forcing people to interact in person... a dangerous prospect in these times

On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <timreichh...@hometowncable.net> wrote:
> It seems like Facebook is also getting slow.
>
> ------------------------------
> -----Original Message-----
> From: "Travis Johnson" <t...@ida.net>
> To: af@afmug.com
> Date: 10/21/16 02:37 PM
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> This is still going right now... big and small websites and ISPs are unreachable and unresponsive. :(
>
> Travis
>
> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>
> Interesting, according to that, the ISP DNS servers are recruited as part of the attack on the victim's authoritative DNS servers, by sending queries from within the ISP's network.
>
> No spoofing, no amplification, no misconfigured DNS servers required, yet the ISP's DNS servers are used to send the attack traffic. All that is needed is a compromised IoT to send the query.
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of* Josh Baird
> *Sent:* Friday, October 21, 2016 12:42 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> Right - crap IoT devices on the Mirai botnet were responsible for shoving 620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take down OVH). No spoofing involved.
>
> Interesting article on the techniques used by Mirai:
>
> https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
>
> On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> wrote:
>
> The amplifier would receive a query from a spoofed IP address, and respond using a legit IP address. So the attacker needs to control some computers that can spoof the victim's IP address, but the actual attack traffic comes from the amplifiers using legit source IPs.
>
> In the case of IoT botnets, I'm not sure any spoofing is required.
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of* Josh Baird
> *Sent:* Friday, October 21, 2016 12:21 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> It's a good start. It attempts to prevent spoofed traffic originating from your network to leave your network (or BCP38).
>
> On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>
> It can't be that simple...can it?
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net> wrote:
>
> /ip firewall address-list
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"
>
> /ip firewall filter
> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"
>
> That was largely composed off of the top of my head and typed on my phone, so it may not be completely accurate.
>
> You should also do it on customer-facing ports not allowing anything to come in, but that would be best approached once Mikrotik adds the per-interface setting for unicast reverse path filtering. You would then set customer-facing interfaces to strict and all other interfaces to loose. They accepted the feature request, just haven't implemented it yet.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> ------------------------------
>
> *From:* "Mike Hammett" <af...@ics-il.net>
> *To:* af@afmug.com
> *Sent:* Friday, October 21, 2016 11:21:35 AM
> *Subject:* [AFMUG] Another large DDoS, Stop Being a Dick
>
> There's another large DDoS going on now. Go to this page to see if you can be used for UDP amplification (or other spoofing) attacks:
>
> https://www.caida.org/projects/spoofer/
>
> Go to these pages for more longer term bad behavior monitoring:
>
> https://www.shadowserver.org/wiki/
> https://radar.qrator.net/
>
> Maybe we need to start a database of ASNs WISPs are using and start naming and shaming them when they have bad actors on their network. This is serious, people. Take it seriously.
>
> -----
> Mike Hammett

--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
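
The egress check discussed in this thread, modelled in Python as an added example (not code from any poster in the thread). The prefixes and packets are constructed; only the names Public-IPs and To-Upstream come from the thread. It also shows the point made about IoT botnets: a compromised device sending from its real address passes the filter.

```python
import ipaddress

# Constructed prefixes (documentation ranges) standing in for the "Public-IPs" list.
PUBLIC_IPS = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/25")]
UPSTREAM = "To-Upstream"


def in_public_ips(addr):
    """True if addr falls inside one of our own announced prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PUBLIC_IPS)


def egress_action(src, out_interface):
    """BCP38 egress check: on the upstream interface, drop any packet whose
    source address is not one of our own prefixes."""
    if out_interface == UPSTREAM and not in_public_ips(src):
        return "drop"
    return "accept"


# Constructed sample packets: (description, src, dst, out_interface)
PACKETS = [
    ("customer web request", "198.51.100.20", "192.0.2.80", UPSTREAM),
    ("spoofed query to an amplifier", "192.0.2.53", "192.0.2.200", UPSTREAM),
    ("compromised IoT device, real source", "203.0.113.77", "192.0.2.53", UPSTREAM),
    ("private source leaking upstream", "10.0.0.5", "192.0.2.80", UPSTREAM),
    ("private source staying internal", "10.0.0.5", "198.51.100.9", "To-Tower"),
]


def classify(packets):
    """Map each packet description to the filter's decision."""
    return {desc: egress_action(src, out) for desc, src, _dst, out in packets}


if __name__ == "__main__":
    for desc, action in classify(PACKETS).items():
        print(f"{action:6} {desc}")
```

The filter removes the spoofed and leaked-private sources but accepts the compromised device's query, so source validation addresses amplification attacks and has to be paired with other controls for botnet traffic sent from legitimate addresses.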