Large DDoS, small extortion

Frank Doherty dealing.with.ddos at
Fri May 23 06:05:54 UTC 2014

Thanks everyone.  There's been a lot of great on and off list
responses, and we have a much better list of contacts for the next
time this happens.

We are in contact with the FBI now (very impressed, particularly
compared to what I expected), and have access to resources that we
didn't know existed.

Hopefully I'll meet some of you in bellevue next week.

On Wed, May 21, 2014 at 9:51 PM, Beleaguered Admin
<dealing.with.ddos at> wrote:
> Apologies for the non-personal email address, but I don't want to give
> our attacker any additional information than I need to.
> I'd be happy to send personal contact/ASN information to any nanog
> admins or regular members of nanog if it's useful.
> Over the past year or so, we (a decent sized tier 2 with a nationwide
> US backbone) have had several large DDoS attacks from what appear to
> be the same person who is (we presume) going down something like the
> alexa list of top sites, attacking them,
> and asking for small amounts of money to stop.
> This has been going on for a long time -- almost every detail is
> exactly the same as what is described here:
> and more recently:
> and:
> And I believe attacks including vimeo, github, and others.
> The attacker is smarter than many random attackers, or at least has
> better tools.  He watches when you mitigate the attack, and shifts his
> attack to something new.  He (or his tools) also watch DNS for the
> thing he's attacking and the attack moves as DNS changes.
> We've seen UDP amplification (NTP and DNS mainly), syn flood, syn/ack
> flood, layer 7 cache busting
> (,
> and others we haven't been able to fully mitigate/identify.
> The largest we've seen (which isn't the largest we've read about)
> attacks are over 50Gbit and 10s of millions of pps.
> He is in regular communication (via whois info and other collected
> contact data) asking for <$1000 USD sums to stop the attacks.
> While we are interested in technical means to mitigate the attacks
> (the syn and syn/acks are brutal, all cores pegged on multicore 10G
> nic servers just dealing with interrupts), what I'd really like to
> find out is how to help fix the problem.
> We've tried to engage upstream providers to help trace the attacks,
> but have gotten nowhere (they didn't seem to understand that the syn
> attacks were spoofed, and looking at source IPs didn't matter, we
> wanted to know the ingress points on their network.)
> What are the best practices for this?  Are there secret code words
> ( we can use to get to someone at our upstreams
> who might know what we're talking about?  Is it worth the time?
> Is it worth talking to law enforcement?  Some of these have been >500k
> costs to the customer, but we assume the person doing it isn't in any
> western country, so maybe it doesn't even matter?
> Thanks.

More information about the NANOG mailing list