Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

Damian Menscher damian at google.com
Tue Aug 27 23:23:19 UTC 2019


On Wed, Aug 21, 2019 at 3:21 PM Töma Gavrichenkov <ximaera at gmail.com> wrote:

> On Thu, Aug 22, 2019 at 12:17 AM Damian Menscher <damian at google.com>
> wrote:
> > Some additional questions, if you're able to answer them (off-list is
> fine if there are things that can't be shared broadly):
> >   - Was the attack referred to law enforcement?
>
> It is being referred to now.  This would most probably get going under
> the jurisdiction of the Netherlands.
>

Deeper analysis and discussion indicates there were several victims: we saw
brief attacks targeting some of our cloud customers with syn-ack peaks
above 125 Mpps; another provider reported seeing 275Mpps sustained.  So
presumably there are a few law enforcement investigations under way, in
various jurisdictions.

>   - Were any transit providers asked to trace the
> > source of the spoofing to either stop the attack
> > or facilitate the law enforcement investigation?
>
> No.... tracing the source was not deemed a high priority task.
>

Fair enough.  I just didn't want to duplicate effort.

The source of the spoofing has been traced.  The responsible hosting
provider has kicked off their problem customer, and is exploring the
necessary filtering to prevent a recurrence.

If anyone sees more of this style of attack please send up a flare so the
community knows to track down the new source.

Damian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190827/d46a4336/attachment.html>


More information about the NANOG mailing list