My company is being DDoS'd by a single IP from a GoDaddy customer. I haven't had success with the abuse@godaddy.com email. Was hoping someone that could help might be watching the list and could contact me off-list. //Jason
On 3 Aug 2015, at 6:16, tqr2813d376cjozqap1l@tutanota.com wrote:
DDoS = multiple IPs
DoS = single IP
It seems most people colloquially use DDoS for both, and reserve DoS for magic-packet blocking exploits like the latest BIND CVE, FYI.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
3. Aug 2015 03:54 by rdobbins@arbor.net:
On 3 Aug 2015, at 6:16, tqr2813d376cjozqap1l@tutanota.com wrote:
DDoS = multiple IPs
DoS = single IP
It seems most people colloquially use DDoS for both, and reserve DoS for magic-packet blocking exploits like the latest BIND CVE, FYI.
Then they are mistaken, unfortunately.
On 3 Aug 2015, at 10:58, tqr2813d376cjozqap1l@tutanota.com wrote:
Then they are mistaken, unfortunately.
Being pedantic for its own sake, when there's little possibility of confusion, isn't really constructive. Everyone, including you, knew what he meant.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
On Mon, 03 Aug 2015 03:58:31 -0000, tqr2813d376cjozqap1l@tutanota.com said:
It seems most people colloquially use DDoS for both, and reserve DoS for magic-packet blocking exploits like the latest BIND CVE, FYI.
Then they are mistaken, unfortunately.
Feel free to try to reclaim the old meaning of the word "hacker" while you're at it. That ship sailed long ago, and so has the DoS/DDoS distinction.
3. Aug 2015 04:20 by Valdis.Kletnieks@vt.edu:
On Mon, 03 Aug 2015 03:58:31 -0000, tqr2813d376cjozqap1l@tutanota.com said:
It seems most people colloquially use DDoS for both, and reserve DoS for magic-packet blocking exploits like the latest BIND CVE, FYI.
Then they are mistaken, unfortunately.
Feel free to try to reclaim the old meaning of the word "hacker" while you're at it. That ship sailed long ago, and so has the DoS/DDoS distinction.
I suppose you're right. Let the 'wordification' of DDoS continue.. it certainly isn't an acronym anymore.
Children!
Regards,
Dovid
-----Original Message-----
From: Valdis.Kletnieks@vt.edu
Sender: "NANOG" <nanog-bounces@nanog.org>
Date: Mon, 03 Aug 2015 00:20:23
To: <tqr2813d376cjozqap1l@tutanota.com>
Cc: <nanog@nanog.org>
Subject: Re: GoDaddy : DDoS :: Contact
On Mon, 03 Aug 2015 03:58:31 -0000, tqr2813d376cjozqap1l@tutanota.com said:
It seems most people colloquially use DDoS for both, and reserve DoS for magic-packet blocking exploits like the latest BIND CVE, FYI.
Then they are mistaken, unfortunately.
Feel free to try to reclaim the old meaning of the word "hacker" while you're at it. That ship sailed long ago, and so has the DoS/DDoS distinction.
DDoS = multiple IPs
DoS = single IP
It seems most people colloquially use DDoS for both, and reserve DoS for magic-packet blocking exploits like the latest BIND CVE, FYI.
Given how easy it still is to put a fake source address in an IP packet, it seems optimistic to assume that just because the packets all have the same return address, they're actually coming from the same place. R's, John
On 3 Aug 2015, at 12:10, John Levine wrote:
Given how easy it still is to put a fake source address in an IP packet, it seems optimistic to assume that just because the packets all have the same return address, they're actually coming from the same place.
Concur 100% - we see that from time to time, multiple sources spoofing the same source IP.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
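As an illustration of the point John and Roland make above, here is an added example (editor's code, not from any poster on this thread) of a check a defender can run on captured packets: packets carrying one source address but arriving with widely different IP TTLs imply different hop counts, and therefore, most likely, different origins spoofing the same address. The set of common initial TTLs, the spread threshold, and the sample packets are assumptions constructed for the example.

```python
"""Flag source IPs whose packets show inconsistent hop counts.

A single host reaches us over a mostly fixed path, so its packets arrive
with nearly the same TTL.  Many hosts spoofing one address arrive over
many paths (and with different OS initial TTLs), so the implied hop counts
scatter.  Sample packets below are constructed; nothing touches the network.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed set of common initial TTLs (Linux/macOS 64, Windows 128, some routers 255).
INITIAL_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: int
    flags: str  # "S" = SYN, constructed field for readability only


def hop_count(ttl: int) -> int:
    """Estimate hops travelled: nearest common initial TTL at or above the observed one, minus observed."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def classify_sources(packets, max_hop_spread=2, min_packets=5):
    """Group packets by source address and report whether their implied hop
    counts are consistent with one path.  Returns {src: {"packets", "hop_counts", "verdict"}}."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(hop_count(p.ttl))
    report = {}
    for src, hops in by_src.items():
        distinct = sorted(set(hops))
        if len(hops) < min_packets:
            verdict = "insufficient data"
        elif distinct[-1] - distinct[0] > max_hop_spread:
            verdict = "likely spoofed from multiple origins"
        else:
            verdict = "consistent single path"
        report[src] = {"packets": len(hops), "hop_counts": distinct, "verdict": verdict}
    return report


# Constructed samples: one genuine host ~12 hops away (TTL 52/51 from initial 64),
# and one address that six different hosts with different paths and OSes are spoofing.
SAMPLE = (
    [Packet("198.51.100.7", 52, "S")] * 4 + [Packet("198.51.100.7", 51, "S")] * 2
    + [Packet("203.0.113.9", 49, "S"), Packet("203.0.113.9", 117, "S"),
       Packet("203.0.113.9", 241, "S"), Packet("203.0.113.9", 58, "S"),
       Packet("203.0.113.9", 110, "S"), Packet("203.0.113.9", 63, "S")]
)

if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE).items():
        print(src, info)
```

Treat the verdict as a triage hint rather than proof: a large NAT pool or carrier-grade NAT behind one address produces the same scatter legitimately, so the stronger check is to compare the hop count seen on completed handshakes from that address with the hop count on the SYNs that never complete.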
John, What would be the point of spoofing the source IPs to be identical? You're just making the attack trivial to block. Plus you could never do any kind of TCP session attack, since you can't complete a handshake. I would have to call this sort of attack a LAAADDoS (Lame Attempt At A DDoS). :)
-mel beckman
On Aug 2, 2015, at 10:11 PM, John Levine <johnl@iecc.com> wrote:
DDoS = multiple IPs
DoS = single IP
It seems most people colloquially use DDoS for both, and reserve DoS for magic-packet blocking exploits like the latest BIND CVE, FYI.
Given how easy it still is to put a fake source address in an IP packet, it seems optimistic to assume that just because the packets all have the same return address, they're actually coming from the same place.
R's, John
On 3 Aug 2015, at 19:40, Mel Beckman wrote:
What would be the point of spoofing the source IPs to be identical? You're just making the attack trivial to block.
Attackers do strange things all the time. Most endpoint organizations don't have any way to detect/classify DDoS traffic, so they've no idea how to block it. Plus, it can asymmetrically strain load-balanced server instances, links, et al. Most DDoS attacks don't involve TCP and 3-way handshakes. That isn't to say they aren't common, but one oughtn't to assume that having the ability to do so is a prerequisite for an attacker.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
Hi,
What would be the point of spoofing the source IPs to be identical? You're just making the attack trivial to block. Plus you could never do any kind of TCP session attack, since you can't complete a handshake. I would have to call this sort of attack a LAAADDoS (Lame Attempt At A DDoS). :)
Perhaps spoofing an IP that cannot be blocked, as it's one that needs to be allowed for the site IT to operate? Some cloud service IP or such...?
alan
On 08/03/2015 05:40 AM, Mel Beckman wrote:
What would be the point of spoofing the source IPs to be identical? You're just making the attack trivial to block. Plus you could never do any kind of TCP session attack, since you can't complete a handshake. I would have to call this sort of attack a LAAADDoS (Lame Attempt At A DDoS). :)
Reflection attack as a secondary goal against the spoofed source IP? Primary goal would be a SYN flood of many servers.
But SYN floods are easily detected and deflected by all modern firewalls. If a handshake doesn’t complete within a certain time interval, the SYN is discarded. Many DDOS attacks are full-fledged TCP sessions. The zombies are used to simulate legitimate users, and because they’re coming from thousands of legitimate IP addresses sending what looks like completely normal traffic (e.g. HTTP queries) they are difficult to distinguish from real client systems. There are of course unicast DDOS attacks prosecuted over UDP or ICMP. The majority I’ve seen, however, are TCP. In any event, I think it’s not useful to misuse the term DDoS, and that it refers to any attack where the source addresses are distributed across the Internet, making them difficult to identify and therefore block.
-mel
On Aug 3, 2015, at 6:00 AM, Stephen Satchell <list@satchell.net> wrote:
On 08/03/2015 05:40 AM, Mel Beckman wrote:
What would be the point of spoofing the source IPs to be identical? You're just making the attack trivial to block. Plus you could never do any kind of TCP session attack, since you can't complete a handshake. I would have to call this sort of attack a LAAADDoS (Lame Attempt At A DDoS). :)
Reflection attack as a secondary goal against the spoofed source IP? Primary goal would be a SYN flood of many servers.
On 3 Aug 2015, at 20:35, Mel Beckman wrote:
But SYN floods are easily detected and deflected by all modern firewalls. If a handshake doesn’t complete within a certain time interval, the SYN is discarded.
This is incorrect. I've seen a 20gb/sec stateful firewall taken down by a 3mb/sec spoofed SYN-flood due to DDoS exhaustion. I've seen a 10gb/sec load-balancer taken down by 60s of 6kpps of HOIC: <https://app.box.com/s/a3oqqlgwe15j8svojvzl>
The majority I’ve seen, however, are TCP.
<https://en.wikipedia.org/wiki/Hasty_generalization>
In any event, I think it’s not useful to misuse the term DDoS, and that it refers to any attack where the source addresses are distributed across the Internet, making them difficult to identify and therefore block.
Again, that ship sailed long ago.
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
On 08/03/2015 07:04 AM, Roland Dobbins wrote:
On 3 Aug 2015, at 21:00, Roland Dobbins wrote:
due to DDoS exhaustion
That should read '[TCP] state exhaustion', apologies.
And any half-awake server operator would have turned on SYNCOOKIES a long time ago.
On 3 Aug 2015, at 21:19, Stephen Satchell wrote:
And any half-awake server operator would have turned on SYNCOOKIES a long time ago.
I hate to tell you this, but a) SYN-cookies aren't a perfect response, as servers don't have infinite resources, and b) stateful firewalls go down *all the time* under DDoS attacks. It might be a good idea to search the list archives for more on this phenomenon. There's also information available in the Arbor WISRs; I think the first time we explicitly asked in the survey about stateful devices going down under DDoS was in 2010:
[Warning: free registration required, but you can opt-out of email as part of the registration process]
<http://www.arbornetworks.com/resources/infrastructure-security-report>
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
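To make the state-exhaustion argument in the last few messages concrete, here is an added model (editor's example, not code from any poster, from Arbor, or from any firewall vendor). It runs a constructed stream of never-completed SYNs, in memory only, against two listeners: one that stores every half-open connection in a bounded table with a SYN timeout, as a stateful firewall or a kernel without SYN cookies does, and one that encodes the half-open state into the ISN as a SYN cookie. The table size, timeout, attack rate, addresses and cookie secret are assumptions; the cookie layout is simplified (no MSS index, 5-bit time counter plus 27 bits of keyed hash).

```python
"""TCP half-open state exhaustion versus SYN cookies, modelled in memory.

Nothing here sends packets: a SYN is a call to on_syn(), an ACK is a call
to on_ack().  The spoofed stream and all addresses are constructed.
"""
import hashlib
import hmac
import os
from collections import OrderedDict

SECRET = os.urandom(16)            # hypothetical per-host cookie secret
SERVER = ("198.51.100.10", 443)    # constructed listener address


class StatefulListener:
    """Stores every half-open connection; table capacity and SYN timeout are finite."""

    def __init__(self, capacity, syn_timeout):
        self.capacity = capacity
        self.syn_timeout = syn_timeout
        self.half_open = OrderedDict()   # 4-tuple -> arrival time, oldest first
        self.dropped = 0

    def expire(self, now):
        # An entry leaves only when its handshake completes or the timeout passes.
        while self.half_open:
            _, arrived = next(iter(self.half_open.items()))
            if now - arrived < self.syn_timeout:
                break
            self.half_open.popitem(last=False)

    def on_syn(self, key, now):
        self.expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1            # table full: legitimate SYNs are refused too
            return False
        self.half_open[key] = now
        return True

    def on_ack(self, key, now):
        return self.half_open.pop(key, None) is not None


class CookieListener:
    """Keeps no per-SYN state; the SYN-ACK's ISN is a keyed hash the client must echo back."""

    def __init__(self):
        self.mac_ops = 0                 # CPU cost: one MAC per SYN and per returning ACK

    def cookie(self, key, counter):
        self.mac_ops += 1
        mac = hmac.new(SECRET, repr((key, counter)).encode(), hashlib.sha256).digest()
        # simplified layout: 5-bit time counter on top, 27 bits of keyed hash below
        return ((counter & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") >> 5)

    def on_syn(self, key, now):
        return self.cookie(key, int(now) // 64)      # ISN to place in the SYN-ACK

    def on_ack(self, key, ack_minus_1, now):
        counter = int(now) // 64
        # accept cookies minted in the current or the previous 64-second window
        return any(self.cookie(key, c) == ack_minus_1 for c in (counter, counter - 1))


def simulate(syn_rate_pps=500, duration_s=60, capacity=10_000, syn_timeout=60):
    """Feed both listeners a constructed spoofed-SYN stream for duration_s seconds,
    then attempt one legitimate handshake while the flood is still running."""
    stateful = StatefulListener(capacity, syn_timeout)
    cookies = CookieListener()
    seq = 0
    for tick in range(duration_s):
        for _ in range(syn_rate_pps):
            # constructed spoofed source: rotating address and port, never ACKs back
            key = (f"203.0.113.{seq % 256}", 1024 + seq % 64000) + SERVER
            stateful.on_syn(key, tick)
            cookies.on_syn(key, tick)
            seq += 1
    now = duration_s - 1
    legit = ("192.0.2.5", 40000) + SERVER
    stateful_ok = stateful.on_syn(legit, now) and stateful.on_ack(legit, now)
    isn = cookies.on_syn(legit, now)
    cookie_ok = cookies.on_ack(legit, isn, now)   # a real client echoes ISN+1; we pass ISN
    return {
        "syns_sent": seq,
        "stateful_table_size": len(stateful.half_open),
        "stateful_drops": stateful.dropped,
        "legit_ok_stateful": stateful_ok,
        "legit_ok_cookies": cookie_ok,
        "cookie_mac_ops": cookies.mac_ops,
        "fill_rate_pps": capacity / syn_timeout,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The number to look at is fill_rate_pps: with a 10,000-entry table and a 60-second SYN timeout, about 167 SYN/s of 40-byte packets (well under 1 Mb/s) keeps the table permanently full, which is how a low-rate flood takes down a device rated for far more throughput. The cookie listener never fills, but its mac_ops grows one-for-one with the attack, so CPU is still spent per packet, and a stateful firewall or load balancer in front of the server keeps its own table no matter what the server does.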
Not to be difficult, but how can it be a DDoS attack if it’s coming from a single IP? Normally you would just block this IP at your borders or ask your upstreams to do so before it consumes your bandwidth. You still want to get GoDaddy to address the problem, of course, but you should do that via their abuse@godaddy.com contact, or their abuse page at https://supportcenter.godaddy.com/AbuseReport/Index (submit via the “malware” button).
-mel
On Aug 2, 2015, at 12:59 PM, Jason LeBlanc <jason.leblanc@infusionsoft.com> wrote:
My company is being DDoS'd by a single IP from a GoDaddy customer. I haven't had success with the abuse@godaddy.com email. Was hoping someone that could help might be watching the list and could contact me off-list. //Jason
Just block it
--
Jason Hellenthal
JJH48-ARIN
On Aug 2, 2015, at 14:59, Jason LeBlanc <jason.leblanc@infusionsoft.com> wrote:
My company is being DDoS'd by a single IP from a GoDaddy customer. I haven't had success with the abuse@godaddy.com email. Was hoping someone that could help might be watching the list and could contact me off-list. //Jason
participants (10)
- A.L.M.Buxey@lboro.ac.uk
- Dovid Bender
- Jason Hellenthal
- Jason LeBlanc
- John Levine
- Mel Beckman
- Roland Dobbins
- Stephen Satchell
- tqr2813d376cjozqap1l@tutanota.com
- Valdis.Kletnieks@vt.edu