Re: What are these Google IPs hammering on my DNS server?

Google Public DNS (8.8.8.8) attempts to identify and filter abuse, and while we think we're fairly effective for large attacks (eg, those above 1Mpps), it gets more challenging (due to risk of false positives) to adequately filter small attacks. I should note that we generally see the attack traff

Re: IP Reputation Services

On Mon, Apr 4, 2022 at 9:12 AM Laura Smith via NANOG wrote: > On Monday, April 4th, 2022 at 15:37, Mike Hammett > wrote: > > > I'm checking in to see what people think of IP reputation services. > > Pre-IPv6 I was always a little apprehensive of using them for general use > because it was always

Re: Google uploading your plain text passwords

On Fri, Jun 11, 2021 at 12:48 PM Matthew Petach wrote: > > That's the part that would leave me concerned. > Having my email password compromised? > That's a bit of a "meh" moment. > Suddenly discovering that one password now gave access to > potentially all my financial accounts as well? > That's

Re: Famous operational issues

https://en.wikipedia.org/wiki/SQL_Slammer was interesting in that it was an application-layer issue that affected the network layer. Damian On Tue, Feb 16, 2021 at 11:37 AM John Kristoff wrote: > Friends, > > I'd like to start a thread about the most famous and widespread Internet > operational

Re: Best way to get foreign ISPs to shut down DDoS reflectors?

On Thu, Apr 23, 2020 at 3:26 PM Ca By wrote: > On Thu, Apr 23, 2020 at 3:14 PM Compton, Rich A > wrote: > >> Good luck with that. 😊 As Damian Menscher has presented at NANOG, >> even if we do an amazing job and shut down 99% of all DDoS reflectors, >> there will still be enough bandwidth to ge

Re: UDP/123 policers & status

On Wed, Mar 18, 2020 at 7:05 PM Harlan Stenn wrote: > On 3/18/2020 4:46 PM, Damian Menscher via NANOG wrote: > > On Wed, Mar 18, 2020 at 8:45 AM Steven Sommars > > mailto:stevesommars...@gmail.com>> wrote: > > > > The various NTP filters (rat

Re: UDP/123 policers & status

On Wed, Mar 18, 2020 at 8:45 AM Steven Sommars wrote: > The various NTP filters (rate limits, packet size limits) are negatively > affecting the NTP Pool, the new secure NTP protocol (Network Time Security) > and other clients. NTP filters were deployed several years ago to solve > serious DDoS

Re: backtracking forged packets?

I don't recommend filtering the SYN-ACK packets. That's what Octolus did, and the result was leaving half-open SYN_RECV connections on all the nodes used for reflection. That has two downsides: - the reflectors will retry the SYN-ACK (several times), which increases your PPS load (amplifying t

Re: backtracking forged packets?

Transit providers can check their netflow and to identify the true source. Know any good mailing lists where transit providers hang out? If you can share the victim IP and a timestamp, I may be able to offer additional advice off-list. Damian On Fri, Mar 13, 2020 at 11:24 PM William Herrin wrot

Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

On Sun, Mar 8, 2020 at 2:18 PM wrote: > > It's really not analogous to most of the mass attacks on the net > because the entire telco system is built to know who is using it in > great detail. > You don't think transit providers bill their customers? The analogy holds surprisingly well. Any tr

Re: Chairman Pai Proposes Mandating STIR/SHAKEN To Combat Robocalls

On Fri, Mar 6, 2020 at 8:05 PM Brian J. Murrell wrote: > On Fri, 2020-03-06 at 18:37 -0500, b...@theworld.com wrote: > > > > Why don't they just ask the phone companies who are billing these > > robocallers who they are and we can arrest them. > > Exactly. > > I have always maintained that if my

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

Amir: you're exactly correct -- but since you asked, here's their answer from the last time I suggested they respond with RSTs: https://seclists.org/nanog/2020/Jan/612 Damian On Thu, Feb 20, 2020 at 5:36 PM Amir Herzberg wrote: > If I read your description correctly: > > - Attacker sends spoofe

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

On Thu, Feb 20, 2020 at 3:40 PM Jean | ddostest.me via NANOG < nanog@nanog.org> wrote: > It doesn't sound to be a real amplification.. If it is, can anyone provide > the amplification factor? 1x? > > It sounds more like a TCP spoofing. > Some reading for you: https://www.usenix.org/conference/woo

Re: QUIC traffic throttled on AT&T residential

On Tue, Feb 18, 2020 at 8:48 PM Daniel Sterling wrote: [snip impressive debugging story] As much as I would on principle rather not stick to a legacy, TCP-only > home network -- > > I can say that right now, my home internet, blocking UDP 443, and > making tons of insecure DNS queries -- is the

Re: DiviNetworks

They're not sending traffic from their own IPs, right? So they're leasing yours (whether they make that explicit or not). And that carries all the implications/risks Mike mentioned. Damian On Thu, Feb 6, 2020 at 12:37 PM Justin Wilson wrote: > They don’t lease your IP space is the thing. > >

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

I recommend you *not* block the outgoing RST packets, as blocking them will only make matters worse: - it leaves the webservers being abused for reflection in the half-open SYN_RECV state, which may attract more attention (and blacklisting) - retries from those servers will increase the load to

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

On Mon, Jan 27, 2020 at 5:43 PM Töma Gavrichenkov wrote: > On Tue, Jan 28, 2020, 4:32 AM Damian Menscher wrote: > >> On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov >> wrote: >> >>> If this endpoint doesn't connect to anything outside of their network, >>> then yes. >>> If it does though, the

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov wrote: > On Tue, Jan 28, 2020, 4:02 AM Damian Menscher via NANOG > wrote: > >> The victim already posted the signature to this thread: >> - source IP: 51.81.119.7 >> - protocol: 6 (tcp) >> - tcp_f

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

The victim already posted the signature to this thread: - source IP: 51.81.119.7 - protocol: 6 (tcp) - tcp_flags: 2 (syn) That alone is sufficient for Level3/CenturyLink/etc to identify the source of this abuse and apply filters, if they choose. For a more detailed explanation of how to tra

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

One approach would be to trace the true origin of the spoofed packets, and get it filtered by their upstream. To that end, can you share some details of a recent tcp-amp attack? Eg, the victim IP and a timestamp? Damian On Mon, Jan 27, 2020 at 12:06 PM Octolus Development wrote: > Hey everyon

Re: Data on latency and loss-rates during congestion DDoS attacks

Getting (and releasing) numbers from DDoS attacks will be challenging for most, but I think your research could apply to more than just DDoS. There are often cases where one might want to work from an environment which has very poor networking. As an extreme example, in 2007 I got online from an

Re: Data on latency and loss-rates during congestion DDoS attacks

I suggest testing with a broad variety of values, as losses as low as 5% can be annoying, but losses at 50% or more are not uncommon. Damian On Fri, Jan 24, 2020 at 4:41 AM Amir Herzberg wrote: > Dear NANOG, > > One of my ongoing research works is about a transport protocol that > ensures (crit

Re: Google

On Thu, Dec 19, 2019 at 2:08 PM ahmed.dala...@hrins.net < ahmed.dala...@hrins.net> wrote: > Pleas I need someone from google security operations center to contact me > offlist. I couldn't reach them by google ISP portal. > If this is about the DDoS you think you're seeing from our IPs, feel free

Re: Energy Efficiency - Data Centers

On Wed, Dec 18, 2019 at 10:48 AM Thomas Bellman wrote: > On 2019-12-18 15:57, Rod Beck wrote: > > > This led me to wonder what is the inefficiency of these servers in data> > centers. Every time I am in a data center I am impressed by how much> heat > comes off these semiconductor chips. Looks to

Re: D'oH III: In 3-D! Plot Twist from Google/Chrome, Vixie approves?

On Wed, Oct 30, 2019 at 9:02 AM Todd Underwood wrote: > the relevant sentiment is: thanks for whitelisting a fixed number of them > so i can block them. > Not quite... Vixie wants the services to not exist to any (possibly compromised) device on his network. So it's less about what Chrome does

Re: Unable to email anyone from my primary domain name; thanks Google Mail and G Suite.

On Thu, Oct 24, 2019 at 5:34 AM Rich Kulawiec wrote: > On Wed, Oct 23, 2019 at 06:18:46PM -0600, Constantine A. Murenin wrote: > > it is revealed that Postmaster Tools cannot tell me anything at all, with > > all tabs and screens being 100% blank, allegedly because I'm not > actually a > > mass e

Re: This DNS over HTTP thing

On Tue, Oct 1, 2019 at 2:06 PM Jeroen Massar wrote: > On 2019-10-01 23:03, Damian Menscher wrote: > > On Tue, Oct 1, 2019 at 1:22 PM Jeroen Massar jer...@massar.ch>> wrote: > > > > On 2019-10-01 21:38, Damian Menscher wrote: > > > > > Could someone provide a reference of Google saying th

Re: This DNS over HTTP thing

On Tue, Oct 1, 2019 at 1:22 PM Jeroen Massar wrote: > On 2019-10-01 21:38, Damian Menscher wrote: > > > Could someone provide a reference of Google saying they'll change the > default nameserver? Without that, I think all of Jeroen's arguments fall > apart? > > While I stated: > > >> Moving only

Re: This DNS over HTTP thing

On Tue, Oct 1, 2019 at 12:24 PM Jay R. Ashworth wrote: > - Original Message - > > From: "Stephane Bortzmeyer" > > To: "Jeroen Massar" > > >> While the 'connection to the recursor' is 'encrypted', the recursor > >> is still in clear text... one just moves who can see what you are > >> do

Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

On Wed, Aug 21, 2019 at 3:21 PM Töma Gavrichenkov wrote: > On Thu, Aug 22, 2019 at 12:17 AM Damian Menscher > wrote: > > Some additional questions, if you're able to answer them (off-list is > fine if there are things that can't be shared broadly): > > - Was the attack referred to law enforcem

Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

Thanks for following up, and for publishing two bits of key data: - This was part of a larger attack campaign that included CLDAP amplification - The SYN/ACK amplification resulted in 208Mpps (or more) Some additional questions, if you're able to answer them (off-list is fine if there are thin

Re: syn flood attacks from NL-based netblocks

On Mon, Aug 19, 2019 at 4:15 AM Töma Gavrichenkov wrote: > Dealing with TCP flags is a different story: > I agree these attacks can be large: the one under discussion probably exceeded 10Mpps (Gbps is the wrong metric for small-packet attacks) I agree they can cause significant outages: this sty

Re: syn flood attacks from NL-based netblocks

On Sun, Aug 18, 2019 at 6:42 AM Amir Herzberg wrote: > The current packets could be part of a research experiment about this > threat, or the instrumentation part of preparing such attack. I would not > rule out research, since it isn't trivial to know if the attack can be > really viable to clog

Re: syn flood attacks from NL-based netblocks

.. they've already determined they can be abused and are using those machines to conduct an actual attack against victims in NL. Damian On Sat, Aug 17, 2019 at 6:18 PM Damian Menscher via NANOG > wrote: > >> On Fri, Aug 16, 2019 at 3:05 PM Jim Shankland >> wrote: >>

Re: syn flood attacks from NL-based netblocks

On Fri, Aug 16, 2019 at 3:05 PM Jim Shankland wrote: > I'm seeing slow-motion (a few per second, per IP/port pair) syn flood > attacks ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18 > , 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" because ... syn flood, > and BCP 38 not yet fu

Re: well-known Anycast prefixes

Careful thought should be given into whether the BGP community means "this is an anycast prefix" vs "please hot-potato to this prefix". Latency-sensitive applications may prefer hot-potato to their network even if it's not technically an anycast range, as their private backbone may be faster (less

Re: Bulk IP abuse reporting

Take a look at https://www.abusix.com/contactdb Damian On Wed, Nov 28, 2018 at 12:46 PM micah anderson wrote: > > Hi all, > > It seems that outdated CLDAP servers on the internet are being used > again for DDoS amplification attacks. I've got about 16k IPs that have > participated in several of

Re: Google Captcha

Solving a captcha issues an exemption cookie. If you're being blocked again on the "next search" this implies that cookie isn't working because: - your "next search" was several hours later, and the exemption cookie expired - you cleared cookies (or used a different browser) - you're doing s

Re: Dedicated Server and IP anycast provider recommendation

Not quite a dedicated server, but may meet your needs anyway: https://cloud.google.com/load-balancing/ Damian On Tue, Aug 7, 2018 at 6:50 AM John Kristoff wrote: > Friends, > > For those that may have used or know of a service like this. I know > some exist, but it doesn't seem to be that popu

Re: Google DNS intermittent ServFail for Disney subdomain

On Fri, Oct 20, 2017 at 6:29 AM, Filip Hruska wrote: > Would be great if makers of home routers would implement full recursive > DNS resolvers > instead of just forwards in their gear. Ignoring the latency impact of your proposal, I wonder what would happen to the world's authoritative servers

Re: loc.gov

There are two lists, depending on whether you're reporting an ongoing outage, or just talking about one: https://puck.nether.net/mailman/listinfo/outages https://puck.nether.net/mailman/listinfo/outages-discussion Damian On Sat, Jul 8, 2017 at 6:41 PM, Nicholas Oas wrote: > I'd be interested t

Re: Question to Google

On Mon, May 15, 2017 at 8:07 AM, Stephane Bortzmeyer wrote: > On Mon, May 15, 2017 at 07:55:41AM -0700, > Damian Menscher wrote > a message of 82 lines which said: > > > Can you point to published studies where the root and .com server > > operators analyzed Todd's questions? > > For the root,

Re: Question to Google

On Mon, May 15, 2017 at 7:06 AM, Stephane Bortzmeyer wrote: > On Mon, May 15, 2017 at 09:20:17AM -0400, > Todd Underwood wrote > a message of 66 lines which said: > > > so implications that this is somehow related to Google dragging > > their feet are silly. > > Implying that the root name ser

Re: did facebook just DoS me?

It might have been even more innocent than that. There are some really crappy consumer-grade firewalls out there that say "DoS Attack" any time they receive an unexpected packet. This most commonly occurs when the device reboots (power outage) and a live TCP connection sends a keepalive or a RST.

Re: Recent NTP pool traffic increase

On Tue, Dec 20, 2016 at 6:41 PM, Keenan Tims wrote: > In a similar vein, I've always been curious what the ratio Google sees of > ICMP echo vs. DNS traffic to 8.8.8.8 is... > The more fun question is how many pagers would go off around the world if Google stopped responding to ICMP echo. Damian

Re: IP addresses being attacked in Krebs DDoS?

On Sun, Sep 25, 2016 at 1:01 PM, Brett Glass wrote: > As an ISP who is pro-active when it comes to security, I'd like to know > what IP address(es) are being hit by the Krebs on Security DDoS attack. If > we know, we can warn customers that they are harboring infected PCs and/or > IoT devices. (A

Re: DNS Services for a registrar

On Fri, Aug 12, 2016 at 7:07 PM, Mehmet Akcin wrote: > On a serious note, what are the providers out there that can do a decent > secondary dns hosting service?. looks like a lot of people stopped offering > this service for bulk amount of domains at reasonable price. Let's say > (100K domains) >

Re: Google captcha problem on newly rented subnet

If you send details off-list I can take a quick look for you. Using a hosting provider that ignores abuse complaints is a likely cause, but I'm curious about the '3 captchas' thing as one should be sufficient. Please also explain what you're using the machine for. Damian On Mon, Jul 25, 2016 at

Re: any way to deal with google's captcha for whole /21 v4?

This usually happens because we've detected abuse on your network. Please send me details off-list -- I think you may be an unusual case with the recent transfer of the IP-space. I'm especially curious who you acquired it from since they may have been using it for abuse, then sold it when it was

Re: Stop IPv6 Google traffic

Sorry to hear your legitimate users are impacted by captchas when trying to use Google web search. This can happen when you have significant amounts of abuse coming from your network. If switching to IPv4 means having more users share IPs, it could make the problem worse. Instead, let's try to q

Re: google search threshold

On Fri, Feb 26, 2016 at 3:01 PM, Philip Lavine via NANOG wrote: > Does anybody know what the threshold for google searches is before you get > the captcha?I am trying to decide if I need to break up the overload NAT > to a pool. > There isn't a threshold -- if you send automated searches from a

Re: Thank you, Comcast.

e ones over seas where the traffic is coming > from won't care. > > Regards, > > Dovid > > -----Original Message- > From: Damian Menscher via NANOG > Sender: "NANOG" Date: Fri, 26 Feb 2016 08:02:52 > To: Jared Mauch; Jason Livingood< > jaso

Re: Thank you, Comcast.

On Fri, Feb 26, 2016 at 6:28 AM, Jared Mauch wrote: > As a community we need to determine if this background radiation and these > responses are proper. I think it's a good response since vendors can't do > uRPF at line rate and the major purchasers of BCM switches don't ask for it > and aren't d

Re: Google Contact

On Tue, Jan 26, 2016 at 12:08 PM, James Downs wrote: > > > On Jan 26, 2016, at 09:40, Adam Loveless > wrote: > > > > Any Google engineers that can contact me off list? Seems our address > space > > has been blacklisted by Google and we have to enter captchas for them > now. > Blacklisting IP spa

Re: Another Big day for IPv6 - 10% native penetration

On Mon, Jan 4, 2016 at 3:55 PM, Owen DeLong wrote: > domain.name results are 82 (16.4%) up from 69 (13.8%). > www.domain.name results are 101 (20.2%) up from > 81 (16.2%) As a professional pessimist, I can't help but note that of the 111 sites responding over IPv6 (I'm

Re: Another Big day for IPv6 - 10% native penetration

On Mon, Jan 4, 2016 at 1:21 PM, wrote: > On Mon, 04 Jan 2016 11:59:40 -0800, Owen DeLong said: > > > These numbers might be slightly pessimistic because 3XX series responses > are > > not counted as good. > > They may be a *lot* more than slightly pessimistic - consider the case of > any site tha

Re: de-peering for security sake

On Sat, Dec 26, 2015 at 10:06 PM, Matthew Petach wrote: > Thanks for the reminder to look at it from multiple perspectives. > The key attribute missing from the discussion so far is that the factors be *different*, from the set of: - something you know (password / PIN) - something you have (

Re: Google Captcha on web searches

On Tue, Nov 10, 2015 at 2:43 PM, Chris Murray wrote: > The "popular open dns services" you refer to appear to be Proxy/VPN > services that also provide DNS to get around region blocking. These > services proxy and/or NAT users behind a single IP address to make it > look like you are coming from

Re: How to force rapid ipv6 adoption

On Thu, Oct 1, 2015 at 8:54 PM, Hugo Slabbert wrote: > On Thu 2015-Oct-01 18:28:52 -0700, Damian Menscher via NANOG < > nanog@nanog.org> wrote: > >> On Thu, Oct 1, 2015 at 4:26 PM, Matthew Newton >> wrote: >> >> On Thu, Oct 01, 2015 at 10:42:57PM +,

Re: How to force rapid ipv6 adoption

On Thu, Oct 1, 2015 at 4:26 PM, Matthew Newton wrote: > On Thu, Oct 01, 2015 at 10:42:57PM +, Todd Underwood wrote: > > it's just a new addressing protocol that happens to not work with the > rest > > of the internet. it's unfortunate that we made that mistake, but i guess > > we're stuck wi

Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica

On Tue, Aug 4, 2015 at 9:39 AM, Mark Andrews wrote: > In message <9c2aca5a-755d-4fcf-8491-745a1f911...@puck.nether.net>, Jared > Mauch writes: > > I recommend using DNSDIST to balance traffic at a protocol level as you > can h= > > ave implementation diversity on the backside.=20 > > > > I can se

Re: DDOS Simulation

Two more options: - http://www.redwolfsecurity.com/#!ddos_testing/cqd6 (not vouching for them, just raising awareness of the options) - Spin up a bunch of VMs at various cloud providers and launch your own attacks against yourself. Note that you should only do this with the permission of the c

Re: REMINDER: LEAP SECOND

On Wed, Jun 24, 2015 at 9:48 PM, Stefan Schlesinger wrote: > > On 25 Jun 2015, at 03:14, Damian Menscher via NANOG > wrote: > > > > > http://googleblog.blogspot.com/2011/09/time-technology-and-leaping-seconds.html > > comes dangerously close to your modest pro

Re: REMINDER: LEAP SECOND

On Mon, Jun 22, 2015 at 7:17 AM, shawn wilson wrote: > > > So, what we should do is make clocks move. 9 slower half of the year > (and then speed back up) so that we're really in line with earth's > rotational time. I mean we've got the computers to do it (I think most RTC > only go down to t

Re: OPM Data Breach - Whitehouse Petition - Help Wanted

On Thu, Jun 18, 2015 at 7:50 PM, Stephen Satchell wrote: > On 06/18/2015 10:15 AM, Nick B wrote: > >> I wish I had some simple solution, but I don't, it's going to require >> years, probably decades, of hard work by a motivated and skilled team. >> Also, a stable of unicorns. >> > > Not to mentio

Re: Is it safe to use 240.0.0.0/4

Not used in the sense you imagine, but I designed a hack where we hash IPv6 addresses into 224/3 (class D and E space) so backends that don't support IPv6 can still be provided a pseudo-IP. This accelerated support of IPv6 across all Google services without needing to wait for each individual back