UDP Amplification DDoS - Help!
Hello, Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly helpful. A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site, if we change the PAT address for the site, the attack targets the new address at the next occurance. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS request originate within the network but that does not appear to be the case. We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block. I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier. Thanks in advance for any insight. Mitch
Oodles of devices downstream of the 1G? Does the 1G terminate into a router or firewall? Sounds like there is a compromised host downstream of the 1G that is reporting back it's source IP and that is why changing the IP doesn't help. If you look at the PAT table, any oddities? Good luck! -Mike
On Feb 8, 2016, at 15:14, Mitch Dyer <mdyer@development-group.net> wrote:
Hello,
Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly helpful.
A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site, if we change the PAT address for the site, the attack targets the new address at the next occurance. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS request originate within the network but that does not appear to be the case.
We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block.
I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.
Thanks in advance for any insight.
Mitch
On 9 Feb 2016, at 9:50, mike.lyon@gmail.com wrote:
Sounds like there is a compromised host downstream of the 1G that is reporting back it's source IP and that is why changing the IP doesn't help.
It's much more likely that the attacker is just following the DNS changes. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
Not quite sure what kind of info / confirmation you are looking for... There are lots of articles (do a google search) on this topic as well as mitigation ... e.g. http://blog.nexusguard.com/ssdp-ddos-attacks/ & https://tools.ietf.org/html/bcp38 Regards Faisal Imtiaz Snappy Internet & Telecom ----- Original Message -----
From: "Mitch Dyer" <mdyer@development-group.net> To: "nanog list" <nanog@nanog.org> Sent: Monday, February 8, 2016 6:14:06 PM Subject: UDP Amplification DDoS - Help!
Hello,
Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly helpful.
A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site, if we change the PAT address for the site, the attack targets the new address at the next occurance. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS request originate within the network but that does not appear to be the case.
We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block.
I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.
Thanks in advance for any insight.
Mitch
use a CDN provider or AWS ELBs or something to absorb the attacks? On Mon, Feb 8, 2016 at 9:55 PM, Faisal Imtiaz <faisal@snappytelecom.net> wrote:
Not quite sure what kind of info / confirmation you are looking for...
There are lots of articles (do a google search) on this topic as well as mitigation ...
e.g.
http://blog.nexusguard.com/ssdp-ddos-attacks/
& https://tools.ietf.org/html/bcp38
Regards
Faisal Imtiaz Snappy Internet & Telecom
----- Original Message -----
From: "Mitch Dyer" <mdyer@development-group.net> To: "nanog list" <nanog@nanog.org> Sent: Monday, February 8, 2016 6:14:06 PM Subject: UDP Amplification DDoS - Help!
Hello,
Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly helpful.
A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site, if we change the PAT address for the site, the attack targets the new address at the next occurance. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS request originate within the network but that does not appear to be the case.
We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block.
I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.
Thanks in advance for any insight.
Mitch
On 9 Feb 2016, at 6:14, Mitch Dyer wrote:
I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.
Take a look at this .pdf preso: <https://app.box.com/s/r7an1moswtc7ce58f8gg> Who's the upstream? Is it the sole upstream You may well not be speaking to the right folks there, the ones who can provide assistance. Also note that there are multiple overlay MSSPs who can potentially help, as well, apart from the immediate upstream. ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
Hi Mitch. My colleagues in the US dealt with something like this and I have dealt with something similar to this in Australia. Does your customer happen to be a school district? In our cases it turned out to be students buying Ddos as a service and targeting the address which comes up when they go to www.whatismyip.com<http://www.whatismyip.com>. So the attack would constantly change and follow the network when there was an IP block put in place at the upstream. In my opinion, there are a few options to this: 1)The best solution is to use a comprehensive cloud based Ddos mitigation solution. 2) Use a cgnat to dynamically map to different external addresses and change them dynamically when there is a Ddos, while putting he used addresses in a black hole. 3) Another could be to use an external proxy service where you proxy your outbound requests to. So they will eventually become the target. However this moves the problem elsewhere and still exposes you to Ddos if they know your Cpe address. 4) In combination with this, you can perform incident response check your logs, turn on authentication, so you know when users are browsing for whatismyip and Ddos attack services. Sent from my iPhone James Tin APJ Principle Enterprise Security Architect Akamai Technologies +61 466 961 555 Level 7, 76 Berry St, North Sydney Australia 2060 On 9 Feb 2016, at 13:27, Mitch Dyer <mdyer@development-group.net<mailto:mdyer@development-group.net>> wrote: Hello, Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly helpful. A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site, if we change the PAT address for the site, the attack targets the new address at the next occurance. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS request originate within the network but that does not appear to be the case. We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block. I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier. Thanks in advance for any insight. Mitch
You haven't indicated what the actual inbound attack volume is. If it's something your network core can handle, you can block the attack fingerprint upstream so it does not reach the 1Gb link. If it's UDP amplification chances are you can create a firewall rule. -PK
1. Move the website to DDoS-resistant reverse proxy like Cloudflare or Incapsula, using its current IP address; won't make much of a difference as attacker will go back to attacking the last known IP address. 2. Change the site IP address and only update it at the reverse proxy provider, not at any DNS record whatsoever. This should do the trick unless attacker starts a full-range CIDR block attack, at which point your next escalation path is GRE-based DDoS providers like, but not limited to, Black Lotus. Rubens On Mon, Feb 8, 2016 at 9:14 PM, Mitch Dyer <mdyer@development-group.net> wrote:
Hello,
Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly helpful.
A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site, if we change the PAT address for the site, the attack targets the new address at the next occurance. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS request originate within the network but that does not appear to be the case.
We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block.
I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.
Thanks in advance for any insight.
Mitch
You could use multiple PAT addresses to find the source of information for the attacker and to reduce the impact by filtering/QOS. TCP connections PAT IP1 (block UDP before going to the 1G line) UDP connections PAT IP2 webservers connecting to api hosts - PAT IP3 webservers remaining connections - PAT IP4 Karsten 2016-02-09 0:14 GMT+01:00 Mitch Dyer <mdyer@development-group.net>:
Hello,
Hoping someone can point me in the right direction here, even just confirming my suspicions would be incredibly helpful.
A little bit of background: I have a customer I'm working with that is downstream of a 1Gb link that is experiencing multiple DDoS attacks on a daily basis. Through several captures I've seen what appear to be a mixture of SSDP and DNS amplification attacks (though not at the same time). The attack itself seems to target the PAT address associated with a specific site, if we change the PAT address for the site, the attack targets the new address at the next occurance. We've tried setting up captures and logging inside the network to determine if the SSDP/DNS request originate within the network but that does not appear to be the case.
We've reached out for some assistance from the upstream carrier but they've only been able to enforce a 24-hour block.
I'm hoping someone with some experience on this topic would be able to shed some light on a better way to attack this or would be willing to confirm that we are simply SOL without prolonged assistance from the upstream carrier.
Thanks in advance for any insight.
Mitch
participants (9)
-
Andrew Kirch
-
Faisal Imtiaz
-
Karsten Elfenbein
-
mike.lyon@gmail.com
-
Mitch Dyer
-
Peter Kranz
-
Roland Dobbins
-
Rubens Kuhl
-
Tin, James