On Thu, 3 Dec 2015 03:15:04 -0500 halp us <throwaway1958251@gmail.com> wrote:
> I would really appreciate help in a few areas (primarily with certain provider contacts/intros) so we can execute our strategy (which I can't reveal here for obvious reasons). If you email me off-list with a name/email that you've previously used on-list, I will reply from my real email.
Hello,

Sorry for your troubles. I'm happy to try to put you in touch with people we know or specific providers that may be particularly important for you, given the path attack traffic may follow to you. Generally, however, you need to be working with your upstream providers or peers. Those are your best friends that are best able to mitigate traffic from reaching you or to help trace back where it is coming from.

We also operate a free community service called UTRS, which is essentially just a community remote triggered black hole (RTBH) service. Depending on the attack and where it is coming from, it may be of some help. It is another tool in the tool box that is relatively easy to get going. Technical details and sign up form here:

<https://www.cymru.com/jtk/misc/utrs.html>
<http://www.team-cymru.org/UTRS/>

In case an attack does come, you must be able to provide some profile of the attack traffic for others to help. A sample of the attack traffic (e.g. a pcap, flow data, logs), including any characteristics that might help others help you mitigate, is important. This includes source network, IP address(es) (but they may be spoofed), protocol, port, packet size, payload, etc. ... anything that may uniquely identify the traffic. Keep track of the time an attack starts and let people know what time zone you're working in, or convert to UTC (preferred).
> Alternatively, if you can post your experiences on-list with large scale high profile ransom DDoS attacks, I'd really appreciate it!
You should consider engaging your local federal law enforcement office. Don't expect miracles, but at least have that ball rolling. They will probably tell you not to pay, and generally you shouldn't. Keep a good evidence trail. Be vigilant, but don't panic.

John
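The attack profile the reply asks for (time window in UTC, source networks, protocol, ports, packet size) can be assembled from a flow sample with a short script before it goes to an upstream provider or a service like UTRS. The following is an added example, not code from the thread or from Team Cymru; the NetFlow-style record layout and the sample flows are constructed for illustration, using documentation address ranges.

```python
"""Build the attack profile an upstream provider needs from a sample of flow
records: window in UTC, source networks, protocols, ports, packet sizes.
The record layout and the sample data are constructed for this example."""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

# Constructed sample flows (hypothetical NetFlow-style layout):
# (timestamp UTC, src_ip, dst_ip, proto, src_port, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("2015-12-03T08:15:04Z", "198.51.100.7", "203.0.113.10", "udp", 53, 80, 1200, 1680000),
    ("2015-12-03T08:15:05Z", "198.51.100.9", "203.0.113.10", "udp", 53, 80, 800, 1120000),
    ("2015-12-03T08:15:06Z", "192.0.2.44", "203.0.113.10", "udp", 123, 80, 500, 234000),
    ("2015-12-03T08:16:10Z", "192.0.2.45", "203.0.113.10", "tcp", 40000, 443, 300, 18000),
    ("2015-12-03T08:16:30Z", "198.51.100.7", "203.0.113.10", "udp", 53, 80, 900, 1260000),
    ("2015-12-03T08:10:00Z", "203.0.113.50", "203.0.113.10", "tcp", 51000, 443, 20, 12000),
    ("2015-12-03T08:15:30Z", "192.0.2.46", "203.0.113.11", "udp", 53, 80, 700, 980000),  # other host
]


def parse_flow(rec):
    """Turn one raw record into a dict with a timezone-aware UTC timestamp."""
    ts = datetime.strptime(rec[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": ipaddress.ip_address(rec[1]), "dst": ipaddress.ip_address(rec[2]),
            "proto": rec[3], "sport": rec[4], "dport": rec[5],
            "packets": rec[6], "bytes": rec[7]}


def source_network(addr, prefix=24):
    """Aggregate a source to its /24 (or /48 for IPv6): the report names networks,
    since individual source addresses may be spoofed."""
    plen = prefix if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def profile_attack(raw_flows, victim, top_n=3):
    """Summarize flows destined to `victim`; all counts are weighted by packets."""
    victim_ip = ipaddress.ip_address(victim)
    flows = [f for f in map(parse_flow, raw_flows) if f["dst"] == victim_ip]
    if not flows:
        return None
    nets, protos, sports, dports = Counter(), Counter(), Counter(), Counter()
    total_packets = total_bytes = 0
    for f in flows:
        nets[source_network(f["src"])] += f["packets"]
        protos[f["proto"]] += f["packets"]
        sports[f["sport"]] += f["packets"]
        dports[f["dport"]] += f["packets"]
        total_packets += f["packets"]
        total_bytes += f["bytes"]
    return {
        "victim": str(victim_ip),
        "start_utc": min(f["ts"] for f in flows).isoformat(),
        "end_utc": max(f["ts"] for f in flows).isoformat(),
        "total_packets": total_packets,
        "total_bytes": total_bytes,
        "avg_packet_bytes": total_bytes // total_packets,
        "top_source_nets": nets.most_common(top_n),
        "protocols": protos.most_common(),
        "top_src_ports": sports.most_common(top_n),
        "top_dst_ports": dports.most_common(top_n),
    }


def format_report(p):
    """Plain-text summary suitable for pasting into a ticket to an upstream."""
    fmt = lambda pairs, unit="": ", ".join(f"{n} ({c}{unit})" for n, c in pairs)
    return "\n".join([
        f"Target: {p['victim']}",
        f"Window (UTC): {p['start_utc']} to {p['end_utc']}",
        f"Volume: {p['total_packets']} packets, {p['total_bytes']} bytes, "
        f"avg {p['avg_packet_bytes']} bytes/packet",
        "Top source /24s (may be spoofed): " + fmt(p["top_source_nets"], " pkts"),
        "Protocols: " + fmt(p["protocols"]),
        "Top source ports: " + fmt(p["top_src_ports"]),
        "Top destination ports: " + fmt(p["top_dst_ports"]),
    ])


if __name__ == "__main__":
    print(format_report(profile_attack(SAMPLE_FLOWS, "203.0.113.10")))
```

Source ports dominated by 53 and 123 with large average packet sizes, as in the sample, are the kind of characteristic the reply means by "anything that may uniquely identify the traffic"; the report keeps every timestamp in UTC so the receiving party does not have to guess a time zone.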