Large DDoS, small extortion

Beleaguered Admin dealing.with.ddos at gmail.com
Thu May 22 04:51:37 UTC 2014


Apologies for the non-personal email address, but I don't want to give
our attacker any more information than I need to.

I'd be happy to send personal contact/ASN information to any nanog
admins or regular members of nanog if it's useful.

Over the past year or so, we (a decent sized tier 2 with a nationwide
US backbone) have had several large DDoS attacks from what appears to
be the same person, who is (we presume) going down something like the
Alexa list of top sites, attacking them,
and asking for small amounts of money to stop.

This has been going on for a long time -- almost every detail is
exactly the same as what is described here:

http://it.slashdot.org/story/12/11/03/1846252/ask-slashdot-how-to-deal-with-a-ddos-attack

and more recently:

http://techcrunch.com/2014/03/03/meetup-suffering-significant-ddos-attack-taking-it-offline-for-days/

and:

https://gist.github.com/dhh/9741477

And I believe attacks including vimeo, github, and others.

The attacker is smarter than many random attackers, or at least has
better tools.  He watches when you mitigate the attack, and shifts his
attack to something new.  He (or his tools) also watch DNS for the
thing he's attacking and the attack moves as DNS changes.

We've seen UDP amplification (NTP and DNS mainly), syn flood, syn/ack
flood, layer 7 cache busting
(https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801/),
and others we haven't been able to fully mitigate/identify.

The largest attacks we've seen (which aren't the largest we've read
about) are over 50Gbit and 10s of millions of pps.

He is in regular communication (via whois info and other collected
contact data) asking for <$1000 USD sums to stop the attacks.

While we are interested in technical means to mitigate the attacks
(the syn and syn/acks are brutal, all cores pegged on multicore 10G
nic servers just dealing with interrupts), what I'd really like to
find out is how to help fix the problem.

We've tried to engage upstream providers to help trace the attacks,
but have gotten nowhere (they didn't seem to understand that the syn
attacks were spoofed and that looking at source IPs didn't matter; we
wanted to know the ingress points on their network).

What are the best practices for this?  Are there secret code words
(http://xkcd.com/806/) we can use to get to someone at our upstreams
who might know what we're talking about?  Is it worth the time?

Is it worth talking to law enforcement?  Some of these have been >500k
costs to the customer, but we assume the person doing it isn't in any
western country, so maybe it doesn't even matter?

Thanks.
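The ingress-point question raised above, as an added example that is not from the post or its author: constructed flow records (router, interface, source, destination, TCP flags, packets) are aggregated by ingress interface rather than by source IP, so a spoofed SYN flood shows up as a couple of busy entry points instead of a long list of meaningless sources. All addresses, router names and interface names are made up.

```python
from collections import Counter

# Constructed flow records (not from the post):
# (router, ingress interface, src IP, dst IP, TCP flags, packets)
# A spoofed SYN flood against 203.0.113.10 entering via two peering ports,
# plus a little ordinary traffic so the filter has something to ignore.
FLOWS = [
    ("edge1", "xe-0/0/1", "198.51.100.7",   "203.0.113.10", "S", 40000),
    ("edge1", "xe-0/0/1", "192.0.2.19",     "203.0.113.10", "S", 40000),
    ("edge1", "xe-0/0/1", "198.51.100.201", "203.0.113.10", "S", 40000),
    ("edge1", "xe-0/0/1", "192.0.2.77",     "203.0.113.10", "S", 40000),
    ("edge1", "xe-0/0/1", "198.51.100.33",  "203.0.113.10", "S", 40000),
    ("edge2", "xe-1/2/0", "192.0.2.5",      "203.0.113.10", "S", 30000),
    ("edge2", "xe-1/2/0", "198.51.100.90",  "203.0.113.10", "S", 30000),
    ("edge2", "xe-1/2/0", "192.0.2.150",    "203.0.113.10", "S", 30000),
    ("edge2", "xe-1/2/0", "198.51.100.12",  "203.0.113.10", "S", 30000),
    ("edge3", "ge-0/0/3", "192.0.2.200",    "203.0.113.10", "S",  5000),
    ("edge3", "ge-0/0/3", "192.0.2.200",    "203.0.113.10", "A", 12000),  # established session
    ("edge3", "ge-0/0/3", "192.0.2.44",     "203.0.113.99", "S", 20000),  # other destination
]

TARGET = "203.0.113.10"

def syn_counts(flows, target):
    """Count SYN-only packets to `target`, keyed by source IP and by ingress point."""
    by_src, by_ingress = Counter(), Counter()
    for router, iface, src, dst, flags, pkts in flows:
        if dst != target or flags != "S":  # SYN set, ACK clear: half-open attempts only
            continue
        by_src[src] += pkts
        by_ingress[(router, iface)] += pkts
    return by_src, by_ingress

def attack_ingress(flows, target, share=0.9):
    """Return (ingress points carrying >= `share` of the SYNs, number of distinct
    sources, fraction carried by the single busiest source). With spoofed sources
    the source count is large and the top-source fraction tiny; the ingress list
    is what an upstream needs in order to trace the flood hop by hop."""
    by_src, by_ingress = syn_counts(flows, target)
    total = sum(by_ingress.values())
    if total == 0:
        return [], 0, 0.0
    chosen, acc = [], 0
    for point, pkts in by_ingress.most_common():
        chosen.append(point)
        acc += pkts
        if acc >= share * total:
            break
    return chosen, len(by_src), max(by_src.values()) / total

if __name__ == "__main__":
    print(attack_ingress(FLOWS, TARGET))
```

Run against the constructed data, two interfaces account for over 90% of the SYNs while no single source carries more than about 12%, which is the shape a provider should look for before asking about source addresses.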

