nanog mailing list archives

Re: [EXTERNAL] Re: Retalitory DDoS


From: Hugo Slabbert <hugo () slabnet com>
Date: Mon, 8 Feb 2021 11:19:23 -0800

Was gonna come to add that.  That and maybe some UDP frags.

You may want to have your hosting provider block all inbound traffic from
reaching your server IP except TCP port 443 (or 80 or whatever port you
actually use) somewhere upstream.


Can also consider dropping by UDP source port on that 3072 and other common
reflection vectors if you've got UDP-based destinations to deal with.

The SYN floods are a different beast; though probably not volumetric, needs
enough capacity (TCP reverse proxies / LBs / etc) to handle that and
possibly things like SYN cookies.  I'll let folks more versed than myself
answer there, though.  Roland probably has a deck ready to link ;)

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo () slabnet com
pgp key: B178313E   | also on Signal
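To make the triage in Rich's and Hugo's replies mechanical, here is an added example (not code from any poster in this thread) that parses an event block in the format of the hosting provider's report quoted further down and derives the mitigation hints from it: average packet size from bytes/packets, the reflection source port, the fragment share, and the protocol-level upstream filter. The report excerpt is constructed from the thread's numbers and the reflector-port table is an assumption of the example.

```python
import re
# Constructed sample: one event block in the format of the hosting provider's
# report quoted in the thread, trimmed to the fields the triage below uses.
SAMPLE_REPORT = """\
Fragmentation : 11%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0%
Top Source Port:
. 61% Port # 3702
. 38% Port # 0
Total Bytes : 1259961437
Total Packets : 1531559
"""
# Assumed table of well-known UDP reflection source ports (not from the thread).
REFLECTOR_PORTS = {3702: "WS-Discovery", 123: "NTP", 53: "DNS", 1900: "SSDP",
                   11211: "memcached", 389: "CLDAP", 19: "chargen"}

def parse_report(text):
    """Parse one block: scalar fields -> str, 'Top ...' sections -> {number: percent}."""
    rep, section = {}, None
    for line in text.splitlines():
        if line.startswith(". "):                      # item under a 'Top ...' header
            m = re.match(r"\. (\d+)% (?:Port|Protocol) # (\d+)", line)
            rep[section][int(m.group(2))] = int(m.group(1))
        elif line.endswith(":"):                       # 'Top Source Port:' etc.
            section = line[:-1]
            rep[section] = {}
        else:
            key, _, val = line.partition(":")
            rep[key.strip()] = val.strip()
    return rep

def triage(rep):
    """Derive the mitigations discussed in the thread from a parsed block."""
    frag = int(rep["Fragmentation"].rstrip("%"))
    avg_pkt = int(rep["Total Bytes"]) / int(rep["Total Packets"])
    udp_share = rep["Top Transport Protocol"].get(17, 0)
    syn_share = int(re.search(r"SYN: (\d+)%", rep["TCP Flag"]).group(1))
    hints = []
    for port, share in rep["Top Source Port"].items():
        if port in REFLECTOR_PORTS:                    # Hugo: drop by UDP source port upstream
            hints.append(f"drop UDP sport {port} upstream ({REFLECTOR_PORTS[port]} reflection, {share}%)")
        elif port == 0 and frag:                       # flow tools report non-initial fragments as port 0
            hints.append(f"drop UDP fragments upstream (sport 0 at {share}%, {frag}% fragmented)")
    if udp_share >= 90:                                # Rich: permit only the TCP service ports
        hints.append("upstream ACL: permit TCP 443/80 to the server, drop all other inbound")
    if syn_share >= 90 and udp_share < 90:             # Hugo: SYN floods need capacity and SYN cookies
        hints.append("SYN flood component: size TCP proxies/LBs, enable SYN cookies")
    return {"avg_packet_bytes": round(avg_pkt), "udp_share": udp_share, "hints": hints}
```

Note that the SYN: 100% line is computed over the ~1% of traffic that was TCP at all, so the triage does not raise a SYN-flood hint for this block.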


On Mon, Feb 8, 2021 at 10:10 AM Compton, Rich A <Rich.Compton () charter com>
wrote:

FYI, that looks like a Web Services Dynamic Discovery UDP amplification
DDoS attack.
https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html
Very easily executed by a booter service.

You may want to have your hosting provider block all inbound traffic from
reaching your server IP except TCP port 443 (or 80 or whatever port you
actually use) somewhere upstream.  This can help reduce the impact of DDoS
attacks on your server.



-Rich



From: NANOG <nanog-bounces+rich.compton=charter.com () nanog org> on
behalf of Mike Hammett <nanog () ics-il net>
Date: Monday, February 8, 2021 at 10:58 AM
To: Jean St-Laurent <jean () ddostest me>
Cc: NANOG list <nanog () nanog org>
Subject: [EXTERNAL] Re: Retalitory DDoS



I don't have RTBH, no. It's just a web server.

Now how my hosting provider handled it, I'm not sure. I don't know if they
just dropped me internally, or if they used RTBH with their upstreams and
peers. Only being 2.5 gigs, that should be well within their ability to
handle internally, but I guess why would you if you didn't have to?



-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
<https://www.facebook.com/ICSIL> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> <https://www.linkedin.com/company/intelligent-computing-solutions> <https://twitter.com/ICSIL>
Midwest Internet Exchange <http://www.midwest-ix.com/>
<https://www.facebook.com/mdwestix> <https://www.linkedin.com/company/midwest-internet-exchange> <https://twitter.com/mdwestix>
The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
------------------------------

From: "Jean St-Laurent" <jean () ddostest me>
To: "Mike Hammett" <nanog () ics-il net>
Cc: "NANOG list" <nanog () nanog org>
Sent: Monday, February 8, 2021 11:53:43 AM
Subject: RE: Retalitory DDoS

You got RTBH?



From: Mike Hammett <nanog () ics-il net>
Sent: February 8, 2021 12:50 PM
To: Jean St-Laurent <jean () ddostest me>
Cc: NANOG list <nanog () nanog org>
Subject: Re: Retalitory DDoS



In my case, it was against a server not on my own network, so my impact
was a blackhole for an hour at 4 AM local time. I likely wouldn't have even
noticed it, had I not received the threat email, nor the ticket my web
host's NOC opened.



------------------------------

From: "Jean St-Laurent" <jean () ddostest me>
To: "Mike Hammett" <nanog () ics-il net>, "NANOG list" <nanog () nanog org>
Sent: Monday, February 8, 2021 11:42:12 AM
Subject: RE: Retalitory DDoS

Nice report,



If you had to pick just one vector out of this “multi-vector” attack,
which one seems to have had the biggest effect on your network or
service?



Was it degraded or total service interruption?



Jean



From: NANOG <nanog-bounces+jean=ddostest.me () nanog org> On Behalf Of Mike
Hammett
Sent: February 8, 2021 8:43 AM
To: NANOG list <nanog () nanog org>
Subject: Re: Retalitory DDoS



Mike,

I've attached the full information we got from our DDOS protection system
below.

We had a large number of ping loss and data loss tickets begin opening up
for devices sharing the cabinet chi18-313. The high traffic and
interference were determined to be caused by incoming traffic to the IP
address [Not hard to find, but redacted anyway]. Our network engineers will
be back in after 9am until 5pm CST. They have greater access to the network
and may be able to give you more details.

Location : Chicago
Event Time : 2021-02-08 04:17:38 CST (-0600)
Destination IP: [Not hard to find, but redacted anyway]
Traffic : 2520 Mbps 382880 pps
Fragmentation : 11%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0%
Top Source Port:
. 61% Port # 3702
. 38% Port # 0
Top Destination Port:
. 38% Port # 0
. 14% Port # 45934
. 9% Port # 23680
. 8% Port # 35023
. 7% Port # 25966
Top Source IP:
. 0% 112.164.127.17
Number of unique IP: 7110
Total Bytes : 1259961437
Total Packets : 1531559
Duration : 4s
Report Run Time : 151.3ms

The 30 day null route count is: 0
Number of hours to null route : 1

Location : Chicago
Event Time : 2021-02-08 04:02:38 CST (-0600)
Destination IP: [Not hard to find, but redacted anyway]
Traffic : 1817 Mbps 275483 pps
Fragmentation : 13%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
TCP Flag: SYN: 99% ACK: 0% RST: 0% FIN: 0%
Top Source Port:
. 56% Port # 3702
. 43% Port # 0
Top Destination Port:
. 43% Port # 0
. 19% Port # 25966
. 19% Port # 35023
. 17% Port # 23680
Top Source IP:
. 0% 90.49.167.239
Number of unique IP: 3577
Total Bytes : 953894831
Total Packets : 1157017
Duration : 4.199s
Report Run Time : 306.8ms

The 30 day null route count is: 0
Number of hours to null route : 1


Liam Doring
Systems Administrator



------------------------------

From: "Mike Hammett" <nanog () ics-il net>
To: "NANOG list" <nanog () nanog org>
Sent: Monday, February 8, 2021 5:46:26 AM
Subject: Retalitory DDoS

Is there a club for people that have been DDoSed? If so, count me in.



This one was directed at me (as opposed to one of my customers) because I
got an e-mail explaining why I was getting DDoSed. Is that aspect common?



There were also some racial and sexual accusations that were made that
clearly aren't true and just speak to the intelligence of people like this.



Is it safe to assume that they completely anonymized the email they sent
to me?



Is there anyone I should be reporting this to?



I thought my site was running in Cloudflare, but my individual server was
still attacked, so I gotta figure out where I screwed that up.





https://www.dropbox.com/s/rrrx90jvy09h26s/ICS%20DDoS.png?dl=0



