I may be traumatized until November 9.

bp
<part15sbs{at}gmail{dot}com>

On 10/21/2016 11:48 AM, That One Guy /sarcasm wrote:
forcing people to interact in person... a dangerous prospect in these times

On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <timreichh...@hometowncable.net <mailto:timreichh...@hometowncable.net>> wrote:

    It seems like facebook is also getting slow.

        ------------------------------------------------------------------------
        -----Original Message-----
        From: "Travis Johnson" <t...@ida.net <mailto:t...@ida.net>>
        To: af@afmug.com <mailto:af@afmug.com>
        Date: 10/21/16 02:37 PM
        Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

        This is still going right now... big and small websites and
        ISPs are unreachable and unresponsive. :(

        Travis


        On 10/21/2016 12:19 PM, Ken Hohhof wrote:

        Interesting, according to that, the ISP DNS servers are
        recruited as part of the attack on the victim's authoritative
        DNS servers, by sending queries from within the ISP's network.

        No spoofing, no amplification, no misconfigured DNS servers
        required, yet the ISP's DNS servers are used to send the
        attack traffic. All that is needed is a compromised IoT to
        send the query.

        *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of* Josh
        Baird
        *Sent:* Friday, October 21, 2016 12:42 PM
        *To:* af@afmug.com <mailto:af@afmug.com>
        *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick

        Right - crap IoT devices on the Mirai botnet were responsible
        for shoving 620+Gbps of traffic at Akamai to take down Krebs
        (and over 1Tbps to take down OVH). No spoofing involved.

        Interesting article on the techniques used by Mirai:

        https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937

        On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com
        <mailto:af...@kwisp.com>> wrote:

            The amplifier would receive a query from a spoofed IP
            address, and respond using a legit IP address. So the
            attacker needs to control some computers that can spoof
            the victim's IP address, but the actual attack traffic
            comes from the amplifiers using legit source IPs.

            In the case of IoT botnets, I'm not sure any spoofing is
            required.

            *From:* Af [mailto:af-boun...@afmug.com
            <mailto:af-boun...@afmug.com>] *On Behalf Of* Josh Baird
            *Sent:* Friday, October 21, 2016 12:21 PM
            *To:* af@afmug.com <mailto:af@afmug.com>
            *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick

            It's a good start. It attempts to prevent spoofed traffic
            originating from your network to leave your network (or
            BCP38).

            On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman
            <j...@imaginenetworksllc.com
            <mailto:j...@imaginenetworksllc.com>> wrote:

                It can't be that simple...can it?


                Josh Luthman
                Office: 937-552-2340
                Direct: 937-552-2343
                1100 Wayne St
                Suite 1337
                Troy, OH 45373

                On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett
                <af...@ics-il.net <mailto:af...@ics-il.net>> wrote:

                    /ip firewall address-list
                    add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
                    add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"

                    /ip firewall filter
                    # Egress anti-spoofing (BCP38): toward the upstream, drop any packet whose
                    # SOURCE address is not one of our own prefixes (src-address-list, not dst-).
                    add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!Public-IPs

                    That was largely composed off of the top of my
                    head and typed on my phone, so it may not be
                    completely accurate.


                    You should also do it on customer-facing ports,
                    not allowing anything to come in, but that would
                    be best approached once Mikrotik has the
                    per-interface setting for unicast reverse path
                    filtering. You would then set said customer-facing
                    interfaces to strict and all other interfaces to
                    loose. They accepted the feature request, just
                    haven't implemented it yet.



                    -----
                    Mike Hammett
                    Intelligent Computing Solutions <http://www.ics-il.com/>
                    Midwest Internet Exchange <http://www.midwest-ix.com/>
                    The Brothers WISP <http://www.thebrotherswisp.com/>

                    
------------------------------------------------------------------------

                    *From:* "Mike Hammett" <af...@ics-il.net
                    <mailto:af...@ics-il.net>>
                    *To:* af@afmug.com <mailto:af@afmug.com>
                    *Sent:* Friday, October 21, 2016 11:21:35 AM
                    *Subject:* [AFMUG] Another large DDoS, Stop Being
                    a Dick

                    There's another large DDoS going on now. Go to
                    this page to see if you can be used for UDP
                    amplification (or other spoofing) attacks:

                    https://www.caida.org/projects/spoofer/

                    Go to these pages for longer-term bad
                    behavior monitoring:

                    https://www.shadowserver.org/wiki/
                    https://radar.qrator.net/


                    Maybe we need to start a database of ASNs WISPs
                    are using and start naming and shaming them when
                    they have bad actors on their network. This is
                    serious, people. Take it seriously.



                    -----
                    Mike Hammett
                    Intelligent Computing Solutions





--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
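The thread contrasts two anti-spoofing controls: Mike's egress address-list rule on the upstream port (BCP38) and the per-interface unicast RPF he wants from Mikrotik (strict on customer ports, loose elsewhere). The following is an added example, not code from the AFMUG thread nor a MikroTik script; it models both checks in Python so the difference shows up on constructed packets. All prefixes, interface names, routes and the per-interface uRPF policy are made up for the demonstration (documentation ranges 203.0.113.0/24, 198.51.100.0/25 and 192.0.2.0/24).

```python
# Added example (not from the AFMUG thread, not MikroTik code): models the two
# anti-spoofing checks the thread discusses, so their behaviour can be compared
# on constructed packets. All prefixes, interfaces and routes are made up.
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed: prefixes this network is allowed to source (the "Public-IPs" list).
PUBLIC_IPS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed FIB: prefix -> egress interface. Customer prefixes sit behind
# customer-facing ports; 192.0.2.0/24 stands in for a prefix learned from the
# upstream; everything else falls to the default route.
FIB = {
    ip_network("203.0.113.0/24"): "cust-A",
    ip_network("198.51.100.0/25"): "cust-B",
    ip_network("192.0.2.0/24"): "To-Upstream",
    ip_network("0.0.0.0/0"): "To-Upstream",
}

# Constructed per-interface uRPF policy: strict on a customer port, loose on
# the upstream. cust-A deliberately has no uRPF, modelling a platform that
# only offers the egress address-list rule so far.
URPF_MODE = {"cust-B": "strict", "To-Upstream": "loose"}


def best_route(addr: IPv4Address):
    """Longest-prefix match over FIB; returns (network, interface) or None."""
    matches = [(net, ifc) for net, ifc in FIB.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def bcp38_egress(src: IPv4Address, out_iface: str) -> str:
    """Egress filter on the upstream port: only our own prefixes may leave.
    Equivalent to a forward-chain drop with src-address-list=!Public-IPs."""
    if out_iface != "To-Upstream":
        return "accept"
    return "accept" if any(src in net for net in PUBLIC_IPS) else "drop"


def urpf_ingress(src: IPv4Address, in_iface: str) -> str:
    """Unicast RPF on the receiving interface.
    strict: the return route to src must point back out of in_iface.
    loose:  some non-default route to src must exist (catches unrouted
            sources, but not a customer spoofing a neighbouring customer)."""
    mode = URPF_MODE.get(in_iface, "off")
    if mode == "off":
        return "accept"
    route = best_route(src)
    if route is None or route[0].prefixlen == 0:   # only the default matched
        return "drop"
    if mode == "strict" and route[1] != in_iface:
        return "drop"
    return "accept"


def forward(src: str, dst: str, in_iface: str) -> str:
    """Run one packet through ingress uRPF, routing, then BCP38 egress."""
    s, d = ip_address(src), ip_address(dst)
    if urpf_ingress(s, in_iface) == "drop":
        return "drop (uRPF on %s)" % in_iface
    out = best_route(d)[1]
    if bcp38_egress(s, out) == "drop":
        return "drop (BCP38 on %s)" % out
    return "forward via %s" % out


if __name__ == "__main__":
    # Constructed packets: a genuine customer flow, a customer spoofing an
    # outside address, a customer spoofing its neighbour (from a port with and
    # without uRPF), and an unrouted source arriving from the upstream.
    for pkt in [("203.0.113.10", "192.0.2.53", "cust-A"),
                ("8.8.8.8", "192.0.2.53", "cust-A"),
                ("198.51.100.5", "192.0.2.53", "cust-A"),
                ("203.0.113.77", "192.0.2.53", "cust-B"),
                ("10.9.9.9", "203.0.113.10", "To-Upstream"),
                ("192.0.2.53", "203.0.113.10", "To-Upstream")]:
        print(pkt, "->", forward(*pkt))
```

The egress list stops a customer sourcing an address outside the network, but it cannot stop one customer spoofing another customer's prefix, since that address is in the list; only strict uRPF on the customer port catches that, which is why the thread pairs strict mode with customer-facing interfaces. Strict mode on the upstream would discard legitimate asymmetric traffic, so loose mode (a route to the source must exist) is the usual choice there; in this model the default route does not satisfy loose mode, so it is only meaningful where routes to real sources are actually present.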
