Ransom DDoS attack - need help!

John Kristoff jtk at cymru.com
Thu Dec 3 16:23:14 UTC 2015

On Thu, 3 Dec 2015 03:15:04 -0500
halp us <throwaway1958251 at gmail.com> wrote:

> I would really appreciate help in a few areas (primarily with certain
> provider contacts/intros) so we can execute our strategy (which I
> can't reveal here for obvious reasons). If you email me off-list with
> a name/email that you've previously used on-list, I will reply from
> my real email.


Sorry for your troubles.  I'm happy to try to put you in touch with
people we know or specific providers that may be particularly important
for you, given the path attack traffic may follow to you.  Generally,
however, you need to be working with your upstream providers or peers.
Those are your best friends that are best able to mitigate traffic from
reaching you or to help trace back where it is coming from.

We also operate a free community service called UTRS, which is
essentially just a community remote triggered black hole (RTBH)
service.  Depending on the attack and where it is coming from, it may
be of some help.  It is another tool in the tool box that is relatively
easy to get going.  Technical details and sign up form here:


In case an attack does come, you must be able to provide some profile
of the attack traffic for others to help.  A sample of the attack
traffic (e.g. a pcap, flow data, logs), including any characteristics
that might help others help you mitigate is important.  This includes
source network, IP address(es) (but they may be spoofed), protocol,
port, packet size, payload, etc... anything that may uniquely identify
the traffic.  Keep track of the time an attack starts and let people
know what time zone you're working in, or convert to UTC (preferred).

> Alternatively, if you can post your experiences on-list with large
> scale high profile ransom DDoS attacks, I'd really appreciate it!

You should consider engaging your local federal law enforcement
office.  Don't expect miracles, but at least have that ball rolling.
They will probably tell you not to pay, and generally you shouldn't.
Keep a good evidence trail.  Be vigilant, but don't panic.


More information about the NANOG mailing list