Reflection DDoS last week
Denys Fedoryshchenko
nuclearcat at nuclearcat.com
Sat Aug 24 19:01:34 UTC 2019
Hi,
Same happened in Lebanon(country). Similar pattern: carpet bombing for
multiple prefixes of specific ASN.
I suspect it is a new trend in DDoS-for-hire, and ISP who did not
install data scrubbing appliances will feel severe pain from such
attacks, since they use SYN + ACK from legit servers.
On 2019-08-21 22:44, Töma Gavrichenkov wrote:
> Peace,
>
> Here's to confirm that the pattern reported before in NANOG was indeed
> a reflection DDoS attack. On Sunday, it also hit our customer, here's
> the report:
>
> https://www.prnewswire.com/news-releases/root-cause-analysis-and-incident-report-on-the-august-ddos-attack-300905405.html
>
> tl;dr: basically that was a rather massive reflected SYN/ACK carpet
> bombing against several datacenter prefixes (no particular target was
> identified).
>
> --
> Töma
>
> On Sat, Aug 17, 2019, 1:06 AM Jim Shankland <nanog at shankland.org>
> wrote:
>
>> Greetings,
>>
>> I'm seeing slow-motion (a few per second, per IP/port pair) syn
>> flood
>> attacks ostensibly originating from 3 NL-based IP blocks:
>> 88.208.0.0/18 [1]
>> , 5.11.80.0/21 [2], and 78.140.128.0/18 [3] ("ostensibly" because
>> ... syn flood,
>> and BCP 38 not yet fully adopted).
>>
>> Why is this syn flood different from all other syn floods? Well ...
>>
>> 1. Rate seems too slow to do any actual damage (is anybody really
>> bothered by a few bad SYN packets per second per service, at this
>> point?); but
>>
>> 2. IPs/port combinations with actual open services are being
>> targeted
>> (I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs
>>
>> with those services running), implying somebody checked for open
>> services first;
>>
>> 3. I'm seeing this in at least 2 locations, to addresses in
>> different,
>> completely unrelated ASes, implying it may be pretty widespread.
>>
>> Is anybody else seeing the same thing? Any thoughts on what's going
>> on?
>> Or should I just be ignoring this and getting on with the weekend?
>>
>> Jim
>
>
> Links:
> ------
> [1] http://88.208.0.0/18
> [2] http://5.11.80.0/21
> [3] http://78.140.128.0/18
More information about the NANOG
mailing list