Re: Retalitory DDoS

2021-02-08 Thread Mike Hammett
Mike, I've attached the full information we got from our DDOS protection system below. We had a large number of ping loss and data loss tickets begin opening up for devices sharing the cabinet chi18-313. The high traffic and interference was determined to be caused by incoming traffic to

Retalitory DDoS

2021-02-08 Thread Mike Hammett
Is there a club for people that have been DDoSed? If so, count me in. This one was directed at me (as opposed to one of my customers) because I got an e-mail explaining why I was getting DDoSed. Is that aspect common? There were also some racial and sexual accusations that were made that

RE: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
You got RTBH? From: Mike Hammett Sent: February 8, 2021 12:50 PM To: Jean St-Laurent Cc: NANOG list Subject: Re: Retalitory DDoS In my case, it was against a server not on my own network, so my impact was a blackhole for an hour at 4 AM local time. I likely wouldn't have even noticed

RE: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
I would not for 2.5 Gbps So if you were down for 1 hour with 2.5 Gbps and it’s probably not a black hole. There might be something else valuable in this report. Maybe 2.5 Gbps is not the damaging factor here unless your server has only 1 Gbps nic, then it could explain. But, I doubt.

RE: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
Nice report, If you would have to pick up just one vector out of this “multi-vector” attack, which one seems to be the one that had the bigger effect on your network or service? Was it degraded or total service interruption? Jean From: NANOG On Behalf Of Mike Hammett Sent:

Re: Retalitory DDoS

2021-02-08 Thread Mike Hammett
In my case, it was against a server not on my own network, so my impact was a blackhole for an hour at 4 AM local time. I likely wouldn't have even noticed it, had I not received the threat email, nor the ticket my web host's NOC opened. - Mike Hammett Intelligent Computing Solutions

Re: Retalitory DDoS

2021-02-08 Thread Mike Hammett
I don't have RTBH, no. It's just a web server. Now how my hosting provider handled it, I'm not sure. I don't know if they just dropped me internally, or if they used RTBH with their upstreams and peers. Only being 2.5 gigs, that should be well within their ability to handle internally, but I

Re: Retalitory DDoS

2021-02-08 Thread Mike Hammett
It would only be a 1G NIC. They did say it was impacting other users in that rack. No clue how hot or what they run to each rack. - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP - Original Message - From: "Jean St-Laurent"

Internet Routing Registry folks - Important - (Fwd: [arin-announce] Consultation Now Open on the Future of ARIN’s IRR)

2021-02-08 Thread John Curran
NANOGers - If you make use of ARIN’s unauthenticated IRR service or the NONAUTH data stream in your route filtering, please take note of the following ARIN consultation. Thanks! /John John Curran President and CEO American Registry for Internet Numbers Begin forwarded message: From: ARIN

Re: [EXTERNAL] Re: Retalitory DDoS

2021-02-08 Thread Compton, Rich A
FYI, that looks like a Web Services Dynamic Discovery UDP amplification DDoS attack. https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html Very easily executed by a booter service. You may want to have your hosting provider block all

Re: Internet Routing Registry folks - Important - (Fwd: [arin-announce] Consultation Now Open on the Future of ARIN’s IRR)

2021-02-08 Thread John Curran
Martijn - This does not affect entries in the ARIN’s Whois system so OriginAS fields are unaffected. The new IRR-online system was a clean slate when announced and all objects therein have been freshly created by the authorized party. Folks with routing information in the unauthenticated

Re: Retalitory DDoS

2021-02-08 Thread Töma Gavrichenkov
Peace, On Mon, Feb 8, 2021 at 2:48 PM Mike Hammett wrote: > I got an e-mail explaining why I was getting DDoSed. Is that aspect common? Not quite. But it happens sometimes. > Is it safe to assume that they completely anonymized the email they sent to > me? Likely, but not necessarily. Look

Re: Internet Routing Registry folks - Important - (Fwd: [arin-announce] Consultation Now Open on the Future of ARIN’s IRR)

2021-02-08 Thread Martijn Schmidt via NANOG
Hi John, What happens to the route objects (and for that matter the OriginAS field in the Whois-RWS system) that were created before the IRR-online service was launched? Are the route objects (and/or OriginAS fields from the Whois-RWS system) which were registered by ARIN members for their own

Re: Internet Routing Registry folks - Important - (Fwd: [arin-announce] Consultation Now Open on the Future of ARIN’s IRR)

2021-02-08 Thread Martijn Schmidt via NANOG
Hi John, Thanks for the answer. In that case I would recommend to continue providing the ARIN-NONAUTH data stream beyond the system shutdown state, while continuing to allow for stale objects to be deleted: manually, or automated based on Whois-RWS OriginAS data, or automated based on

Re: Retalitory DDoS

2021-02-08 Thread Bret Clark
Not an official club, but the unofficial club is full of members including myself unfortunately...little you can do except consider DDoS mitigation service if it continues. It is a criminal activity, so you can report the attack to the FBI...they can't do much to be honest, but at the very

Re: Problems with newish IP block assignment issues from ARIN

2021-02-08 Thread Eric Kuhnke
One common cause of this issue is entities out there that have very old 'bogons' filters in place for the larger block, as an entire /8, /12 to /16 size of space that, many years ago, was unallocated space. Without getting the end point organizations running the httpd, firewalls or whatever to fix

RE: [EXTERNAL] Re: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
Good analyze Hugo, I believe that all of this volumetric attack is just noise to hide the real attack that really killed your webserver. TCP Flag: SYN: 100% I would start with this line and I agree that Roland’s deck might have something about SYN flood. Jean From: Hugo

Re: [EXTERNAL] Re: Retalitory DDoS

2021-02-08 Thread Hugo Slabbert
Was gonna come to add that. That and maybe some UDP frags. You may want to have your hosting provider block all inbound traffic from > reaching your server IP except TCP port 443 (or 80 or whatever port you > actually use) somewhere upstream. Can also consider dropping by UDP source port on

Problems with newish IP block assignment issues from ARIN

2021-02-08 Thread Justin Wilson (Lists)
Folks, Have a gremlin we have been chasing around for several months now and it’s becoming a major issue as we are getting tighter on IPV4 and needing to give some provider assigned space back. In June we received a /22 from ARIN. As is my workflow I started announcing it but waited a month

Re: Problems with newish IP block assignment issues from ARIN

2021-02-08 Thread Justin Wilson (Lists)
I enabled 134.195.47.1 on one of our routers. Justin Wilson j...@mtin.net — https://j2sw.com - All things jsw (AS209109) https://blog.j2sw.com - Podcast and Blog > On Feb 8, 2021, at 3:46 PM, Job Snijders via NANOG wrote: > > Dear Justin, > > On Mon, Feb 08, 2021 at 03:14:47PM -0500, Justin

Re: Problems with newish IP block assignment issues from ARIN

2021-02-08 Thread Job Snijders via NANOG
On Mon, Feb 08, 2021 at 04:02:14PM -0500, Justin Wilson (Lists) wrote: > I enabled 134.195.47.1 on one of our routers. Cool! I noticed the following: from many NLNOG RING nodes I can reach that IP address, but not from 195.66.134.42: deepmedia01.ring.nlnog.net:~$ mtr -z -w -r 134.195.47.1

Re: Problems with newish IP block assignment issues from ARIN

2021-02-08 Thread Job Snijders via NANOG
Dear Justin, On Mon, Feb 08, 2021 at 03:14:47PM -0500, Justin Wilson (Lists) wrote: > It acts like the IP block was blacklisted at some point and got on > some bad lists but I don’t want to limit myself to that theory. > I have opened up a ticket with ARIN asking for any guidance. Has > anyone

Re: Internet Routing Registry folks - Important - (Fwd: [arin-announce] Consultation Now Open on the Future of ARIN’s IRR)

2021-02-08 Thread John Curran
Martijn - Excellent insight. To be fair, it would be best if you were to subscribe to our arin-consult mailing list and express your views over there so you can be part of the discussion (as others there may have useful feedback or suggest alternatives that may sway your thoughts on how

Spoofer Report for NANOG for Jan 2021

2021-02-08 Thread CAIDA Spoofer Project
In response to feedback from operational security communities, CAIDA's source address validation measurement project (https://spoofer.caida.org) is automatically generating monthly reports of ASes originating prefixes in BGP for systems from which we received packets with a spoofed source address.

Re: Problems with newish IP block assignment issues from ARIN

2021-02-08 Thread Jesse DuPont
Justin, We have had this with recent ARIN assignments, too. When we'd get reports from customers, we would reach out to the site admin contacts (either domain WHOIS or IP address WHOIS), explain the situation, and in every case, they were either blocking it because

Starlink

2021-02-08 Thread Robert DeVita
Can someone from Starlink please contact me off list? Thank you Rob Robert DeVita CEO & Founder

Re: Problems with newish IP block assignment issues from ARIN

2021-02-08 Thread Elvis Daniel Velea
Hi, On 2/8/21 10:22 PM, Hank Nussbacher wrote: On 08/02/2021 22:14, Justin Wilson (Lists) wrote: It acts like the IP block was blacklisted at some point and got on some bad lists but I don’t want to limit myself to that theory. I have opened up a ticket with ARIN asking for any guidance.

Re: Problems with newish IP block assignment issues from ARIN

2021-02-08 Thread Hank Nussbacher
On 08/02/2021 22:14, Justin Wilson (Lists) wrote: It acts like the IP block was blacklisted at some point and got on some bad lists but I don’t want to limit myself to that theory. I have opened up a ticket with ARIN asking for any guidance. Has anyone ran into

Re: Retalitory DDoS

2021-02-08 Thread bzs
I notice I often get DDoS'd when I post here, to NANOG, usually w/in 2-3 hours, so owing to this note it'll probably happen again tonight! The typical attack is some mixture of DNS whacking from dozens or hundreds of hosts, plus usually UDP packets being flung at basically round-robin ports

Re: Problems with newish IP block assignment issues from ARIN

2021-02-08 Thread Jon Lewis
On Mon, 8 Feb 2021, Justin Wilson (Lists) wrote: Folks, Have a gremlin we have been chasing around for several months now and it’s becoming a major issue as we are getting tighter on IPV4 and needing to give some provider assigned space back. In June we received a /22 from ARIN. As is my

RE: [EXTERNAL] Re: Problems with newish IP block assignment issues from ARIN

2021-02-08 Thread Mann, Jason via NANOG
Off topic, but curious as to how you were able to procure new ip space? -Original Message- From: NANOG On Behalf Of Justin Wilson (Lists) Sent: Monday, February 8, 2021 2:02 PM To: nanog@nanog.org Subject: [EXTERNAL] Re: Problems with newish IP block assignment issues from ARIN I