<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-CA link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Some industries can’t afford that extra delay by DDoS mitigation vendors.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>The video game industry is one of them and there might be others that can’t tolerate these extra ms. Telemedicine, video-conference, fintech, etc.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>As a side note, my former employer in video game was bidding for these vendors offering DDoS protection. While bidding, we were hit with abnormal patterns. As soon as we chose one vendors those very tricky DDoS patterns stopped.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>I am not saying they are working on both side, but still the coincidence was interesting. In the end, we never used them because they were not able to perfectly block the threat without impacting all the others projects.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>I think these mitigators are nice to have as a very last resort. I believe what is more important for Network Operators is: to be aware of this, to be able to detect it, mitigate it and/or minimize the impact. It’s like magic, where did that rabbit go?<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>The art of war taught me everything there is to know about DDoS attacks even if it was written some 2500 years ago.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>I suspect that the attack that impacted Baldur’s assets was a very easy DDoS to detect and block, but can’t confirm.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>@Baldur: do you care to share some metrics?<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Jean<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> NANOG <nanog-bounces+jean=ddostest.me@nanog.org> <b>On Behalf Of </b>Jean St-Laurent via NANOG<br><b>Sent:</b> May 21, 2021 10:52 AM<br><b>To:</b> 'Lady Benjamin Cannon of Glencoe, ASCE' <lb@6by7.net>; 'Baldur Norddahl' <baldur.norddahl@gmail.com><br><b>Cc:</b> 'NANOG Operators' Group' <nanog@nanog.org><br><b>Subject:</b> RE: DDoS attack with blackmail<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>I also recommend book Art of War from Sun Tzu.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>All the answers to your questions are in that book.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Jean<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> NANOG <<a href="mailto:nanog-bounces+jean=ddostest.me@nanog.org">nanog-bounces+jean=ddostest.me@nanog.org</a>> <b>On Behalf Of </b>Lady Benjamin Cannon of Glencoe, ASCE<br><b>Sent:</b> May 20, 2021 7:18 PM<br><b>To:</b> Baldur Norddahl <<a href="mailto:baldur.norddahl@gmail.com">baldur.norddahl@gmail.com</a>><br><b>Cc:</b> NANOG Operators' Group <<a href="mailto:nanog@nanog.org">nanog@nanog.org</a>><br><b>Subject:</b> Re: DDoS attack with blackmail<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>20 years ago I wrote an automatic teardrop attack. If your IP spammed us 5 times, then a script would run, knocking the remote host off the internet entirely.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Later I modified it to launch 1000 teardrop attacks/second…<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Today, contact the FBI.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>And get a mitigation service above your borders if you can.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><div><div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'>—L.B.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'>Ms. Lady Benjamin PD Cannon of Glencoe, ASCE<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'>6x7 Networks & 6x7 Telecom, LLC <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'>CEO <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'><a href="mailto:lb@6by7.net">lb@6by7.net</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'>"The only fully end-to-end encrypted global telecommunications company in the world.”<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'>FCC License KJ6FJJ<o:p></o:p></span></p></div></div></div><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black'><br></span><img border=0 width=32 height=32 style='width:.3333in;height:.3333in' id="_x0000_i1026" src="cid:245ADEA1-477E-4B5A-989E-9177BDB798AE"><img border=0 width=32 height=32 style='width:.3333in;height:.3333in' id="_x0000_i1025" src="cid:B186E2C6-EE26-4B99-A6BD-F71BFE6B78F4"><o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On May 20, 2021, at 12:26 PM, Baldur Norddahl <<a href="mailto:baldur.norddahl@gmail.com">baldur.norddahl@gmail.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Hello<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We got attacked by a group that calls themselves "Fancy Lazarus". They want payment in BC to not attack us again. The attack was a volume attack to our DNS and URL fetch from our webserver.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I am interested in any experience in fighting back against these guys.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Baldur<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>