Yup, and while that sounds absolutely crazy in one regard, it’s scary and real 
in another…

There was a study (can’t find it at the moment) done that was in reference to a 
600Gb/s attack through NTP amplification, and it showed that only 1-2% of 
*vulnerable* devices participated in the attack … “what if” 50% of those 
devices were participating kind of thing

> On Oct 21, 2016, at 5:50 PM, Ken Hohhof <af...@kwisp.com> wrote:
> 
> Well, lots of theories.  Another is it’s retaliation against Dyn for publicly 
> calling out BackConnect for BGP spoofing.  One guy posted very 
> authoritatively on Broadband Reports that the real target was Comcast because 
> … data caps.
>  
> I’m not sure I buy that WikiLeaks attacked Dyn because of the Ecuador thing.  
> For one thing, WikiLeaks does leaks, DDoS attacks is more like Anonymous.  
> But probably you’re saying it’s Russia.  Hmmmm, that seems like quite an 
> escalation, since Assange losing his WiFi in the embassy is hardly going to 
> stop Wikileaks unless there’s a lot bigger cyber attack on Wikileaks than has 
> been reported.
>  
> I heard someone on the radio say after Ecuador took away Assange’s Internet 
> privileges, “be sure to lock your Ecuadors and windows”.
>  
> One thing we can probably all agree on is that it was just a matter of time 
> before somebody DDoS’d the whole Internet.  The capability has probably been 
> there for awhile and it’s almost surprising it took this long.  Nobody seemed 
> to want to do anything about the DDoS problem when it was just gamer kids 
> booting each other and DD4BC and little WISPs getting blown off the air 
> because they couldn’t mitigate 1 Gb+ attacks.  I hope someone has been 
> thinking about what to do when they start blowing the whole Internet off the 
> air on a daily basis.
>  
> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
> Behalf Of Tim Reichhart
> Sent: Friday, October 21, 2016 4:14 PM
> To: af@afmug.com <mailto:af@afmug.com>
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>  
> <http://www.nbcnews.com/news/us-news/u-s-urged-ecuador-act-against-assange-n669271>
> I say this major ddos attack is sure blow back on what US told Ecuador to Act 
> Against WikiLeaks Leader.
>> 
>> -----Original Message-----
>> From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com 
>> <mailto:thatoneguyst...@gmail.com>>
>> To: af@afmug.com <mailto:af@afmug.com>
>> Date: 10/21/16 05:06 PM
>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>> 
>> i think there are only two hackers left, the rest are script kiddies
>> half of these mopes calling themselves "hackers" have little education, 
>> hacking quite often requires a high degree of mathematics capability, most of 
>> these l77t "hackers" can't even multiply
>>  
>>  
>> On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org 
>> <mailto:p...@paulstewart.org>> wrote:
>>> Good point … and totally agree that the word "hacking" used to mean 
>>> something - now it just kinda makes people laugh and not take it seriously 
>>> at all anymore…
>>>  
>>>  
>>>> On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com 
>>>> <mailto:af...@kwisp.com>> wrote:
>>>>  
>>>>  
>>>> I think his point was that a denial of service attack is not hacking.
>>>>  
>>>> I just heard on the radio someone was asking, if I try to use Twitter and 
>>>> it doesn't work because of this attack, is my computer now hacked?
>>>>  
>>>> Even stuff that rightly gets called hacking is an insult to hackers. Like 
>>>> if your webcam is on a public IP address and I guess that the password is 
>>>> 1234, and that gets me root access to install whatever I want, it hardly 
>>>> seems right to call that hacking.
>>>>  
>>>> But taking down a site by flooding it (or its authoritative DNS servers) 
>>>> with traffic is not the same as hacking the site.
>>>>  
>>>>  From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
>>>> Behalf Of Paul Stewart
>>>> Sent: Friday, October 21, 2016 3:34 PM
>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 
>>>>  
>>>> Agree…. it should be focused on end users better securing themselves …. 
>>>>  
>>>>> On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm 
>>>>> <thatoneguyst...@gmail.com <mailto:thatoneguyst...@gmail.com>> wrote:
>>>>>  
>>>>> I'm getting irritated by news reports calling this hacking. That term has 
>>>>> been so obfuscated by dimwits that it has no value
>>>>>  
>>>>> On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman 
>>>>> <j...@imaginenetworksllc.com <mailto:j...@imaginenetworksllc.com>> wrote:
>>>>>> It works great for me 90% of the time. The other 10% it refuses to 
>>>>>> function at all.
>>>>>> 
>>>>>>  
>>>>>> Josh Luthman
>>>>>> Office: 937-552-2340 <http://tel:937-552-2340>
>>>>>> Direct: 937-552-2343 <http://tel:937-552-2343>
>>>>>> 1100 Wayne St
>>>>>> Suite 1337
>>>>>> Troy, OH 45373
>>>>>>  
>>>>>>  
>>>>>> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org 
>>>>>> <mailto:p...@paulstewart.org>> wrote:
>>>>>>> LOL …. scary shit….
>>>>>>>  
>>>>>>> Facebook being slow isn't anything new in my experience … they have to 
>>>>>>> be having a hard time keeping up sometimes …. last I heard they were 
>>>>>>> adding something around 200-300 new servers a day in each data centre
>>>>>>>  
>>>>>>>> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm 
>>>>>>>> <thatoneguyst...@gmail.com <mailto:thatoneguyst...@gmail.com>> wrote:
>>>>>>>>  
>>>>>>>> forcing people to interact in person... a dangerous prospect in these 
>>>>>>>> times
>>>>>>>>  
>>>>>>>> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart 
>>>>>>>> <timreichh...@hometowncable.net 
>>>>>>>> <mailto:timreichh...@hometowncable.net>> wrote:
>>>>>>>>> It seems like facebook is also getting slow.
>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: "Travis Johnson" <t...@ida.net <mailto:t...@ida.net>>
>>>>>>>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>>>>>>>> Date: 10/21/16 02:37 PM
>>>>>>>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>>>>>>>> 
>>>>>>>>>> This is still going right now... big and small websites and ISP's 
>>>>>>>>>> are unreachable and unresponsive. :(
>>>>>>>>>> 
>>>>>>>>>> Travis
>>>>>>>>>> 
>>>>>>>>>> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>>>>>>>>>>  
>>>>>>>>>>> Interesting, according to that, the ISP DNS servers are recruited 
>>>>>>>>>>> as part of the attack on the victim's authoritative DNS servers, by 
>>>>>>>>>>> sending queries from within the ISP's network.
>>>>>>>>>>>  
>>>>>>>>>>> No spoofing, no amplification, no misconfigured DNS servers 
>>>>>>>>>>> required, yet the ISP's DNS servers are used to send the attack 
>>>>>>>>>>> traffic. All that is needed is a compromised IoT to send the query.
>>>>>>>>>>>  
>>>>>>>>>>>  
>>>>>>>>>>>  From: Af [mailto:af-boun...@afmug.com 
>>>>>>>>>>> <mailto:af-boun...@afmug.com>] On Behalf Of Josh Baird
>>>>>>>>>>> Sent: Friday, October 21, 2016 12:42 PM 
>>>>>>>>>>> 
>>>>>>>>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>>>>>>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>>>>>>>>>  
>>>>>>>>>>>  
>>>>>>>>>>> Right - crap IoT devices on the Mirai botnet were responsible for 
>>>>>>>>>>> shoving 620+Gbps of traffic at Akamai to take down Krebs (and over 
>>>>>>>>>>> 1Tbps to take down OVH). No spoofing involved.
>>>>>>>>>>>  
>>>>>>>>>>> Interesting article on the techniques used by Mirai:
>>>>>>>>>>>  
>>>>>>>>>>> https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
>>>>>>>>>>>  
>>>>>>>>>>>  
>>>>>>>>>>>  
>>>>>>>>>>> On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com 
>>>>>>>>>>> <mailto:af...@kwisp.com>> wrote:
>>>>>>>>>>>> The amplifier would receive a query from a spoofed IP address, and 
>>>>>>>>>>>> respond using a legit IP address. So the attacker needs to control 
>>>>>>>>>>>> some computers that can spoof the victim's IP address, but the 
>>>>>>>>>>>> actual attack traffic comes from the amplifiers using legit source 
>>>>>>>>>>>> IPs.
>>>>>>>>>>>>  
>>>>>>>>>>>> In the case of IoT botnets, I'm not sure any spoofing is required.
>>>>>>>>>>>>  
>>>>>>>>>>>>  From: Af [mailto:af-boun...@afmug.com 
>>>>>>>>>>>> <mailto:af-boun...@afmug.com>] On Behalf Of Josh Baird
>>>>>>>>>>>> Sent: Friday, October 21, 2016 12:21 PM
>>>>>>>>>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>>>>>>>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 
>>>>>>>>>>>>  
>>>>>>>>>>>> It's a good start. It attempts to prevent spoofed traffic 
>>>>>>>>>>>> originating from your network from leaving your network (or BCP38).
>>>>>>>>>>>>  
>>>>>>>>>>>> On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman 
>>>>>>>>>>>> <j...@imaginenetworksllc.com <mailto:j...@imaginenetworksllc.com>> 
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> It can't be that simple...can it?
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  
>>>>>>>>>>>>> Josh Luthman
>>>>>>>>>>>>> Office: 937-552-2340 <http://tel:937-552-2340>
>>>>>>>>>>>>> Direct: 937-552-2343 <http://tel:937-552-2343>
>>>>>>>>>>>>> 1100 Wayne St
>>>>>>>>>>>>> Suite 1337
>>>>>>>>>>>>> Troy, OH 45373
>>>>>>>>>>>>>  
>>>>>>>>>>>>>  
>>>>>>>>>>>>>  
>>>>>>>>>>>>> On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net 
>>>>>>>>>>>>> <mailto:af...@ics-il.net>> wrote:
>>>>>>>>>>>>>> /ip firewall address-list
>>>>>>>>>>>>>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
>>>>>>>>>>>>>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> /ip firewall filter
>>>>>>>>>>>>>> # Match on the source address: drop anything leaving via the upstream whose source is not in Public-IPs
>>>>>>>>>>>>>> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> That was largely composed off of the top of my head and typed on 
>>>>>>>>>>>>>> my phone, so it may not be completely accurate.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> You should also do it on customer-facing ports not allowing 
>>>>>>>>>>>>>> anything to come in, but that would be best approached once 
>>>>>>>>>>>>>> Mikrotik adds the per-interface setting for unicast reverse path 
>>>>>>>>>>>>>> filtering. You would then set customer-facing interfaces to 
>>>>>>>>>>>>>> strict and all other interfaces to loose. They accepted the 
>>>>>>>>>>>>>> feature request, just haven't implemented it yet.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>  
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> -----
>>>>>>>>>>>>>> Mike Hammett
>>>>>>>>>>>>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>>>>>>>>>>>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>>>>>>>>>>>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> From: "Mike Hammett" <af...@ics-il.net <mailto:af...@ics-il.net>>
>>>>>>>>>>>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>>>>>>>>>>>> Sent: Friday, October 21, 2016 11:21:35 AM
>>>>>>>>>>>>>> Subject: [AFMUG] Another large DDoS, Stop Being a Dick
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> There's another large DDoS going on now. Go to this page to see 
>>>>>>>>>>>>>> if you can be used for UDP amplification (or other spoofing) 
>>>>>>>>>>>>>> attacks:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> https://www.caida.org/projects/spoofer/
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Go to these pages for longer-term bad behavior monitoring:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> https://www.shadowserver.org/wiki/
>>>>>>>>>>>>>> https://radar.qrator.net/
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Maybe we need to start a database of ASNs WISPs are using and 
>>>>>>>>>>>>>> start naming and shaming them when they have bad actors on their 
>>>>>>>>>>>>>> network. This is serious, people. Take it seriously.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>  
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> -----
>>>>>>>>>>>>>> Mike Hammett
>>>>>>>>>>>>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>>>>>>>>>>>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>>>>>>>>>>>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>>>>>>> --  
>>>>>>>> If you only see yourself as part of the team but you don't see your 
>>>>>>>> team as part of yourself you have already failed as part of the team.
>>>>> --  
>>>>> If you only see yourself as part of the team but you don't see your team 
>>>>> as part of yourself you have already failed as part of the team.
>> --
>> If you only see yourself as part of the team but you don't see your team as 
>> part of yourself you have already failed as part of the team.
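
Added example (not part of the thread and not Mike Hammett's configuration): a small Python model of the two checks discussed in the quoted messages, the egress rule that drops packets leaving "To-Upstream" whose source is outside "Public-IPs", and strict versus loose reverse-path filtering. The prefixes, the cust-A/cust-B interface names, the routing table and the packets are constructed, and treating the default route as not satisfying loose mode is an assumption of this model.

```python
import ipaddress

# Constructed sample data (documentation prefixes), not values from the thread.
PUBLIC_IPS = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/25")]
ROUTES = {  # prefix -> interface the router forwards that prefix out of
    ipaddress.ip_network("198.51.100.0/25"): "cust-A",
    ipaddress.ip_network("198.51.100.128/25"): "cust-B",
    ipaddress.ip_network("203.0.113.0/25"): "cust-B",
    ipaddress.ip_network("0.0.0.0/0"): "To-Upstream",
}

def egress_allowed(src):
    """Egress rule: only sources inside Public-IPs may leave via the upstream."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PUBLIC_IPS)

def route_iface(src, use_default=True):
    """Longest-prefix match for src; returns the interface name or None."""
    addr = ipaddress.ip_address(src)
    nets = [n for n in ROUTES if addr in n and (use_default or n.prefixlen > 0)]
    return ROUTES[max(nets, key=lambda n: n.prefixlen)] if nets else None

def urpf_allowed(src, in_iface, mode):
    """strict: the route back to src must leave by the arrival interface.
    loose: any non-default route to src is enough (modelling assumption)."""
    if mode == "strict":
        return route_iface(src) == in_iface
    return route_iface(src, use_default=False) is not None

def classify(packets):
    """Return (src, in_iface, passes strict uRPF, passes egress rule) per packet."""
    return [(s, i, urpf_allowed(s, i, "strict"), egress_allowed(s)) for s, i in packets]

PACKETS = [  # constructed: (source address, interface it arrived on)
    ("198.51.100.10", "cust-A"),   # customer A using its own address
    ("198.51.100.200", "cust-A"),  # customer A borrowing customer B's address
    ("192.0.2.55", "cust-A"),      # customer A using an address outside our space
]

if __name__ == "__main__":
    for row in classify(PACKETS):
        print(row)
```

The second constructed packet passes the egress rule, because its source is still inside Public-IPs, but fails strict reverse-path filtering on the customer port.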
