Re: [AFMUG] dyn attack indicators

2016-10-24 Thread Josh Reynolds
There's a big discussion that is still ongoing on NANOG. Expected size of
this botnet ranges from 1 million to 1.5 hosts.

Infected worldwide hosts... I saw a number of 50 million today, and the
comment was "this is likely a lowball".

On Oct 24, 2016 12:29 PM, "Ken Hohhof" <af...@kwisp.com> wrote:

> Supposedly it has been confirmed the attack was from a Mirai botnet. This
> article has some good info on Mirai; unfortunately, it has many attack
> vectors:
> https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
>
>
> -----Original Message-----
> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Larry Smith
> Sent: Monday, October 24, 2016 12:15 PM
> To: af@afmug.com
> Subject: Re: [AFMUG] dyn attack indicators
>
> On Mon October 24 2016 11:09, That One Guy /sarcasm wrote:
> > We are demoing a couple of NetFlow analysers since Thursday, so we
> > have the network's traffic recorded from Friday. Does anybody know what
> > specific criteria to look for to identify subscribers who may have been
> > involved?
>
> https://labs.ripe.net/Members/massimo_candela/a-quick-look-at-the-attack-on-dyn
>
> --
> Larry Smith
> lesm...@ecsis.net
>
>
>


Re: [AFMUG] dyn attack indicators

2016-10-24 Thread Ken Hohhof
Supposedly it has been confirmed the attack was from a Mirai botnet. This
article has some good info on Mirai; unfortunately, it has many attack vectors:
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html


-----Original Message-----
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Larry Smith
Sent: Monday, October 24, 2016 12:15 PM
To: af@afmug.com
Subject: Re: [AFMUG] dyn attack indicators

On Mon October 24 2016 11:09, That One Guy /sarcasm wrote:
> We are demoing a couple of NetFlow analysers since Thursday, so we
> have the network's traffic recorded from Friday. Does anybody know what
> specific criteria to look for to identify subscribers who may have been
> involved?

https://labs.ripe.net/Members/massimo_candela/a-quick-look-at-the-attack-on-dyn

--
Larry Smith
lesm...@ecsis.net




Re: [AFMUG] dyn attack indicators

2016-10-24 Thread Larry Smith
On Mon October 24 2016 11:09, That One Guy /sarcasm wrote:
> We are demoing a couple of NetFlow analysers since Thursday, so we have the
> network's traffic recorded from Friday. Does anybody know what specific
> criteria to look for to identify subscribers who may have been involved?

https://labs.ripe.net/Members/massimo_candela/a-quick-look-at-the-attack-on-dyn

-- 
Larry Smith
lesm...@ecsis.net


Re: [AFMUG] dyn attack indicators

2016-10-24 Thread Paul Stewart
May want to also look at this: 
https://labs.ripe.net/Members/massimo_candela/a-quick-look-at-the-attack-on-dyn 


On Oct 24, 2016, at 1:10 PM, Paul Stewart wrote:



> SYN attack …
> 
> 
>> On Oct 24, 2016, at 12:09 PM, That One Guy /sarcasm wrote:
>>
>> We are demoing a couple of NetFlow analysers since Thursday, so we have the
>> network's traffic recorded from Friday. Does anybody know what specific
>> criteria to look for to identify subscribers who may have been involved?
>> 
>> -- 
>> If you only see yourself as part of the team but you don't see your team as 
>> part of yourself you have already failed as part of the team.
> 



Re: [AFMUG] dyn attack indicators

2016-10-24 Thread Paul Stewart
SYN attack …


> On Oct 24, 2016, at 12:09 PM, That One Guy /sarcasm wrote:
>
> We are demoing a couple of NetFlow analysers since Thursday, so we have the
> network's traffic recorded from Friday. Does anybody know what specific
> criteria to look for to identify subscribers who may have been involved?
> 
> -- 
> If you only see yourself as part of the team but you don't see your team as 
> part of yourself you have already failed as part of the team.
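
An added example, not written by anyone in this thread, of how the "SYN attack" hint can be applied to recorded flows: flag subscriber addresses whose TCP flows never got past the SYN. The CSV columns, the 100.64. subscriber prefix, port 53 as the target, the telnet-scan check (Mirai's known scanning behaviour, not stated in the thread) and both thresholds are assumptions to adapt to your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, not real traffic. Column names are assumptions;
# tcp_flags is the cumulative OR of flags seen in the flow, in hex.
SAMPLE_FLOWS = """src,dst,proto,dport,tcp_flags,packets
100.64.0.10,198.51.100.1,6,53,0x02,900
100.64.0.10,198.51.100.2,6,53,0x02,850
100.64.0.20,203.0.113.5,6,443,0x1b,40
100.64.0.20,198.51.100.1,17,53,0x00,2
100.64.0.30,203.0.113.1,6,23,0x02,1
100.64.0.30,203.0.113.2,6,2323,0x02,1
100.64.0.30,203.0.113.3,6,23,0x02,1
100.64.0.40,198.51.100.1,6,53,0x1b,12
100.64.0.40,198.51.100.1,6,53,0x02,3
"""

SYN = 0x02
DNS_PORT = 53              # assumption: the target was a DNS provider
TELNET_PORTS = {23, 2323}  # Mirai's scan ports; not stated in the thread
MIN_SYN_PACKETS = 1000     # assumed threshold, tune per network
MIN_SCAN_TARGETS = 3       # assumed threshold, tune per network

def suspect_subscribers(flow_csv, subscriber_prefix="100.64."):
    """Return {subscriber_ip: [reasons]} for TCP flows that never got past SYN."""
    syn_packets = defaultdict(int)
    scan_targets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = row["src"]
        if row["proto"] != "6" or not src.startswith(subscriber_prefix):
            continue
        if int(row["tcp_flags"], 16) != SYN:
            continue  # handshake completed or other flags seen: not SYN-only
        dport = int(row["dport"])
        if dport == DNS_PORT:
            syn_packets[src] += int(row["packets"])
        elif dport in TELNET_PORTS:
            scan_targets[src].add(row["dst"])
    suspects = defaultdict(list)
    for src, pkts in syn_packets.items():
        if pkts >= MIN_SYN_PACKETS:
            suspects[src].append("syn-flood-to-dns")
    for src, dsts in scan_targets.items():
        if len(dsts) >= MIN_SCAN_TARGETS:
            suspects[src].append("telnet-scan")
    return dict(suspects)

print(suspect_subscribers(SAMPLE_FLOWS))
```

Subscribers behind NAT show up as one address, so a hit identifies the customer connection rather than the individual device.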



[AFMUG] dyn attack indicators

2016-10-24 Thread That One Guy /sarcasm
We are demoing a couple of NetFlow analysers since Thursday, so we have the
network's traffic recorded from Friday. Does anybody know what specific
criteria to look for to identify subscribers who may have been involved?

-- 
If you only see yourself as part of the team but you don't see your team as
part of yourself you have already failed as part of the team.