Re: did facebook just DoS me?

2017-04-04 Thread Compton, Rich A
Any proof that you can provide that Facebook did indeed DoS you? Unless it is an attack after a tcp 3-way handshake I highly doubt that it was actually Facebook and probably an attacker spoofing Facebook's source IPs (perhaps in hopes that the source IPs would be on your whitelist and not be

Re: CGNAT

2017-04-08 Thread Compton, Rich A
Hi Aaron, thanks for the info. I'm curious what you or others do about DDoS attacks to CGNAT devices. It seems that a single attack could affect the thousands of customers that use those devices. Also, do you have issues detecting attacks vs. legitimate traffic when you have so much traffic

Re: Financial services BGP hijack last week?

2017-05-03 Thread Compton, Rich A
li...@gmail.com> Date: Tuesday, May 2, 2017 at 6:34 PM To: Compton Rich A <rich.comp...@charter.com> Cc: Job Snijders <j...@ntt.net>, Nikos Leontsinis <nikosi...@gmail.com

Re: BCP38/84 and DDoS ACLs

2017-05-26 Thread Compton, Rich A
To block UDP port 19 you can add something like: deny udp any eq 19 any deny udp any any eq 19 This will prevent the DDoS attack traffic entering your network (source port 19) as well as the hosts scanning around looking for hosts on your network that can be used in amplification attacks

Re: Financial services BGP hijack last week?

2017-05-02 Thread Compton, Rich A
That's the million dollar question. I think that there will be more adoption from the Internet at large when some big players adopt it. Right now the use of rsync in RPKI is preventing a lot of large ISPs from implementing it (too difficult to provide redundancy with rsync). There is a protocol

Re: SP security knowledge build up

2018-07-23 Thread Compton, Rich A
Barry Greene's site has some good info on ISP security as well: http://www.senki.org On 7/23/18, 8:08 AM, "NANOG on behalf of Christopher Morrow" wrote: I thought also there was a set of videos from nanog meetings... I can't find a set, but here are some: ISP Security 101

Re: CGNAT

2019-02-07 Thread Compton, Rich A
; 256.256.130.4:80 Drop O 1 UDP256.256.191.133:2 -> 256.256.130.4:80 Drop O 1 - Aaron -Original Message- From: Compton, Rich A [mailto:rich.comp...@charter.com] Sent: Thursday, April 6, 2017 3:49 PM To

Re: AT&T/as7018 now drops invalid prefixes from peers

2019-02-11 Thread Compton, Rich A
That's great! Do you guys have plans to publish ROAs for your own netblocks? If so, can you please share info on your process (tools, pitfalls, etc.)? Thanks! On 2/11/19, 7:55 AM, "NANOG on behalf of Jay Borkenhagen" wrote: FYI: The AT&T/as7018 network is now dropping all

Any info on devices that are running eBGP on the Internet?

2019-11-06 Thread Compton, Rich A
Hi, I am working with MANRS (https://www.manrs.org) on a tool for checking router configs for BGP security / spoofing prevention (e.g. uRPF) https://github.com/manrs-tools/MANRS-validator We are wondering if there is any research on the percentages of different types of devices running BGP on

Re: China’s Slow Transnational Network

2020-03-02 Thread Compton, Rich A
My guess is that it’s all the DDoS traffic coming from China saturating the links. From: NANOG Email List on behalf of Pengxiong Zhu Date: Monday, March 2, 2020 at 8:58 AM To: NANOG list Cc: Zhiyun Qian Subject: China’s Slow Transnational Network Hi all, We are a group of researchers at

Re: FlowSpec

2020-04-23 Thread Compton, Rich A
Hi Colton, It is fairly common to use flowspec internally at an ISP for mitigation of DDoS attacks. eBGP flowspec is not very common though. I know of only a couple of ISPs that allow flowspec rules to be advertised by their customers. The biggest issue with this is that other providers are

Re: Best way to get foreign ISPs to shut down DDoS reflectors?

2020-04-23 Thread Compton, Rich A
The answer is “it depends”. What are you trying to accomplish? Are you trying to detect and surgically mitigate every DDoS attack? If so, you will need a good DDoS attack detection and mitigation solution and a team of people to run it or a 3rd party company that can do this for you. Do you

Re: Best way to get foreign ISPs to shut down DDoS reflectors?

2020-04-23 Thread Compton, Rich A
Good luck with that. As Damian Menscher has presented at NANOG, even if we do an amazing job and shut down 99% of all DDoS reflectors, there will still be enough bandwidth to generate terabit size attacks. https://stats.cybergreen.net I think we need to instead collectively focus on stopping

Re: UDP/123 policers & status

2020-03-17 Thread Compton, Rich A
Yes, we still see lots of UDP amplification attacks using NTP monlist. We use a filter to block UDP src 123 packets of 468 bytes in length (monlist reply with the max 6 IPs). -Rich On 3/17/20, 8:55 AM, "NANOG on behalf of Jared Mauch" wrote: I’m curious what people are seeing these

Re: [EXTERNAL] Re: RTBH and Flowspec Measurements - Stop guessing when the attack will over

2021-02-02 Thread Compton, Rich A
Hi, here is a Flowspec best practices document that I helped write that will hopefully help folks from shooting themselves in the foot http://m3aawg.org/flowspec-BP. As you stated, route policies can be applied to restrict what type of flowspec rules can or can’t be accepted. For example,

Re: [EXTERNAL] RE: shadowserver.org

2021-06-28 Thread Compton, Rich A
If you want to identify which peering links are sending you spoofed DDoS amplification request traffic and which (Shadowserver identified) IPs in your network the traffic is going to, please take a look at my Tattle Tale project: https://github.com/racompton/tattle-tale Identify which peers are

Re: [EXTERNAL] Re: Retalitory DDoS

2021-02-08 Thread Compton, Rich A
FYI, that looks like a Web Services Dynamic Discovery UDP amplification DDoS attack. https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html Very easily executed by a booter service. You may want to have your hosting provider block all

Re: [EXTERNAL] Re: Famous operational issues

2021-02-16 Thread Compton, Rich A
There was the outage in 2014 when we got to 512K routes. http://www.bgpmon.net/what-caused-todays-internet-hiccup/ On 2/16/21, 1:04 PM, "NANOG on behalf of Job Snijders via NANOG" wrote: CAUTION: The e-mail below is from an external source. Please exercise caution before opening

Re: [EXTERNAL] Re: An update on the AfriNIC situation

2021-08-27 Thread Compton, Rich A
Can't AfriNIC just create ROAs for the prefixes and point them to AS0? That would pretty much make the prefixes unusable since most tier 1's are doing ROV now. -Rich On 8/27/21, 10:20 AM, "NANOG on behalf of Aaron Wendel" wrote: CAUTION: The e-mail below is from an external source.

Squat space is now being advertised by AS 749 (DoD Network Information Center)

2021-09-10 Thread Compton, Rich A
Hi, this week it looks like the DoD owned squat space that was previously advertised by AS 8008 (a shadow company called Global Resource Systems, see https://apnews.com/article/technology-business-government-and-politics-b26ab809d1e9fdb53314f56299399949) is now being advertised by AS 749 (DoD

Re: [EXTERNAL] VoIP Provider DDoSes

2021-09-21 Thread Compton, Rich A
Most of the larger DDoS mitigation appliances can block malformed SIP traffic and also can block volumetric/state exhaustion UDP floods. A lot of VoIP companies have Session Border Controllers (SBCs) to protect public facing VoIP services. SBCs are more application aware. Kind of like a

Re: [EXTERNAL] VoIP Provider DDoSes

2021-09-21 Thread Compton, Rich A
stop a lot of common DDoS attacks before they ever get to your SBCs. Even better if you can get your upstream ISP to apply the ACL. DDoS attack traffic should be dropped as close to the source as possible. -Rich From: Mike Hammett Date: Tuesday, September 21, 2021 at 4:39 PM To: "Co

Re: [EXTERNAL] Re: VoIP Provider DDoSes

2021-09-22 Thread Compton, Rich A
FYI, UTRS (Unwanted Traffic Removal Service https://team-cymru.com/community-services/utrs/) from Team Cymru is a free service where you can send a blackhole advertisement (sacrificing the one IP that’s under attack to save the rest of the network) and they will propagate that via BGP to

Re: [EXTERNAL] Re: Flow collection and analysis

2022-01-25 Thread Compton, Rich A
Elastiflow is pretty cool. https://www.elastiflow.com or the old open source version: https://github.com/robcowart/elastiflow You can pretty much do the same thing with Elastic’s filebeat (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-netflow.html). Pmacct is also good

Re: [EXTERNAL] Re: Charter DNS servers returning invalid IP addresses

2023-10-25 Thread Compton, Rich A
VirusTotal and other domain reputation sites say the domain is malicious. Specifically there have been multiple malware samples that were scanned (latest was 10-09-2023) that had this domain hard coded in it. https://www.virustotal.com/gui/domain/bonesinjars.com You may want to get a new

Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Compton, Rich A
No, Charter doesn't use those. Charter runs its own anycasted recursive nameservers. On 10/30/23, 2:46 PM, "NANOG on behalf of Livingood, Jason via NANOG" wrote: CAUTION: The e-mail below is from an

Re: [EXTERNAL] Re: Free-ish Linux Netflow collector/analyser options

2022-05-17 Thread Compton, Rich A
The ELK stack does a good job of collecting netflow records with the addition of Filebeat. Check out my tattle-tale tool that collects netflow data: https://github.com/racompton/tattle-tale It has numerous rules in logstash/conf.d to try to just look for spoofed DDoS amplification requests but

Re: [EXTERNAL] Re: Yet another BGP hijacking towards AS16509

2022-08-23 Thread Compton, Rich A
I was under the impression that ASPA could prevent route leaks as well as path spoofing. This "BGP Route Security Cycling to the Future!" presentation from NANOG seems to indicate this is the case: https://youtu.be/0Fi2ghCnXi0?t=1093 Also, can't the path spoofing protection that BGPsec provides

Re: [EXTERNAL] Re: FCC chairwoman: Fines alone aren't enough (Robocalls)

2022-10-04 Thread Compton, Rich A
DDoS traffic coming from legit/botted sources that is not spoofed is not DDoS amplification. DDoS amplification requires spoofing. If everyone did BCP38/84, there would be no DDoS amplification attacks. -Rich On 10/4/22, 1:14 PM, "NANOG on behalf of Robert Blayzor via NANOG" wrote:

Re: [EXTERNAL] Re: BCP38 For BGP Customers

2022-11-08 Thread Compton, Rich A
Hi Joel, can you please point us to the IETF draft document that describes how a "combination of ASPA and RPKI can be used to help with DDoS prevention". I was not able to find it. Thanks! -Rich On 11/8/22, 8:05 AM, "NANOG on behalf of Joel Halpern" wrote: CAUTION: The e-mail below is

Re: SOVC - BGp RPKI

2024-01-31 Thread Compton, Rich via NANOG
ChatGPT says: SOVC in the context of RPKI (Resource Public Key Infrastructure) on a Cisco router stands for "Stale Origin Validation Cache". RPKI is a security framework designed to secure the Internet's routing infrastructure, primarily through route origin validation. It ensures that the

Re: SOVC - BGp RPKI

2024-01-31 Thread Compton, Rich via NANOG
31, 2024 at 3:06 PM To: NANOG list Subject: Re: SOVC - BGp RPKI I'd be curious to know why it thinks that the S is "Stale". I don't suppose it cites its sources? Compton, Rich via NANOG wrote: > > ChatGPT says: > > SOVC in the context of RPKI (Resource Public Key