Talk to your upstream provider. They may already have mitigation in place (e.g. Arbor devices). If not, then if you know much about this anticipated attack (and you seem to have some details) they can certainly implement ACLs and other moderating tools.

Regardless, contact the FBI or similar LEA and get them involved: extortion and threats for now, and if they follow through then you have civil and very possibly criminal proceedings to look forward to.

I also highly recommend you contact EFF. Start at eff.org

--patrick darden

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of halp us
Sent: Thursday, December 03, 2015 2:15 AM
To: nanog@nanog.org
Subject: [EXTERNAL]Ransom DDoS attack - need help!

All,

I've been a NANOG member for many years but I'm emailing from an anonymous account to reduce the chance of the attackers finding me.

A company that shall remain anonymous has received a ransom DDoS note from a very well known group that has been in the news lately. Recently they've threatened to carry out a major DDoS attack if they are not paid by a deadline which is approaching. They've performed an attack of a smaller magnitude to prove that they're serious.

Based on certain details that I can't reveal here, we believe the magnitude of the upcoming attack may be in the several hundred Gbps.

I would really appreciate help in a few areas (primarily with certain provider contacts/intros) so we can execute our strategy (which I can't reveal here for obvious reasons).

If you email me off-list with a name/email that you've previously used on-list, I will reply from my real email.

Alternatively, if you can post your experiences on-list with large scale high profile ransom DDoS attacks, I'd really appreciate it!

Thanks