Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

2019-08-27 Thread Damian Menscher via NANOG
On Wed, Aug 21, 2019 at 3:21 PM Töma Gavrichenkov wrote: > On Thu, Aug 22, 2019 at 12:17 AM Damian Menscher > wrote: > > Some additional questions, if you're able to answer them (off-list is > fine if there are things that can't be shared broadly): > > - Was the attack referred to law enforcem

Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

2019-08-21 Thread Amir Herzberg
Töma, thanks for this interesting update. The best defense against this type of DDoS attacks seems idd to be relaying to sufficiently-large-bandwidth cloud/CDN, and filtering TCP traffic (received not from the relay). Such relaying should be done well - smart attacks may still be possible for `naiv

Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

2019-08-21 Thread Töma Gavrichenkov
Peace, On Thu, Aug 22, 2019 at 12:17 AM Damian Menscher wrote: > Some additional questions, if you're able to answer them (off-list is fine if > there are things that can't be shared broadly): > - Was the attack referred to law enforcement? It is being referred to now. This would most probab

Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

2019-08-21 Thread Damian Menscher via NANOG
Thanks for following up, and for publishing two bits of key data: - This was part of a larger attack campaign that included CLDAP amplification - The SYN/ACK amplification resulted in 208Mpps (or more) Some additional questions, if you're able to answer them (off-list is fine if there are thin

Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

2019-08-21 Thread Töma Gavrichenkov
Peace, Here's to confirm that the pattern reported before in NANOG was indeed a reflection DDoS attack. On Sunday, it also hit our customer, here's the report: https://www.prnewswire.com/news-releases/root-cause-analysis-and-incident-report-on-the-august-ddos-attack-300905405.html tl;dr: basical

Re: syn flood attacks from NL-based netblocks

2019-08-20 Thread Jakob Heitz (jheitz) via NANOG
The source address in the SYN is spoofed. What if the real owner of the source address wanted to connect to you? Then your penaltybox would block him. An attacker could now use your penaltybox to cause a DoS to the real owner of the IP address. > Date: Sun, 18 Aug 2019 08:48:08 -0700 > From: Mi

Re: syn flood attacks from NL-based netblocks

2019-08-20 Thread Florian Brandstetter
Load balancing is done on Layer 4 or Layer 3 when routing, so your ingress connection will have the same hash as the outgoing connection (unless the source port of the connection changes on the ACK - which it really should not). On Mon, 08/19/2019 06:18 PM, Töma Gavrichenkov wrote: > On Mon

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
On Mon, Aug 19, 2019, 9:24 PM Florian Brandstetter wrote: > Load balancing is done on Layer 4 or Layer 3 when routing, so your > ingress connection will have the same hash as the outgoing connection > (unless the source port of the connection changes on the ACK - which it > really should not). >

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
On Mon, Aug 19, 2019, 9:27 PM Valdis Klētnieks wrote: > On Mon, 19 Aug 2019 21:18:49 +0300, Töma Gavrichenkov said: > > > If you're doing load balancing for *outgoing* traffic — and in exactly > the > > same manner as you do with incoming — then maybe. > > On the other hand, your servers should p

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Valdis Klētnieks
On Mon, 19 Aug 2019 21:18:49 +0300, Töma Gavrichenkov said: > If you're doing load balancing for *outgoing* traffic — and in exactly the > same manner as you do with incoming — then maybe. On the other hand, your servers should probably be doing non-loadbalanced outbound on a different IP address

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
On Mon, Aug 19, 2019, 8:57 PM Valdis Klētnieks wrote: > On Mon, 19 Aug 2019 20:44:47 +0300, Töma Gavrichenkov said: > > > Not in a typical DC/ISP environment! With the solution you propose, a > > perfect routing symmetry is a hard requirement, b/c you need to make > > sure a returning SYN/ACK hi

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Valdis Klētnieks
On Mon, 19 Aug 2019 20:44:47 +0300, Töma Gavrichenkov said: > Not in a typical DC/ISP environment! With the solution you propose, a > perfect routing symmetry is a hard requirement, b/c you need to make > sure a returning SYN/ACK hits the very same machine as the initial > SYN. If your load bala

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
On Mon, Aug 19, 2019 at 8:12 PM Damian Menscher wrote: > A factor of 2 is "rounding error" and we probably shouldn't > waste our time on it (eg, by designing solutions to reduce > amplification factors) when we could instead be targeting > the sources of spoofed traffic. Ah, fine. Spoofing is ob

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Damian Menscher via NANOG
On Mon, Aug 19, 2019 at 4:15 AM Töma Gavrichenkov wrote: > Dealing with TCP flags is a different story: > I agree these attacks can be large: the one under discussion probably exceeded 10Mpps (Gbps is the wrong metric for small-packet attacks) I agree they can cause significant outages: this sty

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
Peace, On Mon, Aug 19, 2019 at 7:39 AM Damian Menscher via NANOG wrote: > Most kernels will return 3-5 SYN-ACK packets for an incoming > SYN, so it's not particularly interesting for attackers or defenders. Well, producing 1000 Gbps as opposed to 200 Gbps is still pretty impressive, isn't it? M

Re: syn flood attacks from NL-based netblocks

2019-08-19 Thread Töma Gavrichenkov
Peace, On Sun, Aug 18, 2019 at 6:48 PM Mike wrote: > [..] I do have an idea > that may be potentially a good mitigation strategy and for the exact > reason stated above; low load to individual end points may still, in > aggregate, overwhelm an IX or provider, so cutting off the SYN-ACK > traffic

Re: syn flood attacks from NL-based netblocks

2019-08-18 Thread Damian Menscher via NANOG
On Sun, Aug 18, 2019 at 6:42 AM Amir Herzberg wrote: > The current packets could be part of a research experiment about this > threat, or the instrumentation part of preparing such attack. I would not > rule out research, since it isn't trivial to know if the attack can be > really viable to clog

Re: syn flood attacks from NL-based netblocks

2019-08-18 Thread Mike
On 8/18/19 6:41 AM, Amir Herzberg wrote: > The number of TCP syn-ack amplifiers is large. It may suffice to allow > clogging a provider or IX, using low load per amplifier, as described. > Such low load is likely to be undetected by most operators, and even > when detected (e.g. by Jim), only few (

Re: syn flood attacks from NL-based netblocks

2019-08-18 Thread Amir Herzberg
The number of TCP syn-ack amplifiers is large. It may suffice to allow clogging a provider or IX, using low load per amplifier, as described. Such low load is likely to be undetected by most operators, and even when detected (e.g. by Jim), only few (e.g. Mike) will have sufficient motivation to blo

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Mike
On 8/16/19 3:04 PM, Jim Shankland wrote: > Greetings, > > I'm seeing slow-motion (a few per second, per IP/port pair) syn flood > attacks ostensibly originating from 3 NL-based IP blocks: > 88.208.0.0/18 , 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" > because ... syn flood, and BCP 38 not yet f

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Jim Shankland
On 8/17/19 3:16 PM, Damian Menscher wrote: On Fri, Aug 16, 2019 at 3:05 PM Jim Shankland wrote: I'm seeing slow-motion (a few per second, per IP/port pair) syn flood attacks ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Amir Herzberg
Damian, sure, that's what I meant - it's possible, but only _if_ Jim's machines actually respond with multiple SYN-ACK packets. Which I _think_ Jim probably would have noticed. Or maybe not ? btw, some TCP amplifications can be quite severe, if anyone wants I can send the citation to a nice paper

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Damian Menscher via NANOG
On Sat, Aug 17, 2019 at 3:36 PM Amir Herzberg wrote: > Hmm, I doubt this is the output of TCP amplification since Jim reported it > as SYN spoofing, i.e., SYN packets, not SYN-ACK packets (as for typical TCP > amplification). Unless the given _hosts_ respond with multiple SYN-ACKs in > which case

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Amir Herzberg
Hmm, I doubt this is the output of TCP amplification since Jim reported it as SYN spoofing, i.e., SYN packets, not SYN-ACK packets (as for typical TCP amplification). Unless the given _hosts_ respond with multiple SYN-ACKs in which case these may be experiments by an attacker to measure if these IP

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Damian Menscher via NANOG
On Fri, Aug 16, 2019 at 3:05 PM Jim Shankland wrote: > I'm seeing slow-motion (a few per second, per IP/port pair) syn flood > attacks ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18 > , 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" because ... syn flood, > and BCP 38 not yet fu

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Töma Gavrichenkov
On Sat, Aug 17, 2019, 4:59 AM Jim Shankland wrote: > On 8/16/19 3:50 PM, Emille Blanc wrote: > Thanks for the various responses. The pattern I (and apparently quite a > few others) are seeing differs from an ordinary probe in that it is > repeated a few times per second (if somebody wants to know

Re: syn flood attacks from NL-based netblocks

2019-08-16 Thread Jim Shankland
On 8/16/19 3:50 PM, Emille Blanc wrote: Have been seeing these at $DAYJOB off and on for the past week. First logged events began for on 2019-08-04, at approx 1500hrs PST. Impact for us has been negligible, but some older ASA's were having trouble with the scan volume and their configured log l

RE: syn flood attacks from NL-based netblocks

2019-08-16 Thread Emille Blanc
edied. -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jim Shankland Sent: Friday, August 16, 2019 3:05 PM To: nanog@nanog.org Subject: syn flood attacks from NL-based netblocks Greetings, I'm seeing slow-motion (a few per second, per IP/port pair) syn floo

Re: syn flood attacks from NL-based netblocks

2019-08-16 Thread Troy Mursch
The traffic "from" 88.208.0.0/18, 5.11.80.0/21, and 78.140.128.0/18 doesn't match the packet signatures for Masscan, ZMap, or any other well-known scanner. The traffic is likely spoofed. __ *Troy Mursch* @bad_packets On Fri, Aug 16, 2019 at 3:28 PM Jared Smith wrote: > I would think Shodan/Zm

Re: syn flood attacks from NL-based netblocks

2019-08-16 Thread Jared Smith
I would think Shodan/Zmap/pick your multi-IP-block-scanning-tool would portray similar behavior. Echoing Matt’s “probably shouldn’t worry” sentiment, this could just be someone running an incantation of such tools for research or recreational purposes. Best, Jared On Aug 16, 2019, 18:21 -0400,

Re: syn flood attacks from NL-based netblocks

2019-08-16 Thread Matt Harris
On Fri, Aug 16, 2019 at 5:05 PM Jim Shankland wrote: > 1. Rate seems too slow to do any actual damage (is anybody really > bothered by a few bad SYN packets per second per service, at this > point?); but > Common technique used by port scanners to evade detection as a DoS attack by fw/ids/etc.

Re: syn flood attacks from NL-based netblocks

2019-08-16 Thread Curtis, Bruce
On Aug 16, 2019, at 5:04 PM, Jim Shankland <na...@shankland.org> wrote: Greetings, I'm seeing slow-motion (a few per second, per IP/port pair) syn flood attacks ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18 , 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" because ..

syn flood attacks from NL-based netblocks

2019-08-16 Thread Jim Shankland
Greetings, I'm seeing slow-motion (a few per second, per IP/port pair) syn flood attacks ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18 , 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" because ... syn flood, and BCP 38 not yet fully adopted). Why is this syn flood different