Re: Dyn DDoS this AM?

2016-10-25 Thread Mike Hammett
..@qrator.net> To: "Ronald F. Guilmette" <r...@tristatelogic.com> Cc: "NANOG list" <nanog@nanog.org> Sent: Tuesday, October 25, 2016 3:29:56 AM Subject: Re: Dyn DDoS this AM? Yeah, it sucked to be a Dyn customer that day. However, if you had a backup d

Re: Dyn DDoS this AM?

2016-10-25 Thread Alexander Lyamin
Yeah, it sucked to be a Dyn customer that day. However, if you had a backup dns provider, it wasn't that bad. You do realize that collateral effect scale is a property of a target and not attack? My point was that implementing MANRS, while isn't covering all of the spectrum of the attacks that

Re: Dyn DDoS this AM?

2016-10-24 Thread Ronald F. Guilmette
In message

Re: Dyn DDoS this AM?

2016-10-24 Thread Suzanne Woolf
> On Oct 24, 2016, at 12:06 PM, Eitan Adler wrote: > > On 24 October 2016 at 01:25, LHC wrote: >> All this TTL talk makes me think. >> >> Why not have two ttls - a 'must-recheck' (does not expire the record but >> forces a recheck; updates

Re: Dyn DDoS this AM?

2016-10-24 Thread Wayne Bouchard
See, that's the thing... The key to victory here is to defeat the robots. Take away the anonymity of proxies and trojan amplifiers and enforcement gets a lot easier. Sadly, this war doesn't seem likely to be won anytime soon. Especially since there are State entities using (and even deploying) a

Re: Dyn DDoS this AM?

2016-10-24 Thread Jared Mauch
On Fri, Oct 21, 2016 at 12:30:44PM -0400, Alain Hebert wrote: > Rofl, > > Yeah good luck with that... 15+ years later and most of the actors > that could fix that, for the planet, still refuse to do anything. > > Now you can start the usual circular discussion that goes nowhere >

Re: Dyn DDoS this AM?

2016-10-24 Thread Jared Mauch
On Mon, Oct 24, 2016 at 02:38:58PM -0400, Alain Hebert wrote: > And it's not the last time the big Tier(s) will refuse to do anything > besides dropping the fault to the CPE vendors. I can say that we had to drop uRPF for technical reasons, namely not enough people ask their vendors

Re: Dyn DDoS this AM?

2016-10-24 Thread Alain Hebert
And it's not the last time the big Tier(s) will refuse to do anything besides dropping the fault to the CPE vendors. People love circles. - Alain Hebert aheb...@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec

Re: Dyn DDoS this AM?

2016-10-24 Thread Alexander Lyamin
It's not the first time we have had a large scale DDoS incident. It's not the first time we have (a kind of) knee-jerk reaction. I think it's the right time to direct community attention to this document https://www.routingmanifesto.org/manrs/ It's work in progress. But it's a good start. On Fri, Oct

Re: Dyn DDoS this AM?

2016-10-24 Thread Eitan Adler
On 24 October 2016 at 01:25, LHC wrote: > All this TTL talk makes me think. > > Why not have two ttls - a 'must-recheck' (does not expire the record but > forces a recheck; updates record if server replies & serial has incremented) > and a 'must-delete' (cache

Re: Dyn DDoS this AM?

2016-10-24 Thread LHC
All this TTL talk makes me think. Why not have two ttls - a 'must-recheck' (does not expire the record but forces a recheck; updates record if server replies & serial has incremented) and a 'must-delete' (cache will be stale at this point)? On October 23, 2016 3:42:58 PM PDT, Mark Andrews

Re: Dyn DDoS this AM?

2016-10-23 Thread Mark Andrews
In message

Re: Dyn DDoS this AM?

2016-10-22 Thread Rob Szarka
On 10/21/2016 7:34 PM, Keenan Tims wrote: I don't have a horse in this race, and haven't used it in anger, but Netflix released denominator to attempt to deal with some of these issues: https://github.com/Netflix/denominator Their goal is to support the highest common denominator of features

Re: Dyn DDoS this AM?

2016-10-22 Thread Masood Ahmad Shah
> > > On Oct 21, 2016, at 6:35 PM, Eitan Adler wrote: > > > > [...] > > > > In practice TTLs tend to be ignored on the public internet. In past > > research I've been involved with browser[0] behavior was effectively > > random despite the TTL set. > > > > [0] more

Re: Dyn DDoS this AM?

2016-10-22 Thread Daniel Ankers
On 22 October 2016 at 16:40, marcel.duregards--- via NANOG wrote: > What about BCP38+84 on 30 tier-1 instead of asking/hoping 55k others > autonomous-system having good filters in place ? The originating ISPs are in a far better position to check that traffic isn't from

Re: Dyn DDoS this AM?

2016-10-22 Thread marcel.duregards--- via NANOG
Patrick, We are clients of 3 tier-1s. On our netflow collector, we can observe that RFC1918-sourced IP traffic is entering our AS via 2 of those tier-1s. Yes, 2 big tier-1s allow private IP traffic coming from their networks, clients, peerings to reach other customers, via Internet link, on public

Re: Dyn DDoS this AM?

2016-10-22 Thread Ken Chase
(Inband signalling - bad except for BGP?) General comment: why are we blaming the client devices for the lack of security? This is like Microsoft vilifying linux in the late 90s because "there's no restrictions on use or packet crafting on the client side" - of course there isn't, in Windows

Re: Dyn DDoS this AM?

2016-10-22 Thread Florian Weimer
* Randy Bush: > anyone who relies on a single dns provider is just asking for stuff such > as this. Blaming the victim isn't helpful. And without end-user-visible changes, most of the victims would still depend on Verisign as a single provider for a critical part of their DNS service.

Re: Dyn DDoS this AM?

2016-10-22 Thread Mikael Abrahamsson
On Sat, 22 Oct 2016, Alexander Maassen wrote: Remember ping packets containing +++ATH0 ? That only worked because of patents: https://en.wikipedia.org/wiki/Time_Independent_Escape_Sequence Inband signaling is bad, mmmkay? -- Mikael Abrahamsson email: swm...@swm.pp.se

Re: Dyn DDoS this AM?

2016-10-22 Thread Alexander Maassen
0) To: nanog@nanog.org Subject: Re: Dyn DDoS this AM? Just a FYI, That "horrific trend" has been happening since some techie got dissed on an IRC channel over 20 years ago. He used a bunch of hosted putters to ICMP flood the IRC server. Whatever the community

Re: Dyn DDoS this AM?

2016-10-22 Thread George William Herbert
Oh god, you invoked @popehat ... [dyndds and its customers sue XiongMai, the OEM integrators, and Does 1-10,000,000 who own the devices for negligence?...] Sent from my iPhone > On Oct 21, 2016, at 8:29 PM, Chris Woodfield wrote: > > As a Twitter network engineer (and

Re: Dyn DDoS this AM? - dns

2016-10-22 Thread alvin nanog
On 10/21/16 at 03:21pm, David Birdsong wrote: > On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush wrote: > > anyone who relies on a single dns provider is just asking for stuff such > > as this. :-) > I'd love to hear how others are handling the overhead of managing two dns >

Re: Dyn DDoS this AM?

2016-10-21 Thread Chris Woodfield
As a Twitter network engineer (and the guy Patrick let camp out in your hotel room all day) - thank you for this. Whoever was behind this just poked a hornet’s nest. “Govern yourselves accordingly”. -C (Obviously speaking for myself, not my employer…) > On Oct 21, 2016, at 10:48 AM,

Re: Dyn DDoS this AM?

2016-10-21 Thread Yang Yu
On Fri, Oct 21, 2016 at 11:45 AM, Patrick W. Gilmore wrote: > My guess is you should track anything to as33517. And AS15135?

Re: Dyn DDoS this AM?

2016-10-21 Thread George William Herbert
> On Oct 21, 2016, at 6:35 PM, Eitan Adler wrote: > > [...] > > In practice TTLs tend to be ignored on the public internet. In past > research I've been involved with browser[0] behavior was effectively > random despite the TTL set. > > [0] more specifically, the

Re: Dyn DDoS this AM?

2016-10-21 Thread Eitan Adler
On 21 October 2016 at 18:12, Jean-Francois Mezei wrote: > On 2016-10-21 18:45, david raistrick wrote: > >> switch too..). setting TTLs that make sense for a design that supports >> change is also easy. > > Cuts both ways. Had Twitter had TTLs of say 7 days, vast

Re: Dyn DDoS this AM?

2016-10-21 Thread Jean-Francois Mezei
On 2016-10-21 18:45, david raistrick wrote: > switch too..). setting TTLs that make sense for a design that supports > change is also easy. Cuts both ways. Had Twitter had TTLs of say 7 days, vast majority wouldn't notice an outage of a few hours because their local cache was still valid. It

Re: Dyn DDoS this AM?

2016-10-21 Thread Brett Frankenberger
On Fri, Oct 21, 2016 at 05:11:34PM -0700, Crist Clark wrote: > > Given the scale of these attacks, whether having two providers does any > good may be a crap shoot. > > That is, what if the target happens to share the same providers you do? > Given the whole asymmetry of resources that make this

Re: Dyn DDoS this AM?

2016-10-21 Thread Crist Clark
likely won't save you if you are the actual target of the attack. On Fri, Oct 21, 2016 at 4:45 PM, Måns Nilsson <mansa...@besserwisser.org> wrote: > Subject: Re: Dyn DDoS this AM? Date: Sat, Oct 22, 2016 at 01:37:09AM +0200 > Quoting Niels Bakker (ni...@bakker.net): > > * mansa..

Re: Dyn DDoS this AM?

2016-10-21 Thread Josh Reynolds
Ah, disregard. I see what you're saying now. Yes, I can see how that would be problematic. On Oct 21, 2016 6:40 PM, "Josh Reynolds" wrote: > Ansible would be a decent start. > > On Oct 21, 2016 5:26 PM, "David Birdsong" wrote: > >> On Fri, Oct 21, 2016

Re: Dyn DDoS this AM?

2016-10-21 Thread Måns Nilsson
Subject: Re: Dyn DDoS this AM? Date: Sat, Oct 22, 2016 at 01:37:09AM +0200 Quoting Niels Bakker (ni...@bakker.net): > * mansa...@besserwisser.org (Måns Nilsson) [Sat 22 Oct 2016, 01:27 CEST]: > >Also, do not fall in the "short TTL for service agility" trap. > > Severa

Re: Dyn DDoS this AM?

2016-10-21 Thread Josh Reynolds
Ansible would be a decent start. On Oct 21, 2016 5:26 PM, "David Birdsong" wrote: > On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush wrote: > > > anyone who relies on a single dns provider is just asking for stuff such > > as this. > > > > randy > > > > I'd love to

Re: Dyn DDoS this AM?

2016-10-21 Thread Keenan Tims
I don't have a horse in this race, and haven't used it in anger, but Netflix released denominator to attempt to deal with some of these issues: https://github.com/Netflix/denominator Their goal is to support the highest common denominator of features among the supported providers, Maybe

Re: Dyn DDoS this AM?

2016-10-21 Thread Måns Nilsson
Subject: Re: Dyn DDoS this AM? Date: Sat, Oct 22, 2016 at 01:19:24AM +0200 Quoting Niels Bakker (niels=na...@bakker.net): > The point of outsourcing DNS isn't just availability of static hostnames, > it's the added services delivered, like returning different answers based on &g

Re: Dyn DDoS this AM?

2016-10-21 Thread Måns Nilsson
Subject: Re: Dyn DDoS this AM? Date: Fri, Oct 21, 2016 at 03:21:20PM -0700 Quoting David Birdsong (da...@imgix.com): > On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush <ra...@psg.com> wrote: > > > anyone who relies on a single dns provider is just asking for stuff such > >

Re: Dyn DDoS this AM?

2016-10-21 Thread Niels Bakker
anyone who relies on a single dns provider is just asking for stuff such as this. I'd love to hear how others are handling the overhead of managing two dns providers. * ra...@psg.com (Randy Bush) [Sat 22 Oct 2016, 00:28 CEST]: good question. staying in-band, hidden primary comes to mind. but

Re: Dyn DDoS this AM?

2016-10-21 Thread joel jaeggli
On 10/21/16 3:21 PM, David Birdsong wrote: > On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush wrote: > >> anyone who relies on a single dns provider is just asking for stuff such >> as this. >> >> randy >> > I'd love to hear how others are handling the overhead of managing two dns >

Re: Dyn DDoS this AM?

2016-10-21 Thread david raistrick
On Fri, Oct 21, 2016 at 6:21 PM, David Birdsong wrote: > > I'd love to hear how others are handling the overhead of managing two dns > providers. Every time we brainstorm on it, we see it as blackhole of eng > effort WRT to keeping them in sync and and then waiting for TTLs to

Re: Dyn DDoS this AM?

2016-10-21 Thread Nick Hilliard
Patrick W. Gilmore wrote: > Our biggest problem is people thinking they cannot or do not want to > help. Our biggest problem is that if the Internet community does not handle problems like this, governments and regulators may decide to intervene. If they do this in the wrong way, it will turn

Re: Dyn DDoS this AM?

2016-10-21 Thread Randy Bush
>> anyone who relies on a single dns provider is just asking for stuff such >> as this. > I'd love to hear how others are handling the overhead of managing two dns > providers. good question. staying in-band, hidden primary comes to mind. but i am sure clever minds can come up with more clever

Re: Dyn DDoS this AM?

2016-10-21 Thread David Birdsong
On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush wrote: > anyone who relies on a single dns provider is just asking for stuff such > as this. > > randy > I'd love to hear how others are handling the overhead of managing two dns providers. Every time we brainstorm on it, we see it as

Re: Dyn DDoS this AM?

2016-10-21 Thread Randy Bush
> amen. >> anyone who relies on a single dns provider is just asking for stuff >> such as this. part of the problem is that we think of it as attack surface when, in fact, it usually has more than two dimensions. randy

Re: Dyn DDoS this AM?

2016-10-21 Thread Mehmet Akcin
amen. On Fri, Oct 21, 2016 at 2:58 PM, Randy Bush wrote: > anyone who relies on a single dns provider is just asking for stuff such > as this. > > randy >

Re: Dyn DDoS this AM?

2016-10-21 Thread Andrew Fried
The brutal reality in today's world is that anyone that relies on the Internet is just asking for stuff like this. No service is safe. Andrew Andrew Fried andrew.fr...@gmail.com On 10/21/16 5:58 PM, Randy Bush wrote: > anyone who relies on a single dns provider is just asking for stuff such >

Re: Dyn DDoS this AM?

2016-10-21 Thread Randy Bush
anyone who relies on a single dns provider is just asking for stuff such as this. randy

Re: Dyn DDoS this AM?

2016-10-21 Thread Alain Hebert
Just a FYI, That "horrific trend" has been happening since some techie got dissed on an IRC channel over 20 years ago. He used a bunch of hosted putters to ICMP flood the IRC server. Whatever the community is behind, until the carriers decide to wise up this will keep happening,

Re: Dyn DDoS this AM?

2016-10-21 Thread Brian Davies via NANOG
+1! Well said, Patrick. B On Friday, October 21, 2016, Patrick W. Gilmore wrote: > I cannot give additional info other than what’s been on “public media”. > > However, I would very much like to say that this is a horrific trend on > the Internet. The idea that someone can

Re: Dyn DDoS this AM?

2016-10-21 Thread Steve Meuse
On Fri, Oct 21, 2016 at 12:09 PM, Roland Dobbins wrote: > On 21 Oct 2016, at 23:01, Mike Hammett wrote: > > > Are there sites that can test your BCP38\84 compliance? > > Quick note: If anyone has this installed already on OSX, bring

Re: Dyn DDoS this AM?

2016-10-21 Thread Patrick W. Gilmore
On Oct 21, 2016, at 12:40 PM, David Hubbard wrote: > > Do we know the attack destinations so we can watch transit traffic destined > for it to help sources that may be unaware? My guess is you should track anything to as33517. -- TTFN, patrick

Re: Dyn DDoS this AM?

2016-10-21 Thread David Hubbard
Do we know the attack destinations so we can watch transit traffic destined for it to help sources that may be unaware? David

RE: Dyn DDoS this AM?

2016-10-21 Thread Brandon Ross
On Fri, 21 Oct 2016, rar wrote: Anyone want a quick consulting gig helping us configure BCP38 and BCP84? Configuration is all Cisco. Edge routers connect to Verizon, Level 3 Fiber. Each Edge router talks to two BGP routers. $150/hour, I'm guessing it is only an hour for somebody to explain,

Re: Dyn DDoS this AM?

2016-10-21 Thread Alain Hebert
Rofl, Yeah good luck with that... 15+ years later and most of the actors that could fix that, for the planet, still refuse to do anything. Now you can start the usual circular discussion that goes nowhere after 3 days... PS: yeah usual BCP38 rant... but it's Friday. -

Re: Dyn DDoS this AM?

2016-10-21 Thread Seth Mattinen
On 10/21/16 09:05, Matthew Black wrote: LA Times: Why sites like Twitter and Spotify were down for East Coast users this morning http://www.latimes.com/business/la-fi-tn-dyn-attack-20161021-snap-story.html I actually can't resolve twitter.com this morning and I'm west coast. None of the

Re: Dyn DDoS this AM?

2016-10-21 Thread Patrick W. Gilmore
tr...@ianai.net> > To: "NANOG list" <nanog@nanog.org> > Sent: Friday, October 21, 2016 10:48:21 AM > Subject: Re: Dyn DDoS this AM? > > I cannot give additional info other than what’s been on “public media”. > > However, I would very much like to say th

Re: Dyn DDoS this AM?

2016-10-21 Thread Patrick W. Gilmore
Attack has re-started. This is the time, folks. Rally the troops, offer help, watch your flow. STOP THIS NOW. -- TTFN, patrick > On Oct 21, 2016, at 11:48 AM, Patrick W. Gilmore wrote: > > I cannot give additional info other than what’s been on “public media”. > >

Re: Dyn DDoS this AM?

2016-10-21 Thread Roland Dobbins
On 21 Oct 2016, at 23:01, Mike Hammett wrote: > Are there sites that can test your BCP38\84 compliance? --- Roland Dobbins

Re: Dyn DDoS this AM?

2016-10-21 Thread Alexander Maassen
Engineer Original message From: "Patrick W. Gilmore" <patr...@ianai.net> Date: 21-10-16 17:48 (GMT+01:00) To: NANOG list <nanog@nanog.org> Subject: Re: Dyn DDoS this AM? I cannot give additional info other than what’s been on “public media”. Howe

RE: Dyn DDoS this AM?

2016-10-21 Thread Matthew Black
, 2016 7:56 AM To: nanog@nanog.org Subject: Dyn DDoS this AM? Does anyone have any additional details? Seems to be over now, but I'm very curious about the specifics of such a highly impactful attack (and its timing following NANOG 68)... https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts

RE: Dyn DDoS this AM?

2016-10-21 Thread rar
org> Subject: Re: Dyn DDoS this AM? I cannot give additional info other than what’s been on “public media”. However, I would very much like to say that this is a horrific trend on the Internet. The idea that someone can mention a DDoS then get DDoS’ed Can Not Stand. See Krebs’ on the Democrati

Re: Dyn DDoS this AM?

2016-10-21 Thread Mike Hammett
ick W. Gilmore" <patr...@ianai.net> To: "NANOG list" <nanog@nanog.org> Sent: Friday, October 21, 2016 10:48:21 AM Subject: Re: Dyn DDoS this AM? I cannot give additional info other than what’s been on “public media”. However, I would very much like to say that this is a

Re: Dyn DDoS this AM?

2016-10-21 Thread Patrick W. Gilmore
I cannot give additional info other than what’s been on “public media”. However, I would very much like to say that this is a horrific trend on the Internet. The idea that someone can mention a DDoS then get DDoS’ed Can Not Stand. See Krebs’ on the Democratization of Censorship. See lots of

Dyn DDoS this AM?

2016-10-21 Thread Chris Grundemann
Does anyone have any additional details? Seems to be over now, but I'm very curious about the specifics of such a highly impactful attack (and its timing following NANOG 68)... https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/ -- @ChrisGrundemann