Re: DDoS attack with blackmail

nd also support staff that will see the DDoS bounce like >> mosquitoes on the windshield of your car at 90 Mph. >> >> >> >> Start learning now and start improving your DDoS. This won’t go away >> anytime soon. >> >> >> >> Jean >> >&

Re: DDoS attack with blackmail

w and start improving your DDoS. This won’t go away > anytime soon. > > > > Jean > > > > > > *From:* jim deleskie > *Sent:* May 24, 2021 12:38 PM > *To:* Jean St-Laurent > *Cc:* NANOG Operators' Group > *Subject:* Re: DDoS attack with blackmail >

RE: DDoS attack with blackmail

Sent: May 24, 2021 12:38 PM To: Jean St-Laurent Cc: NANOG Operators' Group Subject: Re: DDoS attack with blackmail While I have no design to engage in over email argument over how much latency people can actually tolerate, I will simply state that most people have a very poor understa

Re: DDoS attack with blackmail

;>> >>> >>> >>> The art of war taught me everything there is to know about DDoS attacks >>> even if it was written some 2500 years ago. >>> >>> >>> >>> I suspect that the attack that impacted Baldur’s assets was a very easy

Re: DDoS attack with blackmail

t that the attack that impacted Baldur’s assets was a very easy >> DDoS to detect and block, but can’t confirm. >> >> >> >> @Baldur: do you care to share some metrics? >> >> >> >> Jean >> >> >> >> *From:* NANOG *On Behalf Of

Re: DDoS attack with blackmail

are some metrics? > > > > Jean > > > > *From:* NANOG *On Behalf Of *Jean > St-Laurent via NANOG > *Sent:* May 21, 2021 10:52 AM > *To:* 'Lady Benjamin Cannon of Glencoe, ASCE' ; 'Baldur > Norddahl' > *Cc:* 'NANOG Operators'

Re: DDoS attack with blackmail

DDoS Attack Preparation Workbook https://www.senki.org/ddos-attack-preparation-workbook/ > On May 20, 2021, at 12:26 PM, Baldur Norddahl > wrote: > > Hello > > We got attacked by a group that calls th

RE: DDoS attack with blackmail

. @Baldur: do you care to share some metrics? Jean From: NANOG On Behalf Of Jean St-Laurent via NANOG Sent: May 21, 2021 10:52 AM To: 'Lady Benjamin Cannon of Glencoe, ASCE' ; 'Baldur Norddahl' Cc: 'NANOG Operators' Group' Subject: RE: DDoS attack with blackma

RE: DDoS attack with blackmail

I also recommend book Art of War from Sun Tzu. All the answers to your questions are in that book. Jean From: NANOG On Behalf Of Lady Benjamin Cannon of Glencoe, ASCE Sent: May 20, 2021 7:18 PM To: Baldur Norddahl Cc: NANOG Operators' Group Subject: Re: DDoS attack with blac

Re: DDoS attack with blackmail

20 years ago I wrote an automatic teardrop attack. If your IP spammed us 5 times, then a script would run, knocking the remote host off the internet entirely. Later I modified it to launch 1000 teardrop attacks/second… Today, contact the FBI. And get a mitigation service above your borders i

Re: DDoS attack with blackmail

On Thu, May 20, 2021 at 12:28 PM Baldur Norddahl wrote: > We got attacked by a group that calls themselves "Fancy Lazarus". They want > payment in BC to not attack us again. The attack was a volume attack to our > DNS and URL fetch from our webserver. > > I am interested in any experience in fig

Re: DDoS attack with blackmail

I would encourage you to contact the FBI. Another ISP told me a fairly positive story after being in the same situation. --TimH On Thu, 20 May 2021 21:26:50 +0200 Baldur Norddahl wrote: > Hello > > We got attacked by a group that calls themselves "Fancy Lazarus". They want > payment in BC to

Re: DDoS attack with blackmail

Not this Lazarus group, I hope: https://www.bbc.co.uk/programmes/w13xtvg9 Really good podcast, BTW.. Brandon On Thu, May 20, 2021 at 12:28 PM Baldur Norddahl wrote: > Hello > > We got attacked by a group that calls themselves "Fancy Lazarus". They > want payment in BC to not attack us again.

Re: DDoS attack

Peace, On Mon, Dec 9, 2019 at 11:35 PM Florian Brandstetter via NANOG wrote: > if that was to be amplification, the source addresses > would not be within Google or CloudFlare ranges > (especially not CloudFlare, as they are not running > a vulnerable recursor Well, vulnerable — arguably of cour

RE: [EXTERNAL] RE: DDoS attack

ld ; 'Paul Amaral' ; ahmed.dala...@hrins.net; Nanog@nanog.org Subject: RE: [EXTERNAL] RE: DDoS attack You can get the bogon prefixes from Cymru and defend your network using them in combination with rpf The key with the attacks dos or ddos is to have proper telemetry (streaming telemetry n

RE: [EXTERNAL] RE: DDoS attack

. Based on the thread below I don't see any evidence of an attack only speculations. nikos -Original Message- From: NANOG On Behalf Of Aaron Gould Sent: Tuesday, December 10, 2019 5:05 PM To: 'Paul Amaral' ; ahmed.dala...@hrins.net; Nanog@nanog.org Subject: [EXTERNAL]

Re: DDoS attack

On Tue, 10 Dec 2019 at 19:08, Aaron Gould wrote: > - policers of well-known *good* ports/protocols (like ntp, dns, etc) to some > realistic level You might want to downpref these to a scavanger class, instead of police. Since ultimately policing makes it just easier to ddos the service, which i

RE: DDoS attack

Years ago, we looked at netflow data and precursors to attacks, and found that UDP 3074 Xbox Live was showing up just prior to the attacks...and through other research we concluded that gamers are a big cause of large ddos attacks apparently they go after each other in retaliation I've craf

RE: DDoS attack

Normally these attacks are spoofed IPs, usually amplification attacks based on UDP using DNS/LDAP etc. This is something that is common and usually is towards schools, financial institutions. This an easy attack to orchestrate by anyone, most of these attacks can be launch via stresser service

Re: DDoS attack

    BCP38     After all this time and knowledge why people still think ip> are legit evidence in DDoS instances... - Alain Hebertaheb...@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http:/

Re: DDoS attack

On 9/Dec/19 22:32, Florian Brandstetter via NANOG wrote: > > In any regard, <1 Gbps is pretty piss poor for an amplification attack > too. Must be nice :-)... Mark.

Re: DDoS attack

see also: https://en.wikipedia.org/wiki/Smurf_attack On Mon, Dec 9, 2019 at 12:09 PM ahmed.dala...@hrins.net < ahmed.dala...@hrins.net> wrote: > Dear All, > > My network is being flooded with UDP packets, Denial of Service attack, > soucing from Cloud flare and Google IP Addresses, with 200-300

Re: DDoS attack

Hi, > On 12/9/19 3:32 PM, Florian Brandstetter via NANOG wrote: > "how much do I care?" part of the abuse team's line-up. If people cared, they would have anti-spoofing filters in place. Most on this list will agree that amplification attacks can be mitigated or at least severely reduced by an

Re: DDoS attack

On 12/9/19 3:32 PM, Florian Brandstetter via NANOG wrote: > In any regard, <1 Gbps is pretty piss poor for an amplification attack too. But, as others have pointed out, plenty to knock a single subscriber, shared access link (DOCSIS, wireless, or even well loaded GPON), or even a small regional

Re: DDoS attack

Peace, On Tue, Dec 10, 2019, 12:08 AM Mike Lewinski wrote: > My working theory is that with the Dec 3rd release of Halo Reach for PC, > there are gamers attempting to lag, but not knock off, their opponents. > This would be one reason to target adjacent unused addresses. > +1 Either this, or so

Re: DDoS attack

ds, > >> > >> Michael Sherlock > >> Mobile: +44 75070 92392 > >> > >> Sent from my iPhone > >> > >> On Dec 9, 2019, at 8:36 PM, "ahmed.dala...@hrins.net" > >> wrote: > >> > >>  > >> > >>

Re: DDoS attack

> In any regard, <1 Gbps is pretty piss poor for an amplification attack too. We've observed a customer receiving relative low volume attacks in the last week (so low they didn't trigger our alarms). My working theory is that with the Dec 3rd release of Halo Reach for PC, there are gamers attem

Re: DDoS attack

network they don't mean anything to me. > > Regards, > > Michael Sherlock > Mobile: +44 75070 92392 > > Sent from my iPhone > > On Dec 9, 2019, at 8:36 PM, "ahmed.dala...@hrins.net" > wrote: > >  > > Begin forwarded message: > > From: Chri

Re: DDoS attack

> My network is being flooded with UDP packets, Denial of Service > attack, soucing from Cloud flare and Google IP Addresses but, until nancy drew walks the attack back upstream step by step, you really do not know it's coming from clodflare or gobble. > the destination in my network are IP prefi

Re: DDoS attack

Hello, you're forgetting if that was to be amplification, the source addresses would not be within Google or CloudFlare ranges (especially not CloudFlare, as they are not running a vulnerable recursor, and merely authoritative nameservers), the only possibility would be Google as in Google Clou

Re: DDoS attack

I'm going to take a guess that ahmed is: AS | BGP IPv4 Prefix | AS Name 198735 | 185.51.220.0/22 | HRINS-AS, IQ 198735 | 185.51.220.0/24 | HRINS-AS, IQ 198735 | 185.51.221.0/24 | HRINS-AS, IQ 198735 | 185.51.222.0/24 | HRINS-AS, IQ 198735 | 185.51.223.0/24 | HRIN

Re: DDoS attack

On which UDP port? On 2019-12-09 15:07, ahmed.dala...@hrins.net wrote: Dear All, My network is being flooded with UDP packets, Denial of Service attack, soucing from Cloud flare and Google IP Addresses, with 200-300 mbps minimum traffic, the destination in my network are IP prefixes that is c

Re: DDoS attack

nt: Monday, December 9, 2019 2:15:39 PM Subject: Re: DDoS attack Hello, which attack protocol are seeing? I suspect you're seeing DNS based amplification or similar, in which case you can't really pinpoint the attack source... 800Mbps is not a whole lot of traffic - does it cause an

Re: DDoS attack

For short term relief, you might consider asking your upstream provider to block the unused IPs in your network that are being attacked. It may not get everything, but it could drop the volume considerably. Just be sure that the provider blocks them silently, without sending “no route to host” I

Re: DDoS attack

This is lame. They should be able to view NAT translation tables or better yet have some method of watching flows. Tim On 12/9/19 12:11 PM, Christopher Morrow wrote: > I'd note that: "what prefixes?" isn't answered here... like: "what is > the thing on your network which is being attacked?" > >

Re: DDoS attack

Hello, which attack protocol are seeing? I suspect you're seeing DNS based amplification or similar, in which case you can't really pinpoint the attack source... 800Mbps is not a whole lot of traffic - does it cause any disruptions to you? If the prefixes are not in use, I would suggest the

Re: DDoS attack

I'd note that: "what prefixes?" isn't answered here... like: "what is the thing on your network which is being attacked?" On Mon, Dec 9, 2019 at 3:08 PM ahmed.dala...@hrins.net wrote: > > Dear All, > > My network is being flooded with UDP packets, Denial of Service attack, > soucing from Cloud f

Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

On 2/14/2014 9:07 PM, Paul Ferguson wrote: > Indeed -- I'm not in the business of bit-shipping these days, so I > can't endorse or advocate any particular method of blocking spoofed IP > packets in your gear. If you're dead-end, a basic ACL that permits ONLY your prefixes on egress, and blocks you

Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 2/14/2014 4:09 PM, Joe Provo wrote: > On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote: > [snip] >> Taken to the logical extreme, the "right thing" to do is to deny >> any spoofed traffic from abusing these services altogether. NTP

Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 2/14/2014 3:00 PM, Larry Sheldon wrote: > On 2/14/2014 12:42 PM, Paul Ferguson wrote: >> Taken to the logical extreme, the "right thing" to do is to deny >> any spoofed traffic from abusing these services altogether. > > Since the 1990s I have a

Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

On Fri, Feb 14, 2014 at 10:42:55AM -0800, Paul Ferguson wrote: [snip] > Taken to the logical extreme, the "right thing" to do is to deny any > spoofed traffic from abusing these services altogether. NTP is not the > only one; there is also SNMP, DNS, etc. ...and then we're back to "implement BCP3

Re: ddos attack blog

On 2/14/14, 3:00 PM, Hal Murray wrote: > >> I was being a bit extreme, I don't expect UDP to be blocked and there are >> valid uses for NTP and it needs to pass. Can you imagine the trading >> servers not having access to NTP? > > Sure. > > They could setup internal NTP servers listening to GP

Re: ddos attack blog

> I was being a bit extreme, I don't expect UDP to be blocked and there are > valid uses for NTP and it needs to pass. Can you imagine the trading > servers not having access to NTP? Sure. They could setup internal NTP servers listening to GPS. Would it be as good overall as using external s

Re: Permitting spoofed traffic [Was: Re: ddos attack blog]

On 2/14/2014 12:42 PM, Paul Ferguson wrote: Taken to the logical extreme, the "right thing" to do is to deny any spoofed traffic from abusing these services altogether. Since the 1990s I have argued (ineffectively, it turns out) a case that says that sentence can be edited down to good advanta

Re: ddos attack blog

On 02/13/2014 06:01 PM, Jared Mauch wrote: On Feb 13, 2014, at 1:47 PM, John wrote: UDP won't be blocked. There are some vendors that have their own hidden protocol inside UDP packets to control and communicate with their devices. Thinking on it again, maybe blocking UDP isn't all that bad.

Permitting spoofed traffic [Was: Re: ddos attack blog]

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 2/14/2014 10:22 AM, Wayne E Bouchard wrote: > On Thu, Feb 13, 2014 at 08:01:27PM -0500, Jared Mauch wrote: >> I would actually like to ask for those folks to un-block NTP so >> there is proper data on the number of hosts for those researching >>

Re: ddos attack blog

On Thu, Feb 13, 2014 at 08:01:27PM -0500, Jared Mauch wrote: > I would actually like to ask for those folks to un-block NTP so there is > proper data on the number of hosts for those researching this. The right > thing to do is reconfigure them. I've seen a good trend line in NTP servers > bei

Re: ddos attack blog

On Friday, February 14, 2014 03:01:27 AM Jared Mauch wrote: > I would actually like to ask for those folks to un-block > NTP so there is proper data on the number of hosts for > those researching this. The right thing to do is > reconfigure them. I've seen a good trend line in NTP > servers bein

Re: ddos attack blog

On Feb 13, 2014, at 1:47 PM, John wrote: > On 02/13/2014 10:06 AM, Cb B wrote: >> Good write up, includes name and shame for AT&T Wireless, IIJ, OVH, >> DTAG and others >> >> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack >> >> Standard plug for htt

Re: ddos attack blog

On 02/13/2014 10:06 AM, Cb B wrote: Good write up, includes name and shame for AT&T Wireless, IIJ, OVH, DTAG and others http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack Standard plug for http://openntpproject.org/ and http://openresolverproject.org/ an

Re: ddos attack blog

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 2/13/2014 9:06 AM, Cb B wrote: > Good write up, includes name and shame for AT&T Wireless, IIJ, > OVH, DTAG and others > > http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack > > Standard plug for http://

Re: ddos attack blog

On Feb 13, 2014, at 12:06 PM, Cb B wrote: > Good write up, includes name and shame for AT&T Wireless, IIJ, OVH, > DTAG and others > > http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack > > Standard plug for http://openntpproject.org/ and > http://openre

RE: DDOS attack via as702 87.118.210.122

See my sig.. Did you try calling your local customer support team? While we do have a 24x7 team that handles DoS attacks, we don't have a 24x7 team that reads every post to nanog ;-) The local support offices have a process to contact us, you should be able to get assistance reasonably quick.

Re: DDOS attack via as702 87.118.210.122

On Tue, Oct 26, 2010 at 9:12 AM, Jack Carrozzo wrote: > Well, I whois'd 702, got no match, said "hm, I see 701 all over the place, > lemmy take a look" and found: There is a match... I think "WHOIS as702" is erroneous WHOIS query syntax, typing "asX" not being the way to search for an A

Re: DDOS attack via as702 87.118.210.122

whois on 702(Verizon) http://www.robtex.com/as/as702.html goodluck. On Tue, Oct 26, 2010 at 5:51 AM, Serg Shubenkov wrote: > > Hello, list. > > Please send me off-list abuse contact for as702. > > -- > Serg Shubenkov, MAcomnet, Internet Dept., Head of Inet Department > phone: +7 495 7969392/907

RE: DDOS attack via as702 87.118.210.122

manual work like a bit of ripe/cidr-report and used network tools for a whois you would get the answer. Cheers Steven -Original Message- From: Cutler James R [mailto:james.cut...@consultant.com] Sent: 26 October 2010 14:54 To: na...@merit.edu Subject: Re: DDOS attack via as702

Re: DDOS attack via as702 87.118.210.122

Well, I whois'd 702, got no match, said "hm, I see 701 all over the place, lemmy take a look" and found: ASNumber: 701 - 705 ASName: UUNET etc. Sorry, it was left as an exercise to the reader - didn't mean to be flippant. -Jack CArrozzo On Tue, Oct 26, 2010 at 10:07 AM, Adrian Cha

Re: DDOS attack via as702 87.118.210.122

Whois really isn't that hard Maybe reading: ASNumber: 701 - 705 is though.. t...@shitbox:/var/log$ whois a 702 -h whois.arin.net # # The following results may also be obtained via: # http://whois.arin.net/rest/asns;q=702?showDetails=true # ASNumber: 701 - 705 ASName: UUNET ASHan

Re: DDOS attack via as702 87.118.210.122

On Tue, Oct 26, 2010, Cutler James R wrote: > Jack, > > I agree that whois is hard. Please explain how you knew to query AS701 when > Serg asked about AS702. Brainfart. I understand why people confuse 701 with 702. $ whois -h whois.ripe.net AS702 % Information related to 'AS702' aut-num:

Re: DDOS attack via as702 87.118.210.122

Jack, I agree that whois is hard. Please explain how you knew to query AS701 when Serg asked about AS702. computer:~ me$ whois as702 No match for "AS702". >>> Last update of whois database: Tue, 26 Oct 2010 13:47:47 UTC <<< Regards. Cutler On Oct 26, 2010, at 9:22 AM, Jack Carrozzo

Re: DDOS attack via as702 87.118.210.122

Whois is hard, let's go shopping: ja...@anna ~ $ whois as701 # # The following results may also be obtained via: # http://whois.arin.net/rest/asns;q=as701?showDetails=true # ASNumber: 701 - 705 ASName: UUNET ASHandle: AS701 RegDate:1990-08-03 Updated:2008-07-2

Re: DDoS Attack in Progress.

On Sat, Oct 11, 2008 at 7:52 PM, Steve Church <[EMAIL PROTECTED]> wrote: > Mr. Lopez is contributing to the welfare of the net as a whole by addressing > the cause, rather than applying a bandage locally to lessen the symptom. I > sincerely hope your dismissive advice is not characteristic of Spa

Re: DDoS Attack in Progress.

Steve Church wrote: > Beavis aka John Lopez: > I, for one, am glad you're interested in stopping the abuse at its source. > Thank you. > > Steve Linford: > >> why not ACL the source at your router or at whatever device is being >> > (packeted). > Mr. Lopez is contributing to the welfare of

Re: DDoS Attack in Progress.

On 11 Oct 2008, at 16:22, Steve Church wrote: Beavis aka John Lopez: I, for one, am glad you're interested in stopping the abuse at its source. Thank you. Steve Linford: why not ACL the source at your router or at whatever device is being (packeted). Mr. Lopez is contributing to the welfar

Re: DDoS Attack in Progress.

On Sat, 2008-10-11 at 08:05 +, Steve Linford wrote: > On 10 Oct 2008, at 20:46, Beavis wrote: > > > Hi All, > > > > DoS attack in progress, any upstream info for these guys? their > > phone number doesn't respond. > > > > inetnum: 88.247.0.0 - 88.247.79.255 > > netname: TurkT

Re: DDoS Attack in Progress.

Beavis aka John Lopez: I, for one, am glad you're interested in stopping the abuse at its source. Thank you. Steve Linford: > why not ACL the source at your router or at whatever device is being (packeted). Mr. Lopez is contributing to the welfare of the net as a whole by addressing the cause, rat

Re: DDoS Attack in Progress.

Sorry for the anonymity part Steve This is the only one email i got that is added to the NANOG List. John Lopez NOC Manager Constructora Pura Vida (506)243-018-35 Ext. 2901 On Sat, Oct 11, 2008 at 2:05 AM, Steve Linford <[EMAIL PROTECTED]> wrote: > On 10 Oct 2008, at 20:46, Beavis wrote: > >

Re: DDoS Attack in Progress.

On 10 Oct 2008, at 20:46, Beavis wrote: Hi All, DoS attack in progress, any upstream info for these guys? their phone number doesn't respond. inetnum: 88.247.0.0 - 88.247.79.255 netname: TurkTelekom descr: TT ADSL-alcatel static_ulus country: tr The Spamha

Re: DDoS Attack in Progress.

Try, NOC ITMC/NOC +902125209898 [EMAIL PROTECTED] Mehmet From: Paul Ferguson <[EMAIL PROTECTED]> Date: Fri, 10 Oct 2008 11:55:41 -0700 To: Beavis <[EMAIL PROTECTED]> Cc: NANOG list Subject: Re: DDoS Attack in Progress. -BEGIN PGP SIGNED MESSAGE- Has

Re: DDoS Attack in Progress.

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Not surprising -- TurkTelekom has long been known to be a hotbed of malicious activity, a known hoster for Russian/Ukrainian cyber criminals, and perhaps one of the most botnetted ISPs on the planet: http://itw.trendmicro-europe.com/index.php?id=64