Retaliatory DDoS

Mike Hammett nanog at ics-il.net
Mon Feb 8 18:00:48 UTC 2021


It would only be a 1G NIC. 

They did say it was impacting other users in that rack. No clue how hot or what they run to each rack. 




----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

----- Original Message -----

From: "Jean St-Laurent" <jean at ddostest.me> 
To: "Mike Hammett" <nanog at ics-il.net> 
Cc: "NANOG list" <nanog at nanog.org> 
Sent: Monday, February 8, 2021 11:59:32 AM 
Subject: RE: Retaliatory DDoS 



I would not for 2.5 Gbps 

So if you were down for 1 hour with 2.5 Gbps, it’s probably not a black hole. 

There might be something else valuable in this report. 

Maybe 2.5 Gbps is not the damaging factor here, unless your server has only a 1 Gbps NIC, then that could explain it. But I doubt it. 

Peace 
Jean 



From: Mike Hammett <nanog at ics-il.net> 
Sent: February 8, 2021 12:56 PM 
To: Jean St-Laurent <jean at ddostest.me> 
Cc: NANOG list <nanog at nanog.org> 
Subject: Re: Retaliatory DDoS 


I don't have RTBH, no. It's just a web server. 

Now how my hosting provider handled it, I'm not sure. I don't know if they just dropped me internally, or if they used RTBH with their upstreams and peers. Only being 2.5 gigs, that should be well within their ability to handle internally, but I guess why would you if you didn't have to? 



----- 
Mike Hammett 
Intelligent Computing Solutions 
Midwest Internet Exchange 
The Brothers WISP 
----- Original Message -----


From: "Jean St-Laurent" <jean at ddostest.me> 
To: "Mike Hammett" <nanog at ics-il.net> 
Cc: "NANOG list" <nanog at nanog.org> 
Sent: Monday, February 8, 2021 11:53:43 AM 
Subject: RE: Retaliatory DDoS 
You got RTBH? 



From: Mike Hammett <nanog at ics-il.net> 
Sent: February 8, 2021 12:50 PM 
To: Jean St-Laurent <jean at ddostest.me> 
Cc: NANOG list <nanog at nanog.org> 
Subject: Re: Retaliatory DDoS 


In my case, it was against a server not on my own network, so my impact was a blackhole for an hour at 4 AM local time. I likely wouldn't have even noticed it, had I not received the threat email, nor the ticket my web host's NOC opened. 



----- 
Mike Hammett 
Intelligent Computing Solutions 
Midwest Internet Exchange 
The Brothers WISP 



From: "Jean St-Laurent" <jean at ddostest.me> 
To: "Mike Hammett" <nanog at ics-il.net>, "NANOG list" <nanog at nanog.org> 
Sent: Monday, February 8, 2021 11:42:12 AM 
Subject: RE: Retaliatory DDoS 
Nice report, 

If you had to pick just one vector out of this “multi-vector” attack, which one seems to be the one that had the bigger effect on your network or service? 

Was it degraded or total service interruption? 

Jean 



From: NANOG <nanog-bounces+jean=ddostest.me at nanog.org> On Behalf Of Mike Hammett 
Sent: February 8, 2021 8:43 AM 
To: NANOG list <nanog at nanog.org> 
Subject: Re: Retaliatory DDoS 


Mike, 

I've attached the full information we got from our DDoS protection system below. 

We had a large number of ping loss and data loss tickets begin opening up for devices sharing the cabinet chi18-313. The high traffic and interference was determined to be caused by incoming traffic to the ip address [Not hard to find, but redacted anyway]. Our network engineers will be back in after 9am until 5pm CST. They have greater access to the network and may be able to give you more details. 

Location : Chicago 
Event Time : 2021-02-08 04:17:38 CST (-0600) 
Destination IP: [Not hard to find, but redacted anyway] 
Traffic : 2520 Mbps 382880 pps 
Fragmentation : 11% 
Top Transport Protocol: 
. 99% Protocol # 17 (UDP) 
TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0% 
Top Source Port: 
. 61% Port # 3702 
. 38% Port # 0 
Top Destination Port: 
. 38% Port # 0 
. 14% Port # 45934 
. 9% Port # 23680 
. 8% Port # 35023 
. 7% Port # 25966 
Top Source IP: 
. 0% 112.164.127.17 
Number of unique IP: 7110 
Total Bytes : 1259961437 
Total Packets : 1531559 
Duration : 4s 
Report Run Time : 151.3ms 

The 30 day null route count is: 0 
Number of hours to null route : 1 

Location : Chicago 
Event Time : 2021-02-08 04:02:38 CST (-0600) 
Destination IP: [Not hard to find, but redacted anyway] 
Traffic : 1817 Mbps 275483 pps 
Fragmentation : 13% 
Top Transport Protocol: 
. 99% Protocol # 17 (UDP) 
TCP Flag: SYN: 99% ACK: 0% RST: 0% FIN: 0% 
Top Source Port: 
. 56% Port # 3702 
. 43% Port # 0 
Top Destination Port: 
. 43% Port # 0 
. 19% Port # 25966 
. 19% Port # 35023 
. 17% Port # 23680 
Top Source IP: 
. 0% 90.49.167.239 
Number of unique IP: 3577 
Total Bytes : 953894831 
Total Packets : 1157017 
Duration : 4.199s 
Report Run Time : 306.8ms 

The 30 day null route count is: 0 
Number of hours to null route : 1 


Liam Doring 
Systems Administrator 



----- 
Mike Hammett 
Intelligent Computing Solutions 
Midwest Internet Exchange 
The Brothers WISP 
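The report Mike forwarded above says more than the headline rate, but only if the fields are read together. As an added example (not the hosting provider's tooling and not code from the thread), the Python below parses that first report block, cross-checks the Mbps/pps figures against the byte and packet totals, and flags the vectors the counters point to: almost all UDP, with 61% of packets arriving from source port 3702 (WS-Discovery reflection), port 0 on both sides where non-first IP fragments carry no transport header, and a 2.5 Gbps total that saturates a 1 Gbps NIC on its own. The reflector port table is an illustrative subset, and the per-vector Mbps estimate assumes packet share approximates byte share.

```python
"""Parse the DDoS-protection report quoted above and pull out what it says about the
attack vectors.  Added example, not the hosting provider's tooling."""
import re
from dataclasses import dataclass, field

# First report block from the thread (the redacted Destination IP and the Top Source IP
# rows are left out).  The numbers are the ones on the page, not constructed.
REPORT = """\
Event Time : 2021-02-08 04:17:38 CST (-0600)
Traffic : 2520 Mbps 382880 pps
Fragmentation : 11%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0%
Top Source Port:
. 61% Port # 3702
. 38% Port # 0
Top Destination Port:
. 38% Port # 0
. 14% Port # 45934
. 9% Port # 23680
Number of unique IP: 7110
Total Bytes : 1259961437
Total Packets : 1531559
Duration : 4s
"""

# UDP services widely abused as reflectors, keyed by the source port the reflected
# traffic arrives from.  Illustrative subset, not an exhaustive list.
REFLECTOR_PORTS = {3702: "WS-Discovery", 1900: "SSDP", 389: "CLDAP", 123: "NTP", 53: "DNS"}

_ITEM = re.compile(r"^\.\s*([\d.]+)%\s*(?:Port|Protocol)\s*#\s*(\d+)")


@dataclass
class Report:
    mbps: float = 0.0
    pps: float = 0.0
    frag_pct: float = 0.0
    duration_s: float = 0.0
    unique_ips: int = 0
    total_bytes: int = 0
    total_packets: int = 0
    protocols: dict = field(default_factory=dict)  # IP protocol number -> % of packets
    src_ports: dict = field(default_factory=dict)  # port -> % of packets
    dst_ports: dict = field(default_factory=dict)

    @property
    def udp_pct(self) -> float:
        return self.protocols.get(17, 0.0)


def parse_report(text: str) -> Report:
    """'.'-prefixed rows belong to the 'Top ...' header above them; the rest are key: value."""
    r = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Top "):
            section = {"Top Transport Protocol": r.protocols, "Top Source Port": r.src_ports,
                       "Top Destination Port": r.dst_ports}.get(line.rstrip(":"))
            continue
        m = _ITEM.match(line)
        if m:
            if section is not None:
                section[int(m.group(2))] = float(m.group(1))
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Traffic":
            mbps, pps = re.match(r"([\d.]+)\s*Mbps\s+([\d.]+)\s*pps", value).groups()
            r.mbps, r.pps = float(mbps), float(pps)
        elif key == "Fragmentation":
            r.frag_pct = float(value.rstrip("%"))
        elif key == "Duration":
            r.duration_s = float(value.rstrip("s"))
        elif key == "Number of unique IP":
            r.unique_ips = int(value)
        elif key == "Total Bytes":
            r.total_bytes = int(value)
        elif key == "Total Packets":
            r.total_packets = int(value)
    return r


def avg_packet_bytes(r: Report) -> float:
    return r.total_bytes / r.total_packets


def rate_consistent(r: Report, tol: float = 0.05) -> bool:
    """Cross-check the headline Mbps/pps against byte and packet totals over the sample window."""
    if r.duration_s <= 0 or r.total_packets == 0:
        return False
    mbps_from_totals = r.total_bytes * 8 / r.duration_s / 1e6
    pps_from_totals = r.total_packets / r.duration_s
    return abs(mbps_from_totals - r.mbps) <= tol * r.mbps and abs(pps_from_totals - r.pps) <= tol * r.pps


def analyze(r: Report, link_mbps: float = 1000.0) -> list:
    """Turn the counters into the findings a responder would act on."""
    findings = []
    if r.udp_pct >= 90:
        findings.append(f"{r.udp_pct:.0f}% UDP: the TCP flag line covers only the other "
                        f"{100 - r.udp_pct:.0f}% of packets, so SYN=100% says nothing about the flood")
    for port, pct in sorted(r.src_ports.items(), key=lambda kv: -kv[1]):
        if port in REFLECTOR_PORTS and pct >= 10:
            # share is by packets; scaling Mbps by it assumes similar packet sizes per vector
            findings.append(f"reflection via {REFLECTOR_PORTS[port]}: {pct:.0f}% of packets from UDP "
                            f"source port {port}, roughly {r.mbps * pct / 100:.0f} Mbps")
    port0 = max(r.src_ports.get(0, 0.0), r.dst_ports.get(0, 0.0))
    if port0 or r.frag_pct:
        findings.append(f"fragments: {port0:.0f}% of packets show port 0 (non-first IP fragments carry "
                        f"no UDP header), {r.frag_pct:.0f}% flagged fragmented, "
                        f"{avg_packet_bytes(r):.0f}-byte average packet")
    if r.mbps > link_mbps:
        findings.append(f"{r.mbps:.0f} Mbps exceeds the host's {link_mbps:.0f} Mbps port: the link "
                        f"saturates no matter what is done upstream")
    return findings


if __name__ == "__main__":
    rep = parse_report(REPORT)
    print("rates consistent with totals:", rate_consistent(rep))
    for finding in analyze(rep):
        print("-", finding)
```

Running the file prints the findings for the quoted report; pasting in the 04:02:38 block gives the same vectors at about 1.8 Gbps. The consistency check is worth keeping: 1259961437 bytes over the 4 s window works out to 2519.9 Mbps, so the headline rate is a four-second sample of the flood, not an average over the hour the null route lasted.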



From: "Mike Hammett" <nanog at ics-il.net> 
To: "NANOG list" <nanog at nanog.org> 
Sent: Monday, February 8, 2021 5:46:26 AM 
Subject: Retaliatory DDoS 


Is there a club for people that have been DDoSed? If so, count me in. 



This one was directed at me (as opposed to one of my customers) because I got an e-mail explaining why I was getting DDoSed. Is that aspect common? 



There were also some racial and sexual accusations that were made that clearly aren't true and just speak to the intelligence of people like this. 



Is it safe to assume that they completely anonymized the email they sent to me? 



Is there anyone I should be reporting this to? 



I thought my site was running in Cloudflare, but my individual server was still attacked, so I gotta figure out where I screwed that up. 




https://www.dropbox.com/s/rrrx90jvy09h26s/ICS%20DDoS.png?dl=0 



----- 
Mike Hammett 
Intelligent Computing Solutions 
Midwest Internet Exchange 
The Brothers WISP 


