Re: Ransom DDoS attack - need help!
Just an update for those following. We have custom in-house software that watches the traffic flows from our edge routers and automatically blackholes any IP getting targeted. The blackhole gets sent upstream, which is what we did to maintain the network for our customers during the first attack. We did not suffer any network outage because of the attacks other than our public-facing website, which honestly is not critical.

Since we submitted this thread originally we have gotten two responses from "Armada Collective". One was basically a reminder telling us we had 24 hours left to pay. The next came tonight, as they were supposed to be hitting us. The second response said they were supposed to be hitting us but decided to give us two more days to get the cash into bitcoin. As of right now we have not replied to them and have no plans to do so. We never had plans to respond or pay them, although telling them what's on my mind sounds appealing. We have contacted the FBI and are working with them, providing info.

As for protecting our network from future attacks, we put all public-facing web sites behind Cloudflare and changed the IPs from what they were. We left the old IPs nulled at our edge and with our providers. We plan to null any IP they decide to hit and wait it out. As of right now all they have done is take our website offline briefly, so not much of a problem, as it has not caused our customers issues.

Thanks for all the help and info that has been provided and we plan to update this thread as things unfold. I know there are others that have had similar demands (several have reached out off list), so hopefully the info is useful.

--
Thank You,
Joe Morgan - Owner
Joe's Datacenter, LLC
http://joesdatacenter.com
816-726-7615
On 10 Dec 2015, at 13:21, Joe Morgan wrote:
We have custom in house software that watches the traffic flows from our edge routers and automatically blackholes any ip getting targeted.
Suggest you take a look at the presos I posted earlier and look into S/RTBH, flowspec, some limited QoS, and some preemptive ACLs so that you aren't forced into completing the DDoS.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
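The flow-watching auto-blackhole Joe describes and the S/RTBH Roland points to, as an added example that is neither poster's software nor any vendor's code: per-window flow records are summed per destination, destinations over a packet-rate or bit-rate threshold are selected (skipping a protected prefix list, since nulling a resolver or router loopback would complete the DDoS for every customer), and a /32 tagged with the RFC 7999 BLACKHOLE community is emitted as an ExaBGP-style announce line for the upstream. The thresholds, window, protected prefixes, sample flows and discard next-hop are all assumptions.

```python
"""Flow-driven RTBH trigger (added example, not the poster's in-house software).
Assumptions: flow records arrive as (dst_ip, bytes, packets) tuples already
summarised for one sampling window; the upstream accepts /32 blackhole routes
tagged with the RFC 7999 BLACKHOLE community; announcements are ExaBGP-style
API lines that a caller would feed to ExaBGP's stdin."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 well-known BLACKHOLE community
PPS_THRESHOLD = 200_000             # packets/second trigger (assumed tuning value)
BPS_THRESHOLD = 1_000_000_000       # bits/second trigger (assumed tuning value)
WINDOW_SECONDS = 10                 # length of one flow sampling window (assumed)

# Prefixes that must never be nulled: nulling them completes the DDoS on
# infrastructure every customer depends on (assumed documentation addresses).
NEVER_BLACKHOLE = [ip_network("203.0.113.0/29")]   # e.g. resolvers, loopbacks

# Constructed sample window: (dst_ip, bytes, packets). 203.0.113.20 is the
# flooded customer host; 203.0.113.2 is flooded too but sits in the protected range.
SAMPLE_FLOWS = [
    ("203.0.113.20", 900_000_000, 1_500_000),
    ("203.0.113.20", 800_000_000, 1_200_000),
    ("203.0.113.21", 5_000_000, 4_000),
    ("203.0.113.2", 2_000_000_000, 3_000_000),
]

def aggregate(flows):
    """Sum bytes and packets per destination for the window."""
    totals = defaultdict(lambda: [0, 0])
    for dst, nbytes, npkts in flows:
        totals[dst][0] += nbytes
        totals[dst][1] += npkts
    return totals

def is_protected(dst):
    """True if dst lies in a prefix that must never be blackholed."""
    return any(ip_address(dst) in net for net in NEVER_BLACKHOLE)

def find_targets(flows, pps=PPS_THRESHOLD, bps=BPS_THRESHOLD, window=WINDOW_SECONDS):
    """Destinations whose rate exceeds either threshold and are safe to null."""
    targets = []
    for dst, (nbytes, npkts) in aggregate(flows).items():
        over = npkts / window > pps or nbytes * 8 / window > bps
        if over and not is_protected(dst):
            targets.append(dst)
    return sorted(targets)

def rtbh_announcement(dst, next_hop="192.0.2.1"):
    """ExaBGP-style line sending a /32 tagged BLACKHOLE to the upstream.
    next_hop is the discard next-hop the upstream routes to Null0 (assumed)."""
    return f"announce route {dst}/32 next-hop {next_hop} community [{BLACKHOLE_COMMUNITY}]"

def rtbh_withdrawal(dst, next_hop="192.0.2.1"):
    """Matching withdraw line, for when the flood subsides and the IP is restored."""
    return f"withdraw route {dst}/32 next-hop {next_hop}"
```

Run on SAMPLE_FLOWS, only 203.0.113.20 is selected: the protected 203.0.113.2 is left to other measures (flowspec, QoS, ACLs), which is the point of the exclusion list.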
FWIW the exact same thing (identical initial ransom email) happened to us two weeks ago. The "2 day" message was received on December 3rd. The group claiming responsibility has yet to follow through. The messages came from various bitmessage.ch addresses.

On Wed, Dec 9, 2015 at 10:21 PM, Joe Morgan <joe@joesdatacenter.com> wrote:
--
Ian Clark
Lead Network Engineer
DreamHost
m: 818.795.2216