nanog mailing list archives

Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)


From: Töma Gavrichenkov <ximaera () gmail com>
Date: Thu, 22 Aug 2019 01:20:51 +0300

Peace,

On Thu, Aug 22, 2019 at 12:17 AM Damian Menscher <damian () google com> wrote:
> Some additional questions, if you're able to answer them (off-list is fine if there are things that can't be shared broadly):
>   - Was the attack referred to law enforcement?

It is being referred to now.  This would most probably get going under
the jurisdiction of the Netherlands.  Whether the latter would be able
to address it properly or not remains to be seen, but honestly I'm not
quite optimistic here.

>   - Were any transit providers asked to trace the source of the spoofing to either stop the attack or facilitate the law enforcement investigation?

No.
Initially we were busy setting up the game and pushing the upstreams
to accept our new customer prefix advertisements a.s.a.p.
Afterwards we were too busy trying to understand why some of the
upstreams didn't work as expected (that part was mentioned in the
report).

Hence, tracing the source was not deemed a high priority task.

--
Töma

