Re: Reflection DDoS last week

2019-08-28 Thread Denys Fedoryshchenko
On 2019-08-28 02:23, Damian Menscher via NANOG wrote: On Wed, Aug 21, 2019 at 3:21 PM Töma Gavrichenkov wrote: On Thu, Aug 22, 2019 at 12:17 AM Damian Menscher wrote: Some additional questions, if you're able to answer them (off-list is fine if there are things that can't be shared broadly)

Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

2019-08-27 Thread Damian Menscher via NANOG
On Wed, Aug 21, 2019 at 3:21 PM Töma Gavrichenkov wrote: > On Thu, Aug 22, 2019 at 12:17 AM Damian Menscher > wrote: > > Some additional questions, if you're able to answer them (off-list is > fine if there are things that can't be shared broadly): > > - Was the attack referred to law enforcem

Re: Reflection DDoS last week

2019-08-24 Thread Denys Fedoryshchenko
Hi, Same happened in Lebanon (country). Similar pattern: carpet bombing for multiple prefixes of specific ASN. I suspect it is a new trend in DDoS-for-hire, and ISPs who did not install data scrubbing appliances will feel severe pain from such attacks, since they use SYN + ACK from legit servers

Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

2019-08-21 Thread Amir Herzberg
Töma, thanks for this interesting update. The best defense against this type of DDoS attack seems idd to be relaying to sufficiently-large-bandwidth cloud/CDN, and filtering TCP traffic (received not from the relay). Such relaying should be done well - smart attacks may still be possible for `naiv

Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

2019-08-21 Thread Töma Gavrichenkov
Peace, On Thu, Aug 22, 2019 at 12:17 AM Damian Menscher wrote: > Some additional questions, if you're able to answer them (off-list is fine if > there are things that can't be shared broadly): > - Was the attack referred to law enforcement? It is being referred to now. This would most probab

Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

2019-08-21 Thread Damian Menscher via NANOG
Thanks for following up, and for publishing two bits of key data: - This was part of a larger attack campaign that included CLDAP amplification - The SYN/ACK amplification resulted in 208Mpps (or more) Some additional questions, if you're able to answer them (off-list is fine if there are thin

Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

2019-08-21 Thread Töma Gavrichenkov
Peace, Here's to confirm that the pattern reported before in NANOG was indeed a reflection DDoS attack. On Sunday, it also hit our customer, here's the report: https://www.prnewswire.com/news-releases/root-cause-analysis-and-incident-report-on-the-august-ddos-attack-300905405.html tl;dr: basical