Host.us DDOS attack
Anyone have any additional info on a DDOS attack hitting host.us?

Woke up to no email this morning and the following from their web site:

*Following an extortion attempt, HostUS is currently experiencing sustained large-scale DDOS attacks against a number of locations. The attacks were measured in one location at 300Gbps. In another location the attacks temporarily knocked out the entire metropolitan POP for a Tier-1 provider. Please be patient. We will return soon. Your understanding is appreciated.*
From my monitoring system, looks like my VPS went unavailable around 23:00 EDT last night.
Robert
Well,

Could it be related to the last 2 days DDoS of PokemonGO (which failed) and some other gaming sites (Blizzard and Steam)?

And on the subject of CloudFlare, I'm sorry for that CloudFlare person that defended their position earlier this week, but there may be more hints (unverified) against your statements:

https://twitter.com/xotehpoodle/status/756850023896322048

That could be explored.

On top of which there are hints (unverified) on who is the real bad actor behind that new DDoS service:

http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodleco...

And I quote:

"One thing LeakedSource staff spotted was that the first payment recorded in the botnet's control panel was of $1, while payments for the same package plan were of $19.99."

(PayPal payments, btw)

There is enough information, and damages, imho, to start looking for the people responsible from a legal standpoint. And hopefully the proper authorities are interested.

PS:

I would like to take this time to underline the lack of participation from a vast majority of ISPs in BCP38 and the like. We need to keep educating them at every occasion we have.

For those that actually implemented some sort of tech against it, you are a beacon of hope in what is a ridiculous situation that has been happening for more than 15 years.

-----
Alain Hebert ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770
Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443

On 08/03/16 09:41, Robert Webb wrote:
Not sure if it is related to the PokemonGO or not. This started around 23:00 EDT last night per my monitoring.

Seems like a pretty big attack at 300Gbps and to also temporarily take down a Tier 1 POP in a major city.

I was interested as to whether this might be a botnet or some type of reflection attack.

Robert

On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert <ahebert@pubnix.net> wrote:
Apologies to all as the hostname in my subject is incorrect. It should be hostus.us...

On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb <rwfireguru@gmail.com> wrote:
Back on topic about HostUS, I've been following a thread on LowEndTalk where seemingly Alexander's been updating (https://www.lowendtalk.com/discussion/comment/1791998/#Comment_1791998) - seems like Atlanta and LA are still down ATM based on latest reports - nearly 10 hours now.

Tks.

Regards,
Neo Soon Keat

2016-08-03 22:28 GMT+08:00 Robert Webb <rwfireguru@gmail.com>:
Thanks for that link. My host is sitting in Atlanta and I believe that Atlanta hosts their main infrastructure. I am seeing around a 12 or 13 hour outage at this point.

Robert

On Wed, Aug 3, 2016 at 11:08 AM, Soon Keat Neo <neo@soonke.at> wrote:
it's good that there aren't any easy solutions to this sort of problem... wait... that's wrong, there are.

On Wed, Aug 3, 2016 at 12:04 PM, Robert Webb <rwfireguru@gmail.com> wrote:
One of my VPS with them is in Atlanta, and while the IPv4 address is unresponsive, the IPv6 address is working without issue.

On 08/03/2016 11:08 AM, Soon Keat Neo wrote:
-- Phil Gardner PGP Key ID 0xFECC890C OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538
Looks like ATL01 is down again hard. Although, as someone else mentioned earlier, IPv6 seems to be just fine.

Robert

On Wed, Aug 3, 2016 at 12:40 PM, Phil Gardner <phil.gardnerjr@gmail.com> wrote:
"it's good that there aren't any easy solutions to this sort of problem..."

On Thu, Aug 4, 2016 at 12:03 PM, Robert Webb <rwfireguru@gmail.com> wrote:
Bcp38 is not the issue. It is only the trigger, and as long as one network in Elbonia allows spoofs, that one network can marshal 100s of gbs of ddos power. Years of telling people to do bcp38 has not worked.

The issue is for you and your neighbor to turn off your reflecting udp amplifiers (open dns relay, ssdp, ntp, chargen) and generously block obvious ddos traffic. A healthy udp policer is also smart. I suggest taking a baseline of your normal peak udp traffic, and build a policer that drops all udp that is 10x the baseline for bw and pps.

Bcp38 is good, but it is not the solution we need to tactically stop attacks.

This is not pretty. But it works at keeping your network up.

CB
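A sketch of the UDP policer CB describes above (baseline the normal peak UDP rate, then drop whatever exceeds 10x that in both bandwidth and packet rate), plus a source-port breakdown for the reflector services he names. This is an added illustration, not code from the list or from any operator mentioned in it; the counters, flow records and function names are constructed for it.

```python
"""Added example: the UDP policer suggested on the list (drop UDP above
10x the normal peak, for both bandwidth and packet rate) plus a source-port
breakdown for the reflector services named in the thread. All counters
and flow records below are constructed for illustration."""
from dataclasses import dataclass

# Source ports of the reflector services named in the thread.
REFLECTOR_PORTS = {53: "dns", 1900: "ssdp", 123: "ntp", 19: "chargen"}
MULTIPLIER = 10  # police at 10x the measured normal peak, as suggested


@dataclass(frozen=True)
class Sample:
    """UDP counters for one measurement interval on one interface."""
    bits: int
    packets: int


def baseline(samples):
    """Normal peak UDP rate: highest bits and highest packets seen in the
    baseline window (taken separately, so both limits are conservative)."""
    if not samples:
        raise ValueError("need at least one baseline sample")
    return max(s.bits for s in samples), max(s.packets for s in samples)


def policer_limits(samples, multiplier=MULTIPLIER):
    """Drop thresholds for bits and packets: multiplier x the normal peak."""
    peak_bits, peak_packets = baseline(samples)
    return peak_bits * multiplier, peak_packets * multiplier


def police(sample, limits):
    """Apply the policer to one interval. Traffic is scaled down until it
    fits under both limits; returns (passed, dropped)."""
    max_bits, max_packets = limits
    ratio = max(sample.bits / max_bits, sample.packets / max_packets, 1.0)
    passed = Sample(int(sample.bits / ratio), int(sample.packets / ratio))
    dropped = Sample(sample.bits - passed.bits, sample.packets - passed.packets)
    return passed, dropped


def reflector_share(flows):
    """Fraction of UDP bytes per reflector service, keyed by service name.
    Each flow is a dict with 'sport' (UDP source port) and 'bytes'."""
    total = sum(f["bytes"] for f in flows)
    if total == 0:
        return {}
    per_service = {}
    for f in flows:
        name = REFLECTOR_PORTS.get(f["sport"])
        if name is not None:
            per_service[name] = per_service.get(name, 0) + f["bytes"]
    return {name: b / total for name, b in per_service.items()}


# Constructed normal-week peaks for a small hosting edge: ~2-3 Gbps of UDP.
NORMAL = [Sample(2_000_000_000, 250_000), Sample(3_000_000_000, 400_000),
          Sample(2_500_000_000, 300_000)]
# Constructed attack interval at the 300 Gbps figure quoted in the thread.
ATTACK = Sample(300_000_000_000, 25_000_000)
# Constructed flow records: an NTP-heavy reflection mix plus some real traffic.
FLOWS = [{"sport": 123, "bytes": 7000}, {"sport": 1900, "bytes": 2000},
         {"sport": 443, "bytes": 1000}]

if __name__ == "__main__":
    limits = policer_limits(NORMAL)
    passed, dropped = police(ATTACK, limits)
    print(f"limits: {limits[0] / 1e9:.0f} Gbps / {limits[1] / 1e6:.1f} Mpps")
    print(f"passed: {passed.bits / 1e9:.0f} Gbps, dropped: {dropped.bits / 1e9:.0f} Gbps")
    print("reflector share:", reflector_share(FLOWS))
```

The policer scales by whichever limit is exceeded more, so a packet-rate flood of small packets is cut back even when its bandwidth looks normal.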
Well, I'm sorry. That sounds like the CloudFlare argument: You cannot fix the DDoSs at the source because Elbonia can do it. The only solution is to pay for protection.

Between you and me, if only Elbonia is left DDoSing at 100Gbps, we simply de-peer the commercial subnets from that country (leaving the govt subnets up obviously) and wait for them to deal with their trash ISPs once and for all. (That's how we used to do it early on when the IIRC flooding started.)

Or we keep getting DDoSed for the next 100+ years.

PS: Yes, the fictional country from the Dilbert syndicated cartoons.

On a humorous note: The DDoS protection lobby is our NRA.

-----
Alain Hebert ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770
Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443

On 08/03/16 10:36, Ca By wrote:
On Wednesday, August 3, 2016, Alain Hebert <ahebert@pubnix.net> wrote:
Well,
I'm sorry.
That sounds like the CloudFlare argument: You cannot fix the DDoSs at the source because Elbonia can do it. The only solution is to pay for protection.
No. I hate the idea of paying for protection from a cloud or appliance. Elbonia just has the trigger. The loaded gun is the ddos reflector in comcast, cox, vz, and everyone else.
Between you and me, if only Elbonia is left DDoSing at 100Gbps, we simply de-peer the commercial subnets from that country (leaving the govt subnets up obviously) and leave them to deal with their trash ISPs once and for all. ( That's how we used to do it early on when the IIRC flooding started ).
There are known problematic networks. I have not seen any of them or their facilitating upstreams depeered. I can name 4 networks that source 75% of my attack traffic. Comcast was one due to their ssdp reflection, they stopped that now. But still lots of dns attacks from them.
Or we keep getting DDoSed for the next 100+ years.
On that track.
PS: Yes, the fictional country from the Dilbert syndicated cartoons.
Swap in your favorite real world country / network that has very real abuse source reputation.
On a humorous note:
The DDoS protection lobby is our NRA.
As discussed a few months ago (maybe Christmas time?), Comcast is actively suspending accounts involved in DNS amplification. Certainly on a network like theirs, it's an internal issue as well.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
----- Original Message -----
From: "Ca By" <cb.list6@gmail.com>
To: ahebert@pubnix.net
Cc: nanog@nanog.org
Sent: Wednesday, August 3, 2016 10:05:04 AM
Subject: Re: Host.us DDOS attack -and- related conversations
On Wed, 03 Aug 2016 10:53:22 -0400, Alain Hebert said:
Between you and me, if only Elbonia is left DDoSing at 100Gbps, we simply de-peer the commercial subnets from that country (leaving the govt subnets up obviously)
Explain why, for those of us who don't see it as obvious.
Doing BCP38 or blocking/shutting off known amplification vectors both require effort and both accomplish the same thing. Of course doing both is best. :-)
One provider in "Elbonia" getting through is far more damaging to that provider in Elbonia than to the rest of the world, if they were the only ones left.
Do many last mile providers implement BCP38 at their CE? Seems like it's better to stop it at the CE than the PE.
----- Original Message -----
From: "Ca By" <cb.list6@gmail.com>
To: ahebert@pubnix.net
Cc: nanog@nanog.org
Sent: Wednesday, August 3, 2016 9:36:09 AM
Subject: Re: Host.us DDOS attack -and- related conversations
On 3 August 2016 at 15:16, Alain Hebert <ahebert@pubnix.net> wrote:
PS:
I will like to take this time to underline the lack of participation from a vast majority of ISPs into BCP38 and the like. We need to keep educating them at every occasion we have.
For those that actually implemented some sort of tech against it, you are a beacon of hope in what is a ridiculous situation that has been happening for more than 15 years.
At the risk of starting a "NANOG war" [1], BCP isn't a magic wand.
If I find a zero day in the nasty customised kernels that OVH run on their clients' boxes, I only need 300 compromised hosts to send 300Gbps of traffic without spoofing the IP or using amplification attacks [2].
I can rent a server with a 10Gbps connection for 1 hour for a few quid/dollars. I could generate hundreds of Gbps of traffic for about £1000 from legitimate IPs, paid for with stolen card details. How will BCP save you then? Can everyone stop praising it like it was some magic bullet?
James.
[1] A pathetic and futile one, so different from the rest.
[2] Substitute OVH for any half decent provider that isn't really oversubscribed.
On Wed, Aug 3, 2016 at 10:40 AM, James Bensley <jwbensley@gmail.com> wrote:
How will BCP save you then? Can everyone stop praising it like it was a some magic bullet?
aren't you making a 'perfect is the enemy of good' argument here? 'seatbelts don't solve all car crash deaths, so let's just go mad-max!'
On Wednesday, August 3, 2016, Christopher Morrow <morrowc.lists@gmail.com> wrote:
The point is, I have my seat belt on. I am doing the right thing. My car still gets smashed because mad max is on the road. I now have a broken back. And you are telling me to make sure to wear a seat belt. Did that. Did not stop mad max from ruining my day.
Please provide more and better advice on avoiding injury.
Step one. Collectively work to deflate mad max's tires (stop the udp reflectors that max uses)
Well, I didn't want to pollute the nanog list with my BCP38 (or other solutions) ranting, but come on:
[1] How can ensuring that the source IPs coming out of your network are part of your advertised subnets be pathetic and futile?
Don't you think that if the source IPs are traceable back to OVH, it would be easy for OVH to see and deal with it, instead of noise with random source IPs coming from the bunch of un-patched residential routers in Latin America (for example)?
And we're back on track with "do nothing but pay for protection" as the only solution.
Gotta love Humans.
On 08/03/16 10:40, James Bensley wrote:
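The check Alain describes (a source address leaving a network must belong to that network's announced prefixes), worked as an added example that is not code from the thread or from any vendor: strict and loose uRPF against a small constructed forwarding table, with made-up interface names and RFC 5737 documentation addresses. The strict/loose split is the CE-versus-PE question Mike raises: strict fits the single-homed customer port, loose is what is left on links where strict would drop legitimate traffic.

```python
"""Source-address validation at the customer edge (BCP38) via uRPF.

Added example, not code from the thread or from any vendor. A small
constructed forwarding table stands in for the router's FIB; interface
names and addresses (RFC 5737 documentation space) are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str

@dataclass(frozen=True)
class Packet:
    src: str
    ingress: str

# Constructed FIB: two single-homed customer ports behind a default route.
FIB = [
    Route("198.51.100.0/24", "cust-A"),
    Route("203.0.113.128/25", "cust-A"),  # cust-A's second block
    Route("203.0.113.0/25", "cust-B"),
    Route("0.0.0.0/0", "upstream"),
]

def lookup(fib, src):
    """Longest-prefix match for src; None if no route (not even default)."""
    addr = ip_address(src)
    hits = [r for r in fib if addr in ip_network(r.prefix)]
    return max(hits, key=lambda r: ip_network(r.prefix).prefixlen, default=None)

def urpf(fib, pkt, mode="strict"):
    """Return "permit" or "drop" for pkt under strict or loose uRPF.

    strict: the best route for the source must point back out the ingress
            port. Right for single-homed customer ports (the CE/PE edge);
            wrong for multi-homed or asymmetric links, where it drops
            legitimate traffic.
    loose:  any route more specific than the default suffices. Weaker: a
            source spoofed from a neighbour's block passes. Ignoring the
            default route is this example's choice; real routers make it
            a knob.
    """
    route = lookup(fib, pkt.src)
    if route is None:
        return "drop"
    if mode == "strict":
        return "permit" if route.interface == pkt.ingress else "drop"
    if mode == "loose":
        return "drop" if ip_network(route.prefix).prefixlen == 0 else "permit"
    raise ValueError(f"unknown uRPF mode {mode!r}")

# Constructed packets arriving on cust-A: two legitimate sources, one
# spoofing cust-B's block, one spoofing an unrelated prefix and one
# RFC 1918 source that only the default route would cover.
SAMPLES = [
    Packet("198.51.100.7", "cust-A"),
    Packet("203.0.113.200", "cust-A"),
    Packet("203.0.113.9", "cust-A"),
    Packet("192.0.2.5", "cust-A"),
    Packet("10.0.0.1", "cust-A"),
]

def filter_port(fib=FIB, samples=SAMPLES, mode="strict"):
    """Apply uRPF to each packet; returns {src: verdict}."""
    return {p.src: urpf(fib, p, mode) for p in samples}

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, filter_port(mode=mode))
```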
Stopping one vector that makes up the largest of DDoSes certainly isn't a bad thing.
----- Original Message -----
From: "James Bensley" <jwbensley@gmail.com>
To: nanog@nanog.org
Sent: Wednesday, August 3, 2016 9:40:17 AM
Subject: Re: Host.us DDOS attack -and- related conversations
Interestingly my VM (LA) with them has been effectively down for half a day as far as IPv4 is concerned. IPv6 traffic seems unaffected.
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Robert Webb
Sent: Thursday, 4 August 2016 1:42 AM
To: NANOG list <nanog@nanog.org>
Subject: Host.us DDOS attack
Further to that, and I would suggest it should be part of the overall discussion here. It appears the IPv4 IP block my VM is in is not currently advertised in the world route table. I assume hostus.us's transit provider has dropped their IPv4 BGP to save themselves. This is really the ultimate reward for the extortionists as they don't even need to sustain the DDOS to attack their target. While I see the transit provider's point of view, it's a pretty shitty situation for their customer, and their customers' customers.
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Tony Wicks
Sent: Thursday, 4 August 2016 9:10 AM
To: 'NANOG list' <nanog@nanog.org>
Subject: RE: Host.us DDOS attack
Strange that they cannot send a BGP blackhole upstream to keep everyone else online within their advertised route.
On 8/3/16 5:27 PM, Tony Wicks wrote:
participants (11)
- Alain Hebert
- Ca By
- Christopher Morrow
- James Bensley
- Jason Canady
- Mike Hammett
- Phil Gardner
- Robert Webb
- Soon Keat Neo
- Tony Wicks
- Valdis.Kletnieks@vt.edu