It doesn’t help that DynECT sets the TTL so low.  I was trying to check SOA 
records for twitter.com earlier but couldn’t; now I see that the TTL is set to 
60 seconds.

 

I know they want the ability to dynamically change their DNS records almost on 
the fly.  But if it were set to let’s say 1 hour, all the caching nameservers 
on the Internet would have just used cached information for an hour, during 
which time if the authoritative servers were intermittently available they 
might even have refreshed the information.

 

So knowing that DynECT is the sole authoritative DNS for many major sites which 
set their TTL extremely short, that makes Dyn a good target to take down whole 
swaths of the Internet.  I wonder if that TTL really needs to be 1 minute.  I 
guess it’s a balancing act, if their primary datacenter gets nuked, they want 
to be able to switch DNS records instantaneously and point at the backup 
datacenter.  But by essentially forcing every query to the authoritative 
servers, they make those a single point of failure.
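To put numbers on the TTL argument above, here is an added simulation (not part of the thread, not Dyn's or anyone's production code) of a single caching resolver in front of authoritative servers that go mostly dark for a stretch but come back for a few seconds every five minutes, the "intermittently available" case. The attack window, the refresh gaps, the client's query interval and the answer address are all constructed assumptions.

```python
"""Caching-resolver simulation: how the authoritative TTL decides whether an
outage at the authoritative servers is visible to end users.

Added example, not part of the mailing-list thread.  All numbers here
(attack window, refresh gaps, query interval, answer) are constructed."""

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class CacheEntry:
    rdata: str
    expires_at: int  # absolute time in seconds


class CachingResolver:
    """Minimal model of an ISP recursive resolver holding one cached record."""

    def __init__(self, ttl: int, authoritative_up: Callable[[int], bool]):
        self.ttl = ttl
        self.authoritative_up = authoritative_up
        self.cache: Optional[CacheEntry] = None
        self.upstream_queries = 0  # queries that actually reach the authoritative servers

    def resolve(self, now: int) -> Optional[str]:
        # Serve from cache while the record is still within its TTL.
        if self.cache is not None and now < self.cache.expires_at:
            return self.cache.rdata
        # TTL expired: this lookup has to go to the authoritative side.
        self.upstream_queries += 1
        if self.authoritative_up(now):
            self.cache = CacheEntry("192.0.2.1", now + self.ttl)  # constructed answer
            return self.cache.rdata
        return None  # SERVFAIL: nothing cached and the authoritative servers are unreachable


def make_availability(attack_start: int, attack_end: int,
                      gap_period: int = 300, gap_len: int = 10) -> Callable[[int], bool]:
    """Authoritative servers are healthy outside the attack window; inside it they
    are reachable only for a gap_len-second gap every gap_period seconds."""
    def up(t: int) -> bool:
        if t < attack_start or t >= attack_end:
            return True
        return (t - attack_start) % gap_period < gap_len
    return up


def simulate(ttl: int, duration: int = 7200, interval: int = 10,
             attack: tuple = (1800, 3900)) -> dict:
    """One client asks the resolver every `interval` seconds for `duration` seconds."""
    resolver = CachingResolver(ttl, make_availability(*attack))
    failed = total = 0
    for t in range(0, duration, interval):
        total += 1
        if resolver.resolve(t) is None:
            failed += 1
    return {"ttl": ttl, "lookups": total, "failed": failed,
            "upstream_queries": resolver.upstream_queries}


if __name__ == "__main__":
    for ttl in (60, 3600):
        print(simulate(ttl))
```

With a 60-second TTL the resolver goes upstream 260 times in two hours and the client sees 168 failed lookups out of 720; with a one-hour TTL the single refresh the resolver needs during the attack happens to land in a reachable moment, the client sees no failures at all, and the authoritative servers receive two queries in total. Any one successful refresh covers a whole hour, which is the point made above: the short TTL buys fast failover but turns every resolver on the Internet into a constant client of the authoritative servers.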

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tim Reichhart
Sent: Friday, October 21, 2016 4:35 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

 https://twitter.com/wikileaks/status/789574436219449345

WikiLeaks is asking its supporters to stop taking websites down, so it's for sure 
blowback against the US. Please don't say it's not; we all know WikiLeaks is 
that powerful.

 


  _____  


-----Original Message-----
From: "Mike Hammett" <af...@ics-il.net>
To: af@afmug.com
Date: 10/21/16 05:26 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

What?



-----
Mike Hammett
 <http://www.ics-il.com/> Intelligent Computing Solutions
 <https://www.facebook.com/ICSIL>  
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>  
<https://www.linkedin.com/company/intelligent-computing-solutions>  
<https://twitter.com/ICSIL> 
 <http://www.midwest-ix.com/> Midwest Internet Exchange
 <https://www.facebook.com/mdwestix>  
<https://www.linkedin.com/company/midwest-internet-exchange>  
<https://twitter.com/mdwestix> 
 <http://www.thebrotherswisp.com/> The Brothers WISP
 <https://www.facebook.com/thebrotherswisp>  
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> 



 


  _____  


From: "Tim Reichhart" <timreichh...@hometowncable.net>
To: af@afmug.com
Sent: Friday, October 21, 2016 4:14:15 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

  
http://www.nbcnews.com/news/us-news/u-s-urged-ecuador-act-against-assange-n669271
 
I say this major DDoS attack is surely blowback from the US telling Ecuador to 
act against the WikiLeaks leader.


  _____  


-----Original Message-----
From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
To: af@afmug.com
Date: 10/21/16 05:06 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

I think there are only two hackers left; the rest are script kiddies.

Half of these mopes calling themselves "hackers" have little education. Hacking 
quite often requires a high degree of mathematics capability; most of these l77t 
"hackers" can't even multiply.

 

 

On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:

Good point … and totally agree that the word "hacking" used to mean something - 
now it just kinda makes people laugh and not take it seriously at all anymore…

 

 

On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:

 

 

I think his point was that a denial of service attack is not hacking.

 

I just heard on the radio someone was asking, if I try to use Twitter and it 
doesn't work because of this attack, is my computer now hacked?

 

Even stuff that rightly gets called hacking is an insult to hackers. Like if 
your webcam is on a public IP address and I guess that the password is 1234, 
and that gets me root access to install whatever I want, it hardly seems right 
to call that hacking.

 

But taking down a site by flooding it (or its authoritative DNS servers) with 
traffic is not the same as hacking the site.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
Sent: Friday, October 21, 2016 3:34 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

Agree…. it should be focused on end users better securing themselves …. 

 

On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> wrote:

 

I'm getting irritated by news reports calling this hacking. That term has been 
so obfuscated by dimwits that it has no value.

 

On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:

It works great for me 90% of the time. The other 10% it refuses to function at 
all.




 

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

 

 

On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org> wrote:

LOL …. scary shit….

 

Facebook being slow isn't anything new in my experience … they have to be 
having a hard time keeping up sometimes …. last I heard they were adding 
something around 200-300 new servers a day in each data centre

 

On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> wrote:

 

forcing people to interact in person... a dangerous prospect in these times

 

On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <timreichh...@hometowncable.net> wrote:

It seems like Facebook is also getting slow.

 


  _____  


-----Original Message-----
From: "Travis Johnson" <t...@ida.net>
To: af@afmug.com
Date: 10/21/16 02:37 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

This is still going right now... big and small websites and ISPs are 
unreachable and unresponsive. :(

Travis

On 10/21/2016 12:19 PM, Ken Hohhof wrote:
 

Interesting, according to that, the ISP DNS servers are recruited as part of 
the attack on the victim's authoritative DNS servers, by sending queries from 
within the ISP's network.

 

No spoofing, no amplification, no misconfigured DNS servers required, yet the 
ISP's DNS servers are used to send the attack traffic. All that is needed is a 
compromised IoT to send the query.
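One way an ISP could spot the pattern Ken describes on its own recursive resolvers, as an added example (not part of the thread and not any vendor's tooling): count how many distinct names each client asks for under a single zone. A genuine client reuses a handful of names, while a device abusing the resolver to reach the victim's authoritative servers has to keep asking for names that are not cached, so it burns through many distinct labels. The log lines below are constructed in BIND9 querylog format, the client addresses are RFC 5737 documentation addresses, and the threshold is an assumption to tune per site.

```python
"""Detecting a random-subdomain query flood in recursive-resolver logs.

Added example, not part of the thread.  The log lines are constructed here in
BIND9-style query-log format; the threshold is an assumption."""

import re
from collections import defaultdict

# Client address and query name from a BIND9 querylog line (old and new formats).
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r".*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def registered_domain(qname: str, depth: int = 2) -> str:
    """Crude zone grouping by the last `depth` labels.  Assumption: no public-suffix
    handling, so co.uk-style names would need a real suffix list in practice."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def find_subdomain_floods(lines, threshold: int = 25) -> dict:
    """Return {(client, zone): distinct_name_count} for every client that asked for
    at least `threshold` distinct names under one zone."""
    distinct = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        distinct[(m["client"], registered_domain(m["qname"]))].add(m["qname"].lower())
    return {key: len(names) for key, names in distinct.items() if len(names) >= threshold}


def constructed_log() -> list:
    """Synthetic log: one ordinary client and one compromised device on the ISP's network."""
    # Ordinary client: the same name five times (answered from cache after the first).
    lines = [
        f"21-Oct-2016 12:0{i}:00.000 client 192.0.2.20#5011 (www.example.com): "
        "query: www.example.com IN A + (203.0.113.53)"
        for i in range(5)
    ]
    # Compromised device: 40 never-before-seen labels under the victim zone,
    # each of which the resolver must forward to the zone's authoritative servers.
    lines += [
        f"21-Oct-2016 12:05:{i:02d}.000 client 192.0.2.77#4123 (x{i:04x}.example.com): "
        f"query: x{i:04x}.example.com IN A + (203.0.113.53)"
        for i in range(40)
    ]
    return lines


if __name__ == "__main__":
    for (client, zone), count in find_subdomain_floods(constructed_log()).items():
        print(f"{client} asked for {count} distinct names under {zone}")
```

Run over the constructed log, only the 192.0.2.77 client is flagged (40 distinct names under example.com); the ordinary client never exceeds one. In production the count would be kept per time window and the flagged clients fed to an abuse desk or a per-client rate limit rather than printed, and the grouping by last two labels replaced with a public-suffix list.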

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:42 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

 

Right - crap IoT devices on the Mirai botnet were responsible for shoving 
620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take down 
OVH). No spoofing involved.

 

Interesting article on the techniques used by Mirai:

 

 
https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937

 

 

 

On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> wrote:

The amplifier would receive a query from a spoofed IP address, and respond 
using a legit IP address. So the attacker needs to control some computers that 
can spoof the victim's IP address, but the actual attack traffic comes from the 
amplifiers using legit source IPs.

 

In the case of IoT botnets, I'm not sure any spoofing is required.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:21 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

It's a good start. It attempts to prevent spoofed traffic originating from your 
network from leaving your network (or BCP38).

 

On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:

It can't be that simple...can it?




 


 

 

 

On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net> wrote:

/ip firewall address-list
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"

/ip firewall filter
# Match on the SOURCE address: anything leaving toward the upstream that does not
# carry one of our own prefixes as its source is spoofed and must not get out.
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"

That was largely composed off of the top of my head and typed on my phone, so 
it may not be completely accurate.


You should also do it on customer-facing ports not allowing anything to come 
in, but that would be best approached once MikroTik adds the per-interface 
setting for unicast reverse path filtering. You would then set said customer-facing 
interfaces to strict and all other interfaces to loose. They accepted the 
feature request, just haven't implemented it yet.

 

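The source-address logic behind an egress rule like the one in Mike's message, together with the strict/loose per-interface uRPF he describes, modelled in Python as an added example (not code from the thread and not RouterOS configuration). The prefixes, interface names and forwarding table are constructed from RFC 5737 documentation ranges; on RouterOS 6 the rp-filter option under /ip settings is global rather than per interface, which is the gap his message refers to.

```python
"""Model of BCP38 egress filtering plus per-interface unicast RPF (strict/loose).

Added example, not part of the thread and not MikroTik code.  Prefixes,
interface names and the FIB are constructed (RFC 5737 documentation ranges)."""

import ipaddress

# Address space this network may legitimately source traffic from
# (the "Public-IPs" address-list idea from the message).
PUBLIC_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),    # our own block
    ipaddress.ip_network("198.51.100.0/25"),   # downstream customer X
]

# Forwarding table: destination prefix -> interface that packets TO it leave on.
FIB = {
    ipaddress.ip_network("203.0.113.0/26"):  "ether2-customers",
    ipaddress.ip_network("203.0.113.64/26"): "ether3-customers",
    ipaddress.ip_network("198.51.100.0/25"): "ether4-customerX",
    ipaddress.ip_network("0.0.0.0/0"):       "To-Upstream",
}

# Per-interface uRPF mode: strict on customer ports, loose toward the upstream,
# and one legacy port with no uRPF to show what the egress rule still catches.
URPF_MODE = {
    "ether2-customers": "strict",
    "ether3-customers": "strict",
    "ether4-customerX": "strict",
    "ether5-legacy":    "off",
    "To-Upstream":      "loose",
}


def longest_match(addr, fib=FIB):
    """Longest-prefix lookup: (prefix, interface) or None if nothing matches."""
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_passes(src, in_iface, mode, fib=FIB):
    """Unicast reverse-path check on the packet's source address."""
    if mode == "off":
        return True
    match = longest_match(src, fib)
    if match is None:
        return False                  # loose or strict: unrouted source (bogon) -> drop
    _prefix, route_iface = match
    if mode == "loose":
        return True                   # any route, the default included, vouches for the source
    return route_iface == in_iface    # strict: route back must point out the ingress port


def egress_allowed(src, out_iface, public_prefixes=PUBLIC_PREFIXES):
    """BCP38: toward the upstream, only our own address space may be a source."""
    if out_iface != "To-Upstream":
        return True
    return any(src in p for p in public_prefixes)


def forward_decision(src_ip, in_iface, out_iface):
    """Combined verdict for one packet: 'forward' or a 'drop: ...' reason."""
    src = ipaddress.ip_address(src_ip)
    mode = URPF_MODE[in_iface]
    if not urpf_passes(src, in_iface, mode):
        return f"drop: uRPF {mode} on {in_iface}"
    if not egress_allowed(src, out_iface):
        return "drop: BCP38 egress (source not ours)"
    return "forward"


if __name__ == "__main__":
    cases = [
        ("203.0.113.5",  "ether2-customers", "To-Upstream"),   # legitimate customer
        ("192.0.2.55",   "ether2-customers", "To-Upstream"),   # customer spoofing a foreign address
        ("203.0.113.70", "ether2-customers", "To-Upstream"),   # customer using a neighbour's address
        ("192.0.2.55",   "ether5-legacy",    "To-Upstream"),   # no uRPF on this port
        ("192.0.2.1",    "To-Upstream",      "ether2-customers"),  # inbound from the Internet
    ]
    for src, inp, outp in cases:
        print(f"{src:>13} {inp:>17} -> {outp:<17} {forward_decision(src, inp, outp)}")
```

Strict mode drops a packet unless the route back to its source points out the port it arrived on, which is what catches a customer using a neighbouring customer's address as well as an unrelated one. Loose mode only asks whether any route exists; because this table carries a default route it accepts everything on the upstream side, which is why loose uRPF earns its keep mainly on routers holding a full table without a default. The BCP38 egress check is the backstop for ports where uRPF is off: the legacy-port case is dropped there and nowhere else.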


 


  _____  


From: "Mike Hammett" <af...@ics-il.net>
To: af@afmug.com
Sent: Friday, October 21, 2016 11:21:35 AM
Subject: [AFMUG] Another large DDoS, Stop Being a Dick

There's another large DDoS going on now. Go to this page to see if you can be 
used for UDP amplification (or other spoofing) attacks:

https://www.caida.org/projects/spoofer/

Go to these pages for longer-term bad-behavior monitoring:

https://www.shadowserver.org/wiki/
https://radar.qrator.net/


Maybe we need to start a database of ASNs WISPs are using and start naming and 
shaming them when they have bad actors on their network. This is serious, 
people. Take it seriously.

 

--  

If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.