<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
span.object
        {mso-style-name:object;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-CA link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Nice report,<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>If you had to pick just one vector out of this “multi-vector” attack, which one seems to be the one that had the bigger effect on your network or service?<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Was it degraded service or a total service interruption?<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Jean<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> NANOG &lt;nanog-bounces+jean=ddostest.me@nanog.org&gt; <b>On Behalf Of </b>Mike Hammett<br><b>Sent:</b> February 8, 2021 8:43 AM<br><b>To:</b> NANOG list &lt;nanog@nanog.org&gt;<br><b>Subject:</b> Re: Retalitory DDoS<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:13.5pt;font-family:"Courier New";color:black;background:white'>Mike,</span><span style='font-size:13.5pt;font-family:"Courier New";color:black'><br><br><span style='background:white'>I've attached the full information we got from our DDOS protection system below.</span><br><br><span style='background:white'>We had a large number of ping loss and data loss tickets begin opening up for devices sharing the cabinet chi18-313. 
The high traffic and interference was determined to be caused by incoming traffic to the ip address [Not hard to find, but redacted anyway]. Our network engineers will be back in after 9am until 5pm CST. They have greater access to the network and may be able to give you more details.</span><br><br><span style='background:white'>Location : Chicago</span><br><span style='background:white'>Event Time : </span><span class=object>2021-02-08</span><span style='background:white'> 04:17:38 CST (-0600)</span><br><span style='background:white'>Destination IP: [Not hard to find, but redacted anyway]</span><br><span style='background:white'>Traffic : 2520 Mbps 382880 pps</span><br><span style='background:white'>Fragmentation : 11%</span><br><span style='background:white'>Top Transport Protocol:</span><br><span style='background:white'>. 99% Protocol # 17 (UDP)</span><br><span style='background:white'>TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0%</span><br><span style='background:white'>Top Source Port:</span><br><span style='background:white'>. 61% Port # 3702</span><br><span style='background:white'>. 38% Port # 0</span><br><span style='background:white'>Top Destination Port:</span><br><span style='background:white'>. 38% Port # 0</span><br><span style='background:white'>. 14% Port # 45934</span><br><span style='background:white'>. 9% Port # 23680</span><br><span style='background:white'>. 8% Port # 35023</span><br><span style='background:white'>. 7% Port # 25966</span><br><span style='background:white'>Top Source IP:</span><br><span style='background:white'>. 
0% 112.164.127.17</span><br><span style='background:white'>Number of unique IP: 7110</span><br><span style='background:white'>Total Bytes : 1259961437</span><br><span style='background:white'>Total Packets : 1531559</span><br><span style='background:white'>Duration : 4s</span><br><span style='background:white'>Report Run Time : 151.3ms</span><br><br><span style='background:white'>The 30 day null route count is: 0</span><br><span style='background:white'>Number of hours to null route : 1</span><br><br><span style='background:white'>Location : Chicago</span><br><span style='background:white'>Event Time : </span><span class=object>2021-02-08</span><span style='background:white'> 04:02:38 CST (-0600)</span><br><span style='background:white'>Destination IP: [Not hard to find, but redacted anyway]</span><br><span style='background:white'>Traffic : 1817 Mbps 275483 pps</span><br><span style='background:white'>Fragmentation : 13%</span><br><span style='background:white'>Top Transport Protocol:</span><br><span style='background:white'>. 99% Protocol # 17 (UDP)</span><br><span style='background:white'>TCP Flag: SYN: 99% ACK: 0% RST: 0% FIN: 0%</span><br><span style='background:white'>Top Source Port:</span><br><span style='background:white'>. 56% Port # 3702</span><br><span style='background:white'>. 43% Port # 0</span><br><span style='background:white'>Top Destination Port:</span><br><span style='background:white'>. 43% Port # 0</span><br><span style='background:white'>. 19% Port # 25966</span><br><span style='background:white'>. 19% Port # 35023</span><br><span style='background:white'>. 17% Port # 23680</span><br><span style='background:white'>Top Source IP:</span><br><span style='background:white'>. 
0% 90.49.167.239</span><br><span style='background:white'>Number of unique IP: 3577</span><br><span style='background:white'>Total Bytes : 953894831</span><br><span style='background:white'>Total Packets : 1157017</span><br><span style='background:white'>Duration : 4.199s</span><br><span style='background:white'>Report Run Time : 306.8ms</span><br><br><span style='background:white'>The 30 day null route count is: 0</span><br><span style='background:white'>Number of hours to null route : 1</span><br><br><span style='background:white'> </span><br><span style='background:white'>Liam Doring</span><br><span style='background:white'>Systems Administrator</span></span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Times New Roman",serif;color:black'><br><br>-----<br>Mike Hammett<br></span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><a href="http://www.ics-il.com/" target="_blank"><span style='font-size:13.5pt;font-family:"Times New Roman",serif'>Intelligent Computing Solutions</span></a></span><span style='font-size:13.5pt;font-family:"Times New Roman",serif;color:black'><br></span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><a href="http://www.midwest-ix.com/" target="_blank"><span style='font-size:13.5pt;font-family:"Times New Roman",serif'>Midwest Internet Exchange</span></a></span><span style='font-size:13.5pt;font-family:"Times New Roman",serif;color:black'><br></span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><a href="http://www.thebrotherswisp.com/" target="_blank"><span style='font-size:13.5pt;font-family:"Times New Roman",serif'>The Brothers WISP</span></a></span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p></o:p></span></p></div><div class=MsoNormal align=center style='text-align:center'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><hr size=2 width="100%" align=center id=zwchr></span></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:12.0pt;font-family:"Helvetica",sans-serif;color:black'>From: </span></b><span style='font-size:12.0pt;font-family:"Helvetica",sans-serif;color:black'>"Mike Hammett" &lt;nanog@ics-il.net&gt;<br><b>To: </b>"NANOG list" &lt;nanog@nanog.org&gt;<br><b>Sent: </b>Monday, February 8, 2021 
5:46:26 AM<br><b>Subject: </b>Retalitory DDoS<o:p></o:p></span></p><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black;background:white'>Is there a club for people that have been DDoSed? If so, count me in.</span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p></o:p></span></p><div><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'>This one was directed at me (as opposed to one of my customers) because I got an e-mail explaining why I was getting DDoSed. Is that aspect common?<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'>There were also some racial and sexual accusations that were made that clearly aren't true and just speak to the intelligence of people like this.<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'>Is it safe to assume that they completely anonymized the email they sent to me?<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'>Is there anyone I should be reporting this to?<o:p></o:p></span></p></div><div><p 
class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'>I thought my site was running in Cloudflare, but my individual server was still attacked, so I gotta figure out where I screwed that up.<o:p></o:p></span></p></div></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'>https://www.dropbox.com/s/rrrx90jvy09h26s/ICS%20DDoS.png?dl=0<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Times New Roman",serif;color:black'><br><br>-----<br>Mike Hammett<br></span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><a href="http://www.ics-il.com/" target="_blank"><span style='font-size:13.5pt;font-family:"Times New Roman",serif'>Intelligent Computing Solutions</span></a></span><span style='font-size:13.5pt;font-family:"Times New Roman",serif;color:black'><br></span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><a href="http://www.midwest-ix.com/" target="_blank"><span style='font-size:13.5pt;font-family:"Times New Roman",serif'>Midwest Internet Exchange</span></a></span><span style='font-size:13.5pt;font-family:"Times New Roman",serif;color:black'><br></span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><a href="http://www.thebrotherswisp.com/" target="_blank"><span style='font-size:13.5pt;font-family:"Times New Roman",serif'>The Brothers WISP</span></a></span><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p></o:p></span></p></div></div></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></p></div></div></body></html>