Ransom DDoS attack - need help!

alvin nanog nanogml at Mail.DDoS-Mitigator.net
Fri Dec 4 02:34:42 UTC 2015


hi lyndon

On 12/03/15 at 05:54pm, Lyndon Nerenberg wrote:
> On Dec 3, 2015, at 5:00 PM, alvin nanog <nanogml at Mail.DDoS-Mitigator.net> wrote:
> > run tcpdump and/or ethereal to capture the DDoS attacks
>
> <face palm> Of course! If we had only thought of this sooner! </face palm>
> :-)

yupperz.. the problem is, capturing is nice, you have all this data ... now what ...

all that tcpdump gibberish needs to be converted and presented in a format
suitable for the bean counters to allocate $$$ to mitigate and minimize the
effects of the "free n hopefully relatively harmless" DDoS attacks occurring
every second

let's assume required services are properly configured and excluded
        - acl's only for your own dns queries
        - ssh only from specific ip#
        - ntp to/from your isp

let's assume you allow incoming ssh only from w.x.y.z ... all other connections are DoS attacks
  tcpdump -n -l ! host w.x.y.z and port 22

let's assume mail is your mail server .. all traffic NOT on port 25 is DoS attacks
  tcpdump -n -l host mail.example.com and ! port 25

let's assume www is your web server .. all traffic NOT on port 80 is DoS attacks
  tcpdump -n -l host www.example.com and ! port 80

if you are running all the services ( mail + apache + mysql ) on one server
the remaining tcp connections are DoS attacks
  tcpdump -n -l host mail.example.com and \( ! port 25 and ! port 80 and ! port 3306 \)

let's assume dns is your dns server .. i consider all tcp traffic from outside as DoS attacks
  tcpdump -n -l tcp and host dns.example.com

to see possible udp attacks .. don't forget to exclude your own DNS and NTP queries
  tcpdump -n -l udp

to see possible icmp attacks
  tcpdump -n -l icmp

too many gazillion options make the world go round n round ...
- where does it end :-) ... it doesn't ...

if you get a screenful of data flying by of stuff you don't recognize,
you're probably under light DDoS attacks

magic pixie dust
alvin
http://DDoS-Mitigator.net/cgi-bin/IPtables-GUI.pl
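As an added example (not part of alvin's post), a small Python script that turns lines of `tcpdump -n -l` output into the kind of per-source summary the post says the raw capture needs to become, using the same policy (ssh only from one admin host, one service port per server, no TCP to the dns server). The sample lines, the admin address and the server addresses/roles are constructed stand-ins for the post's w.x.y.z, mail, www and dns.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -l` output lines (not a real capture).
SAMPLE = """\
02:34:42.000001 IP 203.0.113.5.51234 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
02:34:42.000002 IP 198.51.100.7.40000 > 192.0.2.10.22: Flags [S], seq 2, win 65535, length 0
02:34:42.000003 IP 198.51.100.7.40001 > 192.0.2.25.25: Flags [S], seq 3, win 65535, length 0
02:34:42.000004 IP 198.51.100.7.40002 > 192.0.2.25.3389: Flags [S], seq 4, win 65535, length 0
02:34:42.000005 IP 198.51.100.8.53000 > 192.0.2.53.53: Flags [S], seq 5, win 65535, length 0
02:34:42.000006 IP 198.51.100.9.53001 > 192.0.2.53.53: 4711+ A? example.com. (29)
02:34:42.000007 IP 198.51.100.7.40003 > 192.0.2.80.80: Flags [S], seq 6, win 65535, length 0
02:34:42.000008 IP 198.51.100.7.40004 > 192.0.2.80.443: Flags [S], seq 7, win 65535, length 0
"""

# Hypothetical addresses standing in for the post's w.x.y.z / mail / www / dns hosts.
ADMIN_IP = "203.0.113.5"
ROLES = {"192.0.2.25": "mail", "192.0.2.80": "www", "192.0.2.53": "dns"}
SERVICE = {"mail": ("tcp", 25), "www": ("tcp", 80), "dns": ("udp", 53)}

LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")

def parse(line):
    """Return (src, dst, proto, dport) for a line printed with ports, else None (e.g. ICMP)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _sport, dst, dport, rest = m.groups()
    proto = "tcp" if rest.startswith("Flags [") else "udp"  # tcpdump prints Flags only for TCP
    return src, dst, proto, int(dport)

def is_expected(src, dst, proto, dport):
    """The post's policy: ssh only from the admin host, one service port per server."""
    if proto == "tcp" and dport == 22:
        return src == ADMIN_IP
    return SERVICE.get(ROLES.get(dst)) == (proto, dport)  # any TCP to dns fails here

def summarize(text):
    """Count expected lines and tally everything else per (src, dst, proto, dport)."""
    expected, unparsed, unexpected = 0, 0, Counter()
    for line in text.splitlines():
        parsed = parse(line)
        if parsed is None:
            unparsed += 1
        elif is_expected(*parsed):
            expected += 1
        else:
            unexpected[parsed] += 1
    return {"expected": expected, "unparsed": unparsed, "unexpected": unexpected}
```

Feed it a real capture with `summarize(open("capture.txt").read())` and print `report["unexpected"].most_common()` to get the top offending source/port pairs.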