Re: Staring Down the Armada Collective
I agree Protonmail took a stance and believe many others can learn from their experience. But let's not over simplify the problem. According to their blogs the attacks were over 100G and went on for hours at a time over several days. Attacks can go on for days and months. Protonmail found themselves up against varying attack tactics and ultimately took a defense in depth approach to mitigate the attack. Null routing original ip completes the attack, game over , sever is down. Granted this can help prevent colateral damages. Combined with proxies can work well for dns redirect to route through cloud scrubbing but these solutions can add latency and impact legitimate traffic also. With redirection there is also the complexity of TLS/SSL (certificate management, privacy, etc.) And then you must also consider ip based (non proxied) targets. These dns redirect/proxy methods don't handle ip based attack targets and cause the need to swing ip prefixes via bgp. Bottom line, attackers can impact the infrastructure by varying their tactics and the approach should be well thought out and multilayered. Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone Original message From: Lyndon Nerenberg Date: 12/4/2015 12:14 AM (GMT-05:00) To: North American Network Operators' Group Subject: Re: Staring Down the Armada Collective On Dec 3, 2015, at 6:28 PM, Lyndon Nerenberg wrote: > Are we perhaps, finally, reaching the cusp where everyone has realized that > if we all, collectively, tell the rodents to f*** off, they just might? I should also mention that, despite their bluster, they can't keep it up for more than half an hour. By then, the upstream networks have figured it out and have null routed anything of consequence - far upstream. Meanwhile, back haul your traffic in via a private network and they won't be able to do shit to you. (E.g. the standard Cloudflare model.) They are not as smart as they make themselves out to be. Don't let fear drive your decisions. --lyndon
Re: Staring Down the Armada Collective
On Dec 3, 2015, at 9:14 PM, Lyndon Nerenberg wrote: > I should also mention that, despite their bluster, they can't keep it up for > more than half an hour. The mailing list has been quiet. All step forward who are scared to say "me too" on account of Armada. --lyndon signature.asc Description: Message signed with OpenPGP using GPGMail
Re: Staring Down the Armada Collective
On Dec 3, 2015, at 6:28 PM, Lyndon Nerenberg wrote: > Are we perhaps, finally, reaching the cusp where everyone has realized that > if we all, collectively, tell the rodents to f*** off, they just might? I should also mention that, despite their bluster, they can't keep it up for more than half an hour. By then, the upstream networks have figured it out and have null routed anything of consequence - far upstream. Meanwhile, back haul your traffic in via a private network and they won't be able to do shit to you. (E.g. the standard Cloudflare model.) They are not as smart as they make themselves out to be. Don't let fear drive your decisions. --lyndon signature.asc Description: Message signed with OpenPGP using GPGMail
Re: Staring Down the Armada Collective
On 4 Dec 2015, at 9:28, Lyndon Nerenberg wrote: Are we perhaps, finally, reaching the cusp where everyone has realized that if we all, collectively, tell the rodents to f*** off, they just might? By my very rough and subjective guesstimate, extortion is the motivation behind ~15% of all DDoS attacks, FYI. --- Roland Dobbins
Staring Down the Armada Collective
Typically, businesses hide from admitting they've been hit by drive-by attacks like Armada is trying to pull off. It has been interesting to see the public reaction from the post-Protonmail targets, many of whom are being very visible about 1) admitting they have been hit by the attacks, and 2) making it very clear the Armada crew can f*** right off as far as collecting ransom is concerned. (Also, 3) the amazing support from customers who understand why we are working on putting up defences instead of just paying, and therefore put up with the inevitable downtime as we reconfigure sometimes large chunks of our networks.) The money asked for was a pittance (around USD$6K) for the attacks I'm personally aware of. The targeted were willing to spend far in excess of that to deploy the necessary wall of DDoS protection to keep their services running. If they didn't have it there, already. What does that say for the business model of the botnet handlers? They can't up their ransom demands, because nobody is paying at the current rates. And they can't lower them, for the same reason. And if they change their targets to sites than might potentially pay a few hundred dollars at best, those sites will just shut down anyway. Are we perhaps, finally, reaching the cusp where everyone has realized that if we all, collectively, tell the rodents to f*** off, they just might? Happy Holidays! --lyndon signature.asc Description: Message signed with OpenPGP using GPGMail