Well, lots of theories. Another is it’s retaliation against Dyn for publicly calling out BackConnect for BGP spoofing. One guy posted very authoritatively on Broadband Reports that the real target was Comcast because … data caps.
I’m not sure I buy that WikiLeaks attacked Dyn because of the Ecuador thing. For one thing, WikiLeaks does leaks, DDoS attacks is more like Anonymous. But probably you’re saying it’s Russia. Hmmmm, that seems like quite an escalation, since Assange losing his WiFi in the embassy is hardly going to stop Wikileaks unless there’s a lot bigger cyber attack on Wikileaks than has been reported. I heard someone on the radio say after Ecuador took away Assange’s Internet privileges, “be sure to lock your Ecuadors and windows”. One thing we can probably all agree on is that it was just a matter of time before somebody DDoS’d the whole Internet. The capability has probably been there for awhile and it’s almost surprising it took this long. Nobody seemed to want to do anything about the DDoS problem when it was just gamer kids booting each other and DD4BC and little WISPs getting blown off the air because they couldn’t mitigate 1 Gb+ attacks. I hope someone has been thinking about what to do when they start blowing the whole Internet off the air on a daily basis. From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tim Reichhart Sent: Friday, October 21, 2016 4:14 PM To: af@afmug.com Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick <https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0ahUKEwiWw6Pz5-zPAhULw4MKHXxzAdEQqQIIIzAC&url=http%3A%2F%2Fwww.nbcnews.com%2Fnews%2Fus-news%2Fu-s-urged-ecuador-act-against-assange-n669271&usg=AFQjCNFuBoBAn34nGg1E9PfoLvURndTCFQ> I say this major ddos attack is sure blow back on what US told Ecuador to Act Against WikiLeaks Leader. _____ -----Original Message----- From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com <mailto:thatoneguyst...@gmail.com> > To: af@afmug.com <mailto:af@afmug.com> Date: 10/21/16 05:06 PM Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick i think there are only two hackers left, the rest are script kiddies half of these mopes calling themselves "hackers" have little education, hacking quite often requires a high degree of mathmatics capability, most of these l77t "hackers" cant even multiply On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org <mailto:p...@paulstewart.org> > wrote: Good point … and totally agree that the word "hacking" used to mean something - now it just kinda makes people laugh and not take it seriously at all anymore… On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com <mailto:af...@kwisp.com> > wrote: I think his point was that a denial of service attack is not hacking. I just heard on the radio someone was asking, if I try to use Twitter and it doesn't work because of this attack, is my computer how hacked? Even stuff that rightly gets called hacking is an insult to hackers. Like if your webcam is on a public IP address and I guess that the password is 1234, and that gets me root access to install whatever I want, it hardly seems right to call that hacking. But taking down a site by flooding it (or its authoritative DNS servers) with traffic is not the same as hacking the site. From: Af [ <mailto:af-boun...@afmug.com> mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart Sent: Friday, October 21, 2016 3:34 PM To: <mailto:af@afmug.com> af@afmug.com Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick Agree…. it should be focused on end users better securing themselves …. On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm < <mailto:thatoneguyst...@gmail.com> thatoneguyst...@gmail.com> wrote: Im getting irritated by news reports calling this hacking. That term has been so obfuscated by dimwits that it has no value On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman < <mailto:j...@imaginenetworksllc.com> j...@imaginenetworksllc.com> wrote: It works great for me 90% of the time. The other 10% it refuses to function at all. Josh Luthman Office: <http://tel:937-552-2340> 937-552-2340 Direct: <http://tel:937-552-2343> 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart < <mailto:p...@paulstewart.org> p...@paulstewart.org> wrote: LOL …. scary shit…. Facebook being slow isn't anything new in my experience … they have to be having a hard time keeping up sometimes …. last I heard they were adding something around 200-300 new servers a day in each data centre On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm < <mailto:thatoneguyst...@gmail.com> thatoneguyst...@gmail.com> wrote: forcing people to interact in person... a dangerous prospect in these times On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart < <mailto:timreichh...@hometowncable.net> timreichh...@hometowncable.net> wrote: It seems like facebook is also getting slow. _____ -----Original Message----- From: "Travis Johnson" < <mailto:t...@ida.net> t...@ida.net> To: <mailto:af@afmug.com> af@afmug.com Date: 10/21/16 02:37 PM Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick This is still going right now... big and small websites and ISP's are unreachable and unresponsive. :( Travis On 10/21/2016 12:19 PM, Ken Hohhof wrote: Interesting, according to that, the ISP DNS servers are recruited as part of the attack on the victim's authoritative DNS servers, by sending queries from within the ISP's network. No spoofing, no amplification, no misconfigured DNS servers required, yet the ISP's DNS servers are used to send the attack traffic. All that is needed is a compromised IoT to send the query. From: Af [ <mailto:af-boun...@afmug.com> mailto:af-boun...@afmug.com] On Behalf Of Josh Baird Sent: Friday, October 21, 2016 12:42 PM To: <mailto:af@afmug.com> af@afmug.com Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick Right - crap IoT devices on the Mirai botnet were responsible for shoving 620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take down OVH). No spoofing involved. Interesting article on the techniques used by Mirai: <https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937> https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937 On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof < <mailto:af...@kwisp.com> af...@kwisp.com> wrote: The amplifier would receive a query from a spoofed IP address, and respond using a legit IP address. So the attacker needs to control some computers that can spoof the victim's IP address, but the actual attack traffic comes from the amplifiers using legit source IPs. In the case of IoT botnets, I'm not sure any spoofing is required. From: Af [mailto: <mailto:af-boun...@afmug.com> af-boun...@afmug.com] On Behalf Of Josh Baird Sent: Friday, October 21, 2016 12:21 PM To: <mailto:af@afmug.com> af@afmug.com Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick It's a good start. It attempts to prevent spoofed traffic originating from your network to leave your network (or BCP38). On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman < <mailto:j...@imaginenetworksllc.com> j...@imaginenetworksllc.com> wrote: It can't be that simple...can it? Josh Luthman Office: <http://tel:937-552-2340> 937-552-2340 Direct: <http://tel:937-552-2343> 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett < <mailto:af...@ics-il.net> af...@ics-il.net> wrote: /ip firewall address-list add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs" add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs" /ip firewall filter add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" dst-address-list=!"Public-IPs" That was largely composed off of the top of my head and typed on my phone, so it may not be completely accurate. You should also do it on customer-facing ports not allowing anything to come in, but that would be best approached once Mikrotik and the per interface setting for unicast reverse path filtering. You would then said customer facing interfaces to strict and all other interfaces to loose. They accepted the feature request, just haven't implemented it yet. ----- Mike Hammett <http://www.ics-il.com/> Intelligent Computing Solutions <https://www.facebook.com/ICSIL> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> <https://www.linkedin.com/company/intelligent-computing-solutions> <https://twitter.com/ICSIL> <http://www.midwest-ix.com/> Midwest Internet Exchange <https://www.facebook.com/mdwestix> <https://www.linkedin.com/company/midwest-internet-exchange> <https://twitter.com/mdwestix> <http://www.thebrotherswisp.com/> The Brothers WISP <https://www.facebook.com/thebrotherswisp> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> _____ From: "Mike Hammett" < <mailto:af...@ics-il.net> af...@ics-il.net> To: <mailto:af@afmug.com> af@afmug.com Sent: Friday, October 21, 2016 11:21:35 AM Subject: [AFMUG] Another large DDoS, Stop Being a Dick There's another large DDoS going on now. Go to this page to see if you can be used for UDP amplification (or other spoofing) attacks: <https://www.caida.org/projects/spoofer/> https://www.caida.org/projects/spoofer/ Go to these pages for more longer term bad behavior monitoring: <https://www.shadowserver.org/wiki/> https://www.shadowserver.org/wiki/ <https://radar.qrator.net/> https://radar.qrator.net/ Maybe we need to start a database of ASNs WISPs are using and start naming and shaming them when they have bad actors on their network. This is serious, people. Take it seriously. ----- Mike Hammett <http://www.ics-il.com/> Intelligent Computing Solutions <https://www.facebook.com/ICSIL> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> <https://www.linkedin.com/company/intelligent-computing-solutions> <https://twitter.com/ICSIL> <http://www.midwest-ix.com/> Midwest Internet Exchange <https://www.facebook.com/mdwestix> <https://www.linkedin.com/company/midwest-internet-exchange> <https://twitter.com/mdwestix> <http://www.thebrotherswisp.com/> The Brothers WISP <https://www.facebook.com/thebrotherswisp> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> -- If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team. -- If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team. -- If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
