Re: Ransom DDoS attack - need help!

2015-12-09 Thread Roland Dobbins

On 10 Dec 2015, at 13:21, Joe Morgan wrote:

> We have custom in house software that watches the traffic flows from 
> our edge routers and automatically blackholes any ip getting targeted.


Suggest you take a look at the presos I posted earlier and look into 
S/RTBH, flowspec, some limited QoS, and some preemptive ACLs so that you 
aren't forced into completing the DDoS.


---
Roland Dobbins 


Re: Ransom DDoS attack - need help!

2015-12-09 Thread Joe Morgan
Just an update for those following. We have custom in-house software that
watches the traffic flows from our edge routers and automatically
blackholes any ip getting targeted. The blackhole gets sent upstream, which
is what we did to maintain the network for our customers during the first
attack. We did not suffer any network outage because of the attacks other
than our public facing website, which honestly is not critical. Since we
submitted this thread originally we have gotten two responses from "Armada
Collective". One was basically a reminder telling us we had 24 hours left to
pay. The next came tonight as they were supposed to be hitting us. The
second response said they were supposed to be hitting us but decided to
give us two more days to get the cash into bitcoin. As of right now we have
not replied to them and have no plans to do so. We never had plans to
respond or pay them, although telling them what's on my mind sounds
appealing. We have contacted the FBI and are working with them, providing
info. As for protecting our network from future attacks, we put all public
facing web sites behind Cloudflare and changed the ips from what they were.
We left the old ips nulled at our edge and with our providers. We plan to
null any ip they decide to hit and wait it out. As of right now all
they have done is take our website offline briefly, so not much of a
problem as it has not caused our customers issues. Thanks for all the help
and info that has been provided, and we plan to update this thread as things
unfold. I know there are others that have had similar demands (several have
reached out off list), so hopefully the info is useful.

-- 
Thank You,
Joe Morgan - Owner
Joe's Datacenter, LLC
http://joesdatacenter.com
816-726-7615


Re: Looking for VPS providers with BGP session

2015-12-09 Thread Yang Yu
On Tue, Dec 8, 2015 at 8:52 PM, Yucong Sun  wrote:
> I recommend http://www.quadranet.com/ ! I have been a happy customer
> for almost two years,
>
> I have a single dedicated server over there,  running full BGP feed
> with them, It's a fairly extensive setup with multiple sessions,
> automatic null routing and all the communities tinkering! Their NOC is
> very friendly and very easy to work with!
>

I would avoid QuadraNet for VPS services. They refused to give me a
/48 (not even another /64). And it took a shout on WHT for them to
respond to my tickets opened months ago.


Yang


Re: Ransom DDoS attack - need help!

2015-12-09 Thread Baldur Norddahl
>
>
> On 10 December 2015 at 01:48, alvin nanog wrote:
>
>> what app do you have that talks to port 1900 ?
>>
>
> UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are
> also from a reflection attack.
>
>
Sorry I was made aware that UDP 1900 is SSDP. We still block it :-) To my
knowledge there is no real use case for it and no user has ever complained
about that being blocked.

Regards,

Baldur


Re: Ransom DDoS attack - need help!

2015-12-09 Thread Baldur Norddahl
On 10 December 2015 at 01:48, alvin nanog 
wrote:

> what app do you have that talks to port 1900 ?
>

UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are
also from a reflection attack.

We filter UDP 1900 at our border. Not to protect our network from attack,
although it still helps. The packets might have come down our IP transit
pipes, which are high capacity, but we can still stop it from doing further
damage at the smaller pipes in our access network.

We filter UDP 1900 because too many of our customers run vulnerable CPE
devices that can be abused as a Chargen reflector. We stop that hard by
dropping UDP 1900 both ingress and egress.

He is being hit with a volume based UDP reflection attack. The IP addresses
are not faked. They all lead back to people that run vulnerable CPE
devices, NTP servers or open DNS resolvers.

Reflection attacks require that you have the ability to send out faked IP
addresses. Botnets are generally unable to do that. Their max attack size
is limited by the bandwidth at the server, where they have the ability to
send out faked UDP packets.

Continuing to attack you if you do not pay is bad business. They could be
attacking someone who will pay instead. No one has infinite attack
bandwidth available.

Regards,

Baldur


Re: Ransom DDoS attack - need help!

2015-12-09 Thread Roland Dobbins

On 8 Dec 2015, at 14:24, Joe Morgan wrote:


> At the point in time we blackholed our ip we were seeing 20+Gbps.


These two presos discuss extortion DDoS and UDP reflection/amplification 
attacks, specifically - it isn't necessary to resort to D/RTBH to deal 
with these attacks:






---
Roland Dobbins 


Re: Ransom DDoS attack - need help!

2015-12-09 Thread alvin nanog

hi joe

On 12/08/15 at 01:24am, Joe Morgan wrote:
> We received a similar ransom e-mail yesterday 

:-)

don't pay real $$$ ... pretend that it was paid and watch for
them to come get the ransom ... never give your real banking info

ask them, where do you send the "$xx,000" mastercard gift card
by fedex/ups/dhl ... law enforcement might get lucky with real 
physical addresses ... once in a while, there are dumb criminals
that show up on tv news

> followed by a UDP flood attack. 

*pout* or not  ... their demo shows they've got the zombie botnet
capable of sending 20+Gbps  law enforcement and ISP security dept 
"should be interested" to trace them down ... but it takes
tons of (their) resources to take the next steps: who is it and
where are the attackers

*pout* ... udp ddos floods are "expensive" to solve ...

unfortunately, you cannot mitigate any incoming UDP-ddos attacks at your
server/router ... udp mitigation has to be done by:
- somehow, you need to find out who they are etc and legally seize their botnet
- your upstream ISP/peer who doesn't send it to you
- or you set up a 2nd pipe at a geographically different colo ( cheaper )
- or you first send your udp traffic thru a ( expensive ) ddos scrubber

the idea of "limit" the udp traffic is basically useless, since
udp packets already came down the wire ... 

you should at least not reply to any udp ddos packet 
- don't send "host not available", etc etc

> Here is a sample of the attack traffic we received as well as a
> copy of the ransom e-mail. Thought this might be useful to others who have
> been targeted as well. I will have to talk with our upstream providers to
> get a definitive on the size of the attacks. At the point in time we
> blackholed our ip we were seeing 20+Gbps.
> 
> *Dec/07/2015 5:40:22PM *Here is a summary of the flows to our web server IP
> during the ddos event:

since it is a webserver they're playing with ... there's "dozen" things you
can do to mitigate the UDP flood attacks
- web server should only be running apache ...
  remove ntpd, bind, etc, etc, etc aka, remove the risks of udp amplification
- make sure required things like ntpd/sshd etc are using local non-routable ip#
- long common sense list of stuff to do ... including the 4 points listed above

everybody would want the timezone so they can check their "bandwidth" monitor
to see if 20Gbps hurts them too

> Top 10 flows by packets per second for dst IP: 96.43.134.147
>   Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets  pps     bps
>      0.001 UDP    175.43.224.99   1900    22456   2048     2.0 M   5.8 G
>      0.002 UDP    120.199.113.49  1900    54177   2048     1.0 M   2.8 G
>      0.002 UDP    27.208.164.227  1900    54177   2048     1.0 M   2.7 G

what app do you have that talks to port 1900 ?

these are probably spoof'd src addresses, but you will never know
until you look up these ip# to see if there is any common link to it
like it all belonging to the same zombie net

# ListofZombiehosts: one src ip# per line, taken from the flow summary
for host in $(cat ListofZombiehosts)
do
  whois "$host"
  traceroute "$host"
done

- udp is primarily used for ntp, dns, nfs, x11, snmp, etc
  if the service is not used, turn off the ntp/bind/nfsd/X11/snmpd daemons

> Top 10 flows by flows per second for dst IP: 96.43.134.147
>   Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets  pps     bps
>    248.847 UDP    41.214.2.249    123     47207   8.6 M    34594   133.4 M
>    248.886 UDP    91.208.136.126  123     63775   6.7 M    26813   103.4 M
>    150.893 UDP    85.118.98.253   123     47207   5.1 M    33843   130.5 M

they like to play with ntpd ... make sure your NTPd sw is patched

> Top 10 flows by bits per second for dst IP: 96.43.134.147
>   Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets  pps     bps
>      0.002 UDP    92.241.8.75     53      55752   2048     1.0 M   12.4 G
>      0.003 UDP    190.184.144.74  53      18340   2048     682666  8.3 G
>      0.003 UDP    190.109.218.69  53      63492   2048     682666  8.3 G

they like to play with DNS ... make sure your bind sw is patched and
properly configured ( not open resolver, etc )

> 
> 
> Copy of the e-mail headers:
> 
> Delivered-To: j...@joesdatacenter.com
> Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
> Mon, 7 Dec 2015 15:32:22 -0800 (PST)

i assume this ip# is your own local lan ?

> X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088;
> Mon, 07 Dec 2015 15:32:22 -0800 (PST)
> Return-Path: 

something tangible to trace/monitor

good luck trying to get bk.ru and their ISP to help resolve the ransom issue

traceroute bk.ru
traceroute mail.ru

traceroute 217.69.141.11
traceroute 95.191.131.93

whois 217.69.141.11
whois 95.191.131.93

politely rattle the security cages of the NOC for each of the ISPs that
is listed in traceroute and especially the IP# owner

> Received: from f369.i.mail.ru (f369.i.mai

Re: Ransom DDoS attack - need help!

2015-12-09 Thread Joe Morgan
We received a similar ransom e-mail yesterday followed by a UDP flood
attack. Here is a sample of the attack traffic we received as well as a
copy of the ransom e-mail. Thought this might be useful to others who have
been targeted as well. I will have to talk with our upstream providers to
get a definitive on the size of the attacks. At the point in time we
blackholed our ip we were seeing 20+Gbps.

Dec/07/2015 5:40:22PM: Here is a summary of the flows to our web server IP
during the ddos event:


Top 10 flows by packets per second for dst IP: 96.43.134.147
  Duration Proto  Src IP Addr      Src Pt  Dst Pt  Packets  pps     bps
     0.001 UDP    175.43.224.99    1900    22456   2048     2.0 M   5.8 G
     0.002 UDP    120.199.113.49   1900    54177   2048     1.0 M   2.8 G
     0.002 UDP    27.208.164.227   1900    54177   2048     1.0 M   2.7 G
     0.002 UDP    60.209.31.218    1900    16632   2048     1.0 M   3.0 G
     0.002 UDP    27.220.71.238    1900    22456   2048     1.0 M   3.0 G
     0.002 UDP    120.236.121.9    1900    62005   2048     1.0 M   2.5 G
     0.002 UDP    104.137.222.90   1900    14944   2048     1.0 M   3.7 G
     0.002 UDP    121.27.133.72    1900    44417   2048     1.0 M   3.0 G
     0.002 UDP    92.241.8.75      53      55752   2048     1.0 M   12.4 G
     0.002 UDP    120.197.56.134   1900    30672   2048     1.0 M   2.7 G

Top 10 flows by flows per second for dst IP: 96.43.134.147
  Duration Proto  Src IP Addr      Src Pt  Dst Pt  Packets  pps     bps
   248.847 UDP    41.214.2.249     123     47207   8.6 M    34594   133.4 M
   248.886 UDP    91.208.136.126   123     63775   6.7 M    26813   103.4 M
   150.893 UDP    85.118.98.253    123     47207   5.1 M    33843   130.5 M
   151.053 UDP    80.179.166.7     123     63775   5.0 M    33292   128.4 M
   151.230 UDP    69.31.105.142    123     47207   4.9 M    32657   125.9 M
   150.436 UDP    182.190.0.17     123     45291   4.8 M    32128   123.9 M
   248.832 UDP    95.128.184.10    123     63775   4.7 M    19020   73.3 M
   150.573 UDP    188.162.13.4     123     42571   4.6 M    30514   117.7 M
   150.261 UDP    205.128.68.5     123     45291   4.2 M    2        107.1 M
   149.962 UDP    205.128.68.5     123     42571   4.1 M    27443    105.8 M

Top 10 flows by bits per second for dst IP: 96.43.134.147
  Duration Proto  Src IP Addr      Src Pt  Dst Pt  Packets  pps     bps
     0.002 UDP    92.241.8.75      53      55752   2048     1.0 M   12.4 G
     0.003 UDP    190.184.144.74   53      18340   2048     682666  8.3 G
     0.003 UDP    190.109.218.69   53      63492   2048     682666  8.3 G
     0.004 UDP    103.251.48.245   53      43701   2048     512000  6.2 G
     0.004 UDP    46.149.191.239   53      58439   2048     512000  6.2 G
     0.001 UDP    175.43.224.99    1900    22456   2048     2.0 M   5.8 G
     0.006 UDP    37.72.70.85      53      63909   2048     341333  4.1 G
     0.006 UDP    138.204.178.169  53      2162    2048     341333  4.1 G
     0.006 UDP    200.31.97.107    53      33765   2048     341333  4.1 G
     0.006 UDP    110.164.58.82    53      61397   2048     341333  4.1 G



Copy of the e-mail headers:

Delivered-To: j...@joesdatacenter.com
Received: by 10.79.27.84 with SMTP id b81csp1190623ivb;
Mon, 7 Dec 2015 15:32:22 -0800 (PST)
X-Received: by 10.25.88.208 with SMTP id m199mr28948lfb.157.1449531142088;
Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Return-Path: 
Received: from f369.i.mail.ru (f369.i.mail.ru. [217.69.141.11])
by mx.google.com with ESMTPS id 7si214394lfk.103.2015.12.07.15.32.21
for 
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Mon, 07 Dec 2015 15:32:22 -0800 (PST)
Received-SPF: pass (google.com: domain of armada.collect...@bk.ru
designates 217.69.141.11 as permitted sender) client-ip=217.69.141.11;
Authentication-Results: mx.google.com;
   spf=pass (google.com: domain of armada.collect...@bk.ru
designates 217.69.141.11 as permitted sender)
smtp.mailfrom=armada.collect...@bk.ru;
   dkim=pass header.i=@bk.ru;
   dmarc=pass (p=NONE dis=NONE) header.from=bk.ru
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=bk.ru; s=mail;
h=Content-Type:Message-ID:Reply-To:Date:MIME-Version:Subject:To:From;
bh=1BpwCe2lM8814gJCW/09LwlVtrY6pZtMIFMB0Eprzmw=;

b=DKaMWqtH3zre6+R+qmC6+5DTa/o3zx58ubNGalhnEP8cJUtZ/Ln8DnxkQojAdL46g06xlY8rl2QhH07Rm/BHMG9ahsqKSW59F04vcrSv6m6vLnu+4GVwW0ZnRrbkYIaKJohosgdUzUMew9naxuDpF+fD1UqPKCqSs2jgu5071Dw=;
Received: from [95.191.131.93] (ident=mail)
by f369.i.mail.ru with local (envelope-from )
id 1a65GX-0008H5-DO
for j...@joesdatacenter.com; Tue, 08 Dec 2015 02:32:21 +0300
Received: from [95.191.131.93] by e.mail.ru with HTTP;
Tue, 08 Dec 2015 02:32:21 +0300
From: =?UTF-8?B?QXJtYWRhIENvbGxlY3RpdmU=?= 
To: j...@joesdatacenter.com
Subject: =?UTF-8?B?UmFuc29tIHJlcXVlc3Q6IEREb1MgQXR0YWNr?=
MIME-Ve
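As an added example (not Joe's in-house tool or any code posted in the thread), here is the kind of processing such a tool does on a flow summary in the format posted above: it breaks the traffic down by reflector source port (the SSDP/NTP/DNS reading Baldur gives), emits a per-reflector list that source-based filtering such as the S/RTBH or flowspec Roland suggests would act on, and makes the destination-blackhole (D/RTBH) decision that completes the outage. Assumed, not from the thread: the function names, the 10 Gbps blackhole threshold, and the port-to-service map (CHARGEN on UDP/19 is added beyond the ports in the dump).

```python
"""NetFlow-style 'top flows' dump -> mitigation data. Added example (not Joe
Morgan's tool or thread code); assumes the posted columns and K/M/G units."""
import re
from collections import defaultdict, namedtuple

# UDP source ports of the reflector services in the posted flows: SSDP (1900),
# NTP (123) and DNS (53). CHARGEN (19) is added here as a generalisation.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "CHARGEN"}
_MULT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
_RATE_RE = re.compile(r"^([\d.]+)\s*([KMG]?)$")
_DST_RE = re.compile(r"for dst IP:\s*([\d.]+)")
Flow = namedtuple("Flow", "duration proto src_ip src_port dst_port packets pps bps")

def parse_rate(text):
    """'5.8 G' -> 5800000000, '8.6M' -> 8600000, '34594' -> 34594."""
    m = _RATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable counter: {text!r}")
    return int(round(float(m.group(1)) * _MULT[m.group(2)]))

def parse_flow_line(line):
    """Parse one data row; return None for title, header and blank lines."""
    tokens = []
    for tok in line.split():
        if tok in ("K", "M", "G") and tokens:  # re-attach a unit printed as its own token
            tokens[-1] += tok
        else:
            tokens.append(tok)
    if len(tokens) != 8 or not re.fullmatch(r"[\d.]+", tokens[0]):
        return None
    dur, proto, src, sp, dp, pkts, pps, bps = tokens
    return Flow(float(dur), proto.upper(), src, int(sp), int(dp),
                parse_rate(pkts), parse_rate(pps), parse_rate(bps))

def service(flow):
    # Reflector service name for a known UDP source port, else a generic label.
    if flow.proto != "UDP":
        return flow.proto
    return REFLECTOR_PORTS.get(flow.src_port, f"udp/{flow.src_port}")

def assess(lines, dst_ip, blackhole_threshold_bps=10 * 10**9):
    """Aggregate the rows listed under dst_ip. by_service and source_filters are
    what source-based filtering (S/RTBH, flowspec, border ACLs) acts on;
    blackhole_dst is the D/RTBH decision, which stops the flood by taking the
    target offline yourself. total_bps sums per-flow rates (an estimate, not a
    link counter) after de-duplicating rows, because the same flow is usually
    listed in several 'top N' tables and would otherwise be counted twice."""
    current, seen = None, {}
    for line in lines:
        m = _DST_RE.search(line)
        if m:
            current = m.group(1)  # title line: the rows below belong to this dst
            continue
        flow = parse_flow_line(line)
        if flow and current == dst_ip:
            seen.setdefault((flow.src_ip, flow.src_port, flow.dst_port), flow)
    flows = list(seen.values())
    by_service = defaultdict(int)
    for f in flows:
        by_service[service(f)] += f.bps
    total = sum(f.bps for f in flows)
    return {
        "flows": len(flows),
        "total_bps": total,
        "by_service": dict(by_service),
        "source_filters": sorted(((f.src_ip, f.src_port, f.bps) for f in flows),
                                 key=lambda t: t[2], reverse=True),
        "blackhole_dst": total >= blackhole_threshold_bps,
    }

# Constructed sample in the posted format, built from rows of the thread's summary;
# the 92.241.8.75 DNS flow is listed in two of the posted tables, as it is here.
SAMPLE = """\
Top 10 flows by packets per second for dst IP: 96.43.134.147
  Duration Proto  Src IP Addr     Src Pt  Dst Pt  Packets  pps     bps
     0.001 UDP    175.43.224.99   1900    22456   2048     2.0 M   5.8 G
     0.002 UDP    120.199.113.49  1900    54177   2048     1.0 M   2.8 G
     0.002 UDP    92.241.8.75     53      55752   2048     1.0 M   12.4 G
Top 10 flows by flows per second for dst IP: 96.43.134.147
   248.847 UDP    41.214.2.249    123     47207   8.6 M    34594   133.4 M
Top 10 flows by bits per second for dst IP: 96.43.134.147
     0.002 UDP    92.241.8.75     53      55752   2048     1.0 M   12.4 G
""".splitlines()

if __name__ == "__main__":
    a = assess(SAMPLE, "96.43.134.147")
    print(a["by_service"], a["source_filters"][:3])
    print(f"total {a['total_bps'] / 1e9:.2f} Gbps; blackhole: {a['blackhole_dst']}")
```

On the sample the de-duplicated total is about 21 Gbps, in line with the 20+Gbps Joe reports, with DNS the single largest contributor and SSDP second.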

CAIDA BGP Hackathon 6,7 Feb 2016 -- Call for Participation

2015-12-09 Thread Alberto Dainotti
What: CAIDA BGP Hackathon, Call for Participation (CFP)
When: Feb 6-7, 2016
Where: the San Diego Supercomputer Center (SDSC) on the University of
California at San Diego (UCSD) campus.
Who: Parties interested in hacking on live BGP data.
Inquiries: bgp-hackathon-i...@caida.org
Important Deadline: Dec 22, 2015 for travel grant requests
Apply to attend: http://www.caida.org/workshops/bgp-hackathon/1602/ 


CAIDA, in cooperation with CSU, USC, UFMG, FORTH, Route Views, RIPE
NCC, will host a BGP Hackathon on the 6-7th of February 2016 at UC San
Diego (La Jolla, CA, USA).
The theme of the hackathon is “live BGP measurements and monitoring”.

We will provide participating teams with access to data sources and a
toolbox: live streaming of BGP data, the new BGPMon interface, BGP
processing tools and APIs such as the opensource BGPStream software
framework, the PEERING testbed, RIPE RIS, visualization tools, and
data-plane active measurement platforms such as CAIDA Ark and RIPE
Atlas. Participating teams will work on "challenges" that extend,
integrate and demonstrate the utility of these platforms/data for
understanding or solving practical problems (e.g., detecting BGP
prefix hijacking, evaluating anycast performance, effectively
visualizing phenomena).

The hackathon will be held in San Diego the weekend immediately
preceding the NANOG conference and the AIMS academic Internet
measurement workshop.
The hackathon aims to:
- bring together these different communities, e.g., to discuss
  problems operators face that academics may want to research;
- advertise tools (e.g., PEERING peering.usc.edu, BGPStream
  bgpstream.caida.org) to the communities and get people familiar with
  using them, and encourage further use in the future;
- get people working together on interesting/important problems,
  hopefully spurring further collaboration on these problems;
- provide extra incentive for students to attend NANOG.  

### FORMAT
Each team of 2-4 people will work on a "challenge".
The organization committee will propose a set of challenges to
bootstrap feedback and refinement based on community input:
participants can propose totally new challenges, modifications to
existing ones, and express their preferences.
The set of potential challenges is described in the event website at
https://github.com/CAIDA/bgp-hackathon/wiki/List-of-Challenges
and will continuously evolve in the days preceding the hackathon. 

On Saturday morning, participants will very briefly introduce their
interests and ideas and teams will be officially formed. On Saturday
and Sunday, participants will work together in teams to hack and
develop their ideas, culminating in very short presentations to the
jury on Sunday evening and a party to announce the winning teams and
celebrate everyone's participation.
During the event, domain-experts will provide support to the teams.

Participants are free to work on drafted challenges and on their own
ideas in the days preceding the hackathon. A mailing list and
documentation will provide support on the platforms/tools/data used in
the hackathon. However, for the teams to compete in the hackathon for
prizes, they will have to demonstrate that substantial work was done
during the two-day event.
 
### PARTICIPATION AND TRAVEL GRANTS
Application to participate in the hackathon is open from December
8, 2016. Application does not guarantee participation. There is no
application fee, and no participation fee.  We will accept
applications until one week before the hackathon, or until capacity is
reached. However, the deadline to apply for a travel grant (through
the hackathon application form) is 22 December 2015. Travel grants
reimburse flights and hotel expenses.
Food and drinks will be provided throughout the two-day event.

http://www.caida.org/workshops/bgp-hackathon/1602/




Re: Ransom DDoS attack - need help!

2015-12-09 Thread Stephen
I believe that is what he meant, yeah. Figurative opening of the bank
account - showing them that you're willing to pay makes you a target
for future payments as well.
On Thu, 03 Dec 2015, Daniel Corbe wrote:

> 
> > On Dec 3, 2015, at 10:26 AM, Nick Hilliard  wrote:
> > 
> > On 03/12/2015 08:15, halp us wrote:
> >> a very well known group that has been in the news lately. Recently they've
> >> threatened to carry out a major DDoS attack if they are not paid by a
> >> deadline which is approaching. They've performed an attack of a smaller
> >> magnitude to prove that they're serious.
> > 
> > bear in mind that if you pay a ransom like this:
> > 
> > 1. you're opening up a bank account for them to dip into whenever they feel
> > they need more money.
> 
> Most of these types of service ransom deals are conducted via bitcoin.  So I 
> don’t see how this could be the case unless you mean to say that appeasing 
> your attackers is a bad idea because they might just be emboldened enough to 
> try and extort you again whenever the piggy bank is beginning to run dry.
> 


Re: Is RouteViews dead? Is there any alternatives?

2015-12-09 Thread Ashwin Jacob Mathew
PCH maintains routing archives here:
https://www.pch.net/resources/Raw_Routing_Data/

In aggregate, our AS3856 collects routes from 1307 distinct ASNs spread
across 82 IXPs.

> *From:* Kurt Kraut via NANOG <nanog@nanog.org>
> *Date:* December 8, 2015 at 08:24:31 PST
> *To:* NANOG list <nanog@nanog.org>
> *Subject:* *Is RouteViews dead? Is there any alternatives?*
> *Reply-To:* Kurt Kraut
>
> Hi,
>
>
> For the past couple of months I've been attempting to add new Autonomous
> Systems to the RouteViews project and got no response. Talking to other AS
> in my area, I wasn't able to find any new BGP operator that got a response
> from them since July.
>
> Is RouteViews dead? If the answer is yes, it is sad. It is the most used
> resource about the internet routing for multiple perspectives.
>
> Is there any other similar project that I could collaborate with, providing
> the point of view my routers have of the internet?
>
>
> Best regards,
>
>
> Kurt Kraut



Re: IGF Mandate Renewal

2015-12-09 Thread Eliot Lear


On 12/8/15 1:06 AM, Randy Bush wrote:
> they eat better food than we do

Not in my considerable experience.  I always thought that was part of
the problem.

Eliot






Re: Looking for VPS providers with BGP session

2015-12-09 Thread Felipe Zanchet Grazziotin
Hi,

you might find it useful to see Nat Morris's presentation on "Anycast on a
shoe string".
He lists several VPS providers that do BGP for his project.

Here is one link:
http://www.slideshare.net/natmorris/anycast-on-a-shoe-string

Regards,
Felipe


On 7 December 2015 at 12:40, Philippe Bonvin via NANOG 
wrote:

> Hello,
>
>
> I'm looking for providers around the world who are able to provide VPS
> with a BGP session but it seems to be rather difficult to find. I have
> already found a few with WHT/bgp.he.net/google but a little help would be
> appreciated.
>
>
> Does anyone have contact or know people who can offer such services ?
>
> If yes, please contact me off list.
>
>
> Our budget is quite low: around 50$/month/node +/- 50$ depending on the
> transit providers for a server with 1-2 CPU cores, 20 Go SSD or SAS and 1-2
> Go RAM.
>
>
> I'll be happy to share my provider list we use with anyone who needs it.
>
>
> Thanks for your help,
>
> Philippe
>
> [EDSI-Tech Sarl]
> Philippe Bonvin, Director
> EDSI-Tech Sàrl
> EPFL Innovation Park, Batiment C, 1015 Lausanne, Switzerland | Phone: +41
> (0) 21 566 14 15
> Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France
> | Phone: +33 (0)4 86 15 44 78
>


Re: Modem as a service?

2015-12-09 Thread Henry Yen
On Mon, Dec 07, 2015 at 11:54:17AM -0600, Larry Sheldon wrote:
> I'll join the confusion--I thought the OP wanted to test for power 
> availability at the distant site by seeing if a modem there would answer 
> the phone there.  That it HAD to be a modem in that case makes no sense 
> to me.
> 
> I'm off the line now and have been for a while and maybe y'all don't do 
> things the way we did--we always had an answering machine (two or three 
> in some places*) that always answered on the first ring and gave some 
> kind of status report that was updated hourly or on event).  If it did 
> not answer, the power was out.

At a client wiring closet, the super-conscientious rack maintainer one day
decided that it was good practice to replace consumer-standard batteries
during his quarterly cleaning rounds.

Answering machines have replaceable batteries. Modems do not.

-- 
Henry Yen                     Aegis Information Systems, Inc.
Senior Systems Programmer     Hicksville, New York
(800) AEGIS-00 x949           1-800-AEGIS-00 (800-234-4700)



Re: IEEE OUI regauth (search ?) site

2015-12-09 Thread Royce Williams
On Wed, Dec 9, 2015 at 6:32 AM, Brandon Applegate  wrote:

> They’ve made some changes recently - I had a perl script that would do the
> lookup and scrape live - it was great.  It broke a week or so ago.
>
> This seems to be the page to search for OUI:
>
> https://regauth.standards.ieee.org/standards-ra-web/pub/view.html <
> https://regauth.standards.ieee.org/standards-ra-web/pub/view.html>
>
> I’ve tried 4 Browsers across 2 OS’s - and that page pops up a “Loading”
> sub window - flashes and reloads (loop).
>
> Anyone have any insight on how one can look up an OUI (yes I know about
> oui.txt, but I’m asking about a live query site).
>
> Thanks in advance.
>

I know that you've asked about using it live, but IMO, you should
reconsider.

Given the latency between the creation of a new OUI and it showing up in a
given environment, live scraping is significant overkill.  Platforms like
Forescout pull it about once a quarter, IIRC.

Pulling the text file is also probably significantly more reliable than any
given web interface, as you've already discovered.

And if you cache the whole text file locally, there's no way that anyone
external to your organization -- even IEEE -- can tell which OUIs you are
looking up.

Royce


Re: IEEE OUI regauth (search ?) site

2015-12-09 Thread Jens Link
Brandon Applegate  writes:

Hi,

> Anyone have any insight on how one can look up an OUI (yes I know about
> oui.txt, but I’m asking about a live query site).

https://www.wireshark.org/tools/oui-lookup.html  ?

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



IEEE OUI regauth (search ?) site

2015-12-09 Thread Brandon Applegate
They’ve made some changes recently - I had a perl script that would do the 
lookup and scrape live - it was great.  It broke a week or so ago.

This seems to be the page to search for OUI:

https://regauth.standards.ieee.org/standards-ra-web/pub/view.html 


I’ve tried 4 Browsers across 2 OS’s - and that page pops up a “Loading” sub 
window - flashes and reloads (loop).

Anyone have any insight on how one can look up an OUI (yes I know about 
oui.txt, but I’m asking about a live query site).

Thanks in advance.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
830B 4802 1DD4 F4F9 63FE  B966 C0A7 189E 9EC0 3A74
"SH1-0151.  This is the serial number, of our orbital gun."





Re: Ransom DDoS attack - need help!

2015-12-09 Thread alvin nanog

hi jean-f

On 12/08/15 at 11:46pm, Jean-Francois Mezei wrote:
> Since the OP mentioned a "ransom" demand (aka: extortion), should law
> enforcement be contacted in such cases ?

simply saying "these bozos are attempting to extort $100 from me"
with their email demands probably will not get law enforcement's attention

yes ... only after you have done everything you can and are ready to take
the attackers to court but need law enforcement to haul them into court
and/or seize their computers for evidence

- (ntpdate/ntpd) sync your clock so that your logs have accurate time 

- check the ip# of the email servers and routers it came thru

  you may or may not need to worry about spoof'ed ip# since they 
  want you to get hold of them to give um the $$

- contact the abuse@-the-ISP  for each of those routers and servers
- traceroute the IP# of the mail servers 
- "whois IP#" and contact each of the ISPs

- contact the ISPs that provide connectivity to your "drop off point"
  of where you're "supposed to pay up" ... we're assuming that the
  dropoff point is NOT controlled/owned by the ddos attackers

- since you know what time/date/etc that they threaten to attack,
  you should verify your data on the backup systems
  ( build a clone and keep it offline )

  everybody ( you, the ISP, cops, etc ) can all be watching the 
  DDoS attacks and tracing it back to the originating script kiddie
  or the entire extortion network

  you should also get secondary connectivity to watch the DDoS attacks
  in progress and trace it back to the originating source

  let them attack ( the honeypot ) so you can trace it back...

  tarpit all the tcp-based services so that you have 2 minutes to 
  trace the attacks back to them ... they cannot "hang up" until 
  the tcp connection attempts times out

- when everything is setup ... tell the DDoS attackers the $$$
  is ready for pickup and watch the DDoS attackers attempt to
  collect the $$$ that doesn't really exist

> Is there any experience doing this ? 

yup...

> Are they any help ?

nope if you don't have the info they want to see .. 

you should make it easy for them to take action to get court orders 
to haul them in

yup ... if the cops are trying to collect evidence "on the DDoS attackers"
you'd be in luck

yup ... if the DDoS attackers are large enough and/or if they're attacking 
the high profile victims

> In North america, would that mean FBI in USA and RCMP in Canada, or
> local police force which then escalates to proper law enforcement agency ?

escalation starts with you to provide all the necessary info ...
nobody else will be doing that work for you

get hold of the security dept of your ISP and any other ISP
along the traceroute and whois IP# way back to the DDoS attackers 

ISPs probably have their favorite agents they like to work with
to chase down the xxx-most-wanted DDoS attackers

magic pixie dust
alvin
# DDoS-Mitigator.net