[172042] in North American Network Operators' Group
Re: Large DDoS, small extortion
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu May 22 10:03:51 2014
X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAN-S6ZqtwxcjGudh8Q+bW5u=7WEvz5Jn4Tdk-MmQ1u-9QHXhig@mail.gmail.com>
Date: Thu, 22 May 2014 10:03:56 -0400
To: Beleaguered Admin <dealing.with.ddos@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On May 22, 2014, at 12:51 AM, Beleaguered Admin <dealing.with.ddos@gmail.com> wrote:
> Apologies for the non-personal email address, but I don't want to give
> our attacker any additional information than I need to.
>
> I'd be happy to send personal contact/ASN information to any nanog
> admins or regular members of nanog if it's useful.
>
> We've tried to engage upstream providers to help trace the attacks,
> but have gotten nowhere (they didn't seem to understand that the SYN
> attacks were spoofed, and looking at source IPs didn't matter; we
> wanted to know the ingress points on their network).
This sounds like a tooling issue on their part. They should be able to pick a specific set of items and trace them back and mitigate some set of spoofed packets. Some attackers are advanced and will detect when you block their spoofed packets immediately (they have telemetry/data like we all do) and move to another attack vector.
> What are the best practices for this? Are there secret code words
> (http://xkcd.com/806/) we can use to get to someone at our upstreams
> who might know what we're talking about? Is it worth the time?
You need to talk to the security team in their NOC. These are usually small and sometimes difficult to reach. I know our NOC can find them quickly and works with them on customer issues often.
> Is it worth talking to law enforcement?
Absolutely. Even if the "lost costs" have been just payroll which already exist, this may be related to other activity. I suggest calling your local FBI office (assuming you are in the US). They can be quite helpful. If you don't get somewhere quickly, let me know and I can try to hunt someone in a local field office for you.
> Some of these have been >500k
> costs to the customer, but we assume the person doing it isn't in any
> western country, so maybe it doesn't even matter?
I'll say it does matter, because even if they are in some "unreachable" location, these folks sometimes travel to locations where they can be picked up. It may not be immediate, but can help build the case.
It is sad, but I can likely guess who your upstreams are, and some are more responsive than others. I'm aware of one that puts almost no effort into tracking spoofed packets to clamp down on them.
- Jared
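The point made in the thread, that spoofed source addresses tell the upstream nothing while the ingress interface does, as an added illustration that is not part of the original exchange: a small Python script that aggregates constructed NetFlow-style records per router ingress interface and flags the interfaces carrying half-open SYNs from many never-repeating sources. The record layout, interface names and thresholds are assumptions of this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# TCP flag bits as exported in NetFlow/IPFIX tcpControlBits.
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Flow:
    """Minimal flow record; field names are an assumption of this example."""
    src: str
    dst: str
    dport: int
    flags: int      # OR of all TCP flags seen in the flow
    packets: int
    ingress: str    # router interface the flow was sampled on


VICTIM = "192.0.2.10"   # constructed victim address


def constructed_flows():
    """Constructed sample: a spoofed SYN flood entering via xe-0/0/1, real clients via xe-0/0/2."""
    flows = []
    # Flood: 400 distinct sources, one SYN each, no ACK ever seen (classic spoofing signature).
    for i in range(400):
        src = f"198.51.100.{i}" if i < 256 else f"203.0.113.{i - 256}"
        flows.append(Flow(src, VICTIM, 443, SYN, 1, "xe-0/0/1"))
    # Legitimate clients: a handful of sources that complete handshakes.
    for i in range(5):
        flows.append(Flow(f"198.18.0.{i}", VICTIM, 443, SYN | ACK, 40, "xe-0/0/2"))
    return flows


def ingress_profile(flows, victim):
    """Per ingress interface: SYN-only packets, flows where an ACK was seen, distinct sources."""
    syn_only, with_ack, sources = Counter(), Counter(), defaultdict(set)
    for f in flows:
        if f.dst != victim:
            continue
        if f.flags & ACK:
            with_ack[f.ingress] += 1
        elif f.flags & SYN:
            syn_only[f.ingress] += f.packets
        sources[f.ingress].add(f.src)
    return {i: {"syn_only": syn_only[i], "with_ack": with_ack[i], "sources": len(sources[i])}
            for i in sources}


def flood_ingress(profile, min_syn_only=100, min_sources=50):
    """Interfaces where traffic toward the victim is dominated by half-open SYNs from many sources."""
    return sorted(i for i, p in profile.items()
                  if p["syn_only"] >= min_syn_only and p["sources"] >= min_sources
                  and p["syn_only"] > 10 * p["with_ack"])
```

The output names the interface to trace further upstream; per-source blocking would be pointless here because no source repeats.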