[186188] in North American Network Operators' Group

Re: Ransom DDoS attack - need help!

daemon@ATHENA.MIT.EDU (Lyndon Nerenberg)
Thu Dec 3 15:03:01 2015

X-Original-To: nanog@nanog.org
Date: Thu, 3 Dec 2015 11:59:23 -0800 (PST)
From: Lyndon Nerenberg <lyndon@orthanc.ca>
To: nanog@nanog.org
In-Reply-To: <20151203151433.GE4332@shell01.saturnus.netnerdz.se>
Errors-To: nanog-bounces@nanog.org

> Afaik, the DDoS is "only" a UDP based one (or much of the attack), you should be able to mitigate
> some to much of the damage caused by filled pipes by blocking incoming UDP traffic at your ISP level.

This is the Armada Collective, based on the description.  We just went 
through a round with them. The hardest they were able to hit us peaked at 
a little under 80 Gbits/second. Primarily DNS and NTP amplification 
attacks. They also hit our web servers with a little over 80 million 
requests over a one hour period, and played some games with TCP to try to 
mess with the protocol stacks on the servers and network gear.

Cloudflare took care of the web attacks.  For DDoS, something like 
Incapsula will take care of the layer 3 stuff.  Not cheap, but very 
effective.

--lyndon

