Reflection DDoS last week

Denys Fedoryshchenko nuclearcat at nuclearcat.com
Sat Aug 24 19:01:34 UTC 2019


Hi,

Same happened in Lebanon (country). Similar pattern: carpet bombing for 
multiple prefixes of a specific ASN.
I suspect it is a new trend in DDoS-for-hire, and ISPs who did not 
install data scrubbing appliances will feel severe pain from such 
attacks, since they use SYN + ACK from legit servers.


On 2019-08-21 22:44, Töma Gavrichenkov wrote:
> Peace,
> 
> Here's to confirm that the pattern reported before in NANOG was indeed
> a reflection DDoS attack. On Sunday, it also hit our customer, here's
> the report:
> 
> https://www.prnewswire.com/news-releases/root-cause-analysis-and-incident-report-on-the-august-ddos-attack-300905405.html
> 
> tl;dr: basically that was a rather massive reflected SYN/ACK carpet
> bombing against several datacenter prefixes (no particular target was
> identified).
> 
> --
> Töma
> 
> On Sat, Aug 17, 2019, 1:06 AM Jim Shankland <nanog at shankland.org> wrote:
> 
>> Greetings,
>> 
>> I'm seeing slow-motion (a few per second, per IP/port pair) syn flood
>> attacks ostensibly originating from 3 NL-based IP blocks:
>> 88.208.0.0/18 [1], 5.11.80.0/21 [2], and 78.140.128.0/18 [3]
>> ("ostensibly" because ... syn flood, and BCP 38 not yet fully adopted).
>> 
>> Why is this syn flood different from all other syn floods? Well ...
>> 
>> 1. Rate seems too slow to do any actual damage (is anybody really
>> bothered by a few bad SYN packets per second per service, at this
>> point?); but
>> 
>> 2. IPs/port combinations with actual open services are being targeted
>> (I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs
>> with those services running), implying somebody checked for open
>> services first;
>> 
>> 3. I'm seeing this in at least 2 locations, to addresses in different,
>> completely unrelated ASes, implying it may be pretty widespread.
>> 
>> Is anybody else seeing the same thing? Any thoughts on what's going on?
>> Or should I just be ignoring this and getting on with the weekend?
>> 
>> Jim
> 
> 
> Links:
> ------
> [1] http://88.208.0.0/18
> [2] http://5.11.80.0/21
> [3] http://78.140.128.0/18
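
Added example, not part of the original thread: a victim-side check for the SYN/ACK carpet bombing described above, where each destination stays under a per-host threshold while the prefix as a whole is flooded with SYN/ACKs that answer no outbound SYN. The packet-record fields, thresholds and addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # constructed protected prefix
PER_HOST_PPS = 100     # assumed per-destination alert threshold
PER_PREFIX_PPS = 1000  # assumed per-prefix alert threshold

def unsolicited_synacks(packets):
    """Yield inbound SYN/ACKs that do not answer a SYN sent from our side."""
    pending = set()
    for p in packets:
        if p["dir"] == "out" and p["flags"] == "S":
            pending.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif p["dir"] == "in" and p["flags"] == "SA":
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if key in pending:
                pending.discard(key)  # legitimate handshake reply
            else:
                yield p

def detect(packets):
    """Count unsolicited SYN/ACKs per second, per host and per prefix."""
    host, prefix = Counter(), Counter()
    for p in unsolicited_synacks(packets):
        dst = ipaddress.ip_address(p["dst"])
        net = next((n for n in PREFIXES if dst in n), None)
        if net is None:
            continue
        sec = int(p["ts"])
        host[(sec, p["dst"])] += 1
        prefix[(sec, str(net))] += 1
    return {
        "host_alerts": sorted(k for k, v in host.items() if v > PER_HOST_PPS),
        "prefix_alerts": sorted((s, n, v) for (s, n), v in prefix.items()
                                if v > PER_PREFIX_PPS),
    }

def sample_packets():
    """Constructed traffic: one real handshake, then 8 SYN/ACKs to each of 250 hosts."""
    pkts = [
        {"ts": 0.0, "dir": "out", "flags": "S", "src": "198.51.100.10",
         "sport": 40000, "dst": "192.0.2.1", "dport": 443},
        {"ts": 0.1, "dir": "in", "flags": "SA", "src": "192.0.2.1",
         "sport": 443, "dst": "198.51.100.10", "dport": 40000},
    ]
    for h in range(1, 251):
        for i in range(8):
            pkts.append({"ts": 0.2 + i * 0.1, "dir": "in", "flags": "SA",
                         "src": f"203.0.113.{i + 1}", "sport": (22, 53, 443)[i % 3],
                         "dst": f"198.51.100.{h}", "dport": 1024 + i})
    return pkts
```

On the constructed sample no single host crosses the per-host threshold (8 packets per second each), yet the /24 receives 2000 unsolicited SYN/ACKs in that second, so only the per-prefix aggregation raises an alert.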


