One of my customers, a host at 64.8.105.15, is feeling a "bonus" ~130kpps from 88.191.63.28. I've null-routed the source, though our Engine2 GE cards don't seem to be doing a proper job of that, unfortunately. The attack is a solid 300% more pps than our aggregate traffic levels. It's coming in via 6461, but they don't appear to have any ability to backtrack it. Their only offer is to blackhole the destination until the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS that has little if any information publicly visible.

Any pointers on what to do next?

Thanks,
Pete
On Wed, 26 Nov 2008, Pete Templin wrote:
It's coming in via 6461, but they don't appear to have any ability to backtrack it. Their only offer is to blackhole the destination until the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS that has little if any information publicly visible.
From the RIPE whois database:

role:           Technical Contact for ProXad
address:        Free SAS / ProXad
address:        8, rue de la Ville L'Eveque
address:        75008 Paris
phone:          +33 1 73 50 20 00
fax-no:         +33 1 73 92 25 69
remarks:        trouble: Information: http://www.proxad.net/
remarks:        trouble: Spam/Abuse requests: mailto:abuse@proxad.net
admin-c:        RA999-RIPE
tech-c:         FG4214-RIPE
nic-hdl:        TCP8-RIPE
mnt-by:         PROXAD-MNT
source:         RIPE # Filtered
abuse-mailbox:  abuse@proxad.net

Do you really call this "little if any information publicly visible"?

--
Mikael Abrahamsson    email: swmike@swm.pp.se
Pete Templin wrote:
One of my customers, a host at 64.8.105.15, is feeling a "bonus" ~130kpps from 88.191.63.28. I've null-routed the source, though our Engine2 GE cards don't seem to be doing a proper job of that, unfortunately. The attack is a solid 300% more pps than our aggregate traffic levels.
It's coming in via 6461, but they don't appear to have any ability to backtrack it. Their only offer is to blackhole the destination until the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS that has little if any information publicly visible.
Any pointers on what to do next?
If it's all coming from that single IP 88.191.63.28, just request that your upstream block it. Usually if you explain the situation to them they'll oblige. Otherwise you'll want to look at mitigation gear (Toplayer, Cisco, etc.); there are loads out there, or you can look into a DDoS mitigation service.

The contacts I can see for that ASN are:

role:           Technical Contact for ProXad
address:        Free SAS / ProXad
address:        8, rue de la Ville L'Eveque
address:        75008 Paris
phone:          +33 1 73 50 20 00
fax-no:         +33 1 73 92 25 69
remarks:        trouble: Information: http://www.proxad.net/
remarks:        trouble: Spam/Abuse requests: mailto:abuse@proxad.net
admin-c:        RA999-RIPE
tech-c:         FG4214-RIPE
nic-hdl:        TCP8-RIPE
mnt-by:         PROXAD-MNT
source:         RIPE # Filtered
abuse-mailbox:  abuse@proxad.net

Hope that helps!

--J
Hello,

On Wed, 26 Nov 2008 05:37:59 -0500 Pete Templin <petelists@templin.org> wrote:
One of my customers, a host at 64.8.105.15, is feeling a "bonus" ~130kpps from 88.191.63.28. I've null-routed the source, though our Engine2 GE cards don't seem to be doing a proper job of that, unfortunately. The attack is a solid 300% more pps than our aggregate traffic levels.
It's coming in via 6461, but they don't appear to have any ability to backtrack it. Their only offer is to blackhole the destination until the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS that has little if any information publicly visible.
12322 is Free, a DSL (and now FTTH) provider in France. They also have a dedicated server hosting service. 88.191.63.28 is one of these dedicated servers, hosted in one of their DCs:

traceroute to 88.191.63.28 (88.191.63.28), 30 hops max, 60 byte packets
...
 7  10ge-1-50.bzn-swr5.dedibox.fr (88.191.2.37)  353.946 ms  334.180 ms  336.400 ms
 8  sd-11899.dedibox.fr (88.191.63.28)  338.403 ms  374.956 ms  376.837 ms

I thought these were supposed to be connected at 100MBps, but if you see more than that, then it is possible that they are now connected through a GBps port.

You can try to contact the dedibox NOC, and Free: noc@free.fr can be a nice place to start...

Paul
--
Paul Rolland                    E-Mail : rol(at)witbe.net
CTO - Witbe.net SA              Tel. +33 (0)1 47 67 77 77
Les Collines de l'Arche         Fax. +33 (0)1 47 67 77 99
F-92057 Paris La Defense        RIPE : PR12-RIPE

Please no HTML, I'm not a browser - Pas d'HTML, je ne suis pas un navigateur
One of my customers, a host at 64.8.105.15, is feeling a "bonus" ~130kpps from 88.191.63.28. I've null-routed the source, though our Engine2 GE cards don't seem to be doing a proper job of that, unfortunately. The attack is a solid 300% more pps than our aggregate traffic levels.
Null routing the source isn't going to stop the inbound packets from reaching the target of the attack. All that's going to do is blackhole packets back to the attacker from anyone hopping through the router carrying the null route.

- Darrell
Null routing the source isn't going to stop <snip>
Except when doing source-based blackholing; see http://tools.ietf.org/html/draft-kumari-blackhole-urpf-02, section 4.

Dave.
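Added example, not part of the thread: a small Python model of the difference Darrell and Dave are describing. A Null0 route for the attacking source only swallows traffic addressed to that source; inbound packets still reach the victim unless loose-mode uRPF is enabled on the ingress interface, in which case the source's Null0 route fails the check and the packets are dropped (the source-based blackholing of draft-kumari-blackhole-urpf section 4). The routing table and next-hop names are assumptions; the addresses are the ones from the thread.

```python
from ipaddress import ip_address, ip_network

NULL0 = "Null0"   # next hop meaning "discard"

class Router:
    def __init__(self, routes, urpf_loose=False):
        # routes: {prefix: next_hop}, resolved by longest-prefix match like a FIB
        self.routes = {ip_network(p): nh for p, nh in routes.items()}
        self.urpf_loose = urpf_loose

    def lookup(self, addr):
        """Longest-prefix match; returns the next hop or None if no route."""
        addr = ip_address(addr)
        best = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward(self, src, dst):
        """Fate of a packet src->dst arriving on an edge interface."""
        # Loose-mode uRPF (draft-kumari-blackhole-urpf section 4): drop if the
        # source's best route is absent or points to Null0. This model ignores
        # the special-casing of the default route that real platforms apply.
        if self.urpf_loose and self.lookup(src) in (None, NULL0):
            return "dropped: uRPF (source blackholed)"
        dst_nh = self.lookup(dst)
        if dst_nh is None:
            return "dropped: no route"
        if dst_nh == NULL0:
            return "dropped: destination null-routed"
        return f"forwarded via {dst_nh}"

# Addresses from the thread; routing table and next-hop names are constructed.
ATTACKER, VICTIM = "88.191.63.28", "64.8.105.15"
BASE = {"0.0.0.0/0": "upstream-6461", "64.8.105.0/24": "customer-ge1"}

def without_urpf():
    # Darrell's point: a Null0 route for the source alone does not stop inbound packets.
    return Router({**BASE, ATTACKER + "/32": NULL0}).forward(ATTACKER, VICTIM)

def with_urpf():
    # Dave's point: the same Null0 route plus loose uRPF drops them at ingress.
    return Router({**BASE, ATTACKER + "/32": NULL0}, urpf_loose=True).forward(ATTACKER, VICTIM)

def reply_path():
    # What the source-only null route does affect: the victim's replies to the attacker.
    return Router({**BASE, ATTACKER + "/32": NULL0}).forward(VICTIM, ATTACKER)
```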
Hi,

Please look for proxad.fr <-- Free

Free is an ADSL provider based in France and proxad is a hosting company (please have a look at the "dig -x" below)

dig -x 88.191.63.28

; <<>> DiG 9.5.0b2 <<>> -x 88.191.63.28
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;28.63.191.88.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
28.63.191.88.in-addr.arpa. 86400 IN     PTR     sd-11899.dedibox.fr.

;; AUTHORITY SECTION:
63.191.88.in-addr.arpa. 86400   IN      NS      dns2.dedibox.fr.
63.191.88.in-addr.arpa. 86400   IN      NS      dns1.dedibox.fr.

;; Query time: 390 msec
;; SERVER: 200.80.96.100#53(200.80.96.100)
;; WHEN: Wed Nov 26 08:46:38 2008
;; MSG SIZE  rcvd: 114

==========================

dig -x 88.191.63.28 +trace

; <<>> DiG 9.5.0b2 <<>> -x 88.191.63.28 +trace
;; global options:  printcmd
.                       17574   IN      NS      d.root-servers.net.
.                       17574   IN      NS      e.root-servers.net.
.                       17574   IN      NS      f.root-servers.net.
.                       17574   IN      NS      g.root-servers.net.
.                       17574   IN      NS      h.root-servers.net.
.                       17574   IN      NS      i.root-servers.net.
.                       17574   IN      NS      j.root-servers.net.
.                       17574   IN      NS      k.root-servers.net.
.                       17574   IN      NS      l.root-servers.net.
.                       17574   IN      NS      m.root-servers.net.
.                       17574   IN      NS      a.root-servers.net.
.                       17574   IN      NS      b.root-servers.net.
.                       17574   IN      NS      c.root-servers.net.
;; Received 488 bytes from 200.80.96.100#53(200.80.96.100) in 31 ms

88.in-addr.arpa.        86400   IN      NS      ns.lacnic.net.
88.in-addr.arpa.        86400   IN      NS      ns3.nic.fr.
88.in-addr.arpa.        86400   IN      NS      sec1.apnic.net.
88.in-addr.arpa.        86400   IN      NS      sec3.apnic.net.
88.in-addr.arpa.        86400   IN      NS      sunic.sunet.se.
88.in-addr.arpa.        86400   IN      NS      ns-pri.ripe.net.
88.in-addr.arpa.        86400   IN      NS      tinnie.arin.net.
;; Received 218 bytes from 199.7.83.42#53(l.root-servers.net) in 78 ms

191.88.in-addr.arpa.    172800  IN      NS      ns.ripe.net.
191.88.in-addr.arpa.    172800  IN      NS      ns0.proxad.net.
191.88.in-addr.arpa.    172800  IN      NS      ns1.proxad.net.
;; Received 111 bytes from 193.0.0.195#53(ns-pri.ripe.net) in 187 ms

63.191.88.in-addr.arpa. 86400   IN      NS      dns1.dedibox.fr.
63.191.88.in-addr.arpa. 86400   IN      NS      dns2.dedibox.fr.
;; Received 123 bytes from 212.27.32.2#53(ns0.proxad.net) in 187 ms

28.63.191.88.in-addr.arpa. 86400 IN     PTR     sd-11899.dedibox.fr.
191.88.in-addr.arpa.    7200    IN      NS      dns1.dedibox.fr.
191.88.in-addr.arpa.    7200    IN      NS      dns2.dedibox.fr.
;; Received 146 bytes from 88.191.254.6#53(dns1.dedibox.fr) in 187 ms

-Max

2008/11/26 Pete Templin <petelists@templin.org>:
One of my customers, a host at 64.8.105.15, is feeling a "bonus" ~130kpps from 88.191.63.28. I've null-routed the source, though our Engine2 GE cards don't seem to be doing a proper job of that, unfortunately. The attack is a solid 300% more pps than our aggregate traffic levels.
It's coming in via 6461, but they don't appear to have any ability to backtrack it. Their only offer is to blackhole the destination until the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS that has little if any information publicly visible.
Any pointers on what to do next?
Thanks,
Pete