nanog mailing list archives
Re: Large DDoS, small extortion
From: Frank Doherty <dealing.with.ddos () gmail com>
Date: Thu, 22 May 2014 23:05:54 -0700
Thanks everyone. There have been a lot of great on- and off-list responses, and we have a much better list of contacts for the next time this happens. We are in contact with the FBI now (very impressed, particularly compared to what I expected), and have access to resources that we didn't know existed. Hopefully I'll meet some of you in Bellevue next week.

On Wed, May 21, 2014 at 9:51 PM, Beleaguered Admin <dealing.with.ddos () gmail com> wrote:
Apologies for the non-personal email address, but I don't want to give our attacker any more information than I need to. I'd be happy to send personal contact/ASN information to any NANOG admins or regular members of NANOG if it's useful.

Over the past year or so, we (a decent sized tier 2 with a nationwide US backbone) have had several large DDoS attacks from what appears to be the same person, who is (we presume) going down something like the Alexa list of top sites, attacking them, and asking for small amounts of money to stop. This has been going on for a long time -- almost every detail is exactly the same as what is described here: http://it.slashdot.org/story/12/11/03/1846252/ask-slashdot-how-to-deal-with-a-ddos-attack and more recently: http://techcrunch.com/2014/03/03/meetup-suffering-significant-ddos-attack-taking-it-offline-for-days/ and: https://gist.github.com/dhh/9741477 and I believe attacks including Vimeo, GitHub, and others.

The attacker is smarter than many random attackers, or at least has better tools. He watches when you mitigate the attack, and shifts his attack to something new. He (or his tools) also watch DNS for the thing he's attacking, and the attack moves as DNS changes. We've seen UDP amplification (NTP and DNS mainly), SYN flood, SYN/ACK flood, layer 7 cache busting (https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801/), and others we haven't been able to fully mitigate/identify. The largest attacks we've seen (which aren't the largest we've read about) are over 50Gbit and 10s of millions of pps. He is in regular communication (via whois info and other collected contact data) asking for <$1000 USD sums to stop the attacks.

While we are interested in technical means to mitigate the attacks (the SYN and SYN/ACKs are brutal, all cores pegged on multicore 10G NIC servers just dealing with interrupts), what I'd really like to find out is how to help fix the problem.

We've tried to engage upstream providers to help trace the attacks, but have gotten nowhere (they didn't seem to understand that the SYN attacks were spoofed and that looking at source IPs didn't matter; we wanted to know the ingress points on their network). What are the best practices for this? Are there secret code words (http://xkcd.com/806/) we can use to get to someone at our upstreams who might know what we're talking about? Is it worth the time? Is it worth talking to law enforcement? Some of these have been >500k costs to the customer, but we assume the person doing it isn't in any western country, so maybe it doesn't even matter? Thanks.
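The original post's point about spoofed SYN and SYN/ACK floods is that source addresses are useless and the upstream needs the ingress interface instead. The following added example (not from the thread or any poster) ranks ingress points from constructed flow-export records by packet volume of pure-SYN and pure-SYN/ACK traffic toward a victim address; the record layout, router names and addresses are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample flow export, one record per line (NOT real data):
# router ingress_interface src_ip dst_ip proto tcp_flags packets
SAMPLE_FLOWS = """\
edge1 xe-0/0/1 203.0.113.7 198.51.100.10 tcp S 50000
edge1 xe-0/0/1 203.0.113.8 198.51.100.10 tcp S 48000
edge1 xe-0/0/1 203.0.113.9 198.51.100.10 tcp S 51000
edge1 xe-0/0/2 192.0.2.44 198.51.100.10 tcp SA 120
edge2 xe-1/0/0 192.0.2.45 198.51.100.10 tcp SA 45000
edge2 xe-1/0/0 192.0.2.46 198.51.100.10 tcp SA 47000
edge2 xe-1/0/0 192.0.2.47 198.51.100.10 tcp A 200
edge2 xe-1/0/1 192.0.2.48 198.51.100.10 udp - 300
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_flows(text):
    """Parse the hypothetical whitespace-separated export into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        router, iface, src, dst, proto, flags, pkts = m.groups()
        flows.append({"router": router, "iface": iface, "src": src, "dst": dst,
                      "proto": proto, "flags": flags, "packets": int(pkts)})
    return flows


def rank_ingress(flows, victim, flag_set):
    """Sum packets of TCP flows toward `victim` whose flags are exactly `flag_set`
    (e.g. "S" for a SYN flood, "SA" for a SYN/ACK reflection), keyed by
    (router, ingress interface). Sources are spoofed, so the ingress point is
    what an upstream can act on; the distinct-source count is reported only to
    show the spoofing signature (many sources, one interface)."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        if f["dst"] != victim or f["proto"] != "tcp" or f["flags"] != flag_set:
            continue
        key = (f["router"], f["iface"])
        packets[key] += f["packets"]
        sources[key].add(f["src"])
    # Highest-volume ingress first: (ingress, packets, distinct sources)
    return sorted(((k, packets[k], len(sources[k])) for k in packets),
                  key=lambda row: row[1], reverse=True)
```

Feeding the top ingress interface (rather than a list of forged source addresses) to the upstream is what the poster was asking the provider to trace.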