Large DDoS, small extortion

Frank Doherty dealing.with.ddos at gmail.com
Fri May 23 06:05:54 UTC 2014


Thanks everyone.  There's been a lot of great on and off list
responses, and we have a much better list of contacts for the next
time this happens.

We are in contact with the FBI now (very impressed, particularly
compared to what I expected), and have access to resources that we
didn't know existed.

Hopefully I'll meet some of you in bellevue next week.


On Wed, May 21, 2014 at 9:51 PM, Beleaguered Admin
<dealing.with.ddos at gmail.com> wrote:
> Apologies for the non-personal email address, but I don't want to give
> our attacker any additional information than I need to.
>
> I'd be happy to send personal contact/ASN information to any nanog
> admins or regular members of nanog if it's useful.
>
> Over the past year or so, we (a decent sized tier 2 with a nationwide
> US backbone) have had several large DDoS attacks from what appear to
> be the same person who is (we presume) going down something like the
> alexa list of top sites, attacking them,
> and asking for small amounts of money to stop.
>
> This has been going on for a long time -- almost every detail is
> exactly the same as what is described here:
>
> http://it.slashdot.org/story/12/11/03/1846252/ask-slashdot-how-to-deal-with-a-ddos-attack
>
> and more recently:
>
> http://techcrunch.com/2014/03/03/meetup-suffering-significant-ddos-attack-taking-it-offline-for-days/
>
> and:
>
> https://gist.github.com/dhh/9741477
>
> And I believe attacks including vimeo, github, and others.
>
> The attacker is smarter than many random attackers, or at least has
> better tools.  He watches when you mitigate the attack, and shifts his
> attack to something new.  He (or his tools) also watch DNS for the
> thing he's attacking and the attack moves as DNS changes.
>
> We've seen UDP amplification (NTP and DNS mainly), syn flood, syn/ack
> flood, layer 7 cache busting
> (https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801/),
> and others we haven't been able to fully mitigate/identify.
>
> The largest we've seen (which isn't the largest we've read about)
> attacks are over 50Gbit and 10s of millions of pps.
>
> He is in regular communication (via whois info and other collected
> contact data) asking for <$1000 USD sums to stop the attacks.
>
> While we are interested in technical means to mitigate the attacks
> (the syn and syn/acks are brutal, all cores pegged on multicore 10G
> nic servers just dealing with interrupts), what I'd really like to
> find out is how to help fix the problem.
>
> We've tried to engage upstream providers to help trace the attacks,
> but have gotten nowhere (they didn't seem to understand that the syn
> attacks were spoofed, and looking at source IPs didn't matter, we
> wanted to know the ingress points on their network.)
>
> What are the best practices for this?  Are there secret code words
> (http://xkcd.com/806/) we can use to get to someone at our upstreams
> who might know what we're talking about?  Is it worth the time?
>
> Is it worth talking to law enforcement?  Some of these have been >500k
> costs to the customer, but we assume the person doing it isn't in any
> western country, so maybe it doesn't even matter?
>
> Thanks.


More information about the NANOG mailing list