Ransom DDoS attack - need help!

William Herrin bill at herrin.us
Thu Dec 3 16:24:23 UTC 2015

On Thu, Dec 3, 2015 at 3:15 AM, halp us <throwaway1958251 at gmail.com> wrote:
> A company that shall remain anonymous has received a ransom DDoS note from
> a very well known group that has been in the news lately. Recently they've
> threatened to carry out a major DDoS attack if they are not paid by a
> deadline which is approaching. They've performed an attack of a smaller
> magnitude to prove that they're serious.
Are you announcing your IP addresses via BGP or does your ISP manage
routing for you?

If BGP, contract with a DDOS mitigator now. During an attack, you
reroute the /24 containing the attacked destination to the mitigator
and let them scrub the bad traffic for you. I have no idea who to
recommend but I believe there was a recent discussion on nanog about
just that subject.

Make sure your ISP provides you with a small block of its addresses so
that you can anchor the tunnel from the DDOS mitigator no matter which
of your announced address blocks is attacked. And test to make sure
your addresses really do reroute to the mitigator at need: your ISP
can do a number of things to foul up your BGP announcement which you
won't notice until you try to reroute.

If not BGP, this is your ISP's problem. Notify them of the threat so
that they can get ready to mitigate it.

As others have said, don't pay the ransom. Even if the current thieves
honor the bargain, it'll become known that you paid. That paints a
great big target on your back for every other thief out there.

Bill Herrin

William Herrin
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>