Doing BCP38 or blocking\shutting off known amplification vectors both require effort and both accomplish the same thing. Of course doing both is best. :-) One provider in "Elbonia" getting through is far more damaging to that provider in Elbonia than the rest of the world, if they were the only ones left. Do many last mile providers implement BCP38 at their CE? Seems like it's better to stop it at the CE than the PE. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Ca By" <cb.list6@gmail.com> To: ahebert@pubnix.net Cc: nanog@nanog.org Sent: Wednesday, August 3, 2016 9:36:09 AM Subject: Re: Host.us DDOS attack -and- related conversations On Wednesday, August 3, 2016, Alain Hebert <ahebert@pubnix.net> wrote:
Well,
Could it be related to the last 2 days DDoS of PokemonGO (which failed) and some other gaming sites (Blizzard and Steam)?
And on the subject of CloudFlare, I'm sorry for that CloudFlare person that defended their position earlier this week, but there may be more hints (unverified) against your statements:
https://twitter.com/xotehpoodle/status/756850023896322048
That could be explored.
On top of which there is hints (unverified) on which is the real bad actor behind that new DDoS service:
http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodleco...
And I quote:
"One thing LeakedSource staff spotted was that the first payment recorded in the botnet's control panel was of $1, while payments for the same package plan were of $19.99."
( Paypal payments btw )
There is enough information, and damages, imho, to start looking for the people responsible from a legal standpoint. And hopefully the proper authorities are interested.
PS:
I will like to take this time to underline the lack of participation from a vast majority of ISPs into BCP38 and the like. We need to keep educating them at every occasion we have.
For those that actually implemented some sort of tech against it, you are a beacon of hope in what is a ridiculous situation that has been happening for more than 15 years.
Bcp38 is not the issue. It is only the trigger, and as long as one network in Elbonia allows spoofs, that one network can marshall 100s of gbs of ddos power. Years of telling people to do bcp38 has not worked. The issue is for you and your neighbor to turn off your reflecting udp amplifiers (open dns relay, ssdp, ntp, chargen) and generously block obvious ddos traffic. A healthy udp policer is also smart. I suggest taking a baseline of your normal peak udp traffic, and build a policer that drops all udp that is 10x the baseline for bw and pps. Bcp38 is good, but it is not the solution we need to tactically stop attacks. This is not pretty. But it works at keeping your network up. CB -----
Alain Hebert ahebert@pubnix.net <javascript:;> PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
Anyone have any additonal info on a DDOS attack hitting host.us?
Woke up to no email this morning and the following from their web site:
*Following an extortion attempt, HostUS is currently experiencing sustained large-scale DDOS attacks against a number of locations. The attacks were measured in one location at 300Gbps. In another location the attacks temporarily knocked out the entire metropolitan POP for a Tier-1
On 08/03/16 09:41, Robert Webb wrote: provider.
Please be patient. We will return soon. Your understanding is appreciated. *
From my monitoring system, looks like my VPS went unavailable around 23:00 EDT last night.
Robert