<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 10pt; color: #000000'>It would only be a 1G NIC.<br><br>They did say it was impacting other users in that rack. No clue how hot or what they run to each rack.<br><br><div><span name="x"></span><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline !important;float:none">-----</span><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline !important;float:none">Mike Hammett</span><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="http://www.ics-il.com/" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer">Intelligent Computing Solutions</a><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="https://www.facebook.com/ICSIL" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/fbicon.png" style="border:0pt none"></a><a href="https://plus.google.com/+IntelligentComputingSolutionsDeKalb" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/googleicon.png" style="border:0pt none"></a><a href="https://www.linkedin.com/company/intelligent-computing-solutions" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/linkedinicon.png" style="border:0pt none"></a><a href="https://twitter.com/ICSIL" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/twittericon.png" style="border:0pt none"></a><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="http://www.midwest-ix.com/" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer">Midwest Internet Exchange</a><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="https://www.facebook.com/mdwestix" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/fbicon.png" style="border:0pt none"></a><a href="https://www.linkedin.com/company/midwest-internet-exchange" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/linkedinicon.png" style="border:0pt none"></a><a href="https://twitter.com/mdwestix" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/twittericon.png" style="border:0pt none"></a><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="http://www.thebrotherswisp.com/" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer">The Brothers WISP</a><br style="color:rgb( 0 , 0 , 0 );font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="https://www.facebook.com/thebrotherswisp" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/fbicon.png" style="border:0pt none"></a><a href="https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg" style="font-family:'times new roman';font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="nofollow noopener noreferrer"><img src="http://www.ics-il.com/images/youtubeicon.png" style="border:0pt none"></a><span name="x"></span><br></div><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Jean St-Laurent" <jean@ddostest.me><br><b>To: </b>"Mike Hammett" <nanog@ics-il.net><br><b>Cc: </b>"NANOG list" <nanog@nanog.org><br><b>Sent: </b>Monday, February 8, 2021 11:59:32 AM<br><b>Subject: </b>RE: Retalitory DDoS<br><br><style><!--

@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}

p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
span.object
        {mso-style-name:object;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><div class="WordSection1"><p class="MsoNormal"><span style="mso-fareast-language:EN-US">I would not for 2.5 Gbps</span></p><p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span></p><p class="MsoNormal"><span style="mso-fareast-language:EN-US">So if you were down for 1 hour with 2.5 Gbps and it’s probably not a black hole.</span></p><p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span></p><p class="MsoNormal"><span style="mso-fareast-language:EN-US">There might be something else valuable in this report. </span></p><p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span></p><p class="MsoNormal"><span style="mso-fareast-language:EN-US">Maybe 2.5 Gbps is not the damaging factor here unless your server has only 1 Gbps nic, then it could explain. But, I doubt.</span></p><p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span></p><p class="MsoNormal"><span style="mso-fareast-language:EN-US">Peace</span></p><p class="MsoNormal"><span style="mso-fareast-language:EN-US">Jean</span></p><p class="MsoNormal"><span style="mso-fareast-language:EN-US"> </span></p><div><div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Mike Hammett <nanog@ics-il.net> <br><b>Sent:</b> February 8, 2021 12:56 PM<br><b>To:</b> Jean St-Laurent <jean@ddostest.me><br><b>Cc:</b> NANOG list <nanog@nanog.org><br><b>Subject:</b> Re: Retalitory DDoS</span></p></div></div><p class="MsoNormal"> </p><div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I don't have RTBH, no. It's just a web server.<br><br>Now how my hosting provider handled it, I'm not sure. I don't know if they just dropped me internally, or if they used RTBH with their upstreams and peers. Only being 2.5 gigs, that should be well within their ability to handle internally, but I guess why would you if you didn't have to?</span></p><div><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br><br>-----<br>Mike Hammett<br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.ics-il.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">Intelligent Computing Solutions</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/ICSIL" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_48" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://plus.google.com/+IntelligentComputingSolutionsDeKalb" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_49" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.linkedin.com/company/intelligent-computing-solutions" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_50" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://twitter.com/ICSIL" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_51" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.midwest-ix.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">Midwest Internet Exchange</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/mdwestix" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_52" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.linkedin.com/company/midwest-internet-exchange" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_53" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://twitter.com/mdwestix" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_54" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.thebrotherswisp.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">The Brothers WISP</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/thebrotherswisp" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_55" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_56" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"></span></p></div><div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><hr size="2" width="100%" align="center" id="zwchr"></span></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;font-family:"Helvetica",sans-serif;color:black">From: </span></b><span style="font-size:12.0pt;font-family:"Helvetica",sans-serif;color:black">"Jean St-Laurent" <jean@ddostest.me><br><b>To: </b>"Mike Hammett" <nanog@ics-il.net><br><b>Cc: </b>"NANOG list" <nanog@nanog.org><br><b>Sent: </b>Monday, February 8, 2021 11:53:43 AM<br><b>Subject: </b>RE: Retalitory DDoS</span></p><p class="MsoNormal"><span style="color:black;mso-fareast-language:EN-US">You got RTBH?</span><span style="color:black"></span></p><p class="MsoNormal"><span style="color:black;mso-fareast-language:EN-US"> </span><span style="color:black"></span></p><div><div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="color:black">From:</span></b><span lang="EN-US" style="color:black"> Mike Hammett <nanog@ics-il.net> <br><b>Sent:</b> February 8, 2021 12:50 PM<br><b>To:</b> Jean St-Laurent <jean@ddostest.me><br><b>Cc:</b> NANOG list <nanog@nanog.org><br><b>Subject:</b> Re: Retalitory DDoS</span><span style="color:black"></span></p></div></div><p class="MsoNormal"><span style="color:black"> </span></p><div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">In my case, it was against a server not on my own network, so my impact was a blackhole for an hour at 4 AM local time. I likely wouldn't have even noticed it, had I not received the threat email, nor the ticket my web host's NOC opened.</span><span style="color:black"></span></p><div><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br><br>-----<br>Mike Hammett<br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.ics-il.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">Intelligent Computing Solutions</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/ICSIL" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_47" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://plus.google.com/+IntelligentComputingSolutionsDeKalb" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_46" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.linkedin.com/company/intelligent-computing-solutions" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_45" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://twitter.com/ICSIL" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_44" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.midwest-ix.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">Midwest Internet Exchange</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/mdwestix" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_43" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.linkedin.com/company/midwest-internet-exchange" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_42" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://twitter.com/mdwestix" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_41" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.thebrotherswisp.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">The Brothers WISP</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/thebrotherswisp" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_40" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_39" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="color:black"></span></p></div><div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><hr size="2" width="100%" align="center"></span></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;font-family:"Helvetica",sans-serif;color:black">From: </span></b><span style="font-size:12.0pt;font-family:"Helvetica",sans-serif;color:black">"Jean St-Laurent" <jean@ddostest.me><br><b>To: </b>"Mike Hammett" <nanog@ics-il.net>, "NANOG list" <nanog@nanog.org><br><b>Sent: </b>Monday, February 8, 2021 11:42:12 AM<br><b>Subject: </b>RE: Retalitory DDoS</span><span style="color:black"></span></p><p class="MsoNormal"><span style="color:black;mso-fareast-language:EN-US">Nice report,</span><span style="color:black"></span></p><p class="MsoNormal"><span style="color:black;mso-fareast-language:EN-US"> </span><span style="color:black"></span></p><p class="MsoNormal"><span style="color:black;mso-fareast-language:EN-US">If you would have to pick up just one vector out of this “multi-vector” attack, which one seems to be the one that had the bigger effect on your network or service?</span><span style="color:black"></span></p><p class="MsoNormal"><span style="color:black;mso-fareast-language:EN-US"> </span><span style="color:black"></span></p><p class="MsoNormal"><span style="color:black;mso-fareast-language:EN-US">Was it degraded or total service interruption?</span><span style="color:black"></span></p><p class="MsoNormal"><span style="color:black;mso-fareast-language:EN-US"> </span><span style="color:black"></span></p><p class="MsoNormal"><span style="color:black;mso-fareast-language:EN-US">Jean</span><span style="color:black"></span></p><p class="MsoNormal"><span style="color:black;mso-fareast-language:EN-US"> </span><span style="color:black"></span></p><div><div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="color:black">From:</span></b><span lang="EN-US" style="color:black"> NANOG <nanog-bounces+jean=ddostest.me@nanog.org> <b>On Behalf Of </b>Mike Hammett<br><b>Sent:</b> February 8, 2021 8:43 AM<br><b>To:</b> NANOG list <nanog@nanog.org><br><b>Subject:</b> Re: Retalitory DDoS</span><span style="color:black"></span></p></div></div><p class="MsoNormal"><span style="color:black"> </span></p><div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:13.5pt;font-family:"Courier New";color:black;background:white">Mike,</span><span style="font-size:13.5pt;font-family:"Courier New";color:black"><br><br><span style="background:white">I've attached the full information we got from our DDOS protection system below.</span><br><br><span style="background:white">We had a large number of ping loss and data loss tickets begin opening up for devices sharing the cabinet chi18-313. The high traffic and interference was determined to be caused by incoming traffic to the ip address [Not hard to find, but redacted anyway]. Our network engineers will be back in after 9am until 5pm CST. They have greater access to the network and may be able to give you more details.</span><br><br><span style="background:white">Location : Chicago</span><br><span style="background:white">Event Time : </span><span class="object">2021-02-08</span><span style="background:white"> 04:17:38 CST (-0600)</span><br><span style="background:white">Destination IP: [Not hard to find, but redacted anyway]</span><br><span style="background:white">Traffic : 2520 Mbps 382880 pps</span><br><span style="background:white">Fragmentation : 11%</span><br><span style="background:white">Top Transport Protocol:</span><br><span style="background:white">. 99% Protocol # 17 (UDP)</span><br><span style="background:white">TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0%</span><br><span style="background:white">Top Source Port:</span><br><span style="background:white">. 61% Port # 3702</span><br><span style="background:white">. 38% Port # 0</span><br><span style="background:white">Top Destination Port:</span><br><span style="background:white">. 38% Port # 0</span><br><span style="background:white">. 14% Port # 45934</span><br><span style="background:white">. 9% Port # 23680</span><br><span style="background:white">. 8% Port # 35023</span><br><span style="background:white">. 7% Port # 25966</span><br><span style="background:white">Top Source IP:</span><br><span style="background:white">. 0% 112.164.127.17</span><br><span style="background:white">Number of unique IP: 7110</span><br><span style="background:white">Total Bytes : </span><a href="callto:1259961437" target="_blank">1259961437</a><br><span style="background:white">Total Packets : 1531559</span><br><span style="background:white">Duration : 4s</span><br><span style="background:white">Report Run Time : 151.3ms</span><br><br><span style="background:white">The 30 day null route count is: 0</span><br><span style="background:white">Number of hours to null route : 1</span><br><br><span style="background:white">Location : Chicago</span><br><span style="background:white">Event Time : </span><span class="object">2021-02-08</span><span style="background:white"> 04:02:38 CST (-0600)</span><br><span style="background:white">Destination IP: [Not hard to find, but redacted anyway]</span><br><span style="background:white">Traffic : 1817 Mbps 275483 pps</span><br><span style="background:white">Fragmentation : 13%</span><br><span style="background:white">Top Transport Protocol:</span><br><span style="background:white">. 99% Protocol # 17 (UDP)</span><br><span style="background:white">TCP Flag: SYN: 99% ACK: 0% RST: 0% FIN: 0%</span><br><span style="background:white">Top Source Port:</span><br><span style="background:white">. 56% Port # 3702</span><br><span style="background:white">. 43% Port # 0</span><br><span style="background:white">Top Destination Port:</span><br><span style="background:white">. 43% Port # 0</span><br><span style="background:white">. 19% Port # 25966</span><br><span style="background:white">. 19% Port # 35023</span><br><span style="background:white">. 17% Port # 23680</span><br><span style="background:white">Top Source IP:</span><br><span style="background:white">. 0% 90.49.167.239</span><br><span style="background:white">Number of unique IP: 3577</span><br><span style="background:white">Total Bytes : 953894831</span><br><span style="background:white">Total Packets : 1157017</span><br><span style="background:white">Duration : 4.199s</span><br><span style="background:white">Report Run Time : 306.8ms</span><br><br><span style="background:white">The 30 day null route count is: 0</span><br><span style="background:white">Number of hours to null route : 1</span><br><br><span style="background:white"> </span><br><span style="background:white">Liam Doring</span><br><span style="background:white">Systems Administrator</span></span><span style="color:black"></span></p><div><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br><br>-----<br>Mike Hammett<br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.ics-il.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">Intelligent Computing Solutions</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/ICSIL" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_1" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://plus.google.com/+IntelligentComputingSolutionsDeKalb" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_2" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.linkedin.com/company/intelligent-computing-solutions" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_3" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://twitter.com/ICSIL" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_4" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.midwest-ix.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">Midwest Internet Exchange</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/mdwestix" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_5" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.linkedin.com/company/midwest-internet-exchange" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_6" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://twitter.com/mdwestix" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_7" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.thebrotherswisp.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">The Brothers WISP</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/thebrotherswisp" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_8" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_9" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="color:black"></span></p></div><div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><hr size="2" width="100%" align="center"></span></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;font-family:"Helvetica",sans-serif;color:black">From: </span></b><span style="font-size:12.0pt;font-family:"Helvetica",sans-serif;color:black">"Mike Hammett" <nanog@ics-il.net><br><b>To: </b>"NANOG list" <nanog@nanog.org><br><b>Sent: </b>Monday, February 8, 2021 5:46:26 AM<br><b>Subject: </b>Retalitory DDoS</span><span style="color:black"></span></p><div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black;background:white">Is there a club for people that have been DDoSed? If so, count me in.</span><span style="color:black"></span></p><div><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="color:black"></span></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">This one was directed at me (as opposed to one of my customers) because I got an e-mail explaining why I was getting DDoSed. Is that aspect common?</span><span style="color:black"></span></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="color:black"></span></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">There were also some racial and sexual accusations that were made that clearly aren't true and just speak to the intelligence of people like this.</span><span style="color:black"></span></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="color:black"></span></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Is it safe to assume that they completely anonymized the email they sent to me?</span><span style="color:black"></span></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="color:black"></span></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">Is there anyone I should be reporting this to?</span><span style="color:black"></span></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="color:black"></span></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">I thought my site was running in Cloudflare, but my individual server was still attacked, so I gotta figure out where I screwed that up.</span><span style="color:black"></span></p></div></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="color:black"></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="color:black"></span></p></div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black">https://www.dropbox.com/s/rrrx90jvy09h26s/ICS%20DDoS.png?dl=0</span><span style="color:black"></span></p><div><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br><br>-----<br>Mike Hammett<br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.ics-il.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">Intelligent Computing Solutions</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/ICSIL" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_11" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://plus.google.com/+IntelligentComputingSolutionsDeKalb" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_12" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.linkedin.com/company/intelligent-computing-solutions" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_13" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://twitter.com/ICSIL" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_14" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.midwest-ix.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">Midwest Internet Exchange</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/mdwestix" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_15" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.linkedin.com/company/midwest-internet-exchange" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_16" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://twitter.com/mdwestix" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_17" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"><a href="http://www.thebrotherswisp.com/" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif">The Brothers WISP</span></a></span><span style="font-size:13.5pt;font-family:"Times New Roman",serif;color:black"><br></span><a href="https://www.facebook.com/thebrotherswisp" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_18" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><a href="https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg" target="_blank"><span style="font-size:13.5pt;font-family:"Times New Roman",serif;border:solid windowtext 1.0pt;padding:0cm;text-decoration:none"><img border="0" width="100" height="100" style="width:1.0416in;height:1.0416in" id="Picture_x0020_19" src="cid:~WRD0005.jpg" alt="Image removed by sender."></span></a><span style="color:black"></span></p></div></div></div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="color:black"></span></p></div></div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span><span style="color:black"></span></p></div></div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:black"> </span></p></div></div></div><br></div></body></html>