Large DDoS, small extortion

Damian Menscher damian at google.com
Thu May 22 17:44:40 UTC 2014


Contact law enforcement -- they can combine intel from multiple cases to
hopefully identify the attacker.

Automate your analysis and reporting.  If you send an email to the sources
of abuse you can reduce the attacker's capabilities.  (To set expectations:
only about 10% will take action.)

If you have specific customers that are being targeted, you may want to
suggest they get behind a DDoS mitigation provider that can absorb large
attacks (up to 500Gbps).

Damian


On Wed, May 21, 2014 at 9:51 PM, Beleaguered Admin <
dealing.with.ddos at gmail.com> wrote:

> Apologies for the non-personal email address, but I don't want to give
> our attacker any additional information than I need to.
>
> I'd be happy to send personal contact/ASN information to any nanog
> admins or regular members of nanog if it's useful.
>
> Over the past year or so, we (a decent sized tier 2 with a nationwide
> US backbone) have had several large DDoS attacks from what appears to
> be the same person, who is (we presume) going down something like the
> Alexa list of top sites, attacking them, and asking for small amounts
> of money to stop.
>
> This has been going on for a long time -- almost every detail is
> exactly the same as what is described here:
>
> http://it.slashdot.org/story/12/11/03/1846252/ask-slashdot-how-to-deal-with-a-ddos-attack
>
> and more recently:
>
> http://techcrunch.com/2014/03/03/meetup-suffering-significant-ddos-attack-taking-it-offline-for-days/
>
> and:
>
> https://gist.github.com/dhh/9741477
>
> And I believe attacks including vimeo, github, and others.
>
> The attacker is smarter than many random attackers, or at least has
> better tools.  He watches when you mitigate the attack, and shifts his
> attack to something new.  He (or his tools) also watch DNS for the
> thing he's attacking and the attack moves as DNS changes.
>
> We've seen UDP amplification (NTP and DNS mainly), syn flood, syn/ack
> flood, layer 7 cache busting
> (https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801/),
> and others we haven't been able to fully mitigate/identify.
>
> The largest attacks we've seen (which aren't the largest we've read
> about) are over 50Gbit and 10s of millions of pps.
>
> He is in regular communication (via whois info and other collected
> contact data) asking for <$1000 USD sums to stop the attacks.
>
> While we are interested in technical means to mitigate the attacks
> (the syn and syn/acks are brutal, all cores pegged on multicore 10G
> nic servers just dealing with interrupts), what I'd really like to
> find out is how to help fix the problem.
>
> We've tried to engage upstream providers to help trace the attacks,
> but have gotten nowhere (they didn't seem to understand that the syn
> attacks were spoofed and that looking at source IPs didn't matter; we
> wanted to know the ingress points on their network).
>
> What are the best practices for this?  Are there secret code words
> (http://xkcd.com/806/) we can use to get to someone at our upstreams
> who might know what we're talking about?  Is it worth the time?
>
> Is it worth talking to law enforcement?  Some of these have been >500k
> costs to the customer, but we assume the person doing it isn't in any
> western country, so maybe it doesn't even matter?
>
> Thanks.
>
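Damian's suggestion to automate the analysis and reporting, together with the admin's point that SYN-flood sources are spoofed while the amplification reflectors are real hosts, as an added example that is not code from either poster: a Python classifier over flow records (a constructed sample in the RFC 5737 documentation ranges, with a hypothetical victim address 198.51.100.10 and an invented e-mail template) that separates the vectors seen in the thread and builds a per-source abuse-report list only for vectors whose source addresses genuinely sent the traffic. The byte-per-packet thresholds are assumptions, not values from the thread.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a collector would export it (constructed fields)."""
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    flags: str     # TCP flags, e.g. "S", "SA", "PA"; "" for UDP
    packets: int
    bytes: int


VICTIM = "198.51.100.10"   # assumed victim address (RFC 5737 documentation range)

# Vectors whose source addresses are the hosts that really emitted the packets
# (reflectors), so an abuse e-mail to their contacts can reduce attack capacity.
# SYN floods are left out on purpose: their sources are spoofed, so reporting
# them hits innocent parties; what you need there is the ingress point from
# the upstream, not the source IP.
REPORTABLE = {"ntp-amplification", "dns-amplification", "synack-reflection"}


def classify(f: Flow) -> str:
    """Name the vector a single flow toward the victim looks like."""
    if f.dst != VICTIM:
        return "not-victim"
    avg = f.bytes / f.packets if f.packets else 0
    if f.proto == "udp":
        # Amplification shows up as large responses from a service port we never queried
        # (thresholds are assumptions for this example).
        if f.sport == 123 and avg > 400:
            return "ntp-amplification"
        if f.sport == 53 and avg > 500:
            return "dns-amplification"
        return "udp-other"
    if f.proto == "tcp":
        if f.flags == "S":
            return "syn-flood"
        if f.flags == "SA":
            return "synack-reflection"   # our address spoofed in SYNs sent to real servers
    return "tcp-other"


def analyze(flows):
    """Aggregate flows per vector: sources, volume, and whether sources are reportable."""
    by_vector = defaultdict(list)
    for f in flows:
        by_vector[classify(f)].append(f)
    return {
        vec: {
            "sources": sorted({f.src for f in fl}),
            "packets": sum(f.packets for f in fl),
            "bytes": sum(f.bytes for f in fl),
            "reportable": vec in REPORTABLE,
        }
        for vec, fl in by_vector.items()
    }


def abuse_reports(summary):
    """Map each genuine source address to the vectors it took part in."""
    reports = defaultdict(list)
    for vec, s in sorted(summary.items()):
        if s["reportable"]:
            for src in s["sources"]:
                reports[src].append(vec)
    return dict(reports)


def abuse_email(src, vectors, victim=VICTIM):
    """Plain-text body for the abuse contact of one source (template is an assumption)."""
    return (
        f"Host {src} on your network is sending unsolicited traffic to {victim} "
        f"as part of a DDoS attack ({', '.join(vectors)}). "
        "Please check it for an open NTP/DNS service or reflected SYN/ACKs."
    )


# Constructed sample records, not a real capture.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", VICTIM, "udp", 123, 40000, "", 1000, 468000),   # monlist-sized replies
    Flow("203.0.113.9", VICTIM, "udp", 53, 40001, "", 500, 1500000),    # large DNS answers
    Flow("192.0.2.77", VICTIM, "tcp", 5151, 80, "S", 1, 60),            # single SYN, likely spoofed
    Flow("192.0.2.78", VICTIM, "tcp", 5152, 80, "S", 1, 60),
    Flow("203.0.113.20", VICTIM, "tcp", 443, 6000, "SA", 200, 12000),   # SYN/ACK reflection
    Flow("192.0.2.200", VICTIM, "tcp", 51000, 443, "PA", 30, 18000),    # ordinary client traffic
]

if __name__ == "__main__":
    summary = analyze(SAMPLE_FLOWS)
    for vec, s in sorted(summary.items()):
        print(f"{vec:20} pkts={s['packets']:6} bytes={s['bytes']:8} reportable={s['reportable']}")
    for src, vectors in abuse_reports(summary).items():
        print("---", src)
        print(abuse_email(src, vectors))
```

Feeding real exports into `Flow` is the only change needed to run this against a collector; the design point is that the reportable set is keyed on the vector, so the SYN-flood sources never reach the mailer, while the NTP, DNS and SYN/ACK reflectors do.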


More information about the NANOG mailing list