12/3/15 10:34 AM, Brandon Applegate wrote: > Could someone from TWC RR contact me off-list ? I have an IPv6 / DNS > question / request. I’m in Cincinnati, OH and this is residential if > that matters. Is the IPv6 problem related to the 7% packet loss that I've been told can be fixed by

Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Matthew Petach
Or, if you feel that Cogent's stubborn insistence on partitioning the global v6 internet shouldn't be rewarded with money, pay someone *other* than cogent for IPv6 transit and also connect to HE.net; that way you still have access to cogent routes, but you also send a subtle economic nudge that

Re: Ransom DDoS attack - need help!

2015-12-03 Thread alvin nanog
hi "need help" On 12/03/15 at 03:15am, halp us wrote: > A company that shall remain anonymous has received a ransom DDoS note from > a very well known group that has been in the news lately. use an email reader that allows you to see all the received email headers to see which SMTP routers

Re: Ransom DDoS attack - need help!

2015-12-03 Thread dennis
Many online businesses have learned how to deal with these threats. Just recently Protonmail hit the news and found out the hard way whether to pay or NOT. Have a quick read at the log of events for yourself.

Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Matt Palmer
On Thu, Dec 03, 2015 at 04:58:08PM -0800, Matthew Petach wrote: > Or, if you feel that Cogent's stubborn insistence on partitioning the > global v6 internet shouldn't be rewarded with money, pay someone *other* > than cogent for IPv6 transit and also connect to HE.net; that way you > still have

Re: Ransom DDoS attack - need help!

2015-12-03 Thread Lyndon Nerenberg
On Dec 3, 2015, at 5:00 PM, alvin nanog wrote: > run tcpdump and/or ethereal to capture the DDoS attacks Of course! If we had only thought of this sooner! :-) --lyndon

Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Jared Mauch
> On Dec 2, 2015, at 8:38 PM, Ryan Rawdon wrote: > > >> On Dec 1, 2015, at 1:23 PM, Max Tulyev wrote: >> >> Hi All, >> >> we got an issue today that announces from Cogent don't reach Hurricane >> Electric. HE support said that's a feature, not a bug. >>

Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Jared Mauch
> On Dec 3, 2015, at 7:58 PM, Matthew Petach wrote: > > Or, if you feel that Cogent's stubborn insistence on > partitioning the global v6 internet shouldn't be rewarded > with money, pay someone *other* than cogent for > IPv6 transit and also connect to HE.net; that way >

Staring Down the Armada Collective

2015-12-03 Thread Lyndon Nerenberg
Typically, businesses hide from admitting they've been hit by drive-by attacks like Armada is trying to pull off. It has been interesting to see the public reaction from the post-Protonmail targets, many of whom are being very visible about 1) admitting they have been hit by the attacks, and 2)

Re: Ransom DDoS attack - need help!

2015-12-03 Thread alvin nanog
hi lyndon On 12/03/15 at 05:54pm, Lyndon Nerenberg wrote: > On Dec 3, 2015, at 5:00 PM, alvin nanog > wrote: > > run tcpdump and/or ethereal to capture the DDoS attacks > > Of course! If we had only thought of this sooner! > :-) yupperz.. the problem is,

Re: IPv6 Cogent vs Hurricane Electric

2015-12-03 Thread Matthew Petach
On Thu, Dec 3, 2015 at 6:02 PM, Jared Mauch wrote: > > Looking at the most recent IPv6 data available at CAIDA you can see the > customer cone size: > > http://as-rank.caida.org/?data-selected-id=15 > > Be careful as the tool seems fragile when switching from the