
Re: Reflection DDoS last week
Hi,

Same happened in Lebanon (country). Similar pattern: carpet bombing for
multiple prefixes of a specific ASN.
I suspect it is a new trend in DDoS-for-hire, and ISPs who did not
install data scrubbing appliances will feel severe pain from such
attacks, since they use SYN+ACK from legit servers.


On 2019-08-21 22:44, Töma Gavrichenkov wrote:
> Peace,
>
> Here's to confirm that the pattern reported before in NANOG was indeed
> a reflection DDoS attack. On Sunday, it also hit our customer, here's
> the report:
>
> https://www.prnewswire.com/news-releases/root-cause-analysis-and-incident-report-on-the-august-ddos-attack-300905405.html
>
> tl;dr: basically that was a rather massive reflected SYN/ACK carpet
> bombing against several datacenter prefixes (no particular target was
> identified).
>
> --
> Töma
>
> On Sat, Aug 17, 2019, 1:06 AM Jim Shankland <nanog@shankland.org>
> wrote:
>
>> Greetings,
>>
>> I'm seeing slow-motion (a few per second, per IP/port pair) syn flood
>> attacks ostensibly originating from 3 NL-based IP blocks:
>> 88.208.0.0/18, 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" because
>> ... syn flood, and BCP 38 not yet fully adopted).
>>
>> Why is this syn flood different from all other syn floods? Well ...
>>
>> 1. Rate seems too slow to do any actual damage (is anybody really
>> bothered by a few bad SYN packets per second per service, at this
>> point?); but
>>
>> 2. IPs/port combinations with actual open services are being targeted
>> (I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs
>> with those services running), implying somebody checked for open
>> services first;
>>
>> 3. I'm seeing this in at least 2 locations, to addresses in different,
>> completely unrelated ASes, implying it may be pretty widespread.
>>
>> Is anybody else seeing the same thing? Any thoughts on what's going
>> on?
>> Or should I just be ignoring this and getting on with the weekend?
>>
>> Jim
>
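Added example, not written by anyone in this thread: a small Python detector for the pattern described in the first post and in Jim's quoted message, that is, SYN/ACKs arriving for which no SYN was ever sent, spread across many addresses of one prefix and coming from legitimate servers on ports such as 22, 443 and 53. The flow records, addresses and field layout are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow records: (direction, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# as seen at the edge of a hypothetical 192.0.2.0/24 network. "S" = SYN, "SA" = SYN/ACK.
SAMPLE = [
    # legitimate handshake: our SYN goes out, the peer's SYN/ACK comes back
    ("out", "192.0.2.5", 51000, "203.0.113.10", 443, "S"),
    ("in", "203.0.113.10", 443, "192.0.2.5", 51000, "SA"),
    # reflected SYN/ACKs: five hosts in the prefix hit from five reflectors on 22/443/53
    ("in", "203.0.113.20", 22, "192.0.2.1", 40001, "SA"),
    ("in", "203.0.113.21", 443, "192.0.2.2", 40002, "SA"),
    ("in", "203.0.113.22", 53, "192.0.2.3", 40003, "SA"),
    ("in", "203.0.113.23", 443, "192.0.2.4", 40004, "SA"),
    ("in", "203.0.113.24", 22, "192.0.2.6", 40005, "SA"),
    # one stray SYN/ACK in another prefix: unsolicited, but not carpet bombing
    ("in", "203.0.113.30", 443, "198.51.100.7", 40006, "SA"),
]

def unsolicited_synacks(records):
    """Inbound SYN/ACKs with no matching outbound SYN from us.

    The reflector answered a SYN that carried our address as its source, so
    that SYN was spoofed; the reflector itself is a legitimate server."""
    sent = {(s, sp, d, dp) for dirn, s, sp, d, dp, f in records
            if dirn == "out" and f == "S"}
    return [(s, sp, d, dp) for dirn, s, sp, d, dp, f in records
            if dirn == "in" and f == "SA" and (d, dp, s, sp) not in sent]

def carpet_bombing_prefixes(hits, prefixlen=24, min_targets=4):
    """Group unsolicited SYN/ACKs by destination prefix.

    A prefix in which many distinct addresses receive reflected SYN/ACKs,
    from many reflectors and service ports, matches the carpet-bombing
    pattern rather than an attack on a single host."""
    by_prefix = defaultdict(lambda: {"targets": set(), "reflectors": set(), "ports": set()})
    for src, sport, dst, _dport in hits:
        net = str(ip_network(f"{dst}/{prefixlen}", strict=False))
        by_prefix[net]["targets"].add(dst)
        by_prefix[net]["reflectors"].add(src)
        by_prefix[net]["ports"].add(sport)
    return {net: v for net, v in by_prefix.items() if len(v["targets"]) >= min_targets}

if __name__ == "__main__":
    for net, v in carpet_bombing_prefixes(unsolicited_synacks(SAMPLE)).items():
        print(net, len(v["targets"]), "targets from", len(v["reflectors"]),
              "reflectors on ports", sorted(v["ports"]))
```

Because the check is "SYN/ACK without our own SYN", it does not flag the reflectors as hostile, which matches the thread's point that the answering servers are legitimate and the spoofed source is the real problem.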
Re: Reflection DDoS last week
On 2019-08-28 02:23, Damian Menscher via NANOG wrote:
> On Wed, Aug 21, 2019 at 3:21 PM Töma Gavrichenkov <ximaera@gmail.com>
> wrote:
>
>> On Thu, Aug 22, 2019 at 12:17 AM Damian Menscher <damian@google.com>
>> wrote:
>>> Some additional questions, if you're able to answer them (off-list
>>> is fine if there are things that can't be shared broadly):
>>> - Was the attack referred to law enforcement?
>>
>> It is being referred to now. This would most probably get going under
>> the jurisdiction of the Netherlands.
>
> Deeper analysis and discussion indicates there were several victims:
> we saw brief attacks targeting some of our cloud customers with
> syn-ack peaks above 125 Mpps; another provider reported seeing 275 Mpps
> sustained. So presumably there are a few law enforcement
> investigations under way, in various jurisdictions.
>
>>> - Were any transit providers asked to trace the
>>> source of the spoofing to either stop the attack
>>> or facilitate the law enforcement investigation?
>>
>> No.... tracing the source was not deemed a high priority task.
>
> Fair enough. I just didn't want to duplicate effort.
>
> The source of the spoofing has been traced. The responsible hosting
> provider has kicked off their problem customer, and is exploring the
> necessary filtering to prevent a recurrence.
>
> If anyone sees more of this style of attack please send up a flare so
> the community knows to track down the new source.
>
> Damian

One of my clients suffered from such attacks.
And you know what the secondary harm is? The typical false flag issue.
Even if you have a decent DDoS protection setup, it is highly likely that
the administrators of the involuntary reflectors will not puzzle over what
to do with this; they will simply block your subnet/ASN.
For example, the attacker spoofs hosting operator subnets and does a SYN
flood to all credit card processing gateways, and sure enough the legit
hosting gets SYN+ACK.
And this hosting, after suffering to block this SYN+ACK reflection, will
find an unpleasant thing: not a single credit card processing gateway is
available from its subnets.
Good examples are EA Games, Rockstar, fs.com, of those who just set a static
ACL