nanog mailing list archives

RE: Retalitory DDoS

From: Jean St-Laurent via NANOG <nanog () nanog org>
Date: Mon, 8 Feb 2021 12:42:12 -0500

Nice report,

 

If you would have to pick up just one vector out of this “multi-vector” attack, which one seems to be the one that had 
the bigger effect on your network or service?

 

Was it degraded or total service interruption?

 

Jean

 

From: NANOG <nanog-bounces+jean=ddostest.me () nanog org> On Behalf Of Mike Hammett
Sent: February 8, 2021 8:43 AM
To: NANOG list <nanog () nanog org>
Subject: Re: Retalitory DDoS

 

Mike,

I've attached the full information we got from our DDOS protection system below.

We had a large number of ping loss and data loss tickets begin opening up for devices sharing the cabinet chi18-313. 
The high traffic and interference was determined to be caused by incoming traffic to the ip address [Not hard to find, 
but redacted anyway]. Our network engineers will be back in after 9am until 5pm CST. They have greater access to the 
network and may be able to give you more details.

Location : Chicago
Event Time : 2021-02-08 04:17:38 CST (-0600)
Destination IP: [Not hard to find, but redacted anyway]
Traffic : 2520 Mbps 382880 pps
Fragmentation : 11%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0%
Top Source Port:
. 61% Port # 3702
. 38% Port # 0
Top Destination Port:
. 38% Port # 0
. 14% Port # 45934
. 9% Port # 23680
. 8% Port # 35023
. 7% Port # 25966
Top Source IP:
. 0% 112.164.127.17
Number of unique IP: 7110
Total Bytes : 1259961437 <callto:1259961437> 
Total Packets : 1531559
Duration : 4s
Report Run Time : 151.3ms

The 30 day null route count is: 0
Number of hours to null route : 1

Location : Chicago
Event Time : 2021-02-08 04:02:38 CST (-0600)
Destination IP: [Not hard to find, but redacted anyway]
Traffic : 1817 Mbps 275483 pps
Fragmentation : 13%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
TCP Flag: SYN: 99% ACK: 0% RST: 0% FIN: 0%
Top Source Port:
. 56% Port # 3702
. 43% Port # 0
Top Destination Port:
. 43% Port # 0
. 19% Port # 25966
. 19% Port # 35023
. 17% Port # 23680
Top Source IP:
. 0% 90.49.167.239
Number of unique IP: 3577
Total Bytes : 953894831
Total Packets : 1157017
Duration : 4.199s
Report Run Time : 306.8ms

The 30 day null route count is: 0
Number of hours to null route : 1

 
Liam Doring
Systems Administrator



-----
Mike Hammett
 <http://www.ics-il.com/> Intelligent Computing Solutions
 <https://www.facebook.com/ICSIL>  <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>  
<https://www.linkedin.com/company/intelligent-computing-solutions>  <https://twitter.com/ICSIL> 
 <http://www.midwest-ix.com/> Midwest Internet Exchange
 <https://www.facebook.com/mdwestix>  <https://www.linkedin.com/company/midwest-internet-exchange>  
<https://twitter.com/mdwestix> 
 <http://www.thebrotherswisp.com/> The Brothers WISP
 <https://www.facebook.com/thebrotherswisp>  <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> 

  _____  

From: "Mike Hammett" <nanog () ics-il net>
To: "NANOG list" <nanog () nanog org>
Sent: Monday, February 8, 2021 5:46:26 AM
Subject: Retalitory DDoS

Is there a club for people that have been DDoSed? If so, count me in.

 

This one was directed at me (as opposed to one of my customers) because I got an e-mail explaining why I was getting 
DDoSed. Is that aspect common?

 

There were also some racial and sexual accusations that were made that clearly aren't true and just speak to the 
intelligence of people like this.

 

Is it safe to assume that they completely anonymized the email they sent to me?

 

Is there anyone I should be reporting this to?

 

I thought my site was running in Cloudflare, but my individual server was still attacked, so I gotta figure out where I 
screwed that up.

 

 

https://www.dropbox.com/s/rrrx90jvy09h26s/ICS%20DDoS.png?dl=0



-----
Mike Hammett
 <http://www.ics-il.com/> Intelligent Computing Solutions
 <https://www.facebook.com/ICSIL>  <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>  
<https://www.linkedin.com/company/intelligent-computing-solutions>  <https://twitter.com/ICSIL> 
 <http://www.midwest-ix.com/> Midwest Internet Exchange
 <https://www.facebook.com/mdwestix>  <https://www.linkedin.com/company/midwest-internet-exchange>  
<https://twitter.com/mdwestix> 
 <http://www.thebrotherswisp.com/> The Brothers WISP
 <https://www.facebook.com/thebrotherswisp>  <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>

Current thread:

Retalitory DDoS Mike Hammett (Feb 08)
- Re: Retalitory DDoS Mike Hammett (Feb 08)
  - RE: Retalitory DDoS Jean St-Laurent via NANOG (Feb 08)
    - Re: Retalitory DDoS Mike Hammett (Feb 08)
    - RE: Retalitory DDoS Jean St-Laurent via NANOG (Feb 08)
    - Re: Retalitory DDoS Mike Hammett (Feb 08)
    - RE: Retalitory DDoS Jean St-Laurent via NANOG (Feb 08)
    - Re: Retalitory DDoS Mike Hammett (Feb 08)
- Re: Retalitory DDoS Bret Clark (Feb 08)
- Re: Retalitory DDoS Töma Gavrichenkov (Feb 08)
- Re: Retalitory DDoS bzs (Feb 08)