Large DDoS, small extortion

Jared Mauch jared at
Thu May 22 14:03:56 UTC 2014

On May 22, 2014, at 12:51 AM, Beleaguered Admin <dealing.with.ddos at> wrote:

> Apologies for the non-personal email address, but I don't want to give
> our attacker any additional information than I need to.
> I'd be happy to send personal contact/ASN information to any nanog
> admins or regular members of nanog if it's useful.
> We've tried to engage upstream providers to help trace the attacks,
> but have gotten nowhere (they didn't seem to understand that the syn
> attacks were spoofed, and looking at source IPs didn't matter, we
> wanted to know the ingress points on their network.)

this sounds like a tooling issue on their part.  they should be able to pick a specific set of items and trace them back and mitigate some set of spoofed packets.  Some attackers are advanced and will detect when you block their spoofed packets immediately (they have telemetry/data like we all do) and move to another attack vector.

> What are the best practices for this?  Are there secret code words
> ( we can use to get to someone at our upstreams
> who might know what we're talking about?  Is it worth the time?

You need to talk to the security team in their NOC.  These are usually small and sometimes difficult to reach.  I know our NOC can find them quickly and works with them on customer issues often.

> Is it worth talking to law enforcement?  

Absolutely.  Even if the "lost costs" have been just payroll which already exist, this may be related to other activity.  I suggest calling your local FBI office (assuming you are in the US).  They can be quite helpful.  If you don't get somewhere quickly, let me know and I can try to hunt someone in a local field office for you.

> Some of these have been >500k
> costs to the customer, but we assume the person doing it isn't in any
> western country, so maybe it doesn't even matter?

I'll say it does matter, because even if they are in some "unreachable" location, these folks sometimes travel to locations where they can be picked up.  It may not be immediate, but can help build the case.

It is sad, but I can likely guess who your upstreams are, and some are more responsive than others.  I'm aware of one that puts almost no effort into tracking spoofed packets to clamp down on them.

- Jared

More information about the NANOG mailing list