Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-23 Thread Ken Hohhof
News reports say New World Hackers are taking credit for the attack on Dyn, 
supposedly with help from Anonymous in 3rd wave.

 

http://www.cbsnews.com/news/new-world-hackers-claims-responsibility-internet-disruption-cyberattack/

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza
Sent: Saturday, October 22, 2016 11:59 AM
To: Animal Farm <af@afmug.com>
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

I actually worked with ATT tech support to open up some ports for NVR... They 
were pretty good and client has app on phone with alerts on door sensors 
connected to cameras.   Different subnet from his network... Hope it doesn't 
get hacked... 

 

On Oct 22, 2016 10:33 AM, "Mike Hammett" <af...@ics-il.net> wrote:

The IP address on your upstream interface needs to be able to respond to 
ICMP and other requests.


10.0.0.0/30  Network
10.0.0.1/30  Their Router
10.0.0.2/30  Your Router
10.0.0.3/30  Broadcast


10.0.0.2 needs to be able to respond to things and the firewall should be 
blocking it if not otherwise allowed.



-
Mike Hammett
 <http://www.ics-il.com/> Intelligent Computing Solutions
 <https://www.facebook.com/ICSIL>  
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>  
<https://www.linkedin.com/company/intelligent-computing-solutions>  
<https://twitter.com/ICSIL> 
 <http://www.midwest-ix.com/> Midwest Internet Exchange
 <https://www.facebook.com/mdwestix>  
<https://www.linkedin.com/company/midwest-internet-exchange>  
<https://twitter.com/mdwestix> 
 <http://www.thebrotherswisp.com/> The Brothers WISP
 <https://www.facebook.com/thebrotherswisp>  
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> 







From: "Kurt Fankhauser" <lists.wavel...@gmail.com>
To: af@afmug.com
Sent: Saturday, October 22, 2016 11:24:40 AM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

Mike,

 

Thank you for sharing this Mikrotik Firewall rule! I was at the WISPPlooza 
session on internet security and first heard of this spoofing problem and about 
how you should drop this traffic. I implemented the rule and logged it before I 
flat out dropped it and just in 60 seconds I was seeing thousands of packets 
showing up in my Mikrotik Log. Apparently I was being used as a spoof relay. I 
also noticed a slight decrease in overall traffic going out to my upstream 
provider. I cannot believe how easy it was to implement this rule with 
Mikrotik. One thing I did not do was add my upstream's /30 BGP address to the 
allow list. Why should I do that? My BGP is still working without it.

 

On Sat, Oct 22, 2016 at 10:14 AM, Mike Hammett <af...@ics-il.net> wrote:

Here's a tested config that works with standard IP Firewall. Once I get a 
chance, I'll make and test a version that uses raw.

/ip firewall address-list
add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" 
list=Public_Networks

/ip firewall filter
add action=drop chain=forward comment="Block Spoofed Traffic" 
out-interface=[upstream interface] src-address-list=!Public_Networks





-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP







From: "Mike Hammett" <af...@ics-il.net>
To: af@afmug.com
Sent: Friday, October 21, 2016 12:17:13 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

/ip firewall address-list
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream 
customer X IPs"

/ip firewall filter
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no 
out-interface="To-Upstream" dst-address-list=!"Public-IPs"

That was largely comp

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-22 Thread Jaime Solorza
I actually worked with ATT tech support to open up some ports for NVR...
They were pretty good and client has app on phone with alerts on door
sensors connected to cameras.   Different subnet from his network... Hope
it doesn't get hacked...

On Oct 22, 2016 10:33 AM, "Mike Hammett" <af...@ics-il.net> wrote:

> The IP address on your upstream interface needs to be able to respond to
> ICMP and other requests.
>
>
> 10.0.0.0/30 Network
> 10.0.0.1/30 Their Router
> 10.0.0.2/30 Your Router
> 10.0.0.3/30 Broadcast
>
>
> 10.0.0.2 needs to be able to respond to things and the firewall should be
> blocking it if not otherwise allowed.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
> ----------
> *From: *"Kurt Fankhauser" <lists.wavel...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Saturday, October 22, 2016 11:24:40 AM
> *Subject: *Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> Mike,
>
> Thank you for sharing this Mikrotik Firewall rule! I was at the WISPPlooza
> session on internet security and first heard of this spoofing problem and
> about how you should drop this traffic. I implemented the rule and logged
> it before I flat out dropped it and just in 60 seconds I was seeing
> thousands of packets showing up in my Mikrotik Log. Apparently I was being
> used as a spoof relay. I also noticed a slight decrease in overall traffic
> going out to my upstream provider. I cannot believe how easy it was to
> implement this rule with Mikrotik. One thing I did not do was add my
> upstream's /30 BGP address to the allow list. Why should I do that? My BGP
> is still working without it.
>
> On Sat, Oct 22, 2016 at 10:14 AM, Mike Hammett <af...@ics-il.net> wrote:
>
>> Here's a tested config that works with standard IP Firewall. Once I get a
>> chance, I'll make and test a version that uses raw.
>>
>> /ip firewall address-list
>> add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
>> add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
>> add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation"
>> list=Public_Networks
>>
>> /ip firewall filter
>> add action=drop chain=forward comment="Block Spoofed Traffic"
>> out-interface=[upstream interface] src-address-list=!Public_Networks
>>
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> Midwest Internet Exchange
>> The Brothers WISP
>> --
>> *From: *"Mike Hammett" <af...@ics-il.net>
>> *To: *af@afmug.com
>> *Sent: *Friday, October 21, 2016 12:17:13 PM
>> *Subject: *Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> /ip firewall address-list
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream
>> customer X IPs"
>>
>> /ip firewall filter
>> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no
>> out-interface="To-Upstream" dst-address-list=!"Public-IPs"
>>
>> That was largely composed off of the top of my head and typed on my
>> phone, so it may not be completely accurate.
>>

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-22 Thread Kurt Fankhauser
ok I added the /30 on my upstream to the allow list

On Sat, Oct 22, 2016 at 12:33 PM, Mike Hammett <af...@ics-il.net> wrote:

> The IP address on your upstream interface needs to be able to respond to
> ICMP and other requests.
>
>
> 10.0.0.0/30 Network
> 10.0.0.1/30 Their Router
> 10.0.0.2/30 Your Router
> 10.0.0.3/30 Broadcast
>
>
> 10.0.0.2 needs to be able to respond to things and the firewall should be
> blocking it if not otherwise allowed.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
> --------------
> *From: *"Kurt Fankhauser" <lists.wavel...@gmail.com>
> *To: *af@afmug.com
> *Sent: *Saturday, October 22, 2016 11:24:40 AM
> *Subject: *Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> Mike,
>
> Thank you for sharing this Mikrotik Firewall rule! I was at the WISPPlooza
> session on internet security and first heard of this spoofing problem and
> about how you should drop this traffic. I implemented the rule and logged
> it before I flat out dropped it and just in 60 seconds I was seeing
> thousands of packets showing up in my Mikrotik Log. Apparently I was being
> used as a spoof relay. I also noticed a slight decrease in overall traffic
> going out to my upstream provider. I cannot believe how easy it was to
> implement this rule with Mikrotik. One thing I did not do was add my
> upstream's /30 BGP address to the allow list. Why should I do that? My BGP
> is still working without it.
>
> On Sat, Oct 22, 2016 at 10:14 AM, Mike Hammett <af...@ics-il.net> wrote:
>
>> Here's a tested config that works with standard IP Firewall. Once I get a
>> chance, I'll make and test a version that uses raw.
>>
>> /ip firewall address-list
>> add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
>> add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
>> add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation"
>> list=Public_Networks
>>
>> /ip firewall filter
>> add action=drop chain=forward comment="Block Spoofed Traffic"
>> out-interface=[upstream interface] src-address-list=!Public_Networks
>>
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> Midwest Internet Exchange
>> The Brothers WISP
>> --
>> *From: *"Mike Hammett" <af...@ics-il.net>
>> *To: *af@afmug.com
>> *Sent: *Friday, October 21, 2016 12:17:13 PM
>> *Subject: *Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> /ip firewall address-list
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream
>> customer X IPs"
>>
>> /ip firewall filter
>> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no
>> out-interface="To-Upstream" dst-address-list=!"Public-IPs"
>>
>> That was largely composed off of the top of my head and typed on my
>> phone, so it may not be completely accurate.
>>
>>
>> You should also do it on customer-facing ports not allowing anything to
>> come in, but that would be best approached once Mikrotik and the per
>> interface setting

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-22 Thread Mike Hammett
The IP address on your upstream interface needs to be able to respond to 
ICMP and other requests. 


10.0.0.0/30 Network 
10.0.0.1/30 Their Router 
10.0.0.2/30 Your Router 
10.0.0.3/30 Broadcast 


10.0.0.2 needs to be able to respond to things and the firewall should be 
blocking it if not otherwise allowed. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Kurt Fankhauser" <lists.wavel...@gmail.com> 
To: af@afmug.com 
Sent: Saturday, October 22, 2016 11:24:40 AM 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 



Mike, 


Thank you for sharing this Mikrotik Firewall rule! I was at the WISPPlooza 
session on internet security and first heard of this spoofing problem and about 
how you should drop this traffic. I implemented the rule and logged it before I 
flat out dropped it and just in 60 seconds I was seeing thousands of packets 
showing up in my Mikrotik Log. Apparently I was being used as a spoof relay. I 
also noticed a slight decrease in overall traffic going out to my upstream 
provider. I cannot believe how easy it was to implement this rule with 
Mikrotik. One thing I did not do was add my upstream's /30 BGP address to the 
allow list. Why should I do that? My BGP is still working without it. 


On Sat, Oct 22, 2016 at 10:14 AM, Mike Hammett <af...@ics-il.net> wrote: 




Here's a tested config that works with standard IP Firewall. Once I get a 
chance, I'll make and test a version that uses raw. 

/ip firewall address-list 
add address=x.x.x.x/yy comment="My IPs" list=Public_Networks 
add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks 
add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" 
list=Public_Networks 

/ip firewall filter 
add action=drop chain=forward comment="Block Spoofed Traffic" 
out-interface=[upstream interface] src-address-list=!Public_Networks 





- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Mike Hammett" <af...@ics-il.net> 
To: af@afmug.com 
Sent: Friday, October 21, 2016 12:17:13 PM 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 




/ip firewall address-list 
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs" 
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream 
customer X IPs" 

/ip firewall filter 
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no 
out-interface="To-Upstream" dst-address-list=!"Public-IPs" 

That was largely composed off of the top of my head and typed on my phone, so 
it may not be completely accurate. 


You should also do it on customer-facing ports not allowing anything to come 
in, but that would be best approached once Mikrotik adds the per-interface 
setting for unicast reverse path filtering. You would then set customer-facing 
interfaces to strict and all other interfaces to loose. They accepted the 
feature request, just haven't implemented it yet. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 






From: "Mike Hammett" <af...@ics-il.net> 
To: af@afmug.com 
Sent: Friday, October 21, 2016 11:21:35 AM 
Subject: [AFMUG] Another large DDoS, Stop Being a Dick 


There's another large DDoS going on now. Go to this page to see if you can be 
used for UDP amplification (or other spoofing) attacks: 

https://www.caida.org/projects/spoofer/ 

Go to these pages for more longer term bad behavior monitoring: 

https://www.shadowserver.org/wiki/ 
https://radar.qrator.net/ 


Maybe we need to start a database of ASNs WISPs are using and start naming and 
shaming them when they have bad actors on their network. This is serious, 
people. Take it seriously. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 













Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-22 Thread Ken Hohhof
Wonderful.  So people can buy cheap insecure Chinese crap, and then give it 
full control over their router.  It’s like a doggie door for your toaster, so 
it can go roam the neighborhood at night looking for skunks.  And invite its 
friends in.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Reynolds
Sent: Saturday, October 22, 2016 11:14 AM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

Routers have firewalls... 

But UPNP works on ipv6 :(

 

On Oct 22, 2016 10:39 AM, "Ken Hohhof" <af...@kwisp.com> wrote:

Takeaway quote:  the Internet is “vulnerable to toasters”.

 

I’ve got to suspect most of these cheap Chinese webcams (i.e. 90% of them) and 
other devices are only accessible via a public IP address because of UPnP.  And 
apparently they are forwarding not just HTTP and HTTPS through the router but 
also telnet and SSH.  Death to  UPnP!  We don’t enable it when customers lease 
routers from us.  These cams should be using some sort of proxy in the cloud to 
relay the video, not port forwarding on the customer’s router.

 

I also suspect a lot of these are outside the US.  At the risk of opening up 
the dreaded “NAT is not a firewall” and “IPv6 is great/terrible” debates, how 
does IPv6 not increase the IoT threat?  What is the typical setup for an IPv6 
enabled customer with toasters and webcams that get public IPs?  Does the 
router from the ISP or supplied by the customer still implement a stateful 
firewall so that inbound traffic is blocked unless a connection has been 
established by outbound traffic or a port forwarding rule?  Or are there IPv6 
toasters with web and CLI access wide open?  Does UPnP still exist with IPv6?  
Maybe it’s no more of a problem with IPv6, but then I still wonder, why are so 
many IoT devices accessible via telnet to exploit the hardcoded default 
passwords?  Maybe it’s not our customers buying cheap webcams at Costco, maybe 
it’s really businesses putting their security cameras directly on public IP 
addresses?

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza
Sent: Saturday, October 22, 2016 9:57 AM
To: Animal Farm <af@afmug.com>
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

'Smart' home devices used as weapons in website attack
http://www.bbc.com/news/technology-37738823

 

On Oct 22, 2016 8:14 AM, "Mike Hammett" <af...@ics-il.net> wrote:

Here's a tested config that works with standard IP Firewall. Once I get a 
chance, I'll make and test a version that uses raw.

/ip firewall address-list
add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" 
list=Public_Networks

/ip firewall filter
add action=drop chain=forward comment="Block Spoofed Traffic" 
out-interface=[upstream interface] src-address-list=!Public_Networks



-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP







From: "Mike Hammett" <af...@ics-il.net>
To: af@afmug.com
Sent: Friday, October 21, 2016 12:17:13 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

/ip firewall address-list
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream 
customer X IPs"

/ip firewall filter
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no 
out-interface="To-Upstream" dst-address-list=!"Public-IPs"

That was largely composed off of the top of my head and typed on my phone, so 
it may not be completely accurate.


You should also do it on customer-facing ports not allowing anything to come 
in, but that would be best approached once Mikrotik adds the per-interface 
setting for unicast reverse path filtering. You would then set customer-facing 
interfaces to strict and all other interfaces to loose. They accepted the 
feature request, just haven't implemented it yet.



-

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-22 Thread Cassidy B. Larson
IPv6 has “Temporary” outbound IPs for different outbound sessions. These temp 
IPv6 IPs expire over time and change.
I had four or five at one time on my mac for existing TCP sessions that were 
still open, but new traffic wouldn’t be allowed to talk to them.
There's also a fixed inbound IPv6 address, but the possibility of guessing the 
single IPv6 IP on a /64 subnet of 18 quintillion IPv6 IPs is a bit harder.
Well, a lot harder than script kiddies just scanning each port on each public 
IPv4 IP. 
So I guess it’s more like security through obscurity, but still nothing beats a 
properly configured firewall. 



> On Oct 22, 2016, at 9:39 AM, Ken Hohhof <af...@kwisp.com> wrote:
> 
> Takeaway quote:  the Internet is “vulnerable to toasters”.
>  
> I’ve got to suspect most of these cheap Chinese webcams (i.e. 90% of them) 
> and other devices are only accessible via a public IP address because of 
> UPnP.  And apparently they are forwarding not just HTTP and HTTPS through the 
> router but also telnet and SSH.  Death to  UPnP!  We don’t enable it when 
> customers lease routers from us.  These cams should be using some sort of 
> proxy in the cloud to relay the video, not port forwarding on the customer’s 
> router.
>  
> I also suspect a lot of these are outside the US.  At the risk of opening up 
> the dreaded “NAT is not a firewall” and “IPv6 is great/terrible” debates, how 
> does IPv6 not increase the IoT threat?  What is the typical setup for an IPv6 
> enabled customer with toasters and webcams that get public IPs?  Does the 
> router from the ISP or supplied by the customer still implement a stateful 
> firewall so that inbound traffic is blocked unless a connection has been 
> established by outbound traffic or a port forwarding rule?  Or are there IPv6 
> toasters with web and CLI access wide open?  Does UPnP still exist with IPv6? 
>  Maybe it’s no more of a problem with IPv6, but then I still wonder, why are 
> so many IoT devices accessible via telnet to exploit the hardcoded default 
> passwords?  Maybe it’s not our customers buying cheap webcams at Costco, 
> maybe it’s really businesses putting their security cameras directly on 
> public IP addresses?
>  
> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza
> Sent: Saturday, October 22, 2016 9:57 AM
> To: Animal Farm <af@afmug.com>
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>  
> 'Smart' home devices used as weapons in website attack
> http://www.bbc.com/news/technology-37738823
>  
> On Oct 22, 2016 8:14 AM, "Mike Hammett" <af...@ics-il.net> wrote:
>> Here's a tested config that works with standard IP Firewall. Once I get a 
>> chance, I'll make and test a version that uses raw.
>> 
>> /ip firewall address-list
>> add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
>> add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
>> add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" 
>> list=Public_Networks
>> 
>> /ip firewall filter
>> add action=drop chain=forward comment="Block Spoofed Traffic" 
>> out-interface=[upstream interface] src-address-list=!Public_Networks
>> 
>> 
>> 
>> 
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> Midwest Internet Exchange
>> The Brothers WISP
>> From: "Mike Hammett" <af...@ics-il.net>
>> To: af@afmug.com
>> Sent: Friday, October 21, 2016 12:17:13 PM
>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>> 
>> /ip firewall address-list
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream 
>> customer X IPs"
>> 
>> /ip firewall filter
>> add action=drop chain=forward

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-22 Thread Josh Reynolds
Routers have firewalls...

But UPNP works on ipv6 :(

On Oct 22, 2016 10:39 AM, "Ken Hohhof" <af...@kwisp.com> wrote:

> Takeaway quote:  the Internet is “vulnerable to toasters”.
>
>
>
> I’ve got to suspect most of these cheap Chinese webcams (i.e. 90% of them)
> and other devices are only accessible via a public IP address because of
> UPnP.  And apparently they are forwarding not just HTTP and HTTPS through
> the router but also telnet and SSH.  Death to  UPnP!  We don’t enable it
> when customers lease routers from us.  These cams should be using some sort
> of proxy in the cloud to relay the video, not port forwarding on the
> customer’s router.
>
>
>
> I also suspect a lot of these are outside the US.  At the risk of opening
> up the dreaded “NAT is not a firewall” and “IPv6 is great/terrible”
> debates, how does IPv6 not increase the IoT threat?  What is the typical
> setup for an IPv6 enabled customer with toasters and webcams that get
> public IPs?  Does the router from the ISP or supplied by the customer still
> implement a stateful firewall so that inbound traffic is blocked unless a
> connection has been established by outbound traffic or a port forwarding
> rule?  Or are there IPv6 toasters with web and CLI access wide open?  Does
> UPnP still exist with IPv6?  Maybe it’s no more of a problem with IPv6, but
> then I still wonder, why are so many IoT devices accessible via telnet to
> exploit the hardcoded default passwords?  Maybe it’s not our customers
> buying cheap webcams at Costco, maybe it’s really businesses putting their
> security cameras directly on public IP addresses?
>
>
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Jaime Solorza
> *Sent:* Saturday, October 22, 2016 9:57 AM
> *To:* Animal Farm <af@afmug.com>
> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
>
>
> 'Smart' home devices used as weapons in website attack
> http://www.bbc.com/news/technology-37738823
>
>
>
> On Oct 22, 2016 8:14 AM, "Mike Hammett" <af...@ics-il.net> wrote:
>
> Here's a tested config that works with standard IP Firewall. Once I get a
> chance, I'll make and test a version that uses raw.
>
> /ip firewall address-list
> add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
> add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
> add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation"
> list=Public_Networks
>
> /ip firewall filter
> add action=drop chain=forward comment="Block Spoofed Traffic"
> out-interface=[upstream interface] src-address-list=!Public_Networks
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
> --
>
> *From: *"Mike Hammett" <af...@ics-il.net>
> *To: *af@afmug.com
> *Sent: *Friday, October 21, 2016 12:17:13 PM
> *Subject: *Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> /ip firewall address-list
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream
> customer X IPs"
>
> /ip firewall filter
> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no
> out-interface="To-Upstream" dst-address-list=!"Public-IPs"
>
> That was largely composed off of the top of my head and typed on my phone,
> so it may not be completely accurate.
>
>
> You should also do it on customer-facing ports not allowing anything to
> come in, but that would be best approached once Mikrotik adds the per-
> interface setting for unicast reverse path filtering. You would then set
> customer-facing interfaces to strict and all other interfaces to loose.
> They accepted the feature request, just haven't implemented it yet.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-22 Thread Ken Hohhof
Takeaway quote:  the Internet is “vulnerable to toasters”.

 

I’ve got to suspect most of these cheap Chinese webcams (i.e. 90% of them) and 
other devices are only accessible via a public IP address because of UPnP.  And 
apparently they are forwarding not just HTTP and HTTPS through the router but 
also telnet and SSH.  Death to  UPnP!  We don’t enable it when customers lease 
routers from us.  These cams should be using some sort of proxy in the cloud to 
relay the video, not port forwarding on the customer’s router.

 

I also suspect a lot of these are outside the US.  At the risk of opening up 
the dreaded “NAT is not a firewall” and “IPv6 is great/terrible” debates, how 
does IPv6 not increase the IoT threat?  What is the typical setup for an IPv6 
enabled customer with toasters and webcams that get public IPs?  Does the 
router from the ISP or supplied by the customer still implement a stateful 
firewall so that inbound traffic is blocked unless a connection has been 
established by outbound traffic or a port forwarding rule?  Or are there IPv6 
toasters with web and CLI access wide open?  Does UPnP still exist with IPv6?  
Maybe it’s no more of a problem with IPv6, but then I still wonder, why are so 
many IoT devices accessible via telnet to exploit the hardcoded default 
passwords?  Maybe it’s not our customers buying cheap webcams at Costco, maybe 
it’s really businesses putting their security cameras directly on public IP 
addresses?

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza
Sent: Saturday, October 22, 2016 9:57 AM
To: Animal Farm <af@afmug.com>
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

'Smart' home devices used as weapons in website attack
http://www.bbc.com/news/technology-37738823

 

On Oct 22, 2016 8:14 AM, "Mike Hammett" <af...@ics-il.net 
<mailto:af...@ics-il.net> > wrote:

Here's a tested config that works with standard IP Firewall. Once I get a 
chance, I'll make and test a version that uses raw.

/ip firewall address-list
add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" list=Public_Networks

/ip firewall filter
add action=drop chain=forward comment="Block Spoofed Traffic" out-interface=[upstream interface] src-address-list=!Public_Networks





-
Mike Hammett
 <http://www.ics-il.com/> Intelligent Computing Solutions
 <https://www.facebook.com/ICSIL>  
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>  
<https://www.linkedin.com/company/intelligent-computing-solutions>  
<https://twitter.com/ICSIL> 
 <http://www.midwest-ix.com/> Midwest Internet Exchange
 <https://www.facebook.com/mdwestix>  
<https://www.linkedin.com/company/midwest-internet-exchange>  
<https://twitter.com/mdwestix> 
 <http://www.thebrotherswisp.com/> The Brothers WISP
 <https://www.facebook.com/thebrotherswisp>  
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> 





  _  


From: "Mike Hammett" <af...@ics-il.net <mailto:af...@ics-il.net> >
To: af@afmug.com <mailto:af@afmug.com> 
Sent: Friday, October 21, 2016 12:17:13 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

/ip firewall address-list
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"

/ip firewall filter
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" dst-address-list=!"Public-IPs"

That was largely composed off of the top of my head and typed on my phone, so 
it may not be completely accurate.


You should also do it on customer-facing ports, not allowing anything to come 
in, but that would be best approached once Mikrotik adds the per-interface 
setting for unicast reverse path filtering. You would then set customer-facing 
interfaces to strict and all other interfaces to loose. They accepted the 
feature request, just haven't implemented it yet.



-
Mike Hammett
 <http://www.ics-il.com/> Intelligent Computing Solutions
 <http://www.midwest-ix.com/> Midwest Internet Exchange
 <http://www.thebrotherswisp.com/> The Brothers WISP
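Ken's IPv6 questions above come down to one mechanism: with or without NAT, what keeps a webcam or toaster with a global IPv6 address from being reached on telnet is a stateful filter on the CPE, plus whatever pinholes the device talks the router into opening. The following is an added example, not code from the original post or from any router vendor: a minimal Python model of such a filter, run over constructed traffic. The customer prefix (a documentation range), interface names, addresses, ports and flows are all assumptions made for the example, and the open_pinhole call stands in for what a protocol such as PCP, or UPnP's IPv6 firewall control, would do on a real CPE.

```python
import ipaddress

# Constructed customer /64 (documentation prefix) and interface names.
CUSTOMER_LAN = ipaddress.ip_network("2001:db8:1::/64")
LAN_IF, WAN_IF = "lan", "wan"


class StatefulCpeFirewall:
    """Default-deny inbound: accept only replies to flows that started on the
    LAN side, or traffic to an explicitly opened pinhole. No NAT involved."""

    def __init__(self):
        self.flows = set()     # (lan_addr, lan_port, remote_addr, remote_port, proto)
        self.pinholes = set()  # (lan_addr, lan_port, proto)

    def open_pinhole(self, lan_addr, port, proto):
        """What a UPnP-style / PCP request from the device achieves: unsolicited
        inbound to this address and port is now allowed (assumed behaviour)."""
        self.pinholes.add((ipaddress.ip_address(lan_addr), port, proto))

    def forward(self, in_iface, src, sport, dst, dport, proto):
        src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if in_iface == LAN_IF:
            # Outbound: only the customer's own /64 may source packets; remember
            # the flow so the reply is recognised as established.
            if src_a not in CUSTOMER_LAN:
                return "drop (source not in customer prefix)"
            self.flows.add((src_a, sport, dst_a, dport, proto))
            return "accept (new outbound)"
        # Inbound from the WAN: established, pinhole, otherwise drop.
        if dst_a not in CUSTOMER_LAN:
            return "drop (not for this LAN)"
        if (dst_a, dport, src_a, sport, proto) in self.flows:
            return "accept (established)"
        if (dst_a, dport, proto) in self.pinholes:
            return "accept (pinhole)"
        return "drop (unsolicited inbound)"


def run_scenario():
    """Constructed traffic: a webcam on the LAN, a cloud relay it pushes video
    to, and an Internet scanner probing telnet. Returns the verdicts."""
    fw = StatefulCpeFirewall()
    cam, relay, scanner = "2001:db8:1::cafe", "2001:db8:ffff::1", "2001:db8:bad::1"
    verdicts = {}
    # Cloud-relay model: the cam opens the connection, so the reply is established.
    verdicts["cam_to_relay"] = fw.forward(LAN_IF, cam, 40000, relay, 443, "tcp")
    verdicts["relay_reply"] = fw.forward(WAN_IF, relay, 443, cam, 40000, "tcp")
    # Scanner tries telnet on the cam's global address: dropped by default.
    verdicts["scan_telnet"] = fw.forward(WAN_IF, scanner, 51000, cam, 23, "tcp")
    # The cam asks the router to open telnet (UPnP-style pinhole); now it gets in.
    fw.open_pinhole(cam, 23, "tcp")
    verdicts["scan_telnet_after_pinhole"] = fw.forward(WAN_IF, scanner, 51000, cam, 23, "tcp")
    # A reply-looking packet with no matching outbound flow is still unsolicited.
    verdicts["fake_reply"] = fw.forward(WAN_IF, relay, 443, cam, 40001, "tcp")
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:26s} {verdict}")
```

The point the model makes is that the absence of NAT changes nothing: the unsolicited telnet probe is dropped until the device itself, via a pinhole request the router honours, opens the port. A CPE that disables that request (or never implements it) and relies on the relay pattern for the camera's own traffic leaves the device unreachable from outside even though it has a public address.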

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-22 Thread Jaime Solorza
'Smart' home devices used as weapons in website attack
http://www.bbc.com/news/technology-37738823

On Oct 22, 2016 8:14 AM, "Mike Hammett" <af...@ics-il.net> wrote:

> Here's a tested config that works with standard IP Firewall. Once I get a
> chance, I'll make and test a version that uses raw.
>
> /ip firewall address-list
> add address=x.x.x.x/yy comment="My IPs" list=Public_Networks
> add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks
> add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation"
> list=Public_Networks
>
> /ip firewall filter
> add action=drop chain=forward comment="Block Spoofed Traffic"
> out-interface=[upstream interface] src-address-list=!Public_Networks
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> --
> *From: *"Mike Hammett" <af...@ics-il.net>
> *To: *af@afmug.com
> *Sent: *Friday, October 21, 2016 12:17:13 PM
> *Subject: *Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> /ip firewall address-list
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream
> customer X IPs"
>
> /ip firewall filter
> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no
> out-interface="To-Upstream" dst-address-list=!"Public-IPs"
>
> That was largely composed off of the top of my head and typed on my phone,
> so it may not be completely accurate.
>
>
> You should also do it on customer-facing ports, not allowing anything to
> come in, but that would be best approached once Mikrotik adds the
> per-interface setting for unicast reverse path filtering. You would then set
> customer-facing interfaces to strict and all other interfaces to loose.
> They accepted the feature request, just haven't implemented it yet.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> --
> *From: *"Mike Hammett" <af...@ics-il.net>
> *To: *af@afmug.com
> *Sent: *Friday, October 21, 2016 11:21:35 AM
> *Subject: *[AFMUG] Another large DDoS, Stop Being a Dick
>
> There's another large DDoS going on now. Go to this page to see if you can
> be used for UDP amplification (or other spoofing) attacks:
>
> https://www.caida.org/projects/spoofer/
>
> Go to these pages for longer-term bad behavior monitoring:
>
> https://www.shadowserver.org/wiki/
> https://radar.qrator.net/
>
>
> Maybe we need to start a database of ASNs WISPs are using and start naming
> and shaming them when they have bad actors on their network. This is
> serious, people. Take it seriously.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
>
>
>
>


Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-22 Thread Mike Hammett
Here's a tested config that works with standard IP Firewall. Once I get a 
chance, I'll make and test a version that uses raw. 

/ip firewall address-list 
# Every prefix that may legitimately appear as a source address on the way out: 
# your own space, the upstream link net, and any downstream customer allocations. 
add address=x.x.x.x/yy comment="My IPs" list=Public_Networks 
add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks 
add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" list=Public_Networks 

/ip firewall filter 
# Forward-chain egress check (BCP38): anything leaving toward the upstream with a 
# source address outside the list cannot be ours and gets dropped. 
add action=drop chain=forward comment="Block Spoofed Traffic" out-interface=[upstream interface] src-address-list=!Public_Networks 





- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Mike Hammett" <af...@ics-il.net> 
To: af@afmug.com 
Sent: Friday, October 21, 2016 12:17:13 PM 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 


/ip firewall address-list 
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs" 
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs" 

/ip firewall filter 
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" dst-address-list=!"Public-IPs" 

That was largely composed off of the top of my head and typed on my phone, so 
it may not be completely accurate. 


You should also do it on customer-facing ports, not allowing anything to come 
in, but that would be best approached once Mikrotik adds the per-interface 
setting for unicast reverse path filtering. You would then set customer-facing 
interfaces to strict and all other interfaces to loose. They accepted the 
feature request, just haven't implemented it yet. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Mike Hammett" <af...@ics-il.net> 
To: af@afmug.com 
Sent: Friday, October 21, 2016 11:21:35 AM 
Subject: [AFMUG] Another large DDoS, Stop Being a Dick 


There's another large DDoS going on now. Go to this page to see if you can be 
used for UDP amplification (or other spoofing) attacks: 

https://www.caida.org/projects/spoofer/ 

Go to these pages for longer-term bad behavior monitoring: 

https://www.shadowserver.org/wiki/ 
https://radar.qrator.net/ 


Maybe we need to start a database of ASNs WISPs are using and start naming and 
shaming them when they have bad actors on their network. This is serious, 
people. Take it seriously. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 
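The two rule variants posted in this thread differ in one word: the Oct 21 draft matched dst-address-list, the tested Oct 22 config matches src-address-list. The following is an added example, not code from the original posts or from MikroTik: a Python model of the address list plus forward-chain drop, and of the per-interface strict/loose unicast RPF Mike describes, run over constructed packets. The prefixes (documentation ranges standing in for the x.x.x.x/yy placeholders), the interface names, the routing table and the sample packets are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address-list contents standing in for the x.x.x.x/yy placeholders
# in the posted config (documentation ranges).
PUBLIC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # "My IPs"
    "198.51.100.0/30",  # "Upstream /30"
    "192.0.2.0/24",     # "Customer ABC's ARIN allocation"
)]

UPSTREAM = "To-Upstream"        # out-interface in the posted rule (assumed name)
CUSTOMERS = "ether2-customers"  # customer-facing interface (assumed name)

# Constructed routing table: prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): CUSTOMERS,
    ipaddress.ip_network("192.0.2.0/24"): CUSTOMERS,
    ipaddress.ip_network("198.51.100.0/30"): UPSTREAM,
    ipaddress.ip_network("0.0.0.0/0"): UPSTREAM,  # default route
}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str


def in_address_list(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PUBLIC_NETWORKS)


def egress_rule(pkt: Packet, field: str) -> str:
    """The forward-chain drop rule: fires only when the packet leaves via the
    upstream interface and the chosen address is NOT in the list.
    field="src" models the tested rule (src-address-list=!Public_Networks);
    field="dst" models the first draft (dst-address-list=!"Public-IPs")."""
    if pkt.out_iface != UPSTREAM:
        return "accept"
    addr = pkt.src if field == "src" else pkt.dst
    return "accept" if in_address_list(addr) else "drop"


def reverse_path_iface(addr: str):
    """Longest-prefix lookup of the route back toward addr (None if no route)."""
    a = ipaddress.ip_address(addr)
    matches = [net for net in ROUTES if a in net]
    if not matches:
        return None
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]


def urpf(pkt: Packet, mode: str) -> str:
    """Per-interface unicast RPF. strict: the route back to the source must exit
    the interface the packet came in on. loose: any route back is enough; this
    model counts the default route, as Linux rp_filter=2 does."""
    back = reverse_path_iface(pkt.src)
    if mode == "strict":
        return "accept" if back == pkt.in_iface else "drop"
    return "accept" if back is not None else "drop"


# Constructed sample packets.
SAMPLES = {
    "customer_to_internet": Packet(CUSTOMERS, UPSTREAM, "192.0.2.10", "8.8.8.8"),
    "spoofed_from_customer": Packet(CUSTOMERS, UPSTREAM, "10.9.8.7", "8.8.8.8"),
    "reply_from_internet": Packet(UPSTREAM, CUSTOMERS, "8.8.8.8", "192.0.2.10"),
    "our_prefix_from_upstream": Packet(UPSTREAM, CUSTOMERS, "192.0.2.55", "192.0.2.10"),
}


def evaluate(pkt: Packet) -> dict:
    return {
        "egress_src_rule": egress_rule(pkt, "src"),
        "egress_dst_rule": egress_rule(pkt, "dst"),
        "urpf_strict": urpf(pkt, "strict"),
        "urpf_loose": urpf(pkt, "loose"),
    }


def evaluate_samples() -> dict:
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate_samples().items():
        print(f"{name:26s} {verdicts}")
```

Two things fall out when it runs. Matching on destination drops the customer's legitimate packet to any address outside the list (the whole Internet), while matching on source drops only the packet whose source is not ours. And with a default route present, loose mode accepts the spoofed packet that strict mode on the customer port drops, which is exactly why strict belongs on customer-facing interfaces and loose on the upstream, where our own prefixes can legitimately arrive via asymmetric paths only if the check is relaxed.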









Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Ken Hohhof
Possibly.

https://www.opendns.com/about/press-releases/opendns-introduces-smartcache-new-feature-enables-web-sites-to-load-successfully-with-opendns-while-offline-for-the-rest-of-the-internet/

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of That One Guy /sarcasm
Sent: Friday, October 21, 2016 6:23 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

I'm seeing a lot of people talking about using OpenDNS to resolve a lot of the 
issue for themselves. Is OpenDNS one of those dickbags that break dynamic DNS 
by extending TTL?

 

On Fri, Oct 21, 2016 at 5:55 PM, That One Guy /sarcasm 
<thatoneguyst...@gmail.com <mailto:thatoneguyst...@gmail.com> > wrote:

I audibly LOL'd at that. The person saying it doesn't realize that an individual who 
would be tiered and strapped financially to where data caps were an issue 
would be priced out of a "cyber hit" on Comcast. LOL, Lizard Squad, like the 
boogeyman.

 

On Fri, Oct 21, 2016 at 5:35 PM, Ken Hohhof <af...@kwisp.com 
<mailto:af...@kwisp.com> > wrote:

Claiming someone was trying to take down Comcast because of their data caps.  
Here’s a sample comment:

 

“its most likely someone got pissed off at caps fees for Comcast and hired 
lizard squad or aka poodle corps”

 

All the top minds hang out on Broadband Reports.  And they think the most 
pressing issue the world faces is Comcast 1TB/mo data caps.  Never mind 
terrorism, nuclear war, global warming, Zika …

 

From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com> ] On Behalf 
Of Tim Reichhart
Sent: Friday, October 21, 2016 5:22 PM
To: af@afmug.com <mailto:af@afmug.com> 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

If it was the data caps, why would it take down major apps like WhatsApp, 
etc.? There are other ISPs that impose data caps just like Comcast; I don't think 
that's part of it. I am thinking more toward WikiLeaks; it's mostly blowback. 
Because Level 3 is also down again, something is up again with this DDoS.

 


  _  


-Original Message-
From: "Paul Stewart" <p...@paulstewart.org <mailto:p...@paulstewart.org> >
To: af@afmug.com <mailto:af@afmug.com> 
Date: 10/21/16 05:59 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

Yup and while that sounds absolutely crazy in one regard, it's scary and real 
in another …..

 

There was a study (can't find it at moment) done that was in reference to a 
600Gb/s attack through NTP amplification and it showed that only 1-2% of 
*vulnerable* devices participated in the attack .. "what if" 50% of those 
devices were participating kind of thing

 

On Oct 21, 2016, at 5:50 PM, Ken Hohhof <af...@kwisp.com 
<mailto:af...@kwisp.com> > wrote:

 

 

Well, lots of theories.  Another is it's retaliation against Dyn for publicly 
calling out BackConnect for BGP spoofing.  One guy posted very authoritatively 
on Broadband Reports that the real target was Comcast because … data caps.

 

I'm not sure I buy that WikiLeaks attacked Dyn because of the Ecuador thing.  
For one thing, WikiLeaks does leaks; DDoS attacks are more like Anonymous.  But 
probably you're saying it's Russia.  H, that seems like quite an 
escalation, since Assange losing his WiFi in the embassy is hardly going to 
stop Wikileaks unless there's a lot bigger cyber attack on Wikileaks than has 
been reported.

 

I heard someone on the radio say after Ecuador took away Assange's Internet 
privileges, "be sure to lock your Ecuadors and windows".

 

One thing we can probably all agree on is that it was just a matter of time 
before somebody DDoS'd the whole Internet.  The capability has probably been 
there for awhile and it's almost surprising it took this long.  Nobody seemed 
to want to do anything about the DDoS problem when it was just gamer kids 
booting each other and DD4BC and little WISPs getting blown off the air because 
they couldn't mitigate 1 Gb+ attacks.  I hope someone has been thinking about 
what to do when they start blowing the whole Internet off the air on a daily 
basis.

 

 

 From: Af [ <mailto:af-boun...@afmug.com> mailto:af-boun...@afmug.com] On 
Behalf Of Tim Reichhart
Sent: Friday, October 21, 2016 4:14 PM
To:  <mailto:af@afmug.com> af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 

 

 

  
http://www.nbcnews.com/news/us-news/u-s-urged-ecuador-act-against-assange-n669271
 
 

I say this major DDoS attack is surely blowback from what the US told Ecuador, to 
act against the WikiLeaks leader.

  _  

-Original Message-
From: "That One Guy /sarcasm" < <mailto:thatoneguyst...@gmail.com> 
thatoneguyst...@gmail.com>
To:  <mailto:af@afmug.com> af@afmug.com
Date: 10/21/16 05:06 PM

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Josh Reynolds
Hahahaha...

On Oct 21, 2016 4:11 PM, "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
wrote:

> *rené* ‏@Renatus84  <https://twitter.com/Renatus84> 23m23 minutes ago
> <https://twitter.com/Renatus84/status/789568998895656964>
>
> We're going to build a firewall, a huge, beautiful firewall, and hackers
> are gonna pay for it #*DDoS* <https://twitter.com/hashtag/DDoS?src=hash> #
> DDoSAttack <https://twitter.com/hashtag/DDoSAttack?src=hash>
>
> On Fri, Oct 21, 2016 at 4:06 PM, That One Guy /sarcasm <
> thatoneguyst...@gmail.com> wrote:
>
>> I think there are only two hackers left; the rest are script kiddies.
>> Half of these mopes calling themselves "hackers" have little education;
>> hacking quite often requires a high degree of mathematics capability, most
>> of these l77t "hackers" can't even multiply
>>
>> On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org>
>> wrote:
>>
>>> Good point … and totally agree that the word “hacking” used to mean
>>> something - now it just kinda makes people laugh and not take it seriously
>>> at all anymore…
>>>
>>>
>>> On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:
>>>
>>> I think his point was that a denial of service attack is not hacking.
>>>
>>> I just heard on the radio someone was asking, if I try to use Twitter
>>> and it doesn’t work because of this attack, is my computer now hacked?
>>>
>>> Even stuff that rightly gets called hacking is an insult to hackers.
>>> Like if your webcam is on a public IP address and I guess that the password
>>> is 1234, and that gets me root access to install whatever I want, it hardly
>>> seems right to call that hacking.
>>>
>>> But taking down a site by flooding it (or its authoritative DNS servers)
>>> with traffic is not the same as hacking the site.
>>>
>>>
>>> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
>>> Behalf Of *Paul Stewart
>>> *Sent:* Friday, October 21, 2016 3:34 PM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>
>>> Agree…. it should be focused on end users better securing themselves ….
>>>
>>>
>>> On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <
>>> thatoneguyst...@gmail.com> wrote:
>>>
>>> I'm getting irritated by news reports calling this hacking. That term has
>>> been so obfuscated by dimwits that it has no value.
>>>
>>> On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <
>>> j...@imaginenetworksllc.com> wrote:
>>>
>>> It works great for me 90% of the time.  The other 10% it refuses to
>>> function at all.
>>>
>>>
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>>
>>> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org>
>>> wrote:
>>>
>>> LOL …. scary shit….
>>>
>>> Facebook being slow isn’t anything new in my experience … they have to
>>> be having a hard time keeping up sometimes …. last I heard they were adding
>>> something around 200-300 new servers a day in each data centre
>>>
>>>
>>> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <
>>> thatoneguyst...@gmail.com> wrote:
>>>
>>> forcing people to interact in person... a dangerous prospect in these
>>> times
>>>
>>> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <
>>> timreichh...@hometowncable.net> wrote:
>>>
>>> It seems like facebook is also getting slow.
>>>
>>>
>>> --
>>>
>>> -Original Message-
>>> From: "Travis Johnson" <t...@ida.net>
>>> To: af@afmug.com
>>> Date: 10/21/16 02:37 PM
>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>
>>> This is still going right now... big and small websites and ISP's are
>>> unreachable and unresponsive. :(
>>>
>>> Travis
>>>
>>> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>>>
>>>
>>> Interesting, according to that, the ISP DNS servers are recruited as
>>> part of the attack on the victim's authoritative DNS servers, by sending
>>> queries from within the ISP's net

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread That One Guy /sarcasm
I'm seeing a lot of people talking about using OpenDNS to resolve a lot of the
issue for themselves. Is OpenDNS one of those dickbags that break dynamic
DNS by extending TTL?

On Fri, Oct 21, 2016 at 5:55 PM, That One Guy /sarcasm <
thatoneguyst...@gmail.com> wrote:

> I audibly LOL'd at that. The person saying it doesn't realize that an
> individual who would be tiered and strapped financially to where data caps
> were an issue would be priced out of a "cyber hit" on Comcast. LOL, Lizard
> Squad, like the boogeyman.
>
> On Fri, Oct 21, 2016 at 5:35 PM, Ken Hohhof <af...@kwisp.com> wrote:
>
>> Claiming someone was trying to take down Comcast because of their data
>> caps.  Here’s a sample comment:
>>
>>
>>
>> “its most likely someone got pissed off at caps fees for Comcast and
>> hired lizard squad or aka poodle corps”
>>
>>
>>
>> All the top minds hang out on Broadband Reports.  And they think the most
>> pressing issue the world faces is Comcast 1TB/mo data caps.  Never mind
>> terrorism, nuclear war, global warming, Zika …
>>
>>
>>
>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Tim Reichhart
>> *Sent:* Friday, October 21, 2016 5:22 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>>
>>
>> If it was the data caps, why would it take down major apps like
>> WhatsApp, etc.? There are other ISPs that impose data caps just like Comcast; I don't
>> think that's part of it. I am thinking more toward WikiLeaks; it's mostly
>> blowback. Because Level 3 is also down again, something is up again with
>> this DDoS.
>>
>>
>>
>> --
>>
>> -Original Message-
>> From: "Paul Stewart" <p...@paulstewart.org>
>> To: af@afmug.com
>> Date: 10/21/16 05:59 PM
>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> Yup and while that sounds absolutely crazy in one regard, it's scary and
>> real in another …..
>>
>>
>>
>> There was a study (can't find it at moment) done that was in reference to
>> a 600Gb/s attack through NTP amplification and it showed that only 1-2% of
>> *vulnerable* devices participated in the attack .. "what if" 50% of those
>> devices were participating kind of thing
>>
>>
>>
>> On Oct 21, 2016, at 5:50 PM, Ken Hohhof <af...@kwisp.com> wrote:
>>
>>
>>
>>
>>
>> Well, lots of theories.  Another is it's retaliation against Dyn for
>> publicly calling out BackConnect for BGP spoofing.  One guy posted very
>> authoritatively on Broadband Reports that the real target was Comcast
>> because … data caps.
>>
>>
>>
>> I'm not sure I buy that WikiLeaks attacked Dyn because of the Ecuador
>> thing.  For one thing, WikiLeaks does leaks; DDoS attacks are more like
>> Anonymous.  But probably you're saying it's Russia.  H, that seems like
>> quite an escalation, since Assange losing his WiFi in the embassy is hardly
>> going to stop Wikileaks unless there's a lot bigger cyber attack on
>> Wikileaks than has been reported.
>>
>>
>>
>> I heard someone on the radio say after Ecuador took away Assange's
>> Internet privileges, "be sure to lock your Ecuadors and windows".
>>
>>
>>
>> One thing we can probably all agree on is that it was just a matter of
>> time before somebody DDoS'd the whole Internet.  The capability has
>> probably been there for awhile and it's almost surprising it took this
>> long.  Nobody seemed to want to do anything about the DDoS problem when it
>> was just gamer kids booting each other and DD4BC and little WISPs getting
>> blown off the air because they couldn't mitigate 1 Gb+ attacks.  I hope
>> someone has been thinking about what to do when they start blowing the
>> whole Internet off the air on a daily basis.
>>
>>
>>
>>
>>
>>  *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
>> Behalf Of *Tim Reichhart
>> *Sent:* Friday, October 21, 2016 4:14 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>>
>>
>>
>>
>>
>>
>> http://www.nbcnews.com/news/us-news/u-s-urged-ecuador-act-against-assange-n669271
>>
>>
>> I say this major ddos attack is sure blow back on what US told Ecuador to
&g

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread That One Guy /sarcasm
I audibly LOL'd at that. The person saying it doesn't realize that an individual
who would be tiered and strapped financially to where data caps were an
issue would be priced out of a "cyber hit" on Comcast. LOL, Lizard Squad,
like the boogeyman.

On Fri, Oct 21, 2016 at 5:35 PM, Ken Hohhof <af...@kwisp.com> wrote:

> Claiming someone was trying to take down Comcast because of their data
> caps.  Here’s a sample comment:
>
>
>
> “its most likely someone got pissed off at caps fees for Comcast and
> hired lizard squad or aka poodle corps”
>
>
>
> All the top minds hang out on Broadband Reports.  And they think the most
> pressing issue the world faces is Comcast 1TB/mo data caps.  Never mind
> terrorism, nuclear war, global warming, Zika …
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Tim Reichhart
> *Sent:* Friday, October 21, 2016 5:22 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
>
>
> If it was the data caps, why would it take down major apps like
> WhatsApp, etc.? There are other ISPs that impose data caps just like Comcast; I don't
> think that's part of it. I am thinking more toward WikiLeaks; it's mostly
> blowback. Because Level 3 is also down again, something is up again with
> this DDoS.
>
>
>
> --
>
> -Original Message-----
> From: "Paul Stewart" <p...@paulstewart.org>
> To: af@afmug.com
> Date: 10/21/16 05:59 PM
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> Yup and while that sounds absolutely crazy in one regard, it's scary and
> real in another …..
>
>
>
> There was a study (can't find it at moment) done that was in reference to
> a 600Gb/s attack through NTP amplification and it showed that only 1-2% of
> *vulnerable* devices participated in the attack .. "what if" 50% of those
> devices were participating kind of thing
>
>
>
> On Oct 21, 2016, at 5:50 PM, Ken Hohhof <af...@kwisp.com> wrote:
>
>
>
>
>
> Well, lots of theories.  Another is it's retaliation against Dyn for
> publicly calling out BackConnect for BGP spoofing.  One guy posted very
> authoritatively on Broadband Reports that the real target was Comcast
> because … data caps.
>
>
>
> I'm not sure I buy that WikiLeaks attacked Dyn because of the Ecuador
> thing.  For one thing, WikiLeaks does leaks; DDoS attacks are more like
> Anonymous.  But probably you're saying it's Russia.  H, that seems like
> quite an escalation, since Assange losing his WiFi in the embassy is hardly
> going to stop Wikileaks unless there's a lot bigger cyber attack on
> Wikileaks than has been reported.
>
>
>
> I heard someone on the radio say after Ecuador took away Assange's
> Internet privileges, "be sure to lock your Ecuadors and windows".
>
>
>
> One thing we can probably all agree on is that it was just a matter of
> time before somebody DDoS'd the whole Internet.  The capability has
> probably been there for awhile and it's almost surprising it took this
> long.  Nobody seemed to want to do anything about the DDoS problem when it
> was just gamer kids booting each other and DD4BC and little WISPs getting
> blown off the air because they couldn't mitigate 1 Gb+ attacks.  I hope
> someone has been thinking about what to do when they start blowing the
> whole Internet off the air on a daily basis.
>
>
>
>
>
>  *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
> Behalf Of *Tim Reichhart
> *Sent:* Friday, October 21, 2016 4:14 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
>
>
>
>
>
>
> http://www.nbcnews.com/news/us-news/u-s-urged-ecuador-act-against-assange-n669271
>
>
> I say this major DDoS attack is surely blowback from what the US told Ecuador, to
> act against the WikiLeaks leader.
>
> --
>
> -Original Message-
> From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
> To: af@afmug.com
> Date: 10/21/16 05:06 PM
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
>
>
> I think there are only two hackers left; the rest are script kiddies.
>
> Half of these mopes calling themselves "hackers" have little education;
> hacking quite often requires a high degree of mathematics capability, most
> of these l77t "hackers" can't even multiply
>
>
>
>
>
>
>
>
>
>
>
> On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart &l

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Tim Reichhart
Well, if it was one pissed-off customer, I don't think he could pull it off by 
himself; it would take a good-sized group to do the amount of damage they have done, 
just saying.  I am still thinking it's blowback against the US for the whole WikiLeaks 
thing. We will never know the reason, but I can say that would be the top thing 
right now.


-Original Message-
From: "Ken Hohhof" <af...@kwisp.com>
To: af@afmug.com
Date: 10/21/16 06:35 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 
Claiming someone was trying to take down Comcast because of their data caps.  
Here's a sample comment:
 
"its most likely someone got pissed off at caps fees for Comcast and hired 
lizard squad or aka poodle corps"
 
All the top minds hang out on Broadband Reports.  And they think the most 
pressing issue the world faces is Comcast 1TB/mo data caps.  Never mind 
terrorism, nuclear war, global warming, Zika …
 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tim Reichhart
Sent: Friday, October 21, 2016 5:22 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 
If it was the data caps, why would it take down major apps like WhatsApp, 
etc.? There are other ISPs that impose data caps just like Comcast; I don't think 
that's part of it. I am thinking more toward WikiLeaks; it's mostly blowback. 
Because Level 3 is also down again, something is up again with this DDoS.
 

-Original Message-
From: "Paul Stewart" <p...@paulstewart.org>
To: af@afmug.com
Date: 10/21/16 05:59 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

Yup and while that sounds absolutely crazy in one regard, it's scary and real 
in another …..
 

There was a study (can't find it at moment) done that was in reference to a 
600Gb/s attack through NTP amplification and it showed that only 1-2% of 
*vulnerable* devices participated in the attack .. "what if" 50% of those 
devices were participating kind of thing

 

On Oct 21, 2016, at 5:50 PM, Ken Hohhof <af...@kwisp.com> wrote:
 
 
Well, lots of theories.  Another is it's retaliation against Dyn for publicly 
calling out BackConnect for BGP spoofing.  One guy posted very authoritatively 
on Broadband Reports that the real target was Comcast because … data caps.

 

I'm not sure I buy that WikiLeaks attacked Dyn because of the Ecuador thing.  
For one thing, WikiLeaks does leaks; DDoS attacks are more like Anonymous.  But 
probably you're saying it's Russia.  H, that seems like quite an 
escalation, since Assange losing his WiFi in the embassy is hardly going to 
stop Wikileaks unless there's a lot bigger cyber attack on Wikileaks than has 
been reported.

 

I heard someone on the radio say after Ecuador took away Assange's Internet 
privileges, "be sure to lock your Ecuadors and windows".

 

One thing we can probably all agree on is that it was just a matter of time 
before somebody DDoS'd the whole Internet.  The capability has probably been 
there for awhile and it's almost surprising it took this long.  Nobody seemed 
to want to do anything about the DDoS problem when it was just gamer kids 
booting each other and DD4BC and little WISPs getting blown off the air because 
they couldn't mitigate 1 Gb+ attacks.  I hope someone has been thinking about 
what to do when they start blowing the whole Internet off the air on a daily 
basis.

 

 

 From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tim Reichhart
Sent: Friday, October 21, 2016 4:14 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 

 

 
 
 

I say this major DDoS attack is surely blowback from what the US told Ecuador, to 
act against the WikiLeaks leader.


-Original Message-
From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
To: af@afmug.com
Date: 10/21/16 05:06 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
 
I think there are only two hackers left, the rest are script kiddies

half of these mopes calling themselves "hackers" have little education, hacking 
quite often requires a high degree of mathematics capability, most of these l77t 
"hackers" can't even multiply

On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:

Good point … and totally agree that the word "hacking" used to mean something - 
now it just kinda makes people laugh and not take it seriously at all anymore…

On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:

I think his point was that a denial of service attack is not hacking.

 

I just heard on the radio someone was asking, if I try to use Twitter and it 
doesn't work because of this attack, is my computer now hacked?

 

Even stuff that rightly gets called hacking is an insult to hackers. Like if 
your webcam is on a public IP address and I guess that the password is 1234, 
and that gets me root access to install whatever I 

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Ken Hohhof
Claiming someone was trying to take down Comcast because of their data caps.  
Here’s a sample comment:

 

“its most likely someone got pissed off at caps fees for Comcast and hired 
lizard squad or aka poodle corps”

 

All the top minds hang out on Broadband Reports.  And they think the most 
pressing issue the world faces is Comcast 1TB/mo data caps.  Never mind 
terrorism, nuclear war, global warming, Zika …

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tim Reichhart
Sent: Friday, October 21, 2016 5:22 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

If it was the data caps, why would it take down major apps like WhatsApp etc.? 
There are other ISPs that impose data caps just like Comcast; I don't think 
that's part of it. I am thinking more toward WikiLeaks; it's mostly blowback. 
Because Level 3 is also down again, so something is up again with this DDoS.

-Original Message-
From: "Paul Stewart" <p...@paulstewart.org>
To: af@afmug.com
Date: 10/21/16 05:59 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

Yup and while that sounds absolutely crazy in one regard, it's scary and real 
in another …..

There was a study (can't find it at the moment) done that was in reference to a 
600Gb/s attack through NTP amplification and it showed that only 1-2% of 
*vulnerable* devices participated in the attack .. "what if" 50% of those 
devices were participating kind of thing

 

On Oct 21, 2016, at 5:50 PM, Ken Hohhof <af...@kwisp.com> wrote:


Well, lots of theories.  Another is it's retaliation against Dyn for publicly 
calling out BackConnect for BGP spoofing.  One guy posted very authoritatively 
on Broadband Reports that the real target was Comcast because … data caps.

 

I'm not sure I buy that WikiLeaks attacked Dyn because of the Ecuador thing.  
For one thing, WikiLeaks does leaks, DDoS attacks are more like Anonymous.  But 
probably you're saying it's Russia.  Hmm, that seems like quite an 
escalation, since Assange losing his WiFi in the embassy is hardly going to 
stop Wikileaks unless there's a lot bigger cyber attack on Wikileaks than has 
been reported.

 

I heard someone on the radio say after Ecuador took away Assange's Internet 
privileges, "be sure to lock your Ecuadors and windows".

 

One thing we can probably all agree on is that it was just a matter of time 
before somebody DDoS'd the whole Internet.  The capability has probably been 
there for a while and it's almost surprising it took this long.  Nobody seemed 
to want to do anything about the DDoS problem when it was just gamer kids 
booting each other and DD4BC and little WISPs getting blown off the air because 
they couldn't mitigate 1 Gb+ attacks.  I hope someone has been thinking about 
what to do when they start blowing the whole Internet off the air on a daily 
basis.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tim Reichhart
Sent: Friday, October 21, 2016 4:14 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

http://www.nbcnews.com/news/us-news/u-s-urged-ecuador-act-against-assange-n669271

I say this major DDoS attack is sure blowback on what the US told Ecuador: to act 
against the WikiLeaks leader.

-Original Message-
From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
To: af@afmug.com
Date: 10/21/16 05:06 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

I think there are only two hackers left, the rest are script kiddies

half of these mopes calling themselves "hackers" have little education, hacking 
quite often requires a high degree of mathematics capability, most of these l77t 
"hackers" can't even multiply

 

 

 

 

 

On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:

Good point … and totally agree that the word "hacking" used to mean something - 
now it just kinda makes people laugh and not take it seriously at all anymore…

On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:

 

 

 

I think his point was that a denial of service attack is not hacking.

 

I just heard on the radio someone was asking, if I try to use Twitter and it 
doesn't work because of this attack, is my computer now hacked?

 

Even stuff that rightly gets called hacking is an insult to hackers. Like if 
your webcam is on a public IP address and I guess that the password i

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Tim Reichhart
If it was the data caps, why would it take down major apps like WhatsApp etc.? 
There are other ISPs that impose data caps just like Comcast; I don't think 
that's part of it. I am thinking more toward WikiLeaks; it's mostly blowback. 
Because Level 3 is also down again, so something is up again with this DDoS.


-Original Message-
From: "Paul Stewart" <p...@paulstewart.org>
To: af@afmug.com
Date: 10/21/16 05:59 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

Yup and while that sounds absolutely crazy in one regard, it's scary and real 
in another …..

There was a study (can't find it at the moment) done that was in reference to a 
600Gb/s attack through NTP amplification and it showed that only 1-2% of 
*vulnerable* devices participated in the attack .. "what if" 50% of those 
devices were participating kind of thing
 

On Oct 21, 2016, at 5:50 PM, Ken Hohhof <af...@kwisp.com> wrote:
 Well, lots of theories.  Another is it's retaliation against Dyn for publicly 
calling out BackConnect for BGP spoofing.  One guy posted very authoritatively 
on Broadband Reports that the real target was Comcast because … data caps.
 
I'm not sure I buy that WikiLeaks attacked Dyn because of the Ecuador thing.  
For one thing, WikiLeaks does leaks, DDoS attacks are more like Anonymous.  But 
probably you're saying it's Russia.  Hmm, that seems like quite an 
escalation, since Assange losing his WiFi in the embassy is hardly going to 
stop Wikileaks unless there's a lot bigger cyber attack on Wikileaks than has 
been reported.
 
I heard someone on the radio say after Ecuador took away Assange's Internet 
privileges, "be sure to lock your Ecuadors and windows".
 
One thing we can probably all agree on is that it was just a matter of time 
before somebody DDoS'd the whole Internet.  The capability has probably been 
there for a while and it's almost surprising it took this long.  Nobody seemed 
to want to do anything about the DDoS problem when it was just gamer kids 
booting each other and DD4BC and little WISPs getting blown off the air because 
they couldn't mitigate 1 Gb+ attacks.  I hope someone has been thinking about 
what to do when they start blowing the whole Internet off the air on a daily 
basis.
 
 
 From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tim Reichhart
Sent: Friday, October 21, 2016 4:14 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 
 
  
 
I say this major DDoS attack is sure blowback on what the US told Ecuador: to act 
against the WikiLeaks leader.


-Original Message-
From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
To: af@afmug.com
Date: 10/21/16 05:06 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

I think there are only two hackers left, the rest are script kiddies
half of these mopes calling themselves "hackers" have little education, hacking 
quite often requires a high degree of mathematics capability, most of these l77t 
"hackers" can't even multiply
 
 
  
 On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:
 Good point … and totally agree that the word "hacking" used to mean something 
- now it just kinda makes people laugh and not take it seriously at all anymore…
 
  
 On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:
 
  
I think his point was that a denial of service attack is not hacking.
 
I just heard on the radio someone was asking, if I try to use Twitter and it 
doesn't work because of this attack, is my computer now hacked?
 
Even stuff that rightly gets called hacking is an insult to hackers. Like if 
your webcam is on a public IP address and I guess that the password is 1234, 
and that gets me root access to install whatever I want, it hardly seems right 
to call that hacking.
 
But taking down a site by flooding it (or its authoritative DNS servers) with 
traffic is not the same as hacking the site.
 
 
 From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
Sent: Friday, October 21, 2016 3:34 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 
 
Agree…. it should be focused on end users better securing themselves …. 
  
On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> 
wrote:
 
I'm getting irritated by news reports calling this hacking. That term has been 
so obfuscated by dimwits that it has no value
  
 On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com> 
wrote:
It works great for me 90% of the time. The other 10% it refuses to function at 
all.
 

  
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
 
 
 
 On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org> wrote:
 LOL …. scary shit….
 
Facebook being slow isn't anything new in my experience … they have to be 
having a hard time keeping up sometim

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Ken Hohhof
It doesn’t help that DynECT sets the TTL so low.  I was trying to check SOA 
records for twitter.com earlier but couldn’t, now I see that TTL is set to 60 
seconds.

 

I know they want the ability to dynamically change their DNS records almost on 
the fly.  But if it were set to let’s say 1 hour, all the caching nameservers 
on the Internet would have just used cached information for an hour, during 
which time if the authoritative servers were intermittently available they 
might even have refreshed the information.

 

So knowing that DynECT is the sole authoritative DNS for many major sites which 
set their TTL extremely short, that makes Dyn a good target to take down whole 
swaths of the Internet.  I wonder if that TTL really needs to be 1 minute.  I 
guess it’s a balancing act, if their primary datacenter gets nuked, they want 
to be able to switch DNS records instantaneously and point at the backup 
datacenter.  But by essentially forcing every query to the authoritative 
servers, they make those a single point of failure.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tim Reichhart
Sent: Friday, October 21, 2016 4:35 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

 https://twitter.com/wikileaks/status/789574436219449345

WikiLeaks is asking its supporters to stop taking websites down, so it's for sure 
blowback against the US. Please don't say it's not; we all know how WikiLeaks is 
that powerful.

 


-Original Message-
From: "Mike Hammett" <af...@ics-il.net>
To: af@afmug.com
Date: 10/21/16 05:26 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

What?



-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

 From: "Tim Reichhart" <timreichh...@hometowncable.net>
To: af@afmug.com
Sent: Friday, October 21, 2016 4:14:15 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

  
http://www.nbcnews.com/news/us-news/u-s-urged-ecuador-act-against-assange-n669271

I say this major DDoS attack is sure blowback on what the US told Ecuador: to act 
against the WikiLeaks leader.


-Original Message-
From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
To: af@afmug.com
Date: 10/21/16 05:06 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

I think there are only two hackers left, the rest are script kiddies

half of these mopes calling themselves "hackers" have little education, hacking 
quite often requires a high degree of mathematics capability, most of these l77t 
"hackers" can't even multiply

 

 

On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:

Good point … and totally agree that the word "hacking" used to mean something - 
now it just kinda makes people laugh and not take it seriously at all anymore…

On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:

 

 

I think his point was that a denial of service attack is not hacking.

 

I just heard on the radio someone was asking, if I try to use Twitter and it 
doesn't work because of this attack, is my computer now hacked?

 

Even stuff that rightly gets called hacking is an insult to hackers. Like if 
your webcam is on a public IP address and I guess that the password is 1234, 
and that gets me root access to install whatever I want, it hardly seems right 
to call that hacking.

 

But taking down a site by flooding it (or its authoritative DNS servers) with 
traffic is not the same as hacking the site.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
Sent: Friday, October 21, 2016 3:34 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 

 

Agree…. it should be focused on end users better securing themselves …. 

 

On

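Ken Hohhof's post above argues that DynECT's 60-second TTLs turn the authoritative servers into a single point of failure, because a longer TTL would have let caching resolvers keep answering during the outage. The simulation below is an added example (my code, not anything from the list or from Dyn): a minimal caching resolver receives one query per second for a hypothetical name while the authoritative servers answer only 30 seconds out of every 600 (a constructed outage pattern), and the SERVFAIL rate is compared across TTLs. The serve_stale switch goes beyond the thread and models the RFC 8767 mitigation of answering from an expired cache entry when the authoritative side is unreachable.

```python
"""Caching-resolver simulation for the thread's TTL argument.

Added example, not code from the AFMUG list or from Dyn. It feeds a minimal
recursive resolver one query per second for one name while the authoritative
servers are only intermittently reachable, and counts how many client queries
fail for different record TTLs.
"""
from dataclasses import dataclass, field


@dataclass
class CachingResolver:
    """Minimal recursive resolver: one cache entry per name, expiring after TTL."""
    ttl: int                    # TTL (seconds) the zone owner puts on the record
    serve_stale: bool = False   # answer from an expired entry when upstream is down
    cache: dict = field(default_factory=dict)  # name -> (answer, expires_at)
    stats: dict = field(default_factory=lambda: {
        "fetched": 0, "hit": 0, "stale": 0, "servfail": 0})

    def resolve(self, name, now, authoritative_up):
        """Return the answer for `name` at second `now`, or None on SERVFAIL."""
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            self.stats["hit"] += 1           # fresh in cache: authoritative never contacted
            return entry[0]
        if authoritative_up(now):
            answer = f"A-record-for-{name}"  # constructed placeholder answer
            self.cache[name] = (answer, now + self.ttl)
            self.stats["fetched"] += 1
            return answer
        if self.serve_stale and entry is not None:
            self.stats["stale"] += 1         # RFC 8767 behaviour: expired but still usable
            return entry[0]
        self.stats["servfail"] += 1          # cache empty or expired, upstream unreachable
        return None


def authoritative_intermittent(now, period=600, up_seconds=30):
    """Constructed outage model: under attack the authoritative servers answer
    only during the first `up_seconds` of every `period`-second window."""
    return (now % period) < up_seconds


def simulate(ttl, duration=3600, serve_stale=False, model=authoritative_intermittent):
    """Issue one query per second for a single (hypothetical) name over
    `duration` seconds and return the resolver's counters plus the failure rate.
    The authoritative side is up at t=0, so the cache starts warm, as a real
    resolver's would be before an attack begins."""
    resolver = CachingResolver(ttl=ttl, serve_stale=serve_stale)
    for now in range(duration):
        resolver.resolve("twitter.example", now, model)
    stats = dict(resolver.stats)
    stats["servfail_fraction"] = stats["servfail"] / duration
    return stats


if __name__ == "__main__":
    print(f"{'TTL':>6} {'serve_stale':>11} {'fetched':>8} {'hit':>6} "
          f"{'stale':>6} {'servfail':>9}  failure")
    for ttl, stale in [(60, False), (300, False), (3600, False), (60, True)]:
        s = simulate(ttl, serve_stale=stale)
        print(f"{ttl:>6} {str(stale):>11} {s['fetched']:>8} {s['hit']:>6} "
              f"{s['stale']:>6} {s['servfail']:>9}  {s['servfail_fraction']:.0%}")
```

With this outage pattern a 60-second TTL fails 90% of client queries over the hour, a 300-second TTL fails half, and a one-hour TTL fails none; serving stale answers brings the 60-second case back to zero failures at the cost of answers that may be up to ten minutes out of date.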
Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Paul Stewart
Yup and while that sounds absolutely crazy in one regard, it’s scary and real 
in another …..

There was a study (can’t find it at the moment) done that was in reference to a 
600Gb/s attack through NTP amplification and it showed that only 1-2% of 
*vulnerable* devices participated in the attack .. “what if” 50% of those 
devices were participating kind of thing

> On Oct 21, 2016, at 5:50 PM, Ken Hohhof <af...@kwisp.com> wrote:
> 
> Well, lots of theories.  Another is it’s retaliation against Dyn for publicly 
> calling out BackConnect for BGP spoofing.  One guy posted very 
> authoritatively on Broadband Reports that the real target was Comcast because 
> … data caps.
>  
> I’m not sure I buy that WikiLeaks attacked Dyn because of the Ecuador thing.  
> For one thing, WikiLeaks does leaks, DDoS attacks are more like Anonymous.  
> But probably you’re saying it’s Russia.  Hmm, that seems like quite an 
> escalation, since Assange losing his WiFi in the embassy is hardly going to 
> stop Wikileaks unless there’s a lot bigger cyber attack on Wikileaks than has 
> been reported.
>  
> I heard someone on the radio say after Ecuador took away Assange’s Internet 
> privileges, “be sure to lock your Ecuadors and windows”.
>  
> One thing we can probably all agree on is that it was just a matter of time 
> before somebody DDoS’d the whole Internet.  The capability has probably been 
> there for a while and it’s almost surprising it took this long.  Nobody seemed 
> to want to do anything about the DDoS problem when it was just gamer kids 
> booting each other and DD4BC and little WISPs getting blown off the air 
> because they couldn’t mitigate 1 Gb+ attacks.  I hope someone has been 
> thinking about what to do when they start blowing the whole Internet off the 
> air on a daily basis.
>  
> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tim Reichhart
> Sent: Friday, October 21, 2016 4:14 PM
> To: af@afmug.com
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>  
> http://www.nbcnews.com/news/us-news/u-s-urged-ecuador-act-against-assange-n669271
> I say this major DDoS attack is sure blowback on what the US told Ecuador: to act 
> against the WikiLeaks leader.
>> 
>> -Original Message-
>> From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
>> To: af@afmug.com
>> Date: 10/21/16 05:06 PM
>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>> 
>> I think there are only two hackers left, the rest are script kiddies
>> half of these mopes calling themselves "hackers" have little education, 
>> hacking quite often requires a high degree of mathematics capability, most of 
>> these l77t "hackers" can't even multiply
>>  
>>  
>> On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:
>>> Good point … and totally agree that the word "hacking" used to mean 
>>> something - now it just kinda makes people laugh and not take it seriously 
>>> at all anymore…
>>>  
>>>  
>>>> On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:
>>>>  
>>>>  
>>>> I think his point was that a denial of service attack is not hacking.
>>>>  
>>>> I just heard on the radio someone was asking, if I try to use Twitter and 
>>>> it doesn't work because of this attack, is my computer now hacked?
>>>>  
>>>> Even stuff that rightly gets called hacking is an insult to hackers. Like 
>>>> if your webcam is on a public IP address and I guess that the password is 
>>>> 1234, and that gets me root access to install whatever I want, it hardly 
>>>> seems right to call that hacking.
>>>>  
>>>> But taking down a site by flooding it (or its authoritative DNS servers) 
>>>> with traffic is not the same as hacking the site.
>>>>  
>>>>  From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
>>>> Sent: Friday, October 21, 2016 3:34 PM
>>>> To: af@afmug.com
>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 
>>>>  
>>

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Ken Hohhof
Well, lots of theories.  Another is it’s retaliation against Dyn for publicly 
calling out BackConnect for BGP spoofing.  One guy posted very authoritatively 
on Broadband Reports that the real target was Comcast because … data caps.

 

I’m not sure I buy that WikiLeaks attacked Dyn because of the Ecuador thing.  
For one thing, WikiLeaks does leaks, DDoS attacks are more like Anonymous.  But 
probably you’re saying it’s Russia.  Hmm, that seems like quite an 
escalation, since Assange losing his WiFi in the embassy is hardly going to 
stop Wikileaks unless there’s a lot bigger cyber attack on Wikileaks than has 
been reported.

 

I heard someone on the radio say after Ecuador took away Assange’s Internet 
privileges, “be sure to lock your Ecuadors and windows”.

 

One thing we can probably all agree on is that it was just a matter of time 
before somebody DDoS’d the whole Internet.  The capability has probably been 
there for a while and it’s almost surprising it took this long.  Nobody seemed 
to want to do anything about the DDoS problem when it was just gamer kids 
booting each other and DD4BC and little WISPs getting blown off the air because 
they couldn’t mitigate 1 Gb+ attacks.  I hope someone has been thinking about 
what to do when they start blowing the whole Internet off the air on a daily 
basis.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tim Reichhart
Sent: Friday, October 21, 2016 4:14 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

  
http://www.nbcnews.com/news/us-news/u-s-urged-ecuador-act-against-assange-n669271

I say this major DDoS attack is sure blowback on what the US told Ecuador: to act 
against the WikiLeaks leader.


-Original Message-
From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
To: af@afmug.com
Date: 10/21/16 05:06 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

I think there are only two hackers left, the rest are script kiddies

half of these mopes calling themselves "hackers" have little education, hacking 
quite often requires a high degree of mathematics capability, most of these l77t 
"hackers" can't even multiply

 

 

On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:

Good point … and totally agree that the word "hacking" used to mean something - 
now it just kinda makes people laugh and not take it seriously at all anymore…

On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:

 

 

I think his point was that a denial of service attack is not hacking.

 

I just heard on the radio someone was asking, if I try to use Twitter and it 
doesn't work because of this attack, is my computer now hacked?

 

Even stuff that rightly gets called hacking is an insult to hackers. Like if 
your webcam is on a public IP address and I guess that the password is 1234, 
and that gets me root access to install whatever I want, it hardly seems right 
to call that hacking.

 

But taking down a site by flooding it (or its authoritative DNS servers) with 
traffic is not the same as hacking the site.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
Sent: Friday, October 21, 2016 3:34 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 

 

Agree…. it should be focused on end users better securing themselves …. 

 

On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> wrote:

I'm getting irritated by news reports calling this hacking. That term has been 
so obfuscated by dimwits that it has no value

 

On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:

It works great for me 90% of the time. The other 10% it refuses to function at 
all.




 

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

 

 

On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org> wrote:

LOL …. scary shit….

 

Facebook being slow isn't anything new in my experience … they have to be 
having a hard time keeping up sometimes …. last I heard they were adding 
something around 200-300 new servers a day in each data centre

 

On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> wrote:

 

forcing people to interact in person... 

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread That One Guy /sarcasm
That WikiLeaks post looks more like they're taking credit for somebody else's
work to garner threat cred

On Fri, Oct 21, 2016 at 4:34 PM, Tim Reichhart <
timreichh...@hometowncable.net> wrote:

>  https://twitter.com/wikileaks/status/789574436219449345
>
> WikiLeaks is asking its supporters to stop taking websites down, so it's for
> sure blowback against the US. Please don't say it's not; we all know how
> WikiLeaks is that powerful.
>
> --
> -Original Message-
> From: "Mike Hammett" <af...@ics-il.net>
> To: af@afmug.com
> Date: 10/21/16 05:26 PM
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> What?
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
>
>
> ----------
>  *From:* "Tim Reichhart" <timreichh...@hometowncable.net>
> *To:* af@afmug.com
> *Sent:* Friday, October 21, 2016 4:14:15 PM
> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
>
>
> http://www.nbcnews.com/news/us-news/u-s-urged-ecuador-act-against-assange-n669271
> I say this major DDoS attack is sure blowback on what the US told Ecuador: to act
> against the WikiLeaks leader.
>
> --
> -Original Message-
> From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
> To: af@afmug.com
> Date: 10/21/16 05:06 PM
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> I think there are only two hackers left, the rest are script kiddies
> half of these mopes calling themselves "hackers" have little education,
> hacking quite often requires a high degree of mathematics capability, most
> of these l77t "hackers" can't even multiply
>
>
> On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org>
> wrote:
>
>> Good point … and totally agree that the word "hacking" used to mean
>> something - now it just kinda makes people laugh and not take it seriously
>> at all anymore…
>>
>>
>> On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:
>>
>>
>> I think his point was that a denial of service attack is not hacking.
>>
>> I just heard on the radio someone was asking, if I try to use Twitter and
>> it doesn't work because of this attack, is my computer now hacked?
>>
>> Even stuff that rightly gets called hacking is an insult to hackers. Like
>> if your webcam is on a public IP address and I guess that the password is
>> 1234, and that gets me root access to install whatever I want, it hardly
>> seems right to call that hacking.
>>
>> But taking down a site by flooding it (or its authoritative DNS servers)
>> with traffic is not the same as hacking the site.
>>
>>
>>  *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Paul Stewart
>> *Sent:* Friday, October 21, 2016 3:34 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> Agree…. it should be focused on end users better securing themselves ….
>>
>>
>> On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <
>> thatoneguyst...@gmail.com> wrote:
>>
>> I'm getting irritated by news reports calling this hacking. That term has
>> been so obfuscated by dimwits that it has no value
>>
>> On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <
>> j...@imaginenetworksllc.com> wrote:
>>
>> It works great for me 90% of the time. The other 10% it refuses to
>> function at all.
>>
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>>
>> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p.

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Tim Reichhart
https://twitter.com/wikileaks/status/789574436219449345

WikiLeaks is asking its supporters to stop taking websites down, so it's for sure 
blowback against the US. Please don't say it's not; we all know how WikiLeaks is 
that powerful.


-Original Message-
From: "Mike Hammett" <af...@ics-il.net>
To: af@afmug.com
Date: 10/21/16 05:26 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

What?




-
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP




 
 From: "Tim Reichhart" <timreichh...@hometowncable.net>
To: af@afmug.com
Sent: Friday, October 21, 2016 4:14:15 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

I say this major DDoS attack is sure blowback on what the US told Ecuador: to act 
against the WikiLeaks leader.

-Original Message-
From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
To: af@afmug.com
Date: 10/21/16 05:06 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

I think there are only two hackers left, the rest are script kiddies
half of these mopes calling themselves "hackers" have little education, hacking 
quite often requires a high degree of mathematics capability, most of these l77t 
"hackers" can't even multiply
 
 
On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:
Good point … and totally agree that the word "hacking" used to mean something - 
now it just kinda makes people laugh and not take it seriously at all anymore…




On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:


 I think his point was that a denial of service attack is not hacking.
 
I just heard on the radio someone was asking, if I try to use Twitter and it 
doesn't work because of this attack, is my computer now hacked?
 
Even stuff that rightly gets called hacking is an insult to hackers. Like if 
your webcam is on a public IP address and I guess that the password is 1234, 
and that gets me root access to install whatever I want, it hardly seems right 
to call that hacking.
 
But taking down a site by flooding it (or its authoritative DNS servers) with 
traffic is not the same as hacking the site.
 
 
 From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
Sent: Friday, October 21, 2016 3:34 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 
 
Agree…. it should be focused on end users better securing themselves …. 
 

On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> 
wrote:
 
I'm getting irritated by news reports calling this hacking. That term has been 
so obfuscated by dimwits that it has no value

 
On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com> 
wrote:

It works great for me 90% of the time. The other 10% it refuses to function at 
all.


 
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
 
 
On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org> wrote:

LOL …. scary shit….
 
Facebook being slow isn't anything new in my experience … they have to be 
having a hard time keeping up sometimes …. last I heard they were adding 
something around 200-300 new servers a day in each data centre
 

On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> 
wrote:
 
forcing people to interact in person... a dangerous prospect in these times
 
On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <timreichh...@hometowncable.net> 
wrote:

It seems like Facebook is also getting slow.
 


-Original Message-
From: "Travis Johnson" <t...@ida.net>
To: af@afmug.com
Date: 10/21/16 02:37 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

This is still going right now... big and small websites and ISPs are 
unreachable and unresponsive. :(

Travis


On 10/21/2016 12:19 PM, Ken Hohhof wrote:
 

Interesting, according to that, the ISP DNS servers are recruited as part of 
the attack on the victim's authoritative DNS servers, by sending queries from 
within the ISP's network.
 
No spoofing, no amplification, no misconfigured DNS servers required, yet the 
ISP's DNS servers are used to send the attack traffic. All that is needed is a 
compromised IoT to send the query.
 
 
 From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:42 PM 

To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
 
 
Right - crap IoT devices on the Mirai botnet were responsible for shoving 
620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take down 
OVH). No spoofing involved.
 
Interesting article on the techniques used by Mirai:
 
https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
 
 
 
On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> 

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Mike Hammett
What? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Tim Reichhart" <timreichh...@hometowncable.net> 
To: af@afmug.com 
Sent: Friday, October 21, 2016 4:14:15 PM 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 




I say this major ddos attack is sure blow back on what US told Ecuador to Act 
Against WikiLeaks Leader. 



-Original Message- 
From: "That One Guy /sarcasm" < thatoneguyst...@gmail.com > 
To: af@afmug.com 
Date: 10/21/16 05:06 PM 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 


I think there are only two hackers left, the rest are script kiddies 
half of these mopes calling themselves "hackers" have little education, hacking 
quite often requires a high degree of mathematics capability, most of these l77t 
"hackers" can't even multiply 


On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart < p...@paulstewart.org > wrote: 



Good point … and totally agree that the word "hacking" used to mean something - 
now it just kinda makes people laugh and not take it seriously at all anymore… 








On Oct 21, 2016, at 4:44 PM, Ken Hohhof < af...@kwisp.com > wrote: 



I think his point was that a denial of service attack is not hacking. 

I just heard on the radio someone was asking, if I try to use Twitter and it 
doesn't work because of this attack, is my computer now hacked? 

Even stuff that rightly gets called hacking is an insult to hackers. Like if 
your webcam is on a public IP address and I guess that the password is 1234, 
and that gets me root access to install whatever I want, it hardly seems right 
to call that hacking. 

But taking down a site by flooding it (or its authoritative DNS servers) with 
traffic is not the same as hacking the site. 




From: Af [ mailto:af-boun...@afmug.com ] On Behalf Of Paul Stewart 
Sent: Friday, October 21, 2016 3:34 PM 
To: af@afmug.com 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 

Agree…. it should be focused on end users better securing themselves …. 






On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm < thatoneguyst...@gmail.com 
> wrote: 



I'm getting irritated by news reports calling this hacking. That term has been 
so obfuscated by dimwits that it has no value 





On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman < j...@imaginenetworksllc.com > 
wrote: 



It works great for me 90% of the time. The other 10% it refuses to function at 
all. 








Josh Luthman 
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St 
Suite 1337 
Troy, OH 45373 


On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart < p...@paulstewart.org > wrote: 



LOL …. scary shit…. 



Facebook being slow isn't anything new in my experience … they have to be 
having a hard time keeping up sometimes …. last I heard they were adding 
something around 200-300 new servers a day in each data centre 






On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm < thatoneguyst...@gmail.com 
> wrote: 



forcing people to interact in person... a dangerous prospect in these times 



On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart < timreichh...@hometowncable.net 
> wrote: 






It seems like Facebook is also getting slow. 





-Original Message- 
From: "Travis Johnson" < t...@ida.net > 
To: af@afmug.com 
Date: 10/21/16 02:37 PM 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 

This is still going right now... big and small websites and ISPs are 
unreachable and unresponsive. :( 

Travis 



On 10/21/2016 12:19 PM, Ken Hohhof wrote: 




Interesting, according to that, the ISP DNS servers are recruited as part of 
the attack on the victim's authoritative DNS servers, by sending queries from 
within the ISP's network. 


No spoofing, no amplification, no misconfigured DNS servers required, yet the 
ISP's DNS servers are used to send the attack traffic. All that is needed is a 
compromised IoT to send the query. 



From: Af [ mailto:af-boun...@afmug.com ] On Behalf Of Josh Baird 
Sent: Friday, October 21, 2016 12:42 PM 



To: af@afmug.com 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 







Right - crap IoT devices on the Mirai botnet were responsible for shoving 
620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take down 
OVH). No spoofing involved. 




Interesting article on the techniques used by Mirai: 




https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
 





On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof < af...@kwisp.com > wrote: 






The amplifier would receive a query from a spoofed IP address, and respond 
using a legit IP address. So the attacker needs to control some computers that 
can spoof the victim's IP address, but the actual attack traffic comes from the 
amplifiers using legi

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Tim Reichhart


Just think about it for a sec or two, blowbacks are always paybacks.

-Original Message-
From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
To: af@afmug.com
Date: 10/21/16 05:20 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

I never followed WikiLeaks until recently, but their Twitter stuff sounds like 
it's operated by a 9 year old who hasn't gotten his chicken nuggets or Adderall
 
On Fri, Oct 21, 2016 at 4:17 PM, Tushar Patel <tpa...@ecpi.com> wrote:
 
Lol was for the "wall". 

Tushar


 

On Oct 21, 2016, at 4:14 PM, Tim Reichhart <timreichh...@hometowncable.net> 
wrote:



  

I say this major ddos attack is sure blow back on what US told Ecuador to Act 
Against WikiLeaks Leader.

-Original Message-
From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
To: af@afmug.com
Date: 10/21/16 05:06 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

I think there are only two hackers left, the rest are script kiddies
half of these mopes calling themselves "hackers" have little education, hacking 
quite often requires a high degree of mathematics capability, most of these l77t 
"hackers" can't even multiply
  
 
On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:
Good point … and totally agree that the word "hacking" used to mean something - 
now it just kinda makes people laugh and not take it seriously at all anymore…




On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:


 I think his point was that a denial of service attack is not hacking.
 
I just heard on the radio someone was asking, if I try to use Twitter and it 
doesn't work because of this attack, is my computer now hacked?
 
Even stuff that rightly gets called hacking is an insult to hackers. Like if 
your webcam is on a public IP address and I guess that the password is 1234, 
and that gets me root access to install whatever I want, it hardly seems right 
to call that hacking.
 
But taking down a site by flooding it (or its authoritative DNS servers) with 
traffic is not the same as hacking the site.
 
 
 From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
Sent: Friday, October 21, 2016 3:34 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 
 
Agree…. it should be focused on end users better securing themselves …. 
 

On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> 
wrote:
 
I'm getting irritated by news reports calling this hacking. That term has been 
so obfuscated by dimwits that it has no value

 
On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com> 
wrote:

It works great for me 90% of the time. The other 10% it refuses to function at 
all.


 
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
 
 
On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org> wrote:

LOL …. scary shit….
 
Facebook being slow isn't anything new in my experience … they have to be 
having a hard time keeping up sometimes …. last I heard they were adding 
something around 200-300 new servers a day in each data centre
 

On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> 
wrote:
 
forcing people to interact in person... a dangerous prospect in these times
 
On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <timreichh...@hometowncable.net> 
wrote:

It seems like Facebook is also getting slow.
 


-Original Message-
From: "Travis Johnson" <t...@ida.net>
To: af@afmug.com
Date: 10/21/16 02:37 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

This is still going right now... big and small websites and ISPs are 
unreachable and unresponsive. :(

Travis


On 10/21/2016 12:19 PM, Ken Hohhof wrote:
 

Interesting, according to that, the ISP DNS servers are recruited as part of 
the attack on the victim's authoritative DNS servers, by sending queries from 
within the ISP's network.
 
No spoofing, no amplification, no misconfigured DNS servers required, yet the 
ISP's DNS servers are used to send the attack traffic. All that is needed is a 
compromised IoT to send the query.
 
 
 From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:42 PM 

To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
 
 
Right - crap IoT devices on the Mirai botnet were responsible for shoving 
620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take down 
OVH). No spoofing involved.
 
Interesting article on the techniques used by Mirai:
 
https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
 
 
 
On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> wrote:

The amplifier would receive a query from a spoofed IP address, a

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread That One Guy /sarcasm
I never followed WikiLeaks until recently, but their Twitter stuff sounds
like it's operated by a 9 year old who hasn't gotten his chicken nuggets or
Adderall

On Fri, Oct 21, 2016 at 4:17 PM, Tushar Patel <tpa...@ecpi.com> wrote:

> Lol was for the "wall".
>
> Tushar
>
>
> On Oct 21, 2016, at 4:14 PM, Tim Reichhart <timreichh...@hometowncable.net>
> wrote:
>
>
>
> <http://www.nbcnews.com/news/us-news/u-s-urged-ecuador-act-against-assange-n669271>
> I say this major ddos attack is sure blow back on what US told Ecuador to
> Act Against WikiLeaks Leader.
>
> --
> -Original Message-
> From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
> To: af@afmug.com
> Date: 10/21/16 05:06 PM
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> I think there are only two hackers left, the rest are script kiddies
> half of these mopes calling themselves "hackers" have little education,
> hacking quite often requires a high degree of mathematics capability, most
> of these l77t "hackers" can't even multiply
>
>
> On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org>
> wrote:
>
>> Good point … and totally agree that the word "hacking" used to mean
>> something - now it just kinda makes people laugh and not take it seriously
>> at all anymore…
>>
>>
>> On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:
>>
>>
>> I think his point was that a denial of service attack is not hacking.
>>
>> I just heard on the radio someone was asking, if I try to use Twitter and
>> it doesn't work because of this attack, is my computer now hacked?
>>
>> Even stuff that rightly gets called hacking is an insult to hackers. Like
>> if your webcam is on a public IP address and I guess that the password is
>> 1234, and that gets me root access to install whatever I want, it hardly
>> seems right to call that hacking.
>>
>> But taking down a site by flooding it (or its authoritative DNS servers)
>> with traffic is not the same as hacking the site.
>>
>>
>>  *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
>> Behalf Of *Paul Stewart
>> *Sent:* Friday, October 21, 2016 3:34 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> Agree…. it should be focused on end users better securing themselves ….
>>
>>
>> On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <
>> thatoneguyst...@gmail.com> wrote:
>>
>> I'm getting irritated by news reports calling this hacking. That term has
>> been so obfuscated by dimwits that it has no value
>>
>> On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <
>> j...@imaginenetworksllc.com> wrote:
>>
>> It works great for me 90% of the time. The other 10% it refuses to
>> function at all.
>>
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>>
>> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org>
>> wrote:
>>
>> LOL …. scary shit….
>>
>> Facebook being slow isn't anything new in my experience … they have to be
>> having a hard time keeping up sometimes …. last I heard they were adding
>> something around 200-300 new servers a day in each data centre
>>
>>
>> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <
>> thatoneguyst...@gmail.com> wrote:
>>
>> forcing people to interact in person... a dangerous prospect in these
>> times
>>
>> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <
>> timreichh...@hometowncable.net> wrote:
>>
>> It seems like Facebook is also getting slow.
>>
>>
>> --
>>
>> -Original Message-
>> From: "Travis Johnson" <t...@ida.net>
>> To: af@afmug.com
>> Date: 10/21/16 02:37 PM
>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> This is still going right now... big and small websites and ISPs are
>> unreachable and unresponsive. :(
>>
>> Travis
>>
>> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>>
>>
>> Interesting, according to that, the ISP DNS servers are recruited as part
>> of

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Tushar Patel
Lol was for the "wall". 

Tushar


> On Oct 21, 2016, at 4:14 PM, Tim Reichhart <timreichh...@hometowncable.net> 
> wrote:
> 
>  
> I say this major ddos attack is sure blow back on what US told Ecuador to Act 
> Against WikiLeaks Leader.
> -Original Message-
> From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
> To: af@afmug.com
> Date: 10/21/16 05:06 PM
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
> 
> I think there are only two hackers left, the rest are script kiddies
> half of these mopes calling themselves "hackers" have little education, 
> hacking quite often requires a high degree of mathematics capability, most of 
> these l77t "hackers" can't even multiply
>  
>  
>> On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:
>> Good point … and totally agree that the word "hacking" used to mean 
>> something - now it just kinda makes people laugh and not take it seriously 
>> at all anymore…
>> 
>> 
>>> On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:
>>> 
>>>  
>>> I think his point was that a denial of service attack is not hacking.
>>>  
>>> I just heard on the radio someone was asking, if I try to use Twitter and 
>>> it doesn't work because of this attack, is my computer now hacked?
>>>  
>>> Even stuff that rightly gets called hacking is an insult to hackers. Like 
>>> if your webcam is on a public IP address and I guess that the password is 
>>> 1234, and that gets me root access to install whatever I want, it hardly 
>>> seems right to call that hacking.
>>>  
>>> But taking down a site by flooding it (or its authoritative DNS servers) 
>>> with traffic is not the same as hacking the site.
>>>  
>>>  
>>>  From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
>>> Sent: Friday, October 21, 2016 3:34 PM
>>> To: af@afmug.com
>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 
>>>  
>>> Agree…. it should be focused on end users better securing themselves …. 
>>>  
>>>> On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm 
>>>> <thatoneguyst...@gmail.com> wrote:
>>>>  
>>>> I'm getting irritated by news reports calling this hacking. That term has 
>>>> been so obfuscated by dimwits that it has no value
>>>>  
>>>>> On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman 
>>>>> <j...@imaginenetworksllc.com> wrote:
>>>>> It works great for me 90% of the time. The other 10% it refuses to 
>>>>> function at all.
>>>>> 
>>>>>  
>>>>> Josh Luthman
>>>>> Office: 937-552-2340
>>>>> Direct: 937-552-2343
>>>>> 1100 Wayne St
>>>>> Suite 1337
>>>>> Troy, OH 45373
>>>>>  
>>>>>  
>>>>>> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org> 
>>>>>> wrote:
>>>>>> LOL …. scary shit….
>>>>>>  
>>>>>> Facebook being slow isn't anything new in my experience … they have to 
>>>>>> be having a hard time keeping up sometimes …. last I heard they were 
>>>>>> adding something around 200-300 new servers a day in each data centre
>>>>>>  
>>>>>>> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm 
>>>>>>> <thatoneguyst...@gmail.com> wrote:
>>>>>>>  
>>>>>>> forcing people to interact in person... a dangerous prospect in these 
>>>>>>> times
>>>>>>>  
>>>>>>>> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart 
>>>>>>>> <timreichh...@hometowncable.net> wrote:
>>>>>>>> It seems like Facebook is also getting slow.
>>>>>>>>  
>>>>>>>>> 
>>>>>>>>> -Original Message-----
>>>>>>>>> From: "Travis Johnson" <t...@ida.net>
>>>>>>>>> To: af@afmug.com
>>>>>>>>> Date: 10/21/16 02:37 PM
>>>>>>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>>>>>>> 
>>>>>>>>> This is still going right now... big and small websites and ISPs are 
>>>>>>>>

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Tushar Patel
LOL

Tushar


> On Oct 21, 2016, at 4:11 PM, That One Guy /sarcasm 
> <thatoneguyst...@gmail.com> wrote:
> 
> rené (@Renatus84), 23 minutes ago
> We're going to build a firewall, a huge, beautiful firewall, and hackers are 
> gonna pay for it #DDoS #DDoSAttack
> 
>> On Fri, Oct 21, 2016 at 4:06 PM, That One Guy /sarcasm 
>> <thatoneguyst...@gmail.com> wrote:
>> I think there are only two hackers left, the rest are script kiddies
>> half of these mopes calling themselves "hackers" have little education, 
>> hacking quite often requires a high degree of mathematics capability, most of 
>> these l77t "hackers" can't even multiply
>> 
>>> On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:
>>> Good point … and totally agree that the word “hacking” used to mean 
>>> something - now it just kinda makes people laugh and not take it seriously 
>>> at all anymore…
>>> 
>>> 
>>>> On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:
>>>> 
>>>> I think his point was that a denial of service attack is not hacking.
>>>>  
>>>> I just heard on the radio someone was asking, if I try to use Twitter and 
>>>> it doesn't work because of this attack, is my computer now hacked?
>>>>  
>>>> Even stuff that rightly gets called hacking is an insult to hackers.  Like 
>>>> if your webcam is on a public IP address and I guess that the password is 
>>>> 1234, and that gets me root access to install whatever I want, it hardly 
>>>> seems right to call that hacking.
>>>>  
>>>> But taking down a site by flooding it (or its authoritative DNS servers) 
>>>> with traffic is not the same as hacking the site.
>>>>  
>>>>  
>>>> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
>>>> Sent: Friday, October 21, 2016 3:34 PM
>>>> To: af@afmug.com
>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>>  
>>>> Agree…. it should be focused on end users better securing themselves …. 
>>>>  
>>>>> On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm 
>>>>> <thatoneguyst...@gmail.com> wrote:
>>>>>  
>>>>> I'm getting irritated by news reports calling this hacking. That term has 
>>>>> been so obfuscated by dimwits that it has no value
>>>>>  
>>>>>> On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman 
>>>>>> <j...@imaginenetworksllc.com> wrote:
>>>>>> It works great for me 90% of the time.  The other 10% it refuses to 
>>>>>> function at all.
>>>>>> 
>>>>>>  
>>>>>> Josh Luthman
>>>>>> Office: 937-552-2340
>>>>>> Direct: 937-552-2343
>>>>>> 1100 Wayne St
>>>>>> Suite 1337
>>>>>> Troy, OH 45373
>>>>>>  
>>>>>>> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org> 
>>>>>>> wrote:
>>>>>>> LOL …. scary shit….
>>>>>>>  
>>>>>>> Facebook being slow isn’t anything new in my experience … they have to 
>>>>>>> be having a hard time keeping up sometimes …. last I heard they were 
>>>>>>> adding something around 200-300 new servers a day in each data centre
>>>>>>>  
>>>>>>>> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm 
>>>>>>>> <thatoneguyst...@gmail.com> wrote:
>>>>>>>>  
>>>>>>>> forcing people to interact in person... a dangerous prospect in these 
>>>>>>>> times
>>>>>>>>  
>>>>>>>>> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart 
>>>>>>>>> <timreichh...@hometowncable.net> wrote:
>>>>>>>>> It seems like Facebook is also getting slow.
>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> -Original Message-
>>>>>>>>>> From: "Travis Johnson" <t...@ida.net>
>>>>>>>>>> To: af@afmug.com
>>>>>>>>>> Date: 10/21/16 02:37 PM
>>>>>>>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>>>>

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Tim Reichhart


I say this major ddos attack is sure blow back on what US told Ecuador to Act 
Against WikiLeaks Leader. 

-Original Message-
From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
To: af@afmug.com
Date: 10/21/16 05:06 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

I think there are only two hackers left, the rest are script kiddies
half of these mopes calling themselves "hackers" have little education, hacking 
quite often requires a high degree of mathematics capability, most of these l77t 
"hackers" can't even multiply
 
 
On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:
Good point … and totally agree that the word "hacking" used to mean something - 
now it just kinda makes people laugh and not take it seriously at all anymore…




On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:


 I think his point was that a denial of service attack is not hacking.
 
I just heard on the radio someone was asking, if I try to use Twitter and it 
doesn't work because of this attack, is my computer now hacked?
 
Even stuff that rightly gets called hacking is an insult to hackers.  Like if 
your webcam is on a public IP address and I guess that the password is 1234, 
and that gets me root access to install whatever I want, it hardly seems right 
to call that hacking.
 
But taking down a site by flooding it (or its authoritative DNS servers) with 
traffic is not the same as hacking the site.
 
 
 From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
Sent: Friday, October 21, 2016 3:34 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 
 
Agree…. it should be focused on end users better securing themselves …. 
 

On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> 
wrote:
 
I'm getting irritated by news reports calling this hacking. That term has been 
so obfuscated by dimwits that it has no value

 
On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com> 
wrote:

It works great for me 90% of the time.  The other 10% it refuses to function at 
all.


 
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
 
 
On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org> wrote:

LOL …. scary shit….
 
Facebook being slow isn't anything new in my experience … they have to be 
having a hard time keeping up sometimes …. last I heard they were adding 
something around 200-300 new servers a day in each data centre
 

On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> 
wrote:
 
forcing people to interact in person... a dangerous prospect in these times
 
On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <timreichh...@hometowncable.net> 
wrote:

It seems like Facebook is also getting slow.
 


-Original Message-
From: "Travis Johnson" <t...@ida.net>
To: af@afmug.com
Date: 10/21/16 02:37 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

This is still going right now... big and small websites and ISPs are 
unreachable and unresponsive. :(

Travis


On 10/21/2016 12:19 PM, Ken Hohhof wrote:
 

Interesting, according to that, the ISP DNS servers are recruited as part of 
the attack on the victim's authoritative DNS servers, by sending queries from 
within the ISP's network.
 
No spoofing, no amplification, no misconfigured DNS servers required, yet the 
ISP's DNS servers are used to send the attack traffic. All that is needed is a 
compromised IoT to send the query.
 
 
 From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:42 PM 

To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
 
 
Right - crap IoT devices on the Mirai botnet were responsible for shoving 
620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take down 
OVH). No spoofing involved.
 
Interesting article on the techniques used by Mirai:
 
https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
 
 
 
On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> wrote:

The amplifier would receive a query from a spoofed IP address, and respond 
using a legit IP address. So the attacker needs to control some computers that 
can spoof the victim's IP address, but the actual attack traffic comes from the 
amplifiers using legit source IPs.
 
In the case of IoT botnets, I'm not sure any spoofing is required.
 
 
 From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:21 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 
 
It's a good start. It attempts to prevent spoofed traffic originating from your 
network to leave your network (or BCP38).
 
On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imagine
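Ken Hohhof's point in the message above, that reflected traffic from amplifiers carries legitimate source addresses while only the packets that trigger it are spoofed, is exactly why the BCP38 filtering Josh Baird mentions has to be done by the network the spoofing host sits in. The following is an added example, not code from the thread or from any of its participants: a small Python model of the two source-address checks an ISP edge router applies, a BCP38 egress filter on the upstream link and strict unicast RPF on customer ports, plus the mirror-image check on traffic arriving from transit. The prefixes, interface names and packets are constructed (RFC 5737 TEST-NET ranges) and describe no real network.

```python
"""BCP38 egress filtering and strict uRPF over constructed packets.

Added example for the AFMUG thread; not code from the list or its members.
Prefixes, interface names and packets are made up (RFC 5737 TEST-NET ranges).
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

IPNet = ipaddress.IPv4Network

# Constructed routing table: prefix -> interface through which it is reached.
# "upstream" is the transit link; the other two are customer-facing ports.
ROUTES: Dict[IPNet, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "cust-a",
    ipaddress.ip_network("198.51.100.0/25"): "cust-b",
    ipaddress.ip_network("0.0.0.0/0"): "upstream",  # default route
}

# Prefixes this network (and its downstream customers) legitimately originate.
# Only these may appear as the source of packets leaving via "upstream".
OWN_PREFIXES: List[IPNet] = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


class Packet(NamedTuple):
    src: str
    dst: str
    ingress: str  # interface the packet arrived on


def longest_match(ip: str, routes: Dict[IPNet, str] = ROUTES) -> Optional[str]:
    """Return the interface the routing table would use to reach `ip`."""
    addr = ipaddress.ip_address(ip)
    best: Optional[IPNet] = None
    for net in routes:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return routes[best] if best is not None else None


def egress_ok(pkt: Packet, own: List[IPNet] = OWN_PREFIXES) -> bool:
    """BCP38 egress filter for the upstream link: the source address must
    belong to a prefix this network is allowed to originate."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in own)


def strict_urpf_ok(pkt: Packet, routes: Dict[IPNet, str] = ROUTES) -> bool:
    """Strict unicast RPF on a customer port: the route back to the source
    must point at the interface the packet came in on. This also catches a
    customer spoofing a neighbouring customer's address, which a border-only
    egress filter would let through."""
    return longest_match(pkt.src, routes) == pkt.ingress


def classify(pkt: Packet) -> str:
    """Verdict for a packet seen at the edge router."""
    if pkt.ingress == "upstream":
        # Traffic arriving from transit that claims one of our own addresses
        # can only be spoofed; everything else is ordinary inbound transit.
        return "drop:ingress-spoof" if egress_ok(pkt) else "transit"
    if not egress_ok(pkt):
        return "drop:egress"  # source address is not ours at all
    if not strict_urpf_ok(pkt):
        return "drop:urpf"  # our address, but from the wrong customer port
    return "forward"


if __name__ == "__main__":
    # Constructed sample packets (RFC 5737 addresses, no real hosts).
    samples = [
        Packet("203.0.113.10", "192.0.2.1", "cust-a"),    # legitimate customer
        Packet("192.0.2.5", "203.0.113.1", "cust-a"),     # spoofed foreign source
        Packet("203.0.113.7", "192.0.2.1", "cust-b"),     # spoofed neighbour source
        Packet("192.0.2.9", "203.0.113.10", "upstream"),  # ordinary inbound transit
        Packet("203.0.113.5", "203.0.113.10", "upstream"),  # our address from outside
    ]
    for p in samples:
        print(f"{p.src:>14} via {p.ingress:<8} -> {classify(p)}")
```

The third sample is the case a border-only egress filter misses: the source is one of the network's own addresses, so it passes BCP38 at the upstream link, and only the per-port uRPF check notices it came in on the wrong customer interface. The last sample is the inbound mirror of BCP38: a packet from transit claiming one of the network's own prefixes cannot be genuine.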

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread That One Guy /sarcasm
rené (@Renatus84 <https://twitter.com/Renatus84>), 23 minutes ago
<https://twitter.com/Renatus84/status/789568998895656964>

We're going to build a firewall, a huge, beautiful firewall, and hackers
are gonna pay for it #DDoS #DDoSAttack

On Fri, Oct 21, 2016 at 4:06 PM, That One Guy /sarcasm <
thatoneguyst...@gmail.com> wrote:

> I think there are only two hackers left, the rest are script kiddies
> half of these mopes calling themselves "hackers" have little education,
> hacking quite often requires a high degree of mathematics capability, most
> of these l77t "hackers" can't even multiply
>
> On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org>
> wrote:
>
>> Good point … and totally agree that the word “hacking” used to mean
>> something - now it just kinda makes people laugh and not take it seriously
>> at all anymore…
>>
>>
>> On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:
>>
>> I think his point was that a denial of service attack is not hacking.
>>
>> I just heard on the radio someone was asking, if I try to use Twitter and
>> it doesn't work because of this attack, is my computer now hacked?
>>
>> Even stuff that rightly gets called hacking is an insult to hackers.
>> Like if your webcam is on a public IP address and I guess that the password
>> is 1234, and that gets me root access to install whatever I want, it hardly
>> seems right to call that hacking.
>>
>> But taking down a site by flooding it (or its authoritative DNS servers)
>> with traffic is not the same as hacking the site.
>>
>>
>> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
>> Behalf Of *Paul Stewart
>> *Sent:* Friday, October 21, 2016 3:34 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> Agree…. it should be focused on end users better securing themselves ….
>>
>>
>> On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <
>> thatoneguyst...@gmail.com> wrote:
>>
>> I'm getting irritated by news reports calling this hacking. That term has
>> been so obfuscated by dimwits that it has no value
>>
>> On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <
>> j...@imaginenetworksllc.com> wrote:
>>
>> It works great for me 90% of the time.  The other 10% it refuses to
>> function at all.
>>
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org>
>> wrote:
>>
>> LOL …. scary shit….
>>
>> Facebook being slow isn’t anything new in my experience … they have to be
>> having a hard time keeping up sometimes …. last I heard they were adding
>> something around 200-300 new servers a day in each data centre
>>
>>
>> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <
>> thatoneguyst...@gmail.com> wrote:
>>
>> forcing people to interact in person... a dangerous prospect in these
>> times
>>
>> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <
>> timreichh...@hometowncable.net> wrote:
>>
>> It seems like Facebook is also getting slow.
>>
>>
>> --
>>
>> -Original Message-
>> From: "Travis Johnson" <t...@ida.net>
>> To: af@afmug.com
>> Date: 10/21/16 02:37 PM
>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> This is still going right now... big and small websites and ISP's are
>> unreachable and unresponsive. :(
>>
>> Travis
>>
>> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>>
>>
>> Interesting, according to that, the ISP DNS servers are recruited as part
>> of the attack on the victim's authoritative DNS servers, by sending queries
>> from within the ISP's network.
>>
>> No spoofing, no amplification, no misconfigured DNS servers required, yet
>> the ISP's DNS servers are used to send the attack traffic. All that is
>> needed is a compromised IoT to send the query.
>>
>>
>> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
>> Behalf Of* Josh Baird
>> *Sent:* Friday, October 21, 2016 12:42 PM
>>
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>>
>> Right - c

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread That One Guy /sarcasm
I think there are only two hackers left, the rest are script kiddies.
Half of these mopes calling themselves "hackers" have little education;
hacking quite often requires a high degree of mathematics capability, most
of these l77t "hackers" can't even multiply.

On Fri, Oct 21, 2016 at 3:52 PM, Paul Stewart <p...@paulstewart.org> wrote:

> Good point … and totally agree that the word “hacking” used to mean
> something - now it just kinda makes people laugh and not take it seriously
> at all anymore…
>
>
> On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:
>
> I think his point was that a denial of service attack is not hacking.
>
> I just heard on the radio someone was asking, if I try to use Twitter and
> it doesn’t work because of this attack, is my computer how hacked?
>
> Even stuff that rightly gets called hacking is an insult to hackers.  Like
> if your webcam is on a public IP address and I guess that the password is
> 1234, and that gets me root access to install whatever I want, it hardly
> seems right to call that hacking.
>
> But taking down a site by flooding it (or its authoritative DNS servers)
> with traffic is not the same as hacking the site.
>
>
> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
> Behalf Of *Paul Stewart
> *Sent:* Friday, October 21, 2016 3:34 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> Agree…. it should be focused on end users better securing themselves ….
>
>
> On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <
> thatoneguyst...@gmail.com> wrote:
>
> I'm getting irritated by news reports calling this hacking. That term has
> been so obfuscated by dimwits that it has no value
>
> On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com>
> wrote:
>
> It works great for me 90% of the time.  The other 10% it refuses to
> function at all.
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org>
> wrote:
>
> LOL …. scary shit….
>
> Facebook being slow isn’t anything new in my experience … they have to be
> having a hard time keeping up sometimes …. last I heard they were adding
> something around 200-300 new servers a day in each data centre
>
>
> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <
> thatoneguyst...@gmail.com> wrote:
>
> forcing people to interact in person... a dangerous prospect in these times
>
> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <
> timreichh...@hometowncable.net> wrote:
>
> It seems like facebook is also getting slow.
>
>
> --
>
> -Original Message-
> From: "Travis Johnson" <t...@ida.net>
> To: af@afmug.com
> Date: 10/21/16 02:37 PM
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> This is still going right now... big and small websites and ISP's are
> unreachable and unresponsive. :(
>
> Travis
>
> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>
>
> Interesting, according to that, the ISP DNS servers are recruited as part
> of the attack on the victim's authoritative DNS servers, by sending queries
> from within the ISP's network.
>
> No spoofing, no amplification, no misconfigured DNS servers required, yet
> the ISP's DNS servers are used to send the attack traffic. All that is
> needed is a compromised IoT to send the query.
>
>
> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
> Behalf Of* Josh Baird
> *Sent:* Friday, October 21, 2016 12:42 PM
>
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
>
> Right - crap IoT devices on the Mirai botnet were responsible for shoving
> 620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take
> down OVH). No spoofing involved.
>
> Interesting article on the techniques used by Mirai:
>
> https://f5.com/about-us/news/articles/mirai-the-iot-bot-
> that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
>
>
> On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> wrote:
>
> The amplifier would receive a query from a spoofed IP address, and respond
> using a legit IP address. So the attacker needs to control some computers
> that can spoof the victim's IP address, but the actual attack traffic comes
> from the amplifiers using legit source IPs.
>
> In the case of IoT botnets, I'm not sure any spoofing is required.
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of* Josh Baird
&g

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Paul Stewart
Good point … and totally agree that the word “hacking” used to mean something - 
now it just kinda makes people laugh and not take it seriously at all anymore…


> On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:
> 
> I think his point was that a denial of service attack is not hacking.
>  
> I just heard on the radio someone was asking, if I try to use Twitter and it 
> doesn’t work because of this attack, is my computer how hacked?
>  
> Even stuff that rightly gets called hacking is an insult to hackers.  Like if 
> your webcam is on a public IP address and I guess that the password is 1234, 
> and that gets me root access to install whatever I want, it hardly seems 
> right to call that hacking.
>  
> But taking down a site by flooding it (or its authoritative DNS servers) with 
> traffic is not the same as hacking the site.
>  
> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
> Behalf Of Paul Stewart
> Sent: Friday, October 21, 2016 3:34 PM
> To: af@afmug.com <mailto:af@afmug.com>
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>  
> Agree…. it should be focused on end users better securing themselves …. 
>  
>> On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm 
>> <thatoneguyst...@gmail.com <mailto:thatoneguyst...@gmail.com>> wrote:
>>  
>> I'm getting irritated by news reports calling this hacking. That term has 
>> been so obfuscated by dimwits that it has no value
>>  
>> On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com 
>> <mailto:j...@imaginenetworksllc.com>> wrote:
>>> It works great for me 90% of the time.  The other 10% it refuses to 
>>> function at all.
>>> 
>>>  
>>> Josh Luthman
>>> Office: 937-552-2340 
>>> Direct: 937-552-2343 
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>>  
>>> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org 
>>> <mailto:p...@paulstewart.org>> wrote:
>>>> LOL …. scary shit….
>>>>  
>>>> Facebook being slow isn’t anything new in my experience … they have to be 
>>>> having a hard time keeping up sometimes …. last I heard they were adding 
>>>> something around 200-300 new servers a day in each data centre
>>>>  
>>>>> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm 
>>>>> <thatoneguyst...@gmail.com <mailto:thatoneguyst...@gmail.com>> wrote:
>>>>>  
>>>>> forcing people to interact in person... a dangerous prospect in these 
>>>>> times
>>>>>  
>>>>> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart 
>>>>> <timreichh...@hometowncable.net <mailto:timreichh...@hometowncable.net>> 
>>>>> wrote:
>>>>>> It seems like facebook is also getting slow.
>>>>>>  
>>>>>>> 
>>>>>>> -Original Message-
>>>>>>> From: "Travis Johnson" <t...@ida.net <mailto:t...@ida.net>>
>>>>>>> To: af@afmug.com <mailto:af@afmug.com>
>>>>>>> Date: 10/21/16 02:37 PM
>>>>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>>>>> 
>>>>>>> This is still going right now... big and small websites and ISP's are 
>>>>>>> unreachable and unresponsive. :(
>>>>>>> 
>>>>>>> Travis
>>>>>>> 
>>>>>>> 
>>>>>>> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>>>>>>>  
>>>>>>>> Interesting, according to that, the ISP DNS servers are recruited as 
>>>>>>>> part of the attack on the victim's authoritative DNS servers, by 
>>>>>>>> sending queries from within the ISP's network.
>>>>>>>>  
>>>>>>>> No spoofing, no amplification, no misconfigured DNS servers required, 
>>>>>>>> yet the ISP's DNS servers are used to send the attack traffic. All 
>>>>>>>> that is needed is a compromised IoT to send the query.
>>>>>>>>  
>>>>>>>>  
>>>>>>>> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] 
>>>>>>>> On Behalf Of Josh Baird
>>>>>>>> Sent: Friday, October 21, 2016 12:42 PM
>>>>>>>
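The scenario Ken describes above (an infected device inside the ISP sends queries for names nobody has cached, and the ISP's own recursive resolver then hammers the victim's authoritative servers with its legitimate source address) leaves a distinctive trace in the resolver's query log: one client asking for many distinct, never-seen names under one zone. The following is an added example, not code from this thread; it parses constructed BIND-style query-log lines (the format and all addresses and names are assumptions, using documentation ranges and the reserved .example TLD) and flags client/zone pairs with an unusual number of distinct names.

```python
"""Random-subdomain ("water torture") detection over resolver query logs.
Added example; not code from the thread. The log lines below are constructed
in a BIND-like query-log format and are not real traffic."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed log format: "client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: one normal client (.23) and two clients (.77, .78)
# asking for random labels under victim.example.
SAMPLE_LOG = """\
client 198.51.100.23#51234: query: www.example.net IN A
client 198.51.100.23#51235: query: mail.example.net IN A
client 198.51.100.77#40001: query: q8d1kz.victim.example IN A
client 198.51.100.77#40002: query: p0x7mm.victim.example IN A
client 198.51.100.77#40003: query: lz9aaq.victim.example IN A
client 198.51.100.77#40004: query: t5c2wq.victim.example IN A
client 198.51.100.77#40005: query: b7h0rn.victim.example IN A
client 198.51.100.78#40009: query: u1m4kk.victim.example IN A
client 198.51.100.78#40010: query: 9fq2ls.victim.example IN A
client 198.51.100.78#40011: query: c3c3xx.victim.example IN A
client 198.51.100.23#51236: query: www.example.net IN AAAA
"""


def parse(log: str) -> List[Tuple[str, str]]:
    """Return (client, qname) pairs from BIND-style query-log lines."""
    out = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m["client"], m["name"].rstrip(".").lower()))
    return out


def zone_of(qname: str) -> str:
    """Crude zone guess: the last two labels. A public-suffix list would be
    better in production; using two labels is an assumption of this example."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def distinct_names(pairs: List[Tuple[str, str]]) -> Dict[Tuple[str, str], int]:
    """Number of distinct names each client asked for under each zone.
    Repeated queries for the same name (e.g. A then AAAA) count once."""
    seen = defaultdict(set)
    for client, qname in pairs:
        seen[(client, zone_of(qname))].add(qname)
    return {k: len(v) for k, v in seen.items()}


def suspects(log: str, threshold: int = 3) -> List[Tuple[str, str, int]]:
    """(client, zone, distinct names) for clients that asked for at least
    `threshold` distinct names under one zone, most active first."""
    counts = distinct_names(parse(log))
    hits = [(c, z, n) for (c, z), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[2], t[0]))


def victim_zones(log: str, threshold: int = 3) -> Dict[str, int]:
    """Zones being targeted and how many local clients were flagged against
    each: the zone is whom to warn, the clients are whom to rate-limit or
    clean up."""
    zones: Dict[str, int] = defaultdict(int)
    for _, zone, _ in suspects(log, threshold):
        zones[zone] += 1
    return dict(zones)


if __name__ == "__main__":
    for client, zone, n in suspects(SAMPLE_LOG):
        print(f"{client} asked for {n} distinct names under {zone}")
    print(victim_zones(SAMPLE_LOG))
```

In a real deployment the threshold would be set per time window from a baseline of normal distinct-name counts, and the hits would feed a per-client query rate limit on the resolver rather than a hard block, since legitimate clients occasionally produce bursts of unique names too.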

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Ken Hohhof
I think his point was that a denial of service attack is not hacking.

 

I just heard on the radio someone was asking, if I try to use Twitter and it 
doesn’t work because of this attack, is my computer how hacked?

 

Even stuff that rightly gets called hacking is an insult to hackers.  Like if 
your webcam is on a public IP address and I guess that the password is 1234, 
and that gets me root access to install whatever I want, it hardly seems right 
to call that hacking.

 

But taking down a site by flooding it (or its authoritative DNS servers) with 
traffic is not the same as hacking the site.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
Sent: Friday, October 21, 2016 3:34 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

Agree…. it should be focused on end users better securing themselves …. 

 

On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com 
<mailto:thatoneguyst...@gmail.com> > wrote:

 

I'm getting irritated by news reports calling this hacking. That term has been 
so obfuscated by dimwits that it has no value

 

On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com 
<mailto:j...@imaginenetworksllc.com> > wrote:

It works great for me 90% of the time.  The other 10% it refuses to function at 
all.




 

Josh Luthman
Office: 937-552-2340  
Direct: 937-552-2343  
1100 Wayne St
Suite 1337
Troy, OH 45373

 

On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org 
<mailto:p...@paulstewart.org> > wrote:

LOL …. scary shit….

 

Facebook being slow isn’t anything new in my experience … they have to be 
having a hard time keeping up sometimes …. last I heard they were adding 
something around 200-300 new servers a day in each data centre

 

On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com 
<mailto:thatoneguyst...@gmail.com> > wrote:

 

forcing people to interact in person... a dangerous prospect in these times

 

On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <timreichh...@hometowncable.net 
<mailto:timreichh...@hometowncable.net> > wrote:

It seems like facebook is also getting slow.

 




-Original Message-
From: "Travis Johnson" <t...@ida.net <mailto:t...@ida.net> >
To: af@afmug.com <mailto:af@afmug.com> 
Date: 10/21/16 02:37 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

This is still going right now... big and small websites and ISP's are 
unreachable and unresponsive. :(

Travis



On 10/21/2016 12:19 PM, Ken Hohhof wrote:
 

Interesting, according to that, the ISP DNS servers are recruited as part of 
the attack on the victim's authoritative DNS servers, by sending queries from 
within the ISP's network.

 

No spoofing, no amplification, no misconfigured DNS servers required, yet the 
ISP's DNS servers are used to send the attack traffic. All that is needed is a 
compromised IoT to send the query.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:42 PM


To: af@afmug.com <mailto:af@afmug.com> 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

 

Right - crap IoT devices on the Mirai botnet were responsible for shoving 
620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take down 
OVH). No spoofing involved.

 

Interesting article on the techniques used by Mirai:

 

https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937

 

 

On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com 
<mailto:af...@kwisp.com> > wrote:

The amplifier would receive a query from a spoofed IP address, and respond 
using a legit IP address. So the attacker needs to control some computers that 
can spoof the victim's IP address, but the actual attack traffic comes from the 
amplifiers using legit source IPs.

 

In the case of IoT botnets, I'm not sure any spoofing is required.

 

 

From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com> ] On Behalf 
Of Josh Baird
Sent: Friday, October 21, 2016 12:21 PM
To: af@afmug.com <mailto:af@afmug.com> 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

It's a good start. It attempts to prevent spoofed traffic originating from your 
network to leave your network (or BCP38).

 

On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com 
<mailto:j...@imaginenetworksllc.com> > wrote:

It can't be that simple...can it?




 

Josh Luthman
Office: 937-552-2340 <http://tel:937-552-2340> 
Direct: 937-552-2343 <http://tel:937-552-2343> 
1100 Wayne St
Suite 1337
Troy, OH 45373

 

 

On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net 
<mailto:af...@ics-il.net> > wrote:

/ip firewall address-list
add list="Public-IPs" address=x.
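Ken's description of reflection earlier in this message (the reflector receives a query carrying the victim's spoofed source address and answers, from its own legitimate address, towards the victim) has a useful consequence for the defender: at the victim's edge the attack appears as a stream of large UDP/53 responses that no local host ever requested. The following is an added example, not code from this thread; it runs that check over constructed flow records (addresses from RFC 5737 documentation ranges, byte counts made up) and also computes the amplification factor that makes reflectors attractive in the first place.

```python
"""Spotting DNS reflection in flow records at a network edge.
Added example; not code from the thread. All flow records are constructed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int


# Constructed sample flows. 198.51.100.10 is the victim, 198.51.100.20 a
# normal local client, 203.0.113.x are open resolvers acting as reflectors.
FLOWS = [
    Flow("198.51.100.20", 40001, "203.0.113.5", 53, 1, 64),     # real query out
    Flow("203.0.113.5", 53, "198.51.100.20", 40001, 1, 180),    # its answer
    Flow("203.0.113.7", 53, "198.51.100.10", 6124, 400, 1_200_000),
    Flow("203.0.113.8", 53, "198.51.100.10", 6124, 380, 1_100_000),
    Flow("203.0.113.9", 53, "198.51.100.10", 6124, 410, 1_250_000),
]


def unsolicited_dns_responses(flows: List[Flow]) -> Dict[str, int]:
    """Bytes of UDP/53-sourced traffic per destination for which no matching
    outbound query (same local host, same local port, same resolver) exists."""
    asked = {(f.src, f.sport, f.dst) for f in flows if f.dport == 53}
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.sport == 53 and (f.dst, f.dport, f.src) not in asked:
            totals[f.dst] += f.bytes
    return dict(totals)


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: bytes the reflector emits per byte the
    spoofing host had to send. This ratio is what reflection buys the attacker."""
    return response_bytes / query_bytes


def reflection_suspects(flows: List[Flow], min_bytes: int = 1_000_000) -> List[str]:
    """Destinations receiving at least min_bytes of unsolicited DNS answers,
    largest first. These are the victims to rate-limit or blackhole upstream;
    the sources are reflectors to report to their operators, not the attacker."""
    totals = unsolicited_dns_responses(flows)
    return sorted((d for d, b in totals.items() if b >= min_bytes),
                  key=lambda d: -totals[d])


if __name__ == "__main__":
    print(unsolicited_dns_responses(FLOWS))
    print(reflection_suspects(FLOWS))
    # A small query answered with a large response: e.g. 64 bytes in, 3000 out.
    print(round(amplification_factor(64, 3000), 1))
```

The pairing on (local host, local port, resolver) is deliberately simple; a production detector would also bound the time between query and answer and tolerate NAT port rewriting, but the principle is the same: responses with no matching request are the signature of reflection, and BCP38 at the spoofing host's ISP is the only thing that stops it at the source.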

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Paul Stewart
Agree…. it should be focused on end users better securing themselves …. 

> On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm 
> <thatoneguyst...@gmail.com> wrote:
> 
> I'm getting irritated by news reports calling this hacking. That term has been 
> so obfuscated by dimwits that it has no value
> 
> On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com 
> <mailto:j...@imaginenetworksllc.com>> wrote:
> It works great for me 90% of the time.  The other 10% it refuses to function 
> at all.
> 
> 
> Josh Luthman
> Office: 937-552-2340 
> Direct: 937-552-2343 
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> 
> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org 
> <mailto:p...@paulstewart.org>> wrote:
> LOL …. scary shit….
> 
> Facebook being slow isn’t anything new in my experience … they have to be 
> having a hard time keeping up sometimes …. last I heard they were adding 
> something around 200-300 new servers a day in each data centre
> 
>> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm 
>> <thatoneguyst...@gmail.com <mailto:thatoneguyst...@gmail.com>> wrote:
>> 
>> forcing people to interact in person... a dangerous prospect in these times
>> 
>> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart 
>> <timreichh...@hometowncable.net <mailto:timreichh...@hometowncable.net>> 
>> wrote:
>> It seems like facebook is also getting slow.
>> 
>> -----Original Message-
>> From: "Travis Johnson" <t...@ida.net <mailto:t...@ida.net>>
>> To: af@afmug.com <mailto:af@afmug.com>
>> Date: 10/21/16 02:37 PM
>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>> 
>> This is still going right now... big and small websites and ISP's are 
>> unreachable and unresponsive. :(
>> 
>> Travis
>> 
>> 
>> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>>  
>>> Interesting, according to that, the ISP DNS servers are recruited as part 
>>> of the attack on the victim's authoritative DNS servers, by sending queries 
>>> from within the ISP's network.
>>> 
>>>  
>>> No spoofing, no amplification, no misconfigured DNS servers required, yet 
>>> the ISP's DNS servers are used to send the attack traffic. All that is 
>>> needed is a compromised IoT to send the query.
>>> 
>>>  
>>> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
>>> Behalf Of Josh Baird
>>> Sent: Friday, October 21, 2016 12:42 PM
>>> 
>>> 
>>> To: af@afmug.com <mailto:af@afmug.com>
>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>> 
>>>  
>>> Right - crap IoT devices on the Mirai botnet were responsible for shoving 
>>> 620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take 
>>> down OVH). No spoofing involved.
>>> 
>>>  
>>> Interesting article on the techniques used by Mirai:
>>> 
>>>  
>>> https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
>>>  
>>> <https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937>
>>>  
>>>  
>>> On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com 
>>> <mailto:af...@kwisp.com>> wrote:
>>> 
>>> The amplifier would receive a query from a spoofed IP address, and respond 
>>> using a legit IP address. So the attacker needs to control some computers 
>>> that can spoof the victim's IP address, but the actual attack traffic comes 
>>> from the amplifiers using legit source IPs.
>>> 
>>>  
>>> In the case of IoT botnets, I'm not sure any spoofing is required.
>>> 
>>>  
>>> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
>>> Behalf Of Josh Baird
>>> Sent: Friday, October 21, 2016 12:21 PM
>>> To: af@afmug.com <mailto:af@afmug.com>
>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>> 
>>>  
>>> It's a good start. It attempts to prevent spoofed traffic originating from 
>>> your network to leave your network (or BCP38).
>>> 
>>>  
>>> On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com 
>>> <mailto:j...@imaginenetworksllc.com>> wrote:
>&g

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread That One Guy /sarcasm
I'm getting irritated by news reports calling this hacking. That term has
been so obfuscated by dimwits that it has no value

On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com>
wrote:

> It works great for me 90% of the time.  The other 10% it refuses to
> function at all.
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org>
> wrote:
>
>> LOL …. scary shit….
>>
>> Facebook being slow isn’t anything new in my experience … they have to be
>> having a hard time keeping up sometimes …. last I heard they were adding
>> something around 200-300 new servers a day in each data centre
>>
>> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <
>> thatoneguyst...@gmail.com> wrote:
>>
>> forcing people to interact in person... a dangerous prospect in these
>> times
>>
>> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <
>> timreichh...@hometowncable.net> wrote:
>>
>>> It seems like facebook is also getting slow.
>>>
>>> --------------
>>> -Original Message-
>>> From: "Travis Johnson" <t...@ida.net>
>>> To: af@afmug.com
>>> Date: 10/21/16 02:37 PM
>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>
>>> This is still going right now... big and small websites and ISP's are
>>> unreachable and unresponsive. :(
>>>
>>> Travis
>>>
>>>
>>> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>>>
>>>
>>> Interesting, according to that, the ISP DNS servers are recruited as
>>> part of the attack on the victim's authoritative DNS servers, by sending
>>> queries from within the ISP's network.
>>>
>>>
>>> No spoofing, no amplification, no misconfigured DNS servers required,
>>> yet the ISP's DNS servers are used to send the attack traffic. All that is
>>> needed is a compromised IoT to send the query.
>>>
>>>
>>>
>>>
>>> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
>>> Behalf Of* Josh Baird
>>> *Sent:* Friday, October 21, 2016 12:42 PM
>>>
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>
>>>
>>>
>>> Right - crap IoT devices on the Mirai botnet were responsible for
>>> shoving 620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to
>>> take down OVH). No spoofing involved.
>>>
>>>
>>> Interesting article on the techniques used by Mirai:
>>>
>>>
>>> https://f5.com/about-us/news/articles/mirai-the-iot-bot-that
>>> -took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
>>>
>>>
>>>
>>> On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> wrote:
>>>
>>> The amplifier would receive a query from a spoofed IP address, and
>>> respond using a legit IP address. So the attacker needs to control some
>>> computers that can spoof the victim's IP address, but the actual attack
>>> traffic comes from the amplifiers using legit source IPs.
>>>
>>>
>>> In the case of IoT botnets, I'm not sure any spoofing is required.
>>>
>>>
>>>
>>>
>>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of* Josh Baird
>>> *Sent:* Friday, October 21, 2016 12:21 PM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>
>>>
>>> It's a good start. It attempts to prevent spoofed traffic originating
>>> from your network to leave your network (or BCP38).
>>>
>>>
>>> On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <
>>> j...@imaginenetworksllc.com> wrote:
>>>
>>> It can't be that simple...can it?
>>>
>>>
>>>
>>>
>>> Josh Luthman
>>> Office: 937-552-2340 <http://tel:937-552-2340>
>>> Direct: 937-552-2343 <http://tel:937-552-2343>
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>>
>>>
>>>
>>> On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net> wrote:
>>>
>>> /ip firewall address-list
>>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
>>> add 

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Josh Luthman
It works great for me 90% of the time.  The other 10% it refuses to
function at all.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org> wrote:

> LOL …. scary shit….
>
> Facebook being slow isn’t anything new in my experience … they have to be
> having a hard time keeping up sometimes …. last I heard they were adding
> something around 200-300 new servers a day in each data centre
>
> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm <
> thatoneguyst...@gmail.com> wrote:
>
> forcing people to interact in person... a dangerous prospect in these times
>
> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <
> timreichh...@hometowncable.net> wrote:
>
>> It seems like facebook is also getting slow.
>>
>> --
>> -Original Message-
>> From: "Travis Johnson" <t...@ida.net>
>> To: af@afmug.com
>> Date: 10/21/16 02:37 PM
>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>> This is still going right now... big and small websites and ISP's are
>> unreachable and unresponsive. :(
>>
>> Travis
>>
>>
>> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>>
>>
>> Interesting, according to that, the ISP DNS servers are recruited as part
>> of the attack on the victim's authoritative DNS servers, by sending queries
>> from within the ISP's network.
>>
>>
>> No spoofing, no amplification, no misconfigured DNS servers required, yet
>> the ISP's DNS servers are used to send the attack traffic. All that is
>> needed is a compromised IoT to send the query.
>>
>>
>>
>>
>> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
>> Behalf Of* Josh Baird
>> *Sent:* Friday, October 21, 2016 12:42 PM
>>
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>>
>>
>> Right - crap IoT devices on the Mirai botnet were responsible for shoving
>> 620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take
>> down OVH). No spoofing involved.
>>
>>
>> Interesting article on the techniques used by Mirai:
>>
>>
>> https://f5.com/about-us/news/articles/mirai-the-iot-bot-that
>> -took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
>>
>>
>>
>> On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> wrote:
>>
>> The amplifier would receive a query from a spoofed IP address, and
>> respond using a legit IP address. So the attacker needs to control some
>> computers that can spoof the victim's IP address, but the actual attack
>> traffic comes from the amplifiers using legit source IPs.
>>
>>
>> In the case of IoT botnets, I'm not sure any spoofing is required.
>>
>>
>>
>>
>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of* Josh Baird
>> *Sent:* Friday, October 21, 2016 12:21 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>
>>
>> It's a good start. It attempts to prevent spoofed traffic originating
>> from your network to leave your network (or BCP38).
>>
>>
>> On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <
>> j...@imaginenetworksllc.com> wrote:
>>
>> It can't be that simple...can it?
>>
>>
>>
>>
>> Josh Luthman
>> Office: 937-552-2340 <http://tel:937-552-2340>
>> Direct: 937-552-2343 <http://tel:937-552-2343>
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>>
>>
>> On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net> wrote:
>>
>> /ip firewall address-list
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"
>>
>> /ip firewall filter
>> add action=drop chain=forward comment="Drop spoofed traffic: source address not in our prefixes" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"
>>
>> That was largely composed off of the top of my head and typed on my
>> phone, so it may not be completely accurate.
>>
>>
>> You should also do it on customer-facing ports not allowing anything to
>> come in, but that would be best approached once Mikrotik and the per
>> interface setting for unicast reverse
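To make concrete what the BCP38 rule in the quoted MikroTik config actually decides, here is an added example in Python (not code from this thread or from MikroTik) that models the forward-chain rule on the upstream interface: drop any packet whose source address is outside the "Public-IPs" list. It also evaluates a variant that matches the destination list instead (dst-address-list), which is the easy slip when typing this rule, to show that such a rule drops every Internet-bound packet rather than only spoofed ones. Prefixes and packets are constructed from RFC 5737 documentation ranges; the interface names follow the config above.

```python
"""BCP38 egress anti-spoofing, modelled in Python. Added example; not the
list's or MikroTik's code. All prefixes and packets are constructed."""
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, List, Tuple

# The "Public-IPs" address list: our own and downstream customer prefixes
# (documentation ranges used as placeholders).
PUBLIC_IPS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/25")]


def in_list(addr: str, prefixes: Iterable) -> bool:
    """True if addr falls inside any prefix of the address list."""
    a = ip_address(addr)
    return any(a in p for p in prefixes)


def egress_verdict(src: str, dst: str, out_iface: str) -> str:
    """The corrected rule: chain=forward, out-interface=To-Upstream,
    src-address-list=!Public-IPs -> drop. Only spoofed sources are dropped."""
    if out_iface == "To-Upstream" and not in_list(src, PUBLIC_IPS):
        return "drop"
    return "accept"


def dst_matched_verdict(src: str, dst: str, out_iface: str) -> str:
    """The same rule with dst-address-list=!Public-IPs: it matches the
    destination, so every packet bound for an address outside our own
    prefixes, i.e. all normal Internet traffic, is dropped."""
    if out_iface == "To-Upstream" and not in_list(dst, PUBLIC_IPS):
        return "drop"
    return "accept"


# Constructed sample traffic: (src, dst, out-interface, description)
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", "To-Upstream", "customer web request"),
    ("203.0.113.40", "192.0.2.53", "To-Upstream", "downstream customer DNS query"),
    ("192.0.2.99", "192.0.2.10", "To-Upstream", "spoofed source, not our prefix"),
    ("192.0.2.10", "198.51.100.7", "To-Customers", "inbound reply to customer"),
]


def evaluate(rule: Callable[[str, str, str], str]) -> List[Tuple[str, str]]:
    """Apply a rule to every sample packet; returns (description, verdict)."""
    return [(desc, rule(s, d, i)) for s, d, i, desc in SAMPLE]


if __name__ == "__main__":
    for name, rule in (("src-matched", egress_verdict),
                       ("dst-matched", dst_matched_verdict)):
        print(name)
        for desc, verdict in evaluate(rule):
            print(f"  {verdict:6s} {desc}")
```

The model makes the asymmetry obvious: the source-matched rule passes the two legitimate customer packets and drops only the spoofed one, while the destination-matched rule drops all three outbound packets. On a live router the same check is a matter of watching the rule's packet counter after adding it; a BCP38 rule that counts nearly every egress packet is matching the wrong field.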

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread chuck
Funny, just read an article about colleges being safe zones and they have 
policies preventing speech or actions containing harmful words or thoughts.  
Poor college students, have to be sheltered...
But then they are all on social media where sometimes it is nothing but harsh 
rhetoric.  
On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm  
wrote:

  forcing people to interact in person... a dangerous prospect in these times


Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Paul Stewart
LOL …. scary shit….

Facebook being slow isn’t anything new in my experience … they have to be 
having a hard time keeping up sometimes …. last I heard they were adding 
something around 200-300 new servers a day in each data centre

> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm 
> <thatoneguyst...@gmail.com> wrote:
> 
> forcing people to interact in person... a dangerous prospect in these times
> 
> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart 
> <timreichh...@hometowncable.net <mailto:timreichh...@hometowncable.net>> 
> wrote:
> It seems like facebook is also getting slow.
> 
> -Original Message-
> From: "Travis Johnson" <t...@ida.net <mailto:t...@ida.net>>
> To: af@afmug.com <mailto:af@afmug.com>
> Date: 10/21/16 02:37 PM
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
> 
> This is still going right now... big and small websites and ISP's are 
> unreachable and unresponsive. :(
> 
> Travis
> 
> 
> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>  
>> Interesting, according to that, the ISP DNS servers are recruited as part of 
>> the attack on the victim's authoritative DNS servers, by sending queries 
>> from within the ISP's network.
>> 
>>  
>> No spoofing, no amplification, no misconfigured DNS servers required, yet 
>> the ISP's DNS servers are used to send the attack traffic. All that is 
>> needed is a compromised IoT to send the query.
>> 
>>  
>> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
>> Behalf Of Josh Baird
>> Sent: Friday, October 21, 2016 12:42 PM
>> To: af@afmug.com <mailto:af@afmug.com>
>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>> 
>>  
>> Right - crap IoT devices on the Mirai botnet were responsible for shoving 
>> 620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take 
>> down OVH). No spoofing involved.
>> 
>>  
>> Interesting article on the techniques used by Mirai:
>> 
>>  
>> https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
>>  
>> <https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937>
>>  
>>  
>> On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com 
>> <mailto:af...@kwisp.com>> wrote:
>> 
>> The amplifier would receive a query from a spoofed IP address, and respond 
>> using a legit IP address. So the attacker needs to control some computers 
>> that can spoof the victim's IP address, but the actual attack traffic comes 
>> from the amplifiers using legit source IPs.
>> 
>>  
>> In the case of IoT botnets, I'm not sure any spoofing is required.
>> 
>>  
>> From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On 
>> Behalf Of Josh Baird
>> Sent: Friday, October 21, 2016 12:21 PM
>> To: af@afmug.com <mailto:af@afmug.com>
>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>> 
>>  
>> It's a good start. It attempts to prevent spoofed traffic originating from 
>> your network to leave your network (or BCP38).
>> 
>>  
>> On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com 
>> <mailto:j...@imaginenetworksllc.com>> wrote:
>> 
>> It can't be that simple...can it?
>> 
>> 
>> 
>>  
>> Josh Luthman
>> Office: 937-552-2340 <http://tel:937-552-2340>
>> Direct: 937-552-2343 <http://tel:937-552-2343>
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>> 
>>  
>>  
>> On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net 
>> <mailto:af...@ics-il.net>> wrote:
>> 
>> /ip firewall address-list
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"
>> 
>> /ip firewall filter
>> add action=drop chain=forward comment="Drop spoofed traffic: source address not in our prefixes" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"
>> 
>> That was largely composed off of the top of my head and typed on my phone, 
>> so it may not be completely accurate.
>> 
>> 
>> You should also do it on customer-facing ports not allowing anything to come 
>> in, but that would be best approached o

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Bill Prince

I may be traumatized until November 9.


bp
<part15sbs{at}gmail{dot}com>

On 10/21/2016 11:48 AM, That One Guy /sarcasm wrote:
forcing people to interact in person... a dangerous prospect in these 
times


On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart 
<timreichh...@hometowncable.net 
<mailto:timreichh...@hometowncable.net>> wrote:


It seems like facebook is also getting slow.


-Original Message-
From: "Travis Johnson" <t...@ida.net <mailto:t...@ida.net>>
To: af@afmug.com <mailto:af@afmug.com>
Date: 10/21/16 02:37 PM
    Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

This is still going right now... big and small websites and
ISP's are unreachable and unresponsive. :(

Travis


On 10/21/2016 12:19 PM, Ken Hohhof wrote:


Interesting, according to that, the ISP DNS servers are
recruited as part of the attack on the victim's authoritative
DNS servers, by sending queries from within the ISP's network.

No spoofing, no amplification, no misconfigured DNS servers
required, yet the ISP's DNS servers are used to send the
attack traffic. All that is needed is a compromised IoT to
send the query.

*From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of* Josh
Baird
*Sent:* Friday, October 21, 2016 12:42 PM
*To:* af@afmug.com <mailto:af@afmug.com>
    *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick

Right - crap IoT devices on the Mirai botnet were responsible
for shoving 620+Gbps of traffic at Akamai to take down Krebs
(and over 1Tbps to take down OVH). No spoofing involved.

Interesting article on the techniques used by Mirai:


https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937

<https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937>

On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com
<mailto:af...@kwisp.com>> wrote:

The amplifier would receive a query from a spoofed IP
address, and respond using a legit IP address. So the
attacker needs to control some computers that can spoof
the victim's IP address, but the actual attack traffic
comes from the amplifiers using legit source IPs.

In the case of IoT botnets, I'm not sure any spoofing is
required.

*From:* Af [mailto:af-boun...@afmug.com
<mailto:af-boun...@afmug.com>] *On Behalf Of* Josh Baird
*Sent:* Friday, October 21, 2016 12:21 PM
    *To:* af@afmug.com <mailto:af@afmug.com>
*Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick

It's a good start. It attempts to prevent spoofed traffic
originating from your network to leave your network (or
BCP38).

On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman
<j...@imaginenetworksllc.com
<mailto:j...@imaginenetworksllc.com>> wrote:

It can't be that simple...can it?


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett
<af...@ics-il.net <mailto:af...@ics-il.net>> wrote:

/ip firewall address-list
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"

/ip firewall filter
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"

That was largely composed off of the top of my
head and typed on my phone, so it may not be
completely accurate.


You should also do it on customer-facing ports, not allowing anything to come in,
but that would be best approached once Mikrotik adds the per-interface setting
for unicast reverse path filtering. You would then set customer-facing
interfaces to strict and all other in

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread That One Guy /sarcasm
forcing people to interact in person... a dangerous prospect in these times

On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart <
timreichh...@hometowncable.net> wrote:

> It seems like facebook is also getting slow.
>
> --
> -Original Message-
> From: "Travis Johnson" <t...@ida.net>
> To: af@afmug.com
> Date: 10/21/16 02:37 PM
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
> This is still going right now... big and small websites and ISP's are
> unreachable and unresponsive. :(
>
> Travis
>
>
> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>
>
>
>
> Interesting, according to that, the ISP DNS servers are recruited as part
> of the attack on the victim's authoritative DNS servers, by sending queries
> from within the ISP's network.
>
>
>
> No spoofing, no amplification, no misconfigured DNS servers required, yet
> the ISP's DNS servers are used to send the attack traffic. All that is
> needed is a compromised IoT to send the query.
>
>
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
> Behalf Of* Josh Baird
> *Sent:* Friday, October 21, 2016 12:42 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
>
>
> Right - crap IoT devices on the Mirai botnet were responsible for shoving
> 620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take
> down OVH). No spoofing involved.
>
>
>
> Interesting article on the techniques used by Mirai:
>
>
>
> https://f5.com/about-us/news/articles/mirai-the-iot-bot-
> that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
>
>
>
>
> On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> wrote:
>
> The amplifier would receive a query from a spoofed IP address, and respond
> using a legit IP address. So the attacker needs to control some computers
> that can spoof the victim's IP address, but the actual attack traffic comes
> from the amplifiers using legit source IPs.
>
>
>
> In the case of IoT botnets, I'm not sure any spoofing is required.
>
>
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of* Josh Baird
> *Sent:* Friday, October 21, 2016 12:21 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
>
>
> It's a good start. It attempts to prevent spoofed traffic originating from
> your network to leave your network (or BCP38).
>
>
>
> On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com>
> wrote:
>
> It can't be that simple...can it?
>
>
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
>
>
>
> On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net> wrote:
>
> /ip firewall address-list
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"
>
> /ip firewall filter
> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"
>
> That was largely composed off of the top of my head and typed on my phone,
> so it may not be completely accurate.
>
>
> You should also do it on customer-facing ports, not allowing anything to
> come in, but that would be best approached once Mikrotik adds the per-interface
> setting for unicast reverse path filtering. You would then set customer-facing
> interfaces to strict and all other interfaces to loose.
> They accepted the feature request, just haven't implemented it yet.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
>
>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> --
>
> *From:* "Mike Hammett" <af...@ics-il.net>
> *To:* af

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Tim Reichhart
It seems like facebook is also getting slow.


-Original Message-
From: "Travis Johnson" <t...@ida.net>
To: af@afmug.com
Date: 10/21/16 02:37 PM
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

This is still going right now... big and small websites and ISP's are 
unreachable and unresponsive. :(

Travis


On 10/21/2016 12:19 PM, Ken Hohhof wrote:
 
 
Interesting, according to that, the ISP DNS servers are recruited as part of 
the attack on the victim's authoritative DNS servers, by sending queries from 
within the ISP's network.
 
No spoofing, no amplification, no misconfigured DNS servers required, yet the 
ISP's DNS servers are used to send the attack traffic.  All that is needed is a 
compromised IoT to send the query.
 
 
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:42 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
 
Right - crap IoT devices on the Mirai botnet were responsible for shoving 
620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take down 
OVH).  No spoofing involved.
 

Interesting article on the techniques used by Mirai:

 

https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
 

 
On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> wrote:

The amplifier would receive a query from a spoofed IP address, and respond 
using a legit IP address.  So the attacker needs to control some computers that 
can spoof the victim's IP address, but the actual attack traffic comes from the 
amplifiers using legit source IPs.
 
In the case of IoT botnets, I'm not sure any spoofing is required.
 
 
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:21 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
 
It's a good start.  It attempts to prevent spoofed traffic originating from 
your network to leave your network (or BCP38).

 
On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com> 
wrote:

It can't be that simple...can it?




 
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373 

 
On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net> wrote:

/ip firewall address-list
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"

/ip firewall filter
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"

That was largely composed off of the top of my head and typed on my phone, so 
it may not be completely accurate.


You should also do it on customer-facing ports, not allowing anything to come 
in, but that would be best approached once Mikrotik adds the per-interface 
setting for unicast reverse path filtering. You would then set customer-facing 
interfaces to strict and all other interfaces to loose. They accepted the 
feature request, just haven't implemented it yet.


-
Mike Hammett
 Intelligent Computing Solutions
 
 Midwest Internet Exchange
 
 The Brothers WISP
 






From: "Mike Hammett" <af...@ics-il.net>
To: af@afmug.com
Sent: Friday, October 21, 2016 11:21:35 AM
Subject: [AFMUG] Another large DDoS, Stop Being a Dick
There's another large DDoS going on now. Go to this page to see if you can be 
used for UDP amplification (or other spoofing) attacks:

https://www.caida.org/projects/spoofer/

Go to these pages for longer-term bad behavior monitoring:

https://www.shadowserver.org/wiki/
https://radar.qrator.net/


Maybe we need to start a database of ASNs WISPs are using and start naming and 
shaming them when they have bad actors on their network. This is serious, 
people. Take it seriously.


-
Mike Hammett
 Intelligent Computing Solutions
 
 Midwest Internet Exchange
 
 The Brothers WISP
 





Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Travis Johnson
This is still going right now... big and small websites and ISP's are 
unreachable and unresponsive. :(


Travis


On 10/21/2016 12:19 PM, Ken Hohhof wrote:


Interesting, according to that, the ISP DNS servers are recruited as 
part of the attack on the victim’s authoritative DNS servers, by 
sending queries from within the ISP’s network.


No spoofing, no amplification, no misconfigured DNS servers required, 
yet the ISP’s DNS servers are used to send the attack traffic.  All 
that is needed is a compromised IoT to send the query.


*From:*Af [mailto:af-boun...@afmug.com] *On Behalf Of *Josh Baird
*Sent:* Friday, October 21, 2016 12:42 PM
*To:* af@afmug.com
*Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick

Right - crap IoT devices on the Mirai botnet were responsible for 
shoving 620+Gbps of traffic at Akamai to take down Krebs (and over 
1Tbps to take down OVH).  No spoofing involved.


Interesting article on the techniques used by Mirai:

https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937

On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com 
<mailto:af...@kwisp.com>> wrote:


The amplifier would receive a query from a spoofed IP address, and
respond using a legit IP address.  So the attacker needs to
control some computers that can spoof the victim’s IP address, but
the actual attack traffic comes from the amplifiers using legit
source IPs.

In the case of IoT botnets, I’m not sure any spoofing is required.

*From:*Af [mailto:af-boun...@afmug.com
<mailto:af-boun...@afmug.com>] *On Behalf Of *Josh Baird
*Sent:* Friday, October 21, 2016 12:21 PM
*To:* af@afmug.com <mailto:af@afmug.com>
    *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick

It's a good start.  It attempts to prevent spoofed traffic
originating from your network to leave your network (or BCP38).

On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman
<j...@imaginenetworksllc.com <mailto:j...@imaginenetworksllc.com>>
wrote:

It can't be that simple...can it?


Josh Luthman
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett
<af...@ics-il.net <mailto:af...@ics-il.net>> wrote:

/ip firewall address-list
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"

/ip firewall filter
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"

That was largely composed off of the top of my head and
typed on my phone, so it may not be completely accurate.


You should also do it on customer-facing ports, not
allowing anything to come in, but that would be best
approached once Mikrotik adds the per-interface setting for
unicast reverse path filtering. You would then set
customer-facing interfaces to strict and all other
interfaces to loose. They accepted the feature request,
just haven't implemented it yet.



-
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>

<https://www.facebook.com/ICSIL><https://plus.google.com/+IntelligentComputingSolutionsDeKalb><https://www.linkedin.com/company/intelligent-computing-solutions><https://twitter.com/ICSIL>
Midwest Internet Exchange <http://www.midwest-ix.com/>

<https://www.facebook.com/mdwestix><https://www.linkedin.com/company/midwest-internet-exchange><https://twitter.com/mdwestix>
The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp>


<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>




*From: *"Mike Hammett" <af...@ics-il.net
        <mailto:af...@ics-il.net>>
*To: *af@afmug.com <mailto:af@afmug.com>
*Sent: *Friday, October 21, 2016 11:21:35 AM
*Subject: *[AFMUG] Another large DDoS, Stop Being a Dick

There's another large DDoS going on now. Go to this page
to see if you can be used for UDP amplification (or other
spoofing) attacks:

https://www.caida.org/projects/spoofer/

Go to these pages for longer-term bad behavior
 

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Ken Hohhof
Interesting, according to that, the ISP DNS servers are recruited as part of 
the attack on the victim’s authoritative DNS servers, by sending queries from 
within the ISP’s network.

 

No spoofing, no amplification, no misconfigured DNS servers required, yet the 
ISP’s DNS servers are used to send the attack traffic.  All that is needed is a 
compromised IoT to send the query.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:42 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

Right - crap IoT devices on the Mirai botnet were responsible for shoving 
620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take down 
OVH).  No spoofing involved.

 

Interesting article on the techniques used by Mirai:

 

https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937

 

On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com 
<mailto:af...@kwisp.com> > wrote:

The amplifier would receive a query from a spoofed IP address, and respond 
using a legit IP address.  So the attacker needs to control some computers that 
can spoof the victim’s IP address, but the actual attack traffic comes from the 
amplifiers using legit source IPs.

 

In the case of IoT botnets, I’m not sure any spoofing is required.

 

 

From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com> ] On Behalf 
Of Josh Baird
Sent: Friday, October 21, 2016 12:21 PM
To: af@afmug.com <mailto:af@afmug.com> 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

It's a good start.  It attempts to prevent spoofed traffic originating from 
your network to leave your network (or BCP38).

 

On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com 
<mailto:j...@imaginenetworksllc.com> > wrote:

It can't be that simple...can it?




 

Josh Luthman
Office: 937-552-2340  
Direct: 937-552-2343  
1100 Wayne St
Suite 1337
Troy, OH 45373

 

On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net 
<mailto:af...@ics-il.net> > wrote:

/ip firewall address-list
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"

/ip firewall filter
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"

That was largely composed off of the top of my head and typed on my phone, so 
it may not be completely accurate.


You should also do it on customer-facing ports, not allowing anything to come 
in, but that would be best approached once Mikrotik adds the per-interface 
setting for unicast reverse path filtering. You would then set customer-facing 
interfaces to strict and all other interfaces to loose. They accepted the 
feature request, just haven't implemented it yet.



-
Mike Hammett
 <http://www.ics-il.com/> Intelligent Computing Solutions
 <https://www.facebook.com/ICSIL>  
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>  
<https://www.linkedin.com/company/intelligent-computing-solutions>  
<https://twitter.com/ICSIL> 
 <http://www.midwest-ix.com/> Midwest Internet Exchange
 <https://www.facebook.com/mdwestix>  
<https://www.linkedin.com/company/midwest-internet-exchange>  
<https://twitter.com/mdwestix> 
 <http://www.thebrotherswisp.com/> The Brothers WISP
 <https://www.facebook.com/thebrotherswisp>  
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> 





  _  


From: "Mike Hammett" <af...@ics-il.net <mailto:af...@ics-il.net> >
To: af@afmug.com <mailto:af@afmug.com> 
Sent: Friday, October 21, 2016 11:21:35 AM
Subject: [AFMUG] Another large DDoS, Stop Being a Dick

There's another large DDoS going on now. Go to this page to see if you can be 
used for UDP amplification (or other spoofing) attacks:

https://www.caida.org/projects/spoofer/

Go to these pages for longer-term bad behavior monitoring:

https://www.shadowserver.org/wiki/
https://radar.qrator.net/


Maybe we need to start a database of ASNs WISPs are using and start naming and 
shaming them when they have bad actors on their network. This is serious, 
people. Take it seriously.



-
Mike Hammett
 <http://www.ics-il.com/> Intelligent Computing Solutions
 <https://www.facebook.com/ICSIL>  
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>  
<https://www.linkedin.com/company/intelligent-computing-solutions>  
<https://twitter.com/ICSIL> 
 <http://www.midwest-ix.com/> Midwest Internet Exchange
 <https://www.facebook.com/mdwestix>  
<https://www.linkedin.com/company/midwest-internet-exchange>  
<https://twitter.com/mdwestix> 
 <http://www.thebrotherswisp.com/> The Brothers WISP
 <https://www.facebook.com/thebrotherswisp>  
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> 





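Ken's point above (a resolver recruited by unspoofed queries from an infected device to hammer the victim's authoritative servers) is visible on the resolver itself: the tell is one client asking for many distinct, never-repeated names under one zone. The following is an added example, not part of the thread or anyone's posted config. It assumes BIND 9-style query-log lines of the form "client IP#port (name): query: name IN type flags (server)", runs over a constructed sample, and approximates the zone as the last two labels of the queried name.

```shell
#!/bin/sh
# Added example: flag clients that query many distinct names under one zone
# (the "random subdomain" pattern used against authoritative DNS).
# Assumes BIND 9-style query-log lines; the sample below is constructed.

# Constructed sample: 203.0.113.45 fires six random labels at example.com
# (one of them twice); 203.0.113.46 does ordinary lookups under example.net.
SAMPLE_LOG='21-Oct-2016 12:05:01.101 client 203.0.113.45#41000 (k3j9x1.example.com): query: k3j9x1.example.com IN A + (10.0.0.53)
21-Oct-2016 12:05:01.104 client 203.0.113.45#41001 (p0q7zz.example.com): query: p0q7zz.example.com IN A + (10.0.0.53)
21-Oct-2016 12:05:01.108 client 203.0.113.45#41002 (m8n2aa.example.com): query: m8n2aa.example.com IN A + (10.0.0.53)
21-Oct-2016 12:05:01.111 client 203.0.113.46#53011 (www.example.net): query: www.example.net IN A + (10.0.0.53)
21-Oct-2016 12:05:01.115 client 203.0.113.45#41003 (ww4t5b.example.com): query: ww4t5b.example.com IN A + (10.0.0.53)
21-Oct-2016 12:05:01.119 client 203.0.113.45#41004 (k3j9x1.example.com): query: k3j9x1.example.com IN A + (10.0.0.53)
21-Oct-2016 12:05:01.122 client 203.0.113.46#53012 (mail.example.net): query: mail.example.net IN MX + (10.0.0.53)
21-Oct-2016 12:05:01.126 client 203.0.113.45#41005 (c6v1rr.example.com): query: c6v1rr.example.com IN A + (10.0.0.53)
21-Oct-2016 12:05:01.130 client 203.0.113.45#41006 (h2h2h2.example.com): query: h2h2h2.example.com IN A + (10.0.0.53)'

# usage: flag_random_subdomain_floods THRESHOLD < querylog
# Prints "client zone distinct=N queries=M" for every (client, zone) pair
# that asked for at least THRESHOLD distinct names.
flag_random_subdomain_floods() {
    awk -v thr="$1" '
    /query:/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "client") { split($(i + 1), a, "#"); ip = a[1] }  # drop the #port
            if ($i == "query:") { name = tolower($(i + 1)) }
        }
        n = split(name, lab, ".")
        if (n < 3) next                   # apex/single-label query: no random label possible
        zone = lab[n - 1] "." lab[n]      # assumption: zone = last two labels
        key = ip " " zone
        if (!((key, name) in seen)) { seen[key, name] = 1; distinct[key]++ }
        total[key]++
    }
    END {
        for (k in distinct)
            if (distinct[k] >= thr)
                printf "%s distinct=%d queries=%d\n", k, distinct[k], total[k]
    }'
}

# Threshold of 5 only because the sample is tiny; on a real resolver use
# per-minute windows and a threshold in the hundreds.
printf '%s\n' "$SAMPLE_LOG" | flag_random_subdomain_floods 5
```

The last-two-labels zone guess is wrong for names under co.uk and the like; a production version should key on the public suffix list or on the zones your customers are actually hitting. Once a client is flagged, rate-limit it at the resolver and walk the IP back to the infected device rather than turning the resolver off.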

Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Justin Wilson
Ignorance is what you have to fight against though.  I know folks who have bad 
BGP setups and it works for them. When their bad configuration becomes my issue 
and either loses me revenue or causes my support costs to go up, it becomes a 
priority. For example, I can't get to my cloud hosted accounting, but more 
importantly a couple of clients who need to pay can't either.   If you are 
participating in BGP you should either have someone to call or you should know 
it yourself.  If your own house is a mess that's fine, but if your misconfigured 
car gets on the road and crashes into a telephone pole it's not just your 
problem.  Therein lies the issue.  BGP is a very fragile ecosystem when it 
comes down to it.  So is DNS.  The problem is these are like water and oxygen 
to the Internet.  They must exist.   

If anyone out there has a BGP setup they have questions about I would gladly do 
a 15 minute session with them for free and tell them what's being done right and 
what's being done wrong.


Justin Wilson
j...@mtin.net

---
http://www.mtin.net Owner/CEO
xISP Solutions- Consulting – Data Centers - Bandwidth

http://www.midwest-ix.com  COO/Chairman
Internet Exchange - Peering - Distributed Fabric

> On Oct 21, 2016, at 12:26 PM, Sean Heskett wrote:
> 
> I think instead of naming and shaming you'd get more traction if you informed 
> and taught them how to prevent and stop this traffic.  
> 
> Many WISPs don't have the technical know how (or time) to even realize it's 
> happening.  They are just trying to get customers connected.
> 
> I know my network isn't perfect and I'd gladly submit a list of subnets I 
> control to a group that would be willing to tell me what's wrong and how I 
> can fix it so I'm not part of the problem.
> 
> 2 cents
> 
> -Sean 
> 
> On Friday, October 21, 2016, Mike Hammett wrote:
> There's another large DDoS going on now. Go to this page to see if you can be 
> used for UDP amplification (or other spoofing) attacks:
> 
> https://www.caida.org/projects/spoofer/ 
> 
> 
> Go to these pages for longer-term bad behavior monitoring:
> 
> https://www.shadowserver.org/wiki/ 
> https://radar.qrator.net/ 
> 
> 
> Maybe we need to start a database of ASNs WISPs are using and start naming 
> and shaming them when they have bad actors on their network. This is serious, 
> people. Take it seriously.
> 
> 
> 
> -
> Mike Hammett
> Intelligent Computing Solutions 
>   
>  
>  
> 
> Midwest Internet Exchange 
>   
>  
> 
> The Brothers WISP 
>  
> 
> 
>  
> 



Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Josh Baird
Right - crap IoT devices on the Mirai botnet were responsible for shoving
620+Gbps of traffic at Akamai to take down Krebs (and over 1Tbps to take
down OVH).  No spoofing involved.

Interesting article on the techniques used by Mirai:

https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937

On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> wrote:

> The amplifier would receive a query from a spoofed IP address, and respond
> using a legit IP address.  So the attacker needs to control some computers
> that can spoof the victim’s IP address, but the actual attack traffic comes
> from the amplifiers using legit source IPs.
>
>
>
> In the case of IoT botnets, I’m not sure any spoofing is required.
>
>
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Josh Baird
> *Sent:* Friday, October 21, 2016 12:21 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] Another large DDoS, Stop Being a Dick
>
>
>
> It's a good start.  It attempts to prevent spoofed traffic originating
> from your network to leave your network (or BCP38).
>
>
>
> On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com>
> wrote:
>
> It can't be that simple...can it?
>
>
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
>
>
> On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net> wrote:
>
> /ip firewall address-list
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"
>
> /ip firewall filter
> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"
>
> That was largely composed off of the top of my head and typed on my phone,
> so it may not be completely accurate.
>
>
> You should also do it on customer-facing ports, not allowing anything to
> come in, but that would be best approached once Mikrotik adds the per-interface
> setting for unicast reverse path filtering. You would then set customer-facing
> interfaces to strict and all other interfaces to loose.
> They accepted the feature request, just haven't implemented it yet.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
>
>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> --
>
> *From: *"Mike Hammett" <af...@ics-il.net>
> *To: *af@afmug.com
> *Sent: *Friday, October 21, 2016 11:21:35 AM
> *Subject: *[AFMUG] Another large DDoS, Stop Being a Dick
>
> There's another large DDoS going on now. Go to this page to see if you can
> be used for UDP amplification (or other spoofing) attacks:
>
> https://www.caida.org/projects/spoofer/
>
> Go to these pages for longer-term bad behavior monitoring:
>
> https://www.shadowserver.org/wiki/
> https://radar.qrator.net/
>
>
> Maybe we need to start a database of ASNs WISPs are using and start naming
> and shaming them when they have bad actors on their network. This is
> serious, people. Take it seriously.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
>
>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>
>
>
>
>
>
>
>
>


Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Ken Hohhof
The amplifier would receive a query from a spoofed IP address, and respond 
using a legit IP address.  So the attacker needs to control some computers that 
can spoof the victim’s IP address, but the actual attack traffic comes from the 
amplifiers using legit source IPs.

 

In the case of IoT botnets, I’m not sure any spoofing is required.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:21 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

It's a good start.  It attempts to prevent spoofed traffic originating from 
your network to leave your network (or BCP38).

 

On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com 
<mailto:j...@imaginenetworksllc.com> > wrote:

It can't be that simple...can it?




 

Josh Luthman
Office: 937-552-2340  
Direct: 937-552-2343  
1100 Wayne St
Suite 1337
Troy, OH 45373

 

On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net 
<mailto:af...@ics-il.net> > wrote:

/ip firewall address-list
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"

/ip firewall filter
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"

That was largely composed off of the top of my head and typed on my phone, so 
it may not be completely accurate.


You should also do it on customer-facing ports, not allowing anything to come 
in, but that would be best approached once Mikrotik adds the per-interface 
setting for unicast reverse path filtering. You would then set customer-facing 
interfaces to strict and all other interfaces to loose. They accepted the 
feature request, just haven't implemented it yet.



-
Mike Hammett
 <http://www.ics-il.com/> Intelligent Computing Solutions
 <https://www.facebook.com/ICSIL>  
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>  
<https://www.linkedin.com/company/intelligent-computing-solutions>  
<https://twitter.com/ICSIL> 
 <http://www.midwest-ix.com/> Midwest Internet Exchange
 <https://www.facebook.com/mdwestix>  
<https://www.linkedin.com/company/midwest-internet-exchange>  
<https://twitter.com/mdwestix> 
 <http://www.thebrotherswisp.com/> The Brothers WISP
 <https://www.facebook.com/thebrotherswisp>  
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> 





  _  


From: "Mike Hammett" <af...@ics-il.net <mailto:af...@ics-il.net> >
To: af@afmug.com <mailto:af@afmug.com> 
Sent: Friday, October 21, 2016 11:21:35 AM
Subject: [AFMUG] Another large DDoS, Stop Being a Dick

There's another large DDoS going on now. Go to this page to see if you can be 
used for UDP amplification (or other spoofing) attacks:

https://www.caida.org/projects/spoofer/

Go to these pages for longer-term bad behavior monitoring:

https://www.shadowserver.org/wiki/
https://radar.qrator.net/


Maybe we need to start a database of ASNs WISPs are using and start naming and 
shaming them when they have bad actors on their network. This is serious, 
people. Take it seriously.



-
Mike Hammett
 <http://www.ics-il.com/> Intelligent Computing Solutions
 <https://www.facebook.com/ICSIL>  
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>  
<https://www.linkedin.com/company/intelligent-computing-solutions>  
<https://twitter.com/ICSIL> 
 <http://www.midwest-ix.com/> Midwest Internet Exchange
 <https://www.facebook.com/mdwestix>  
<https://www.linkedin.com/company/midwest-internet-exchange>  
<https://twitter.com/mdwestix> 
 <http://www.thebrotherswisp.com/> The Brothers WISP
 <https://www.facebook.com/thebrotherswisp>  
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> 






Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Mike Hammett
No, but only because I don't know how. If I knew how, I would. Hopefully 
someone else can contribute that. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Sean Heskett" <af...@zirkel.us> 
To: af@afmug.com 
Sent: Friday, October 21, 2016 12:25:54 PM 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 


we use all imagestream routers at our towers and we have a Juniper MX104 at our 
10gig circuit. 


would you be able to re-write those rules for iptables?? 


Thanks! 


-sean 





Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread That One Guy /sarcasm
imagestream still exists?


On Fri, Oct 21, 2016 at 12:25 PM, Sean Heskett <af...@zirkel.us> wrote:

> we use all imagestream routers at our towers and we have a Juniper MX104
> at our 10gig circuit.
>
> would you be able to re-write those rules for iptables??
>
> Thanks!
>
> -sean


-- 
If you only see yourself as part of the team but you don't see your team as
part of yourself you have already failed as part of the team.


Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Sean Heskett
we use all imagestream routers at our towers and we have a Juniper MX104 at
our 10gig circuit.

would you be able to re-write those rules for iptables??

Thanks!

-sean


On Fri, Oct 21, 2016 at 11:17 AM, Mike Hammett <af...@ics-il.net> wrote:

> /ip firewall address-list
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream
> customer X IPs"
>
> /ip firewall filter
> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no
> out-interface="To-Upstream" dst-address-list=!"Public-IPs"
>
> That was largely composed off of the top of my head and typed on my phone,
> so it may not be completely accurate.
>
>
> You should also do it on customer-facing ports, not allowing anything to
> come in, but that would be best approached once Mikrotik adds the
> per-interface setting for unicast reverse path filtering. You would then set
> said customer-facing interfaces to strict and all other interfaces to loose.
> They accepted the feature request, just haven't implemented it yet.


Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Mike Hammett
Yes. That stops all spoofed traffic. 

Sorry, src-address-list, not dst-address-list. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Josh Luthman" <j...@imaginenetworksllc.com> 
To: af@afmug.com 
Sent: Friday, October 21, 2016 12:19:31 PM 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 


It can't be that simple...can it? 






Josh Luthman 
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St 
Suite 1337 
Troy, OH 45373 



Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Josh Baird
It's a good start.  It attempts to prevent spoofed traffic originating from
your network from leaving your network (i.e. BCP 38).

On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com>
wrote:

> It can't be that simple...can it?
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>


Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Josh Luthman
It can't be that simple...can it?


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net> wrote:

> /ip firewall address-list
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream
> customer X IPs"
>
> /ip firewall filter
> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no
> out-interface="To-Upstream" dst-address-list=!"Public-IPs"
>
> That was largely composed off of the top of my head and typed on my phone,
> so it may not be completely accurate.
>
>
> You should also do it on customer-facing ports, not allowing anything to
> come in, but that would be best approached once Mikrotik adds the
> per-interface setting for unicast reverse path filtering. You would then set
> said customer-facing interfaces to strict and all other interfaces to loose.
> They accepted the feature request, just haven't implemented it yet.


Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Mike Hammett
/ip firewall address-list 
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs" 
add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs" 

/ip firewall filter 
# Match on the SOURCE address: a packet heading out to the upstream whose source 
# is not one of our own or our customers' prefixes is spoofed. 
# (src-address-list, not dst-address-list, as corrected in the follow-up.) 
add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs" 

That was largely composed off of the top of my head and typed on my phone, so 
it may not be completely accurate. 


You should also do it on customer-facing ports, not allowing anything to come 
in, but that would be best approached once Mikrotik adds the per-interface 
setting for unicast reverse path filtering. You would then set said 
customer-facing interfaces to strict and all other interfaces to loose. They 
accepted the feature request, just haven't implemented it yet. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 
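Sean asks upthread for the same rule in iptables and nobody on the list supplied one. What follows is an added example, not code from the thread or from any of its posters: the RouterOS egress rule above rendered for a Linux router with iptables and ipset, plus the per-interface strict/loose unicast reverse path filtering that Mike says RouterOS did not yet offer (Linux has it as the rp_filter sysctl per interface; the kernel uses the larger of the "all" and per-interface values). The interface names (eth0 toward the upstream, eth1 and eth2 customer-facing), the chain and set names, and the 203.0.113.0/24 and 198.51.100.0/24 prefixes are placeholders for this example; setting IPT, IPSET and SYSCTL to "echo" prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: BCP 38 egress filtering for a Linux router
# (iptables + ipset), the counterpart of the RouterOS address-list rule, plus
# per-interface unicast RPF via rp_filter. Interface names, set/chain names and
# the prefixes are placeholders. Set IPT, IPSET and SYSCTL to "echo" to print the
# commands instead of running them (no root needed for a dry run).
set -eu

IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
SYSCTL="${SYSCTL:-sysctl}"
UPSTREAM_IF="${UPSTREAM_IF:-eth0}"            # the "To-Upstream" port in the RouterOS rule
CUSTOMER_IFS="${CUSTOMER_IFS:-eth1 eth2}"     # customer/tower-facing ports
# Prefixes you may legitimately originate: your own plus downstream customers' (placeholders).
PUBLIC_PREFIXES="${PUBLIC_PREFIXES:-203.0.113.0/24 198.51.100.0/24}"

# Counterpart of:
#   /ip firewall filter add chain=forward out-interface=To-Upstream \
#       src-address-list=!Public-IPs action=drop
bcp38_egress() {
    $IPSET create public-ips hash:net -exist                 # hash:net takes CIDR members
    for p in $PUBLIC_PREFIXES; do
        $IPSET add public-ips "$p" -exist
    done
    $IPT -N BCP38 2>/dev/null || $IPT -F BCP38                # own chain, so re-runs are idempotent
    # log a rate-limited sample first: you want to find the spoofing customer, not just mute it
    $IPT -A BCP38 -m set ! --match-set public-ips src \
        -m limit --limit 10/min -j LOG --log-prefix "BCP38 spoofed: "
    $IPT -A BCP38 -m set ! --match-set public-ips src -j DROP
    # only routed traffic leaving toward the upstream is checked
    $IPT -I FORWARD 1 -o "$UPSTREAM_IF" -j BCP38
}

# Per-interface uRPF. rp_filter=1 is strict (the source must route back out the
# same interface), 2 is loose (the source only has to be in the routing table).
# The kernel applies max(conf.all, conf.<if>), so "all" is left at 0 and the
# decision is made per interface: strict on customer ports, loose toward the upstream.
urpf() {
    $SYSCTL -w net.ipv4.conf.all.rp_filter=0
    $SYSCTL -w net.ipv4.conf.default.rp_filter=2
    for i in $CUSTOMER_IFS; do
        $SYSCTL -w "net.ipv4.conf.$i.rp_filter=1"
    done
    $SYSCTL -w "net.ipv4.conf.$UPSTREAM_IF.rp_filter=2"
}

# Apply for real:  ./bcp38.sh apply   (as root, after editing the prefixes above)
if [ "${1:-}" = "apply" ]; then
    bcp38_egress
    urpf
fi
```

The `! --match-set public-ips src` test is the iptables spelling of `src-address-list=!Public-IPs`; the rate-limited LOG rule ahead of the DROP is there so the customer doing the spoofing can be traced from the router log rather than just silenced. Strict rp_filter on a customer port does for that port what the address list does at the edge, without keeping a list per interface, and loose mode on the upstream keeps asymmetric return paths working; if `conf.all.rp_filter` is set to 1 it overrides the per-interface values, which is why the script pins it to 0. The same two filter rules under ip6tables cover IPv6.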






Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Mike Hammett
Going to the links I provided is a good start. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Sean Heskett" <af...@zirkel.us> 
To: af@afmug.com 
Sent: Friday, October 21, 2016 11:26:42 AM 
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 

I think instead of naming and shaming you'd get more traction if you informed 
and taught them how to prevent and stop this traffic. 


Many WISPs don't have the technical know how (or time) to even realize it's 
happening. They are just trying to get customers connected. 


I know my network isn't perfect and I'd gladly submit a list of subnets I 
control to a group that would be willing to tell me what's wrong and how I can 
fix it so I'm not part of the problem. 


2 cents 


-Sean 




Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Josh Baird
Insecure IoT devices are a *big* problem, especially, like you said, when
Tom and Harry have supar-fiber-fast connectivity to the intarnets.


On Fri, Oct 21, 2016 at 1:01 PM, Ken Hohhof <af...@kwisp.com> wrote:

> If a WISP customer is being used as part of a DDoS attack, chances are the
> volume of upstream traffic will make their own Internet unusable and they will
> end up calling in.
>
>
>
> It’s probably more important to make sure that infrastructure like routers
> and DNS servers are not misconfigured to act as DNS or NTP amplifiers.
> Mikrotik routers by default are DNS amplifiers if you turn on Allow Remote
> Requests and don’t create a firewall rule to block DNS requests from
> outside your network, so that’s something to watch for.
>
>
>
> What I worry about are the Internet Things like webcams that have been
> hacked and recruited into a botnet, and are sitting on a residential
> symmetric gigabit fiber connection.  Most WISP customers have a lot less
> firepower.  I really think FISPs are going to need some mechanisms to
> protect the rest of the Internet if they are going to give every Tom, Dick
> and Harry a gig upstream.  Oh wait, Mike said to stop being a Dick, so make
> that Tom and Harry.


Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Ken Hohhof
If a WISP customer is being used as part of a DDoS attack, chances are the 
volume of upstream traffic will make their own Internet unusable and they will 
end up calling in.

 

It’s probably more important to make sure that infrastructure like routers and 
DNS servers are not misconfigured to act as DNS or NTP amplifiers.  Mikrotik 
routers by default are DNS amplifiers if you turn on Allow Remote Requests and 
don’t create a firewall rule to block DNS requests from outside your network, 
so that’s something to watch for.

 

What I worry about are the Internet Things like webcams that have been hacked 
and recruited into a botnet, and are sitting on a residential symmetric gigabit 
fiber connection.  Most WISP customers have a lot less firepower.  I really 
think FISPs are going to need some mechanisms to protect the rest of the 
Internet if they are going to give every Tom, Dick and Harry a gig upstream.  
Oh wait, Mike said to stop being a Dick, so make that Tom and Harry.

 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
Sent: Friday, October 21, 2016 11:47 AM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

 

I liked Scrutinizer when we tested it in my former job … we ran into serious 
scaling issues with it that they said weren’t possible - too long ago to recall 
details around that problem.  But visually and detail wise it was pretty nice….

 

Arbor is the best solution in my opinion if it’s in budget - and it’s not 
remotely cheap (6 figures to get started)
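Ken's point above is about the ISP's own gear acting as a DNS or NTP amplifier (a MikroTik with Allow Remote Requests on and no input rule, for instance), which is not something the customer will ever phone in about. The following is an added example, not part of the thread or of anything its posters wrote: a shell-plus-awk check over exported flow records from the upstream-facing side that flags a host in your prefixes sending amplification-sized UDP replies from a reflector service port to outside addresses. The CSV layout (src_ip,src_port,dst_ip,dst_port,proto,packets,bytes), the sample flows, the two prefixes and the thresholds (300 bytes per packet, 1000 packets) are constructed for this example; map the fields to whatever your collector exports.

```shell
#!/bin/sh
# Added example, not from the thread: find your own hosts that are being used as
# UDP reflectors (open DNS/NTP/SSDP/... responders) from exported flow records.
# Input is a constructed minimal CSV, one flow per line:
#   src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
# taken from the upstream-facing side, outbound direction. Prefixes and thresholds
# are placeholders/assumptions for the example.
set -eu

AMP_PORTS="${AMP_PORTS:-53 123 19 161 1900 11211}"   # DNS, NTP, chargen, SNMP, SSDP, memcached
OUR_PREFIXES="${OUR_PREFIXES:-203.0.113.0/24 198.51.100.0/24}"
MIN_AVG="${MIN_AVG:-300}"      # bytes per packet: a reply several times the size of a query
MIN_PKTS="${MIN_PKTS:-1000}"   # sustained volume, not one big answer

# Reads flow CSV on stdin; prints one line per suspect src:port with its totals and
# the number of distinct outside destinations (1 = one spoofed victim being hit,
# many = an open responder that scanners and attackers have found).
amp_suspects() {
    awk -F, -v ports="$AMP_PORTS" -v prefixes="$OUR_PREFIXES" \
        -v min_avg="$MIN_AVG" -v min_pkts="$MIN_PKTS" '
    function ip2n(s,    a) { split(s, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
    # CIDR membership without bitwise ops (portable to mawk/BSD awk): compare the top bits by division
    function in_prefix(ip, cidr,    c, shift) {
        split(cidr, c, "/"); shift = 2 ^ (32 - c[2])
        return int(ip2n(ip) / shift) == int(ip2n(c[1]) / shift)
    }
    function is_ours(ip,    i) { for (i = 1; i <= np; i++) if (in_prefix(ip, pf[i])) return 1; return 0 }
    BEGIN {
        n = split(ports, pl, " "); for (i = 1; i <= n; i++) amp[pl[i]] = 1
        np = split(prefixes, pf, " ")
    }
    $5 != "udp" || !($2 in amp) { next }   # only UDP sent from a reflector service port
    is_ours($3) { next }                    # answers to our own customers are normal service
    {
        key = $1 ":" $2
        pkts[key] += $6; bytes[key] += $7
        if (!((key SUBSEP $3) in seen)) { seen[key SUBSEP $3] = 1; dsts[key]++ }
    }
    END {
        for (k in pkts) {
            avg = int(bytes[k] / pkts[k])
            if (avg >= min_avg && pkts[k] >= min_pkts)
                printf "%s packets=%d bytes=%d avg=%d dsts=%d\n", k, pkts[k], bytes[k], avg, dsts[k]
        }
    }'
}

# Constructed sample. 203.0.113.1 is the ISP's MikroTik answering DNS for the whole
# Internet; 192.0.2.x are outside addresses (in an attack, the spoofed victim).
SAMPLE_FLOWS='203.0.113.1,53,192.0.2.5,5555,udp,500,1500000
203.0.113.1,53,192.0.2.6,5555,udp,400,1200000
203.0.113.1,53,192.0.2.7,5555,udp,300,900000
203.0.113.1,53,198.51.100.20,53210,udp,50,6000
203.0.113.1,123,192.0.2.5,123,udp,100,44000
203.0.113.9,53,198.51.100.21,33333,udp,20,2400
203.0.113.44,443,192.0.2.9,51000,tcp,900,1100000'

demo() {
    printf '%s\n' "$SAMPLE_FLOWS" | amp_suspects
}

# Stand-alone use:  ./amp-check.sh demo    or    amp_suspects < flows.csv
if [ "${1:-}" = "demo" ]; then demo; fi
```

On the sample the router's port 53 is reported (1200 packets, 3000 bytes per packet, three outside destinations), the small NTP exchange and the resolver answering a customer are not, and the TCP flow is ignored. Replies to destinations inside your own prefixes are excluded deliberately: a recursive resolver serving your customers is supposed to send big answers inward, and without that exclusion every resolver would be on the list. A legitimate authoritative server that serves the outside world will still show up, so treat the output as a triage list. A hit from the router's own address on port 53 is exactly the Mikrotik case Ken describes, and the fix is the input rule he mentions: drop UDP/53 (and 123) to the router from anything outside your prefixes.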

 

 



Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Paul Stewart
I liked Scrutinizer when we tested it in my former job … we ran into serious 
scaling issues with it that they said weren’t possible - too long ago to recall 
details around that problem.  But visually and detail wise it was pretty nice….

Arbor is the best solution in my opinion if it’s in budget - and it’s not 
remotely cheap (6 figures to get started)


> On Oct 21, 2016, at 12:41 PM, That One Guy /sarcasm wrote:
> 
> Shadowserver is going down for a week, isn't it, to move their data center; 
> expect the exploits to be strong. 
> I just ran that CAIDA app the other day; our office firewall got pretty mad.
> 
> Sign up at Shadowserver, Sean.
> 
> I'm demoing Scrutinizer right now, but waiting on the actual quote. I think it 
> will end up too cost-prohibitive, but man does it have some nice monitoring 
> and alerting.
> 
> Expect to see a whole lot more nastiness as the election gets closer; a lot of 
> dogs are going to be wagged before it's over.
> 
> On Fri, Oct 21, 2016 at 11:26 AM, Sean Heskett  > wrote:
> I think instead of naming and shaming you'd get more traction if you informed 
> and taught them how to prevent and stop this traffic.  
> 
> Many WISPs don't have the technical know how (or time) to even realize it's 
> happening.  They are just trying to get customers connected.
> 
> I know my network isn't perfect and I'd gladly submit a list of subnets I 
> control to a group that would be willing to tell me what's wrong and how I 
> can fix it so I'm not part of the problem.
> 
> 2 cents
> 
> -Sean 
> 
> 
> On Friday, October 21, 2016, Mike Hammett  > wrote:
> There's another large DDoS going on now. Go to this page to see if you can be 
> used for UDP amplification (or other spoofing) attacks:
> 
> https://www.caida.org/projects/spoofer/ 
> 
> 
> Go to these pages for more longer term bad behavior monitoring:
> 
> https://www.shadowserver.org/wiki/ 
> https://radar.qrator.net/ 
> 
> 
> Maybe we need to start a database of ASNs WISPs are using and start naming 
> and shaming them when they have bad actors on their network. This is serious, 
> people. Take it seriously.
> 
> 
> 
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
> 
> -- 
> If you only see yourself as part of the team but you don't see your team as 
> part of yourself you have already failed as part of the team.



Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Paul Stewart
It’s a really serious issue ... we deal with this daily (open/vulnerable 
routers, infected customers, etc.)

We know our network is fairly robust in that regard but the challenge we are 
faced with is education of end customers and trying to enforce AUP with them.  
If we use the manpower to track down these customers and help them, that’s a 
challenge in itself that is typically met (in the average ISP) with resistance 
as it’s sometimes significant manpower with zero additional revenue gain.  If 
we do enforce stringent AUP on them with “three strikes” kind of approach then 
we’ll lose customers that can sign up with the competition that probably won’t 
do any enforcement - then we end up with lost customers who think we’re jerks ….



> On Oct 21, 2016, at 12:21 PM, Mike Hammett wrote:
> 
> There's another large DDoS going on now. Go to this page to see if you can be 
> used for UDP amplification (or other spoofing) attacks:
> 
> https://www.caida.org/projects/spoofer/ 
> 
> 
> Go to these pages for longer-term bad-behavior monitoring:
> 
> https://www.shadowserver.org/wiki/ 
> https://radar.qrator.net/ 
> 
> 
> Maybe we need to start a database of ASNs WISPs are using and start naming 
> and shaming them when they have bad actors on their network. This is serious, 
> people. Take it seriously.
> 
> 
> 
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP


Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread That One Guy /sarcasm
Shadowserver is going down for a week to move their data center, isn't it?
Expect the exploits to be strong.
I just ran that CAIDA app the other day; our office firewall got pretty mad.

Sign up at Shadowserver, Sean.

I'm demoing Scrutinizer right now, but waiting on the actual quote. I think
it will end up too cost prohibitive, but man does it have some nice
monitoring and alerting.

Expect to see a whole lot more nastiness as the election gets closer; a lot
of dogs are going to be wagged before it's over.

On Fri, Oct 21, 2016 at 11:26 AM, Sean Heskett wrote:

> I think instead of naming and shaming you'd get more traction if you
> informed and taught them how to prevent and stop this traffic.
>
> Many WISPs don't have the technical know how (or time) to even realize
> it's happening.  They are just trying to get customers connected.
>
> I know my network isn't perfect and I'd gladly submit a list of subnets I
> control to a group that would be willing to tell me what's wrong and how I
> can fix it so I'm not part of the problem.
>
> 2 cents
>
> -Sean
>
>
> On Friday, October 21, 2016, Mike Hammett wrote:
>
>> There's another large DDoS going on now. Go to this page to see if you
>> can be used for UDP amplification (or other spoofing) attacks:
>>
>> https://www.caida.org/projects/spoofer/
>>
>> Go to these pages for longer-term bad-behavior monitoring:
>>
>> https://www.shadowserver.org/wiki/
>> https://radar.qrator.net/
>>
>>
>> Maybe we need to start a database of ASNs WISPs are using and start
>> naming and shaming them when they have bad actors on their network. This is
>> serious, people. Take it seriously.
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> Midwest Internet Exchange
>> The Brothers WISP
>>


-- 
If you only see yourself as part of the team but you don't see your team as
part of yourself you have already failed as part of the team.


Re: [AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Sean Heskett
I think instead of naming and shaming you'd get more traction if you
informed and taught them how to prevent and stop this traffic.

Many WISPs don't have the technical know how (or time) to even realize it's
happening.  They are just trying to get customers connected.

I know my network isn't perfect and I'd gladly submit a list of subnets I
control to a group that would be willing to tell me what's wrong and how I
can fix it so I'm not part of the problem.

2 cents

-Sean

On Friday, October 21, 2016, Mike Hammett wrote:

> There's another large DDoS going on now. Go to this page to see if you can
> be used for UDP amplification (or other spoofing) attacks:
>
> https://www.caida.org/projects/spoofer/
>
> Go to these pages for longer-term bad-behavior monitoring:
>
> https://www.shadowserver.org/wiki/
> https://radar.qrator.net/
>
>
> Maybe we need to start a database of ASNs WISPs are using and start naming
> and shaming them when they have bad actors on their network. This is
> serious, people. Take it seriously.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
>


[AFMUG] Another large DDoS, Stop Being a Dick

2016-10-21 Thread Mike Hammett
There's another large DDoS going on now. Go to this page to see if you can be 
used for UDP amplification (or other spoofing) attacks: 

https://www.caida.org/projects/spoofer/ 

Go to these pages for longer-term bad-behavior monitoring: 

https://www.shadowserver.org/wiki/ 
https://radar.qrator.net/ 


Maybe we need to start a database of ASNs WISPs are using and start naming and 
shaming them when they have bad actors on their network. This is serious, 
people. Take it seriously. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP
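The spoofing check Mike points at (CAIDA's spoofer test) asks whether packets with source addresses your network does not own can leave it, which is what lets a network be used as a launch point for spoofed amplification traffic; the standard fix is BCP38-style egress filtering on the upstream port. The following is an added Python illustration, not code from the thread or from CAIDA: given a constructed list of announced prefixes, it flags sample outbound flows that such a filter would drop and emits the equivalent iptables chain (the prefixes, flow records and interface name are all constructed values).

```python
"""BCP38-style egress anti-spoofing check (added illustration, not from the thread).
Prefixes, flow records and the interface name below are constructed sample values.
"""
import ipaddress
from typing import Iterable, List

# Hypothetical prefixes this WISP announces to its upstream (constructed).
OWNED_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]


def is_spoofed(src: str, owned: Iterable[ipaddress.IPv4Network] = OWNED_PREFIXES) -> bool:
    """True when src is not inside any prefix we legitimately source traffic from."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in owned)


def flag_spoofed_flows(flows: List[dict], owned=OWNED_PREFIXES) -> List[dict]:
    """Return the outbound flows an egress filter on the upstream port would drop.
    Each flow is a simplified NetFlow-like record: src, dst, proto, dport, pkts.
    """
    return [f for f in flows if is_spoofed(f["src"], owned)]


def egress_iptables_rules(owned=OWNED_PREFIXES, wan_if: str = "eth0") -> List[str]:
    """Build an iptables chain that lets only our own prefixes out of wan_if.
    Logging before the final DROP gives the operator the evidence needed to
    find the infected or misconfigured customer behind the spoofed packets.
    """
    rules = ["iptables -N ANTISPOOF", f"iptables -A FORWARD -o {wan_if} -j ANTISPOOF"]
    rules += [f"iptables -A ANTISPOOF -s {net} -j RETURN" for net in owned]
    rules.append('iptables -A ANTISPOOF -j LOG --log-prefix "SPOOF: "')
    rules.append("iptables -A ANTISPOOF -j DROP")
    return rules


# Constructed sample of outbound flows as seen on the upstream interface.
SAMPLE_FLOWS = [
    {"src": "198.51.100.42", "dst": "192.0.2.10", "proto": "udp", "dport": 53, "pkts": 3},
    {"src": "192.0.2.77", "dst": "192.0.2.10", "proto": "udp", "dport": 123, "pkts": 4000},  # foreign source
    {"src": "203.0.113.9", "dst": "192.0.2.20", "proto": "tcp", "dport": 443, "pkts": 120},
    {"src": "10.20.30.40", "dst": "192.0.2.10", "proto": "udp", "dport": 1900, "pkts": 900},  # RFC1918 leak
]

if __name__ == "__main__":
    for f in flag_spoofed_flows(SAMPLE_FLOWS):
        print(f"would be dropped at egress: {f['src']} -> {f['dst']}:{f['dport']}")
    print("\n".join(egress_iptables_rules()))
```

If the CAIDA test reports that spoofed packets get out, the two flagged flows above are the kind of traffic the chain stops, and the LOG line is what tells you which customer port to chase.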