Thanks Mel. You are not being difficult, I meant DoS. The network I inherited doesn't have BGP yet, so I have asked our upstream to blackhole it and I emailed abuse; neither has happened yet. I do block it, but that's after it hits our side.

//Jason

From: Mel Beckman <mel@beckman.org>
Date: Sunday, August 2, 2015 at 4:20 PM
To: Jason LeBlanc <jason.leblanc@infusionsoft.com>
Cc: NANOG <nanog@nanog.org>
Subject: Re: GoDaddy : DDoS :: Contact

Not to be difficult, but how can it be a DDoS attack if it's coming from a single IP? Normally you would just block this IP at your borders or ask your upstreams to do so before it consumes your bandwidth. You still want to get GoDaddy to address the problem, of course, but you should do that via their abuse@godaddy.com contact, or their abuse page at https://supportcenter.godaddy.com/AbuseReport/Index (submit via the "malware" button).

-mel

On Aug 2, 2015, at 12:59 PM, Jason LeBlanc <jason.leblanc@infusionsoft.com> wrote:

My company is being DDoS'd by a single IP from a GoDaddy customer. I haven't had success with the abuse@godaddy.com email. Was hoping someone that could help might be watching the list and could contact me off-list.

//Jason
Blackholing isn't what you want. That will still permit his source IP into your network, and only blackhole replies from your network, so the attack will still consume bandwidth. What you should request is a source IP ACL blocking that address at your upstream's border.

BGP is no help in these situations, unless you use a BGP-based DDoS protection service.

-mel beckman

On Aug 2, 2015, at 5:17 PM, Jason LeBlanc <jason.leblanc@infusionsoft.com> wrote:

> Thanks Mel. You are not being difficult, I meant DoS. The network I inherited doesn't have BGP yet, so I have asked our upstream to blackhole it and I emailed abuse; neither has happened yet. I do block it, but that's after it hits our side.
Source-based blackholing would work in this case, providing it was done at GoDaddy's edge.
I don't see how. Blackholing works on destination address — it's a route to null0. The source address isn't considered and thus the traffic will still leave GoDaddy. GoDaddy could, I suppose, implement a policy route based on source address, but that's really no different than an ACL. And it's not a blackhole. Anyway, since it's the GoDaddy edge you're talking about, GoDaddy can simply disconnect the customer.

-mel

On Aug 3, 2015, at 6:20 AM, Alistair Mackenzie <magicsata@gmail.com> wrote:

> Source-based blackholing would work in this case, providing it was done at GoDaddy's edge.
On 3 Aug 2015, at 20:28, Mel Beckman wrote:

> Blackholing works on destination address — it's a route to null0.

<https://tools.ietf.org/html/rfc5635>

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
There are two problems with Source-Based Remote Triggered Black Hole (S/RTBH):

1. From the RFC itself, you by definition sacrifice the victim's address:

   3.1. ...While this does "complete" the attack in that the target address(es) are made unreachable, collateral damage is minimized. It may also be possible to move the host or service on the target IP address(es) to another address and keep the service up, for example, by updating associated DNS resource records.

2. No ISP I know of supports it (e.g., via BGP communities)

-mel
On 3 Aug 2015, at 20:46, Mel Beckman wrote:

> 1. From the RFC itself, you by definition sacrifice the victim's address:
>
> 3.1. ...While this does "complete" the attack in that the target address(es) are made unreachable, collateral damage is minimized. It may also be possible to move the host or service on the target IP address(es) to another address and keep the service up, for example, by updating associated DNS resource records.

This is incorrect. I've used S/RTBH for the last 15 years or so to mitigate attacks. One absolutely does *not* 'sacrifice the victim's IP address'. The section you're quoting is describing D/RTBH, by way of explaining its deficiencies. It would probably be a good idea to read the RFC in its entirety. S/RTBH is described in Section 4 - e.g., the very next section.

> 2. No ISP I know of supports it (e.g., via BGP communities)

As noted in my previous message in this thread, one applies this on one's own transit-/peering-edge router. While it won't prevent said link from being saturated, it keeps traffic from the blackholed source off one's own core, and off the targeted IP(s), which is of operational utility.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
On 3 Aug 2015, at 7:56, Mel Beckman wrote:

> BGP is no help in these situations, unless you use a BGP-based DDoS protection service.

Anyone can set up S/RTBH on their transit-/peering-edge routers, even if they aren't using BGP for routing. Likewise flowspec, on routers which support it. If attack volume is high, it still may flood the link, but keeping the traffic off one's own core and off the actual target(s) of the attack are still very worthwhile.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
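As an added illustration of the setup Roland describes (example configuration written for this page, not anyone's production config from the thread), this is S/RTBH per RFC 5635 section 4 on a Junos router at the customer's own transit edge, with no BGP required. Every concrete value is an assumption made for the example: the attacking source is 192.0.2.10 (a TEST-NET-1 placeholder), ge-0/0/0.0 is the interface facing the upstream, and the names RPF-FAIL-COUNT and DROP-ATTACKER-SRC are arbitrary. The mechanism rests on two things: a static route for the attacker's SOURCE address pointing at a discard next hop, and loose-mode unicast RPF on the upstream-facing interface, which drops a packet at ingress when its source address resolves to a discard route. Two caveats a practitioner should check before leaning on it: confirm on the platform and release in use that a discard route fails the loose uRPF check (that is the documented Junos behaviour the example depends on), and make sure the router holds a default route or a full table, otherwise loose-mode uRPF will also drop legitimate sources it has no route for. The flow route at the end is the flowspec variant Roland mentions; configured locally it filters only on this router, and it needs a BGP session carrying family inet flow before it can be pushed to an upstream that accepts it.

```junos
/* Added example, not from the thread: S/RTBH (RFC 5635 s.4) on a Junos transit edge.
   Assumed values: attacker source 192.0.2.10 (TEST-NET-1 placeholder), ge-0/0/0.0
   faces the upstream. Load with "load merge" into an existing configuration. */
routing-options {
    static {
        /* The trigger. A host route for the attacking SOURCE to a discard next hop.
           We never needed to reach 192.0.2.10 anyway; the route exists so that the
           uRPF check on the upstream interface fails for packets carrying it as source.
           The tag makes the entry easy to find and remove once the attack stops. */
        route 192.0.2.10/32 {
            discard;
            tag 666;
        }
    }
    /* Flowspec alternative (needs a router that supports it; propagates upstream only
       over a BGP session with family inet flow). A local flow route is applied as an
       ingress filter on this router by itself. */
    flow {
        route DROP-ATTACKER-SRC {
            match {
                source 192.0.2.10/32;
            }
            then {
                discard;
            }
        }
    }
}
firewall {
    family inet {
        /* Counts and discards packets that fail the uRPF check, so the drop rate is
           visible with "show firewall filter RPF-FAIL-COUNT". */
        filter RPF-FAIL-COUNT {
            term count-and-drop {
                then {
                    count rpf-fail;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "upstream transit (assumed)";
        unit 0 {
            family inet {
                /* Loose-mode uRPF: accept any source that has a usable route via ANY
                   interface; drop sources with no route or whose route is a discard
                   route. The attack traffic is discarded at ingress and never reaches
                   the core or the targeted host. The upstream link itself can still be
                   saturated, as Roland notes, since the packets have already crossed it. */
                rpf-check {
                    fail-filter RPF-FAIL-COUNT;
                    mode loose;
                }
            }
        }
    }
}
```

To verify: "show route 192.0.2.10/32" should show the discard next hop, and the rpf-fail counter under "show firewall filter RPF-FAIL-COUNT" should climb while the attack runs. Rolling back is deleting the static route (and the flow route); the uRPF configuration can stay in place so the next incident is a one-line change. Contrast this with the destination-based RTBH Mel has in mind, where the discard route would be for the victim's address and would finish the attacker's job.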
Thanks Mel. The ISP got back to me and has asked me to build a Juniper block list ACL for them, so I am doing that now.

//Jason

From: Mel Beckman <mel@beckman.org>
Date: Sunday, August 2, 2015 at 5:56 PM
To: Jason LeBlanc <jason.leblanc@infusionsoft.com>
Cc: NANOG <nanog@nanog.org>
Subject: Re: GoDaddy : DoS :: Contact

> Blackholing isn't what you want. That will still permit his source IP into your network, and only blackhole replies from your network, so the attack will still consume bandwidth. What you should request is a source IP ACL blocking that address at your upstream's border.
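For concreteness, here is an added example of the kind of source-based block list an upstream could install on a Juniper router for a customer in Jason's position. It is written for this page; Jason's actual filter is not on the page and nothing here is GoDaddy's or the ISP's configuration. The values are constructed: the attacker is 192.0.2.10/32 and the customer's prefix is 198.51.100.0/24 (both documentation ranges), and ge-0/0/1.0 is assumed to be the ISP's port toward the customer. The filter is applied as an OUTPUT filter on that port, so the attacker's packets are dropped on the ISP side before they enter the customer's access link, which is the point of asking the upstream instead of filtering after the link as Jason was doing. Matching on the destination prefix as well as the source keeps the filter from touching any other customer's traffic if the port or filter is ever shared.

```junos
/* Added example, not from the thread: a source-based block list on the ISP's
   customer-facing port. Assumed values: attacker 192.0.2.10/32, customer prefix
   198.51.100.0/24, customer port ge-0/0/1.0. */
policy-options {
    /* The block list itself. Adding or removing attackers is an edit here only. */
    prefix-list ATTACKER-SOURCES {
        192.0.2.10/32;
    }
    prefix-list CUSTOMER-PREFIXES {
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter BLOCK-ATTACKER-TO-CUSTOMER {
            /* Drop anything from a listed source that is headed for the customer.
               The counter lets both the ISP and the customer confirm the filter is
               actually matching, without having to look at link utilisation. */
            term drop-attacker {
                from {
                    source-prefix-list {
                        ATTACKER-SOURCES;
                    }
                    destination-prefix-list {
                        CUSTOMER-PREFIXES;
                    }
                }
                then {
                    count attacker-drops;
                    discard;
                }
            }
            /* A Junos filter ends in an implicit discard, so everything else must be
               accepted explicitly or the customer loses all traffic. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        description "customer access link (assumed)";
        unit 0 {
            family inet {
                filter {
                    output BLOCK-ATTACKER-TO-CUSTOMER;
                }
            }
        }
    }
}
```

"show firewall filter BLOCK-ATTACKER-TO-CUSTOMER" shows the attacker-drops counter; if it stays at zero while the attack continues, the traffic is taking a different path than the port the filter is on. Rollback is removing the entry from ATTACKER-SOURCES. The same filter applied as an input filter on the ISP's upstream and peering interfaces would keep the traffic off the ISP's core too, at the cost of evaluating it on every border port.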
participants (4)
- Alistair Mackenzie
- Jason LeBlanc
- Mel Beckman
- Roland Dobbins