Re: Host.us DDOS attack

2016-08-03 Thread Jason Canady
Strange that they cannot send a BGP blackhole upstream to keep everyone 
else online within their advertised route.


On 8/3/16 5:27 PM, Tony Wicks wrote:

Further to that, and I would suggest it should be part of the overall 
discussion here. It appears the IPv4 IP block my VM is in is not currently 
advertised on the world route table. I assume hostus.us's transit provider has 
dropped their ipv4 BGP to save themselves. This is really the ultimate reward 
for the extortionists as they don't even need to sustain the DDOS to attack 
their target. While I see the transit provider's point of view, it’s a pretty 
shitty situation for their customer, and their customers' customers.



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Tony Wicks
Sent: Thursday, 4 August 2016 9:10 AM
To: 'NANOG list' 
Subject: RE: Host.us DDOS attack

Interestingly my VM (LA) with them has been effectively down for half a day as 
far as IPv4 is concerned. IPv6 traffic seems unaffected.

RE: Host.us DDOS attack

2016-08-03 Thread Tony Wicks
Further to that, and I would suggest it should be part of the overall 
discussion here. It appears the IPv4 IP block my VM is in is not currently 
advertised on the world route table. I assume hostus.us's transit provider has 
dropped their ipv4 BGP to save themselves. This is really the ultimate reward 
for the extortionists as they don't even need to sustain the DDOS to attack 
their target. While I see the transit provider's point of view, it’s a pretty 
shitty situation for their customer, and their customers' customers.



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Tony Wicks
Sent: Thursday, 4 August 2016 9:10 AM
To: 'NANOG list' 
Subject: RE: Host.us DDOS attack

Interestingly my VM (LA) with them has been effectively down for half a day as 
far as IPv4 is concerned. IPv6 traffic seems unaffected. 

RE: Host.us DDOS attack

2016-08-03 Thread Tony Wicks
Interestingly my VM (LA) with them has been effectively down for half a day as 
far as IPv4 is concerned. IPv6 traffic seems unaffected. 

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Robert Webb
Sent: Thursday, 4 August 2016 1:42 AM
To: NANOG list 
Subject: Host.us DDOS attack

Anyone have any additional info on a DDOS attack hitting host.us?

Woke up to no email this morning and the following from their web site:

Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Christopher Morrow
it's good that there aren't any easy solutions to this sort of problem...

wait... that's wrong, there are.

On Wed, Aug 3, 2016 at 12:04 PM, Robert Webb  wrote:

> Thanks for that link. My host is sitting in Atlanta and I believe that
> Atlanta hosts their main infrastructure.
>
> I am seeing around a 12 or 13 hour outage at this point.
>
> Robert
>
> On Wed, Aug 3, 2016 at 11:08 AM, Soon Keat Neo  wrote:
>
> > Back on topic about HostUS, I've been following a thread on LowEndTalk
> > where seemingly Alexander's been updating
> > (https://www.lowendtalk.com/discussion/comment/1791998/#Comment_1791998) -
> > seems like Atlanta and LA are still down ATM based on latest reports -
> > nearly 10 hours now.
> >
> > Tks.
> >
> > Regards,
> > Neo Soon Keat
> >
> > 2016-08-03 22:28 GMT+08:00 Robert Webb :
> >
> >> Apologies to all as the hostname in my subject is incorrect.
> >>
> >> It should be hostus.us...
> >>
> >> On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb  wrote:
> >>
> >> > Not sure if it is related to the PokemonGO or not. This started around
> >> > 23:00 EDT last night per my monitoring.
> >> >
> >> > Seems like a pretty big attack at 300Gbps and to also temporarily take
> >> > down a Tier 1 POP in a major city.
> >> >
> >> > I was interested as to if this might be a botnet or some type of
> >> > reflection attack.
> >> >
> >> > Robert
> >> >
> >> > On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert  wrote:
> >> >
> >> >> Well,
> >> >>
> >> >> Could it be related to the last 2 days DDoS of PokemonGO (which
> >> >> failed) and some other gaming sites (Blizzard and Steam)?
> >> >>
> >> >> And on the subject of CloudFlare, I'm sorry for that CloudFlare
> >> >> person that defended their position earlier this week, but there may be
> >> >> more hints (unverified) against your statements:
> >> >>
> >> >> https://twitter.com/xotehpoodle/status/756850023896322048
> >> >>
> >> >> That could be explored.
> >> >>
> >> >> On top of which there are hints (unverified) on who is the real bad
> >> >> actor behind that new DDoS service:
> >> >>
> >> >> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml
> >> >>
> >> >> And I quote:
> >> >>
> >> >> "One thing LeakedSource staff spotted was that the first payment
> >> >> recorded in the botnet's control panel was of $1, while payments for the
> >> >> same package plan were of $19.99."
> >> >>
> >> >> ( Paypal payments btw )
> >> >>
> >> >> There is enough information, and damages, imho, to start looking for
> >> >> the people responsible from a legal standpoint.  And hopefully the
> >> >> proper authorities are interested.
> >> >>
> >> >> PS:
> >> >>
> >> >> I would like to take this time to underline the lack of
> >> >> participation from a vast majority of ISPs in BCP38 and the like.  We
> >> >> need to keep educating them at every occasion we have.
> >> >>
> >> >> For those that actually implemented some sort of tech against
> >> >> it, you are a beacon of hope in what is a ridiculous situation that has
> >> >> been happening for more than 15 years.
> >> >>
> >> >> -
> >> >> Alain Hebert  aheb...@pubnix.net
> >> >> PubNIX Inc.
> >> >> 50 boul. St-Charles
> >> >> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> >> >> Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
> >> >>
> >> >> On 08/03/16 09:41, Robert Webb wrote:
> >> >> > Anyone have any additional info on a DDOS attack hitting host.us?
> >> >> >
> >> >> > Woke up to no email this morning and the following from their web site:
> >> >> >
> >> >> > *Following an extortion attempt, HostUS is currently experiencing sustained
> >> >> > large-scale DDOS attacks against a number of locations. The attacks were
> >> >> > measured in one location at 300Gbps. In another location the attacks
> >> >> > temporarily knocked out the entire metropolitan POP for a Tier-1 provider.
> >> >> > Please be patient. We will return soon. Your understanding is appreciated.*
> >> >> >
> >> >> > From my monitoring system, looks like my VPS went unavailable around 23:00
> >> >> > EDT last night.
> >> >> >
> >> >> > Robert
> >> >> >
> >> >>
> >> >
> >>
> >
>


Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Valdis . Kletnieks
On Wed, 03 Aug 2016 10:53:22 -0400, Alain Hebert said:

> Between you and me, if only Elbonia are left DDoSing at 100Gbps, we
> simply de-peer the commercial subnets from that country (leaving the
> govt subnets up obviously)

Explain why, for those of us who don't see it as obvious.





Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Soon Keat Neo
Back on topic about HostUS, I've been following a thread on LowEndTalk
where seemingly Alexander's been updating (
https://www.lowendtalk.com/discussion/comment/1791998/#Comment_1791998) -
seems like Atlanta and LA are still down ATM based on latest reports -
nearly 10 hours now.

Tks.

Regards,
Neo Soon Keat



2016-08-03 22:28 GMT+08:00 Robert Webb :

> Apologies to all as the hostname in my subject is incorrect.
>
> It should be hostus.us...
>
> On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb  wrote:
>
> > Not sure if it is related to the PokemonGO or not. This started around
> > 23:00 EDT last night per my monitoring.
> >
> > Seems like a pretty big attack at 300Gbps and to also temporarily take
> > down a Tier 1 POP in a major city.
> >
> > I was interested as to if this might be a botnet or some type of
> > reflection attack.
> >
> > Robert
> >
> > On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert  wrote:
> >
> >> Well,
> >>
> >> Could it be related to the last 2 days DDoS of PokemonGO (which
> >> failed) and some other gaming sites (Blizzard and Steam)?
> >>
> >> And on the subject of CloudFlare, I'm sorry for that CloudFlare
> >> person that defended their position earlier this week, but there may be
> >> more hints (unverified) against your statements:
> >>
> >> https://twitter.com/xotehpoodle/status/756850023896322048
> >>
> >> That could be explored.
> >>
> >> On top of which there are hints (unverified) on who is the real bad
> >> actor behind that new DDoS service:
> >>
> >> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml
> >>
> >> And I quote:
> >>
> >> "One thing LeakedSource staff spotted was that the first payment
> >> recorded in the botnet's control panel was of $1, while payments for the
> >> same package plan were of $19.99."
> >>
> >> ( Paypal payments btw )
> >>
> >> There is enough information, and damages, imho, to start looking for
> >> the people responsible from a legal standpoint.  And hopefully the
> >> proper authorities are interested.
> >>
> >> PS:
> >>
> >> I would like to take this time to underline the lack of
> >> participation from a vast majority of ISPs in BCP38 and the like.  We
> >> need to keep educating them at every occasion we have.
> >>
> >> For those that actually implemented some sort of tech against
> >> it, you are a beacon of hope in what is a ridiculous situation that has
> >> been happening for more than 15 years.
> >>
> >> -
> >> Alain Hebert  aheb...@pubnix.net
> >> PubNIX Inc.
> >> 50 boul. St-Charles
> >> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> >> Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
> >>
> >> On 08/03/16 09:41, Robert Webb wrote:
> >> > Anyone have any additional info on a DDOS attack hitting host.us?
> >> >
> >> > Woke up to no email this morning and the following from their web site:
> >> >
> >> > *Following an extortion attempt, HostUS is currently experiencing sustained
> >> > large-scale DDOS attacks against a number of locations. The attacks were
> >> > measured in one location at 300Gbps. In another location the attacks
> >> > temporarily knocked out the entire metropolitan POP for a Tier-1 provider.
> >> > Please be patient. We will return soon. Your understanding is appreciated.*
> >> >
> >> > From my monitoring system, looks like my VPS went unavailable around 23:00
> >> > EDT last night.
> >> >
> >> > Robert
> >> >
> >>
> >
>


Re: Nexus 9k, packet loss through switch on vlan without SVI

2016-08-03 Thread Anthony Critelli
I'd also be inclined toward quirky 9k internals. I believe a colleague of
mine troubleshot an issue with latency/slowness through some Nexus switches
(I can't recall if they were 9ks). After engaging TAC, they noticed that
"no ip redirects" was applied to the VLAN 1 SVI but none of the other SVIs.
While it theoretically shouldn't have made any difference, they applied "no
ip redirects" to the rest of the SVIs and everything started working just
fine.

Sincerely,

Anthony Critelli
B.S. Applied Networking and Systems Administration, 2014
www.acritelli.com
(845) 283-4117

On Sun, Jul 24, 2016 at 12:32 PM, Jeremy  wrote:

> Running into some weird issues with a Cisco Nexus9k.
>
> We have a Cisco 3750X pair stacked, port channel (2x 1G) to two different
> blades on a Nexus9k. Isolating the links of the port channel, on one link
> we can consistently get 800mbps (using iperf), on the other link we
> consistently get ~34mbps.
>
> We have seen this across multiple 3750X stacks.
>
> The vlan we were on is just layer2 through the n9k, there are no IP
> addresses. We were able to (apparently) resolve this issue by creating an
> SVI on the n9k, with an empty config.
>
> Now, even isolating links we can get ~800mbps across the n9k, through the
> various 3750X stacks.
>
> I am confused why creating the SVI would have an impact on this, and why it
> wouldn't be consistent across both links. If the lack of SVI were at fault,
> I would be less surprised if it just flat out didn't work, but this partial
> working state feels very odd.
>
> Anyone else seen this? Thoughts? Could traffic be hitting the CPU while
> going across modules? This feels like quirky n9k internals...
>
> Thanks!
> Jeremy
>
> PS: no CRC errors found on interfaces, all looked clean
>


Re: NFV Solution Evaluation Methodology

2016-08-03 Thread jim deleskie
I struggled with this whole SDN/NFV/insert marketing term for a while at
first, until I sat down and actually thought about it.  When I strip away all
the foo, what I'm left with is breaking things down to pieces and
putting lego blocks together in a way that best suits what I'm doing.  It
is really going back to the way things were a long time ago in the days of
12/2400 baud modems and 56k frame relay.  It doesn't help vendors
that want to sell you overpriced foo for features you don't really need.
It lets you, if you have clue, build your own right bits. It will see some
vendors evolve, new vendors of their brand of foo appear and some vendors
die, but end of day, it's no different than most of us were doing back in the
"good ol days"

-jim

On Wed, Aug 3, 2016 at 11:27 AM, Christopher Morrow  wrote:

> On Wed, Aug 3, 2016 at 8:20 AM, Ca By  wrote:
>
> >
> >
> > On Wednesday, August 3, 2016, Randy Bush  wrote:
> >
> >> > but, NFV isn't necessarily 'cloud'... It CAN BE taking purpose built
> >> > appliance garbage that can't scale in a cost effective manner and
> >> > replacing it with some software solution on 'many' commodity
> >> > unix-like-hosts that can scale horizontally.
> >>
> >> my main worry about nfv is when they need more forwarding horsepower
> >> than the household appliance has, and the data plane is moved
> >>
> >
> this is a scaling problem, and one which points to the need to not do 'all
> of one thing' ('all nfv will solve us!') you may still need other methods
> to load balance or deal with loads which are higher than the nfv
> platform(s) can deal with properly.
>
> In some sense this is the same problem as trying to push too many pps
> through a linecard which you know has a limit lower than line-rate.
>
>
> > out of the control plane and they are not congruent.  we've had too many
> >> lessons debugging this situation (datakit, atm, ...).
> >>
> >>
> separation of data/control plane ... does require knowledge about what you
> are doing and has clear implications on tooling, troubleshooting, etc.
>
> To some extent this mirrors anycast dns deployment problems. "I made a much
> more complex system, though from the outside perhaps it doesn't appear any
> different." be prepared for interesting times.
>
>
> > Sdn is like authoritarianism and divine creation rolled up into one and
> > sold at 20% premium to easily duped telco types that want to travel to
> > endless conferences
> >
> >
> Sure, you have to know what you are doing/buying... magic doesn't exist in
> this space.
>
>
> >
> >
> >> beyond that, i am not sure i see that much difference whether it's a
> >> YFRV or a SuperMicro.  but i sure wish bird and quagga had solid is-is,
> >> supported communities, ...
> >>
> >> randy
> >>
> >
>


Re: Clueful BGP from TW-Telecom/L3

2016-08-03 Thread Mel Beckman
We recently had a similar case and had to solve the problem by working with IO 
and another provider outside of Level3. We got the same Level3 instruction to 
install various community strings, and when that didn’t work their response was 
basically “oh, well.” We have jury rigged a fix by trial and error, and Level3 
says they will converge the Level3 and TWTelecom networks in a couple months. 
Whether that means an ASN change I don’t know.

 -mel

> On Aug 3, 2016, at 7:32 AM, Scott Morris  wrote:
> 
> Yeah, considering that I STILL haven’t managed to get anyone in their 
> supposed “Tier 3” group to call back on the open case is just completely 
> baffling to me.  And with the Level 3 side, I’ve tried all sorts of different 
> communities they supposedly use only to find that other policies override how 
> those are treated along the way.   I just don’t understand how customer 
> support can be such a difficult thing.
> 
> Scott
> 
> From: Micah Croff 
> Date: Tuesday, July 26, 2016 at 6:21 PM
> To: Scott Morris 
> Cc: "nanog@nanog.org" 
> Subject: Re: Clueful BGP from TW-Telecom/L3
> 
> Last I dealt with TW Telecom and BGP we had to explain to them that putting 
> in a static route on both routers on top of BGP was not desired.  Then they 
> reconfigured a circuit 30 miles away when trying to turn it up again causing 
> an outage in our data center.  
> 
> Sorry, not super hopeful when it comes to TW Telecom.
> 
> Micah
> 
> On Mon, Jul 25, 2016 at 8:51 PM, Scott Morris  wrote:
> Is there per chance anyone hanging on here who is clueful about BGP working 
> with TW-Telecom and the recent integration with Level3
> 
> I have a client that I consult with whose route is not getting sent from TW 
> to L3 and the techs on the case are convinced we need to put different BGP 
> communities in (both to TW link and other provider link) which of course we 
> are putting in to satisfy them, but magically it is not working.  This SHOULD 
> be an easy thing to figure out using the Looking Glass servers within both TW 
> and Level3, but this concept is lost on techs we are dealing with.
> 
> Anyone internal there who can contact me off-list would be greatly 
> appreciated!
> 
> Scott
> s...@emanon.com
> 
> 
> 
> 
> 
> 



Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Robert Webb
Thanks for that link. My host is sitting in Atlanta and I believe that
Atlanta hosts their main infrastructure.

I am seeing around a 12 or 13 hour outage at this point.

Robert

On Wed, Aug 3, 2016 at 11:08 AM, Soon Keat Neo  wrote:

> Back on topic about HostUS, I've been following a thread on LowEndTalk
> where seemingly Alexander's been updating
> (https://www.lowendtalk.com/discussion/comment/1791998/#Comment_1791998) -
> seems like Atlanta and LA are still down ATM based on latest reports -
> nearly 10 hours now.
>
> Tks.
>
> Regards,
> Neo Soon Keat
>
> 2016-08-03 22:28 GMT+08:00 Robert Webb :
>
>> Apologies to all as the hostname in my subject is incorrect.
>>
>> It should be hostus.us...
>>
>> On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb  wrote:
>>
>> > Not sure if it is related to the PokemonGO or not. This started around
>> > 23:00 EDT last night per my monitoring.
>> >
>> > Seems like a pretty big attack at 300Gbps and to also temporarily take
>> > down a Tier 1 POP in a major city.
>> >
>> > I was interested as to if this might be a botnet or some type of
>> > reflection attack.
>> >
>> > Robert
>> >
>> > On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert  wrote:
>> >
>> >> Well,
>> >>
>> >> Could it be related to the last 2 days DDoS of PokemonGO (which
>> >> failed) and some other gaming sites (Blizzard and Steam)?
>> >>
>> >> And on the subject of CloudFlare, I'm sorry for that CloudFlare
>> >> person that defended their position earlier this week, but there may be
>> >> more hints (unverified) against your statements:
>> >>
>> >> https://twitter.com/xotehpoodle/status/756850023896322048
>> >>
>> >> That could be explored.
>> >>
>> >> On top of which there are hints (unverified) on who is the real bad
>> >> actor behind that new DDoS service:
>> >>
>> >> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml
>> >>
>> >> And I quote:
>> >>
>> >> "One thing LeakedSource staff spotted was that the first payment
>> >> recorded in the botnet's control panel was of $1, while payments for the
>> >> same package plan were of $19.99."
>> >>
>> >> ( Paypal payments btw )
>> >>
>> >> There is enough information, and damages, imho, to start looking for
>> >> the people responsible from a legal standpoint.  And hopefully the
>> >> proper authorities are interested.
>> >>
>> >> PS:
>> >>
>> >> I would like to take this time to underline the lack of
>> >> participation from a vast majority of ISPs in BCP38 and the like.  We
>> >> need to keep educating them at every occasion we have.
>> >>
>> >> For those that actually implemented some sort of tech against
>> >> it, you are a beacon of hope in what is a ridiculous situation that has
>> >> been happening for more than 15 years.
>> >>
>> >> -
>> >> Alain Hebert  aheb...@pubnix.net
>> >> PubNIX Inc.
>> >> 50 boul. St-Charles
>> >> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
>> >> Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
>> >>
>> >> On 08/03/16 09:41, Robert Webb wrote:
>> >> > Anyone have any additional info on a DDOS attack hitting host.us?
>> >> >
>> >> > Woke up to no email this morning and the following from their web site:
>> >> >
>> >> > *Following an extortion attempt, HostUS is currently experiencing sustained
>> >> > large-scale DDOS attacks against a number of locations. The attacks were
>> >> > measured in one location at 300Gbps. In another location the attacks
>> >> > temporarily knocked out the entire metropolitan POP for a Tier-1 provider.
>> >> > Please be patient. We will return soon. Your understanding is appreciated.*
>> >> >
>> >> > From my monitoring system, looks like my VPS went unavailable around 23:00
>> >> > EDT last night.
>> >> >
>> >> > Robert
>> >> >
>> >>
>> >
>>
>


Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Mike Hammett
As discussed a few months ago (maybe Christmas time?), Comcast is actively 
suspending accounts involved in DNS amplification. Certainly on a network like 
theirs, it's an internal issue as well. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Ca By"  
To: aheb...@pubnix.net 
Cc: nanog@nanog.org 
Sent: Wednesday, August 3, 2016 10:05:04 AM 
Subject: Re: Host.us DDOS attack -and- related conversations 

On Wednesday, August 3, 2016, Alain Hebert  wrote: 

> Well, 
> 
> I'm sorry. 
> 
> That sound like the CloudFlare argument: You cannot fix the DDoSs 
> at the source because Elbonia can do it. The only solution is to pay 
> for protection. 
> 
> 
No. I hate the idea of paying for protection from a cloud or appliance. 

Elbonia just has the trigger. The loaded gun is the ddos reflector in 
comcast, cox, vz, and everyone else. 


> Between you and me, if only Elbonia are left DDoSing at 100Gbps, we 
> simply de-peer the commercial subnets from that country (leaving the 
> govt subnets up obviously) and see for them to deal with their trash 
> ISPs once for all. ( That's how we used to do it early on when the IIRC 
> flooding started ). 
> 
> 
There are known problematic networks. I have not seen any of them or their 
facilitating upstreams depeered. I can name 4 networks that source 75% of 
my attack attack traffic. Comcast was one due to their ssdp reflection, 
they stopped that now. But still lots of dns attacks from them. 

Or we keep getting DDoSed for the next 100+ years. 
> 
> 
On that track. 


> PS: Yes, the fictional country from the Dilbert syndicated cartoons. 
> 
> 
> 
Swap in your favorite real world country / network that has very real abuse 
source reputation. 


> On a humorous note: 
> 
> The DDoS protection lobby is our NRA. 
> 
> - 
> Alain Hebert aheb...@pubnix.net 
>  
> PubNIX Inc. 
> 50 boul. St-Charles 
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 
> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 
> 
> On 08/03/16 10:36, Ca By wrote:
> > On Wednesday, August 3, 2016, Alain Hebert  wrote:
> >
> >> Well,
> >>
> >> Could it be related to the last 2 days DDoS of PokemonGO (which
> >> failed) and some other gaming sites (Blizzard and Steam)?
> >>
> >> And on the subject of CloudFlare, I'm sorry for that CloudFlare
> >> person that defended their position earlier this week, but there may be
> >> more hints (unverified) against your statements:
> >>
> >> https://twitter.com/xotehpoodle/status/756850023896322048
> >>
> >> That could be explored.
> >>
> >> On top of which there are hints (unverified) on who is the real bad
> >> actor behind that new DDoS service:
> >>
> >> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml
> >>
> >> And I quote:
> >>
> >> "One thing LeakedSource staff spotted was that the first payment
> >> recorded in the botnet's control panel was of $1, while payments for the
> >> same package plan were of $19.99."
> >>
> >> ( Paypal payments btw )
> >>
> >> There is enough information, and damages, imho, to start looking for
> >> the people responsible from a legal standpoint. And hopefully the
> >> proper authorities are interested.
> >>
> >> PS:
> >>
> >> I would like to take this time to underline the lack of
> >> participation from a vast majority of ISPs in BCP38 and the like. We
> >> need to keep educating them at every occasion we have.
> >>
> >> For those that actually implemented some sort of tech against
> >> it, you are a beacon of hope in what is a ridiculous situation that has
> >> been happening for more than 15 years.
> >>
> > Bcp38 is not the issue. It is only the trigger, and as long as one network
> > in Elbonia allows spoofs, that one network can marshal 100s of gbs of
> > ddos power. Years of telling people to do bcp38 has not worked.
> >
> > The issue is for you and your neighbor to turn off your reflecting udp
> > amplifiers (open dns relay, ssdp, ntp, chargen) and generously block
> > obvious ddos traffic. A healthy udp policer is also smart. I suggest
> > taking a baseline of your normal peak udp traffic, and build a policer that
> > drops all udp that is 10x the baseline for bw and pps.
> >
> > Bcp38 is good, but it is not the solution we need to tactically stop
> > attacks.
> >
> > This is not pretty. But it works at keeping your network up.
> >
> > CB
> >
> >> -
> >> Alain Hebert  aheb...@pubnix.net
> >> PubNIX Inc.
> >> 50 boul. St-Charles
> >> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> >> Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
> >>
> >> On 08/03/16 09:41, Robert

Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Mike Hammett
Stopping one vector that makes up the largest of DDoSes certainly isn't a bad 
thing. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "James Bensley"  
To: nanog@nanog.org 
Sent: Wednesday, August 3, 2016 9:40:17 AM 
Subject: Re: Host.us DDOS attack -and- related conversations 

On 3 August 2016 at 15:16, Alain Hebert  wrote: 
> PS: 
> 
> I will like to take this time to underline the lack of 
> participation from a vast majority of ISPs into BCP38 and the like. We 
> need to keep educating them at every occasion we have. 
> 
> For those that actually implemented some sort of tech against 
> it, you are a beacon of hope in what is a ridiculous situation that has 
> been happening for more than 15 years. 


At the risk of starting a "NANOG war" [1], BCP isn't a magic wand. 

If I find a zero day in the nasty customised kernels that OVH run on 
their clients' boxes, I only need 300 compromised hosts to send 300Gbps 
of traffic without spoofing the IP or using amplification attacks [2]. 

I can rent a server with a 10Gbps connection for 1 hour for a few 
quid/dollars. I could generate hundreds of Gbps of traffic for about 
£1000 from legitimate IPs, paid for with stolen card details. How will 
BCP save you then? Can everyone stop praising it like it was some 
magic bullet? 

James. 


[1] A pathetic and futile one, so different from the rest. 

[2] Substitute OVH for any half decent provider that isn't really 
oversubscribed. 



Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Ca By
On Wednesday, August 3, 2016, Christopher Morrow 
wrote:

> On Wed, Aug 3, 2016 at 10:40 AM, James Bensley  > wrote:
>
> > How will
> > BCP save you then? Can everyone stop praising it like it was a some
> > magic bullet?
> >
>
> aren't you making a 'perfect is the enemy of good' argument here?
>
> 'seatbelts don't solve all car crash deaths, so let's just go mad-max!'
>

The point is, i have my seat belt on.

I am doing the right thing.

My car still gets smashed because mad max is on the road. I now have a
broken back.

And you are telling me to make sure to wear a seat belt. Did that. Did not
stop mad max from ruining my day. Please provide more and better advice on
avoiding injury.

Step one. Collectively work to deflate mad max's tires  (stop the udp
reflectors that max uses)


Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Mike Hammett
Doing BCP38 or blocking\shutting off known amplification vectors both require 
effort and both accomplish the same thing. Of course doing both is best. :-) 

One provider in "Elbonia" getting through is far more damaging to that provider 
in Elbonia than the rest of the world, if they were the only ones left. 

Do many last mile providers implement BCP38 at their CE? Seems like it's better 
to stop it at the CE than the PE. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Ca By"  
To: aheb...@pubnix.net 
Cc: nanog@nanog.org 
Sent: Wednesday, August 3, 2016 9:36:09 AM 
Subject: Re: Host.us DDOS attack -and- related conversations 

On Wednesday, August 3, 2016, Alain Hebert  wrote: 

> Well, 
> 
> 
> Could it be related to the last 2 days DDoS of PokemonGO (which 
> failed) and some other gaming sites (Blizzard and Steam)? 
> 
> 
> And on the subject of CloudFlare, I'm sorry for that CloudFlare 
> person that defended their position earlier this week, but there may be 
> more hints (unverified) against your statements: 
> 
> https://twitter.com/xotehpoodle/status/756850023896322048 
> 
> That could be explored. 
> 
> 
> On top of which there is hints (unverified) on which is the real bad 
> actor behind that new DDoS service: 
> 
> 
> 
> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml
> 
> 
> And I quote: 
> 
> "One thing LeakedSource staff spotted was that the first payment 
> recorded in the botnet's control panel was of $1, while payments for the 
> same package plan were of $19.99." 
> 
> ( Paypal payments btw ) 
> 
> 
> There is enough information, and damages, imho, to start looking for 
> the people responsible from a legal standpoint. And hopefully the 
> proper authorities are interested. 
> 
> PS: 
> 
> I will like to take this time to underline the lack of 
> participation from a vast majority of ISPs into BCP38 and the like. We 
> need to keep educating them at every occasion we have. 
> 
> For those that actually implemented some sort of tech against 
> it, you are a beacon of hope in what is a ridiculous situation that has 
> been happening for more than 15 years. 
> 
> 
Bcp38 is not the issue. It is only the trigger, and as long as one network 
in Elbonia allows spoofs, that one network can marshal 100s of gbs of 
ddos power. Years of telling people to do bcp38 has not worked. 

The issue is for you and your neighbor to turn off your reflecting udp 
amplifiers (open dns relay, ssdp, ntp, chargen) and generously block 
obvious ddos traffic. A healthy udp policer is also smart. I suggest 
taking a baseline of your normal peak udp traffic, and build a policer that 
drops all udp that is 10x the baseline for bw and pps. 

Bcp38 is good, but it is not the solution we need to tactically stop 
attacks. 

This is not pretty. But it works at keeping your network up. 

CB 


- 
> Alain Hebert aheb...@pubnix.net 
> PubNIX Inc. 
> 50 boul. St-Charles 
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 
> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443 
> 
> On 08/03/16 09:41, Robert Webb wrote: 
> > Anyone have any additional info on a DDOS attack hitting host.us? 
> > 
> > Woke up to no email this morning and the following from their web site: 
> > 
> > 
> > 
> > *Following an extortion attempt, HostUS is currently experiencing 
> sustained 
> > large-scale DDOS attacks against a number of locations. The attacks were 
> > measured in one location at 300Gbps. In another location the attacks 
> > temporarily knocked out the entire metropolitan POP for a Tier-1 
> provider. 
> > Please be patient. We will return soon. Your understanding is 
> appreciated. 
> > * 
> > 
> > 
> > From my monitoring system, looks like my VPS went unavailable around 
> 23:00 
> > EDT last night. 
> > 
> > Robert 
> > 
> 
> 



Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Alain Hebert
Well,

I didn't want to pollute nanog list with my BCP38 (or other
solutions) ranting, but come on:

[1] How can ensuring that source IPs coming out of your network are part of
your advertised subnets be pathetic and futile?

Don't you think that if the source IPs were actually traceable back to OVH,
it would be easy for OVH to see and deal with it, instead of the noise of
random source IPs coming from the bunch of unpatched residential routers
in Latin America (for example)?

And we're back on track with "do nothing but pay for protection" as
the only solution.  Gotta love Humans.

-
Alain Hebert aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 08/03/16 10:40, James Bensley wrote:
> On 3 August 2016 at 15:16, Alain Hebert  wrote:
>> PS:
>>
>> I would like to take this time to underline the lack of
>> participation from a vast majority of ISPs into BCP38 and the like.  We
>> need to keep educating them at every occasion we have.
>>
>> For those that actually implemented some sort of tech against
>> it, you are a beacon of hope in what is a ridiculous situation that has
>> been happening for more than 15 years.
>
> At the risk of starting a "NANOG war" [1], BCP isn't a magic wand.
>
> If I find a zero day in the nasty customised kernels that OVH run on
> their clients' boxes, I only need 300 compromised hosts to send 300Gbps
> of traffic without spoofing the IP or using amplification attacks [2].
>
> I can rent a server with a 10Gbps connection for 1 hour for a few
> quid/dollars. I could generate hundreds of Gbps of traffic for about
> £1000 from legitimate IPs, paid for with stolen card details. How will
> BCP save you then? Can everyone stop praising it like it was some
> magic bullet?
>
> James.
>
>
> [1] A pathetic and futile one, so different from the rest.
>
> [2] Substitute OVH for any half decent provider that isn't really 
> oversubscribed.
>
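The check Alain is describing (a source address leaving a network must belong to one of the prefixes that network advertises) is small enough to show as code. The block below is an added example; it is not code from this thread or from any of the networks mentioned in it. The prefixes, the flow records and the names `Flow`, `compile_source_filter`, `apply_egress_filter` and `spoofed_packet_ratio` are constructed for illustration. It runs the filter over a mix of IPv4 and IPv6 flows, including an IPv4-mapped IPv6 source and an unparsable address, both of which fail closed.

```python
"""Source-address validation in the sense of BCP 38 / RFC 2827.

Added example, not code from the NANOG thread. OUR_PREFIXES and
CONSTRUCTED_FLOWS are constructed sample data for a hypothetical
network; the function names are this example's own.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source address as seen on the customer-facing side
    dst: str
    proto: str
    packets: int


# Constructed: the prefixes this hypothetical network originates, i.e. the
# only source addresses that may legitimately leave it.
OUR_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]


def compile_source_filter(prefixes):
    """Return a predicate that is True only for sources inside `prefixes`.

    The address family is matched explicitly, so an IPv4-mapped IPv6
    source (::ffff:a.b.c.d) cannot match an IPv4 prefix by accident.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]

    def permitted(src):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False  # unparsable source: fail closed
        return any(addr in n for n in nets if n.version == addr.version)

    return permitted


def apply_egress_filter(prefixes, flows):
    """Split flows into (allowed, dropped) by their source address."""
    permitted = compile_source_filter(prefixes)
    allowed, dropped = [], []
    for f in flows:
        (allowed if permitted(f.src) else dropped).append(f)
    return allowed, dropped


def spoofed_packet_ratio(prefixes, flows):
    """Fraction of packets the filter would drop: a cheap metric a network
    can watch at its own edge to see how much spoofed traffic it emits."""
    _, dropped = apply_egress_filter(prefixes, flows)
    total = sum(f.packets for f in flows)
    return (sum(f.packets for f in dropped) / total) if total else 0.0


# Constructed sample flows (documentation ranges only).
CONSTRUCTED_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", "tcp", 120),            # legitimate customer
    Flow("2001:db8::1", "2001:db8:1::5", "udp", 40),          # legitimate IPv6
    Flow("203.0.113.7", "192.0.2.53", "udp", 5000),           # spoofed: not our prefix
    Flow("10.0.0.1", "192.0.2.1", "udp", 300),                # spoofed RFC 1918 source
    Flow("::ffff:203.0.113.7", "2001:db8::53", "udp", 200),   # IPv4-mapped, not ours
    Flow("not-an-address", "192.0.2.1", "udp", 1),            # garbage: fail closed
]


if __name__ == "__main__":
    ok, bad = apply_egress_filter(OUR_PREFIXES, CONSTRUCTED_FLOWS)
    print("allowed:", [f.src for f in ok])
    print("dropped:", [f.src for f in bad])
    print(f"spoofed share of packets: {spoofed_packet_ratio(OUR_PREFIXES, CONSTRUCTED_FLOWS):.1%}")
```

The predicate is the same decision an egress ACL or strict-mode uRPF makes on a router. Placed at the CE rather than the PE, as Mike Hammett asks about earlier in the thread, the permitted set shrinks to a single customer's assignment, which keeps the filter both smaller and easier to keep accurate.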



Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Ca By
On Wednesday, August 3, 2016, Alain Hebert  wrote:

> Well,
>
> I'm sorry.
>
> That sounds like the CloudFlare argument:  You cannot fix the DDoSs
> at the source because Elbonia can do it.  The only solution is to pay
> for protection.
>
>
No. I hate the idea of paying for protection from a cloud or appliance.

Elbonia just has the trigger. The loaded gun is the ddos reflector in
comcast, cox, vz, and everyone else.


> Between you and me, if only Elbonia is left DDoSing at 100Gbps, we
> simply de-peer the commercial subnets from that country (leaving the
> govt subnets up obviously) and leave them to deal with their trash
> ISPs once and for all.  ( That's how we used to do it early on when the IIRC
> flooding started ).
>
>
There are known problematic networks. I have not seen any of them or their
facilitating upstreams depeered.  I can name 4 networks that source 75% of
my attack traffic. Comcast was one due to their ssdp reflection,
they stopped that now. But still lots of dns attacks from them.

Or we keep getting DDoSed for the next 100+ years.
>
>
On that track.


> PS: Yes, the fictional country from the Dilbert syndicated cartoons.
>
>
>
Swap in your favorite real world country / network that has very real abuse
source reputation.


> On a humorous note:
>
> The DDoS protection lobby is our NRA.
>
> -
> Alain Hebert aheb...@pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
>
> On 08/03/16 10:36, Ca By wrote:
> > On Wednesday, August 3, 2016, Alain Hebert wrote:
> >
> >> Well,
> >>
> >>
> >> Could it be related to the last 2 days DDoS of PokemonGO (which
> >> failed) and some other gaming sites (Blizzard and Steam)?
> >>
> >>
> >> And on the subject of CloudFlare, I'm sorry for that CloudFlare
> >> person that defended their position earlier this week, but there may be
> >> more hints (unverified) against your statements:
> >>
> >> https://twitter.com/xotehpoodle/status/756850023896322048
> >>
> >> That could be explored.
> >>
> >>
> >> On top of which there are hints (unverified) on which is the real bad
> >> actor behind that new DDoS service:
> >>
> >>
> >>
> >>
> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml
> >>
> >>
> >> And I quote:
> >>
> >> "One thing LeakedSource staff spotted was that the first payment
> >> recorded in the botnet's control panel was of $1, while payments for the
> >> same package plan were of $19.99."
> >>
> >> ( Paypal payments btw )
> >>
> >>
> >> There is enough information, and damages, imho, to start looking for
> >> the people responsible from a legal standpoint.  And hopefully the
> >> proper authorities are interested.
> >>
> >> PS:
> >>
> >> I would like to take this time to underline the lack of
> >> participation from a vast majority of ISPs into BCP38 and the like.  We
> >> need to keep educating them at every occasion we have.
> >>
> >> For those that actually implemented some sort of tech against
> >> it, you are a beacon of hope in what is a ridiculous situation that has
> >> been happening for more than 15 years.
> >>
> >>
> > Bcp38 is not the issue. It is only the trigger, and as long as one
> network
> > in Elbonia allows spoofs, that one network can marshal  100s of gbs of
> > ddos power.  Years of telling people to do bcp38 has not worked.
> >
> > The issue is for you and your neighbor to turn off your reflecting udp
> > amplifiers (open dns relay, ssdp, ntp, chargen) and generously block
> > obvious ddos traffic.  A healthy udp policer is also smart.  I suggest
> > taking a baseline of your normal peak udp traffic, and build a policer
> that
> > drops all udp that is 10x the baseline for bw and pps.
> >
> > Bcp38 is good, but it is not the solution we need to tactically stop
> > attacks.
> >
> > This is not pretty. But it works at keeping your network up.
> >
> > CB
> >
> >
> > -
> >> Alain Hebert aheb...@pubnix.net
> >> PubNIX Inc.
> >> 50 boul. St-Charles
> >> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> >> Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
> >>
> >> On 08/03/16 09:41, Robert Webb wrote:
> >>> Anyone have any additional info on a DDOS attack hitting host.us?
> >>>
> >>> Woke up to no email this morning and the following from their web site:
> >>>
> >>>
> >>>
> >>> *Following an extortion attempt, HostUS is currently experiencing
> >> sustained
> >>> large-scale DDOS attacks against a number of locations. The attacks
> were
> >>> measured in one location at 300Gbps. In another location the attacks
> >>> temporarily knocked out the entire 

Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Christopher Morrow
On Wed, Aug 3, 2016 at 10:40 AM, James Bensley  wrote:

> How will
> BCP save you then? Can everyone stop praising it like it was a some
> magic bullet?
>

aren't you making a 'perfect is the enemy of good' argument here?

'seatbelts don't solve all car crash deaths, so let's just go mad-max!'


Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Alain Hebert
Well,

I'm sorry.

That sounds like the CloudFlare argument:  You cannot fix the DDoSs
at the source because Elbonia can do it.  The only solution is to pay
for protection.

Between you and me, if only Elbonia is left DDoSing at 100Gbps, we
simply de-peer the commercial subnets from that country (leaving the
govt subnets up obviously) and leave them to deal with their trash
ISPs once and for all.  ( That's how we used to do it early on when the IIRC
flooding started ).

Or we keep getting DDoSed for the next 100+ years.

PS: Yes, the fictional country from the Dilbert syndicated cartoons.


On a humorous note:

The DDoS protection lobby is our NRA.

-
Alain Hebert aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 08/03/16 10:36, Ca By wrote:
> On Wednesday, August 3, 2016, Alain Hebert  wrote:
>
>> Well,
>>
>>
>> Could it be related to the last 2 days DDoS of PokemonGO (which
>> failed) and some other gaming sites (Blizzard and Steam)?
>>
>>
>> And on the subject of CloudFlare, I'm sorry for that CloudFlare
>> person that defended their position earlier this week, but there may be
>> more hints (unverified) against your statements:
>>
>> https://twitter.com/xotehpoodle/status/756850023896322048
>>
>> That could be explored.
>>
>>
>> On top of which there are hints (unverified) on which is the real bad
>> actor behind that new DDoS service:
>>
>>
>>
>> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml
>>
>>
>> And I quote:
>>
>> "One thing LeakedSource staff spotted was that the first payment
>> recorded in the botnet's control panel was of $1, while payments for the
>> same package plan were of $19.99."
>>
>> ( Paypal payments btw )
>>
>>
>> There is enough information, and damages, imho, to start looking for
>> the people responsible from a legal standpoint.  And hopefully the
>> proper authorities are interested.
>>
>> PS:
>>
>> I would like to take this time to underline the lack of
>> participation from a vast majority of ISPs into BCP38 and the like.  We
>> need to keep educating them at every occasion we have.
>>
>> For those that actually implemented some sort of tech against
>> it, you are a beacon of hope in what is a ridiculous situation that has
>> been happening for more than 15 years.
>>
>>
> Bcp38 is not the issue. It is only the trigger, and as long as one network
> in Elbonia allows spoofs, that one network can marshal  100s of gbs of
> ddos power.  Years of telling people to do bcp38 has not worked.
>
> The issue is for you and your neighbor to turn off your reflecting udp
> amplifiers (open dns relay, ssdp, ntp, chargen) and generously block
> obvious ddos traffic.  A healthy udp policer is also smart.  I suggest
> taking a baseline of your normal peak udp traffic, and build a policer that
> drops all udp that is 10x the baseline for bw and pps.
>
> Bcp38 is good, but it is not the solution we need to tactically stop
> attacks.
>
> This is not pretty. But it works at keeping your network up.
>
> CB
>
>
> -
>> Alain Hebert aheb...@pubnix.net
>> PubNIX Inc.
>> 50 boul. St-Charles
>> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
>> Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
>>
>> On 08/03/16 09:41, Robert Webb wrote:
>>> Anyone have any additional info on a DDOS attack hitting host.us?
>>>
>>> Woke up to no email this morning and the following from their web site:
>>>
>>>
>>>
>>> *Following an extortion attempt, HostUS is currently experiencing
>> sustained
>>> large-scale DDOS attacks against a number of locations. The attacks were
>>> measured in one location at 300Gbps. In another location the attacks
>>> temporarily knocked out the entire metropolitan POP for a Tier-1
>> provider.
>>> Please be patient. We will return soon. Your understanding is
>> appreciated.
>>>   *
>>>
>>>
>>> From my monitoring system, looks like my VPS went unavailable around
>> 23:00
>>> EDT last night.
>>>
>>> Robert
>>>
>>



Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread James Bensley
On 3 August 2016 at 15:16, Alain Hebert  wrote:
> PS:
>
> I would like to take this time to underline the lack of
> participation from a vast majority of ISPs into BCP38 and the like.  We
> need to keep educating them at every occasion we have.
>
> For those that actually implemented some sort of tech against
> it, you are a beacon of hope in what is a ridiculous situation that has
> been happening for more than 15 years.


At the risk of starting a "NANOG war" [1], BCP isn't a magic wand.

If I find a zero day in the nasty customised kernels that OVH run on
their clients' boxes, I only need 300 compromised hosts to send 300Gbps
of traffic without spoofing the IP or using amplification attacks [2].

I can rent a server with a 10Gbps connection for 1 hour for a few
quid/dollars. I could generate hundreds of Gbps of traffic for about
£1000 from legitimate IPs, paid for with stolen card details. How will
BCP save you then? Can everyone stop praising it like it was some
magic bullet?

James.


[1] A pathetic and futile one, so different from the rest.

[2] Substitute OVH for any half decent provider that isn't really oversubscribed.


Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Ca By
On Wednesday, August 3, 2016, Alain Hebert  wrote:

> Well,
>
>
> Could it be related to the last 2 days DDoS of PokemonGO (which
> failed) and some other gaming sites (Blizzard and Steam)?
>
>
> And on the subject of CloudFlare, I'm sorry for that CloudFlare
> person that defended their position earlier this week, but there may be
> more hints (unverified) against your statements:
>
> https://twitter.com/xotehpoodle/status/756850023896322048
>
> That could be explored.
>
>
> On top of which there are hints (unverified) on which is the real bad
> actor behind that new DDoS service:
>
>
>
> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml
>
>
> And I quote:
>
> "One thing LeakedSource staff spotted was that the first payment
> recorded in the botnet's control panel was of $1, while payments for the
> same package plan were of $19.99."
>
> ( Paypal payments btw )
>
>
> There is enough information, and damages, imho, to start looking for
> the people responsible from a legal standpoint.  And hopefully the
> proper authorities are interested.
>
> PS:
>
> I would like to take this time to underline the lack of
> participation from a vast majority of ISPs into BCP38 and the like.  We
> need to keep educating them at every occasion we have.
>
> For those that actually implemented some sort of tech against
> it, you are a beacon of hope in what is a ridiculous situation that has
> been happening for more than 15 years.
>
>
Bcp38 is not the issue. It is only the trigger, and as long as one network
in Elbonia allows spoofs, that one network can marshal  100s of gbs of
ddos power.  Years of telling people to do bcp38 has not worked.

The issue is for you and your neighbor to turn off your reflecting udp
amplifiers (open dns relay, ssdp, ntp, chargen) and generously block
obvious ddos traffic.  A healthy udp policer is also smart.  I suggest
taking a baseline of your normal peak udp traffic, and build a policer that
drops all udp that is 10x the baseline for bw and pps.

Bcp38 is good, but it is not the solution we need to tactically stop
attacks.

This is not pretty. But it works at keeping your network up.

CB


-
> Alain Hebert aheb...@pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
>
> On 08/03/16 09:41, Robert Webb wrote:
> > Anyone have any additional info on a DDOS attack hitting host.us?
> >
> > Woke up to no email this morning and the following from their web site:
> >
> >
> >
> > *Following an extortion attempt, HostUS is currently experiencing
> sustained
> > large-scale DDOS attacks against a number of locations. The attacks were
> > measured in one location at 300Gbps. In another location the attacks
> > temporarily knocked out the entire metropolitan POP for a Tier-1
> provider.
> > Please be patient. We will return soon. Your understanding is
> appreciated.
> >   *
> >
> >
> > From my monitoring system, looks like my VPS went unavailable around
> 23:00
> > EDT last night.
> >
> > Robert
> >
>
>
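Ca By's recipe (baseline your normal peak UDP, then drop UDP once it reaches 10x that baseline in both bytes and packets per second) as an added example; this is not code from the thread or from any vendor's policer. It models the policer as a fixed one-second window, a simplification of the token-bucket policers routers actually use. The baseline counters and the packet stream are constructed, and `baseline_from_samples`, `UdpPolicer` and `run_scenario` are this example's own names.

```python
"""UDP policer keyed off a measured baseline (added example, not thread code).

Baseline counters and the packet stream are constructed sample data.
The policer is a fixed one-second window, a simplification of the
token-bucket policers real routers implement.
"""
from collections import defaultdict


def baseline_from_samples(samples):
    """samples: per-second (bytes, packets) counters captured during a
    normal busy period. Each peak is taken independently, so ordinary
    peak load never trips the policer."""
    peak_bytes = max(b for b, _ in samples)
    peak_pkts = max(p for _, p in samples)
    return peak_bytes, peak_pkts


class UdpPolicer:
    """Drops UDP once a one-second window exceeds multiplier x baseline
    in either bytes or packets. Non-UDP traffic is never touched."""

    def __init__(self, baseline_bytes_per_s, baseline_pps, multiplier=10):
        self.byte_limit = baseline_bytes_per_s * multiplier
        self.pkt_limit = baseline_pps * multiplier
        self._window = None
        self._bytes = 0
        self._pkts = 0

    def admit(self, ts, proto, size):
        """Return True if the packet is forwarded, False if it is policed."""
        if proto != "udp":
            return True
        window = int(ts)
        if window != self._window:          # new second: reset the counters
            self._window, self._bytes, self._pkts = window, 0, 0
        if self._bytes + size > self.byte_limit or self._pkts >= self.pkt_limit:
            return False
        self._bytes += size
        self._pkts += 1
        return True


def constructed_packet_stream():
    """Constructed traffic as (timestamp, proto, size_bytes), time-ordered."""
    stream = []
    stream += [(0.0 + i / 800, "udp", 512) for i in range(800)]       # normal second
    stream += [(1.0 + i / 25000, "udp", 64) for i in range(25000)]    # small-packet UDP flood
    stream += [(1.0 + i / 100, "tcp", 1400) for i in range(100)]      # TCP during that flood
    stream += [(2.0 + i / 12000, "udp", 1200) for i in range(12000)]  # large-packet UDP flood
    stream.sort(key=lambda p: p[0])
    return stream


def run_scenario(multiplier=10):
    """Return {second: (udp_admitted, udp_dropped, non_udp_admitted)}."""
    # Constructed per-second (bytes, packets) counters from a normal busy hour.
    normal_peak = [(950_000, 900), (1_000_000, 1_000), (700_000, 800)]
    byte_base, pkt_base = baseline_from_samples(normal_peak)
    policer = UdpPolicer(byte_base, pkt_base, multiplier)
    per_second = defaultdict(lambda: [0, 0, 0])
    for ts, proto, size in constructed_packet_stream():
        admitted = policer.admit(ts, proto, size)
        slot = per_second[int(ts)]
        if proto != "udp":
            slot[2] += 1
        elif admitted:
            slot[0] += 1
        else:
            slot[1] += 1
    return {s: tuple(v) for s, v in per_second.items()}


if __name__ == "__main__":
    for second, (ok, dropped, other) in sorted(run_scenario().items()):
        print(f"t={second}s udp admitted={ok} dropped={dropped} other={other}")
```

Two things the scenario makes visible: the small-packet flood is caught by the pps limit while the large-packet flood is caught by the bytes limit, so both thresholds are needed; and once a limit is hit, every further UDP packet in that second is dropped whether or not it is legitimate DNS or VoIP, which is the "not pretty" part Ca By acknowledges. Non-UDP traffic passes untouched in both seconds.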


Re: Clueful BGP from TW-Telecom/L3

2016-08-03 Thread Scott Morris
Yeah, considering that I STILL haven’t managed to get anyone in their supposed 
“Tier 3” group to call back on the open case is just completely baffling to me. 
 And with the Level 3 side, I’ve tried all sorts of different communities they 
supposedly use only to find that other policies override how those are treated 
along the way.   I just don’t understand how customer support can be such a 
difficult thing.

Scott

From: Micah Croff 
Date: Tuesday, July 26, 2016 at 6:21 PM
To: Scott Morris 
Cc: "nanog@nanog.org" 
Subject: Re: Clueful BGP from TW-Telecom/L3

Last I dealt with TW Telecom and BGP we had to explain to them that putting in 
a static route on both routers on top of BGP was not desired.  Then they 
reconfigured a circuit 30 miles away when trying to turn it up again causing an 
outage in our data center.  

Sorry, not super hopeful when it comes to TW Telecom.

Micah

On Mon, Jul 25, 2016 at 8:51 PM, Scott Morris  wrote:
Is there perchance anyone hanging on here who is clueful about BGP working 
with TW-Telecom and the recent integration with Level3?

I have a client that I consult with whose route is not getting sent from TW to 
L3 and the techs on the case are convinced we need to put different BGP 
communities in (both to TW link and other provider link) which of course we are 
putting in to satisfy them, but magically it is not working.  This SHOULD be an 
easy thing to figure out using the Looking Glass servers within both TW and 
Level3, but this concept is lost on techs we are dealing with.

Anyone internal there who can contact me off-list would be greatly appreciated!

Scott
s...@emanon.com








Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Robert Webb
Not sure if it is related to the PokemonGO or not. This started around
23:00 EDT last night per my monitoring.

Seems like a pretty big attack at 300Gbps and to also temporarily take
down a Tier 1 POP in a major city.

I was interested as to whether this might be a botnet or some type of reflection
attack.


Robert

On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert  wrote:

> Well,
>
>
> Could it be related to the last 2 days DDoS of PokemonGO (which
> failed) and some other gaming sites (Blizzard and Steam)?
>
>
> And on the subject of CloudFlare, I'm sorry for that CloudFlare
> person that defended their position earlier this week, but there may be
> more hints (unverified) against your statements:
>
> https://twitter.com/xotehpoodle/status/756850023896322048
>
> That could be explored.
>
>
> On top of which there are hints (unverified) on which is the real bad
> actor behind that new DDoS service:
>
>
>
> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml
>
>
> And I quote:
>
> "One thing LeakedSource staff spotted was that the first payment
> recorded in the botnet's control panel was of $1, while payments for the
> same package plan were of $19.99."
>
> ( Paypal payments btw )
>
>
> There is enough information, and damages, imho, to start looking for
> the people responsible from a legal standpoint.  And hopefully the
> proper authorities are interested.
>
> PS:
>
> I would like to take this time to underline the lack of
> participation from a vast majority of ISPs into BCP38 and the like.  We
> need to keep educating them at every occasion we have.
>
> For those that actually implemented some sort of tech against
> it, you are a beacon of hope in what is a ridiculous situation that has
> been happening for more than 15 years.
>
> -
> Alain Hebert aheb...@pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
>
> On 08/03/16 09:41, Robert Webb wrote:
> > Anyone have any additional info on a DDOS attack hitting host.us?
> >
> > Woke up to no email this morning and the following from their web site:
> >
> >
> >
> > *Following an extortion attempt, HostUS is currently experiencing
> sustained
> > large-scale DDOS attacks against a number of locations. The attacks were
> > measured in one location at 300Gbps. In another location the attacks
> > temporarily knocked out the entire metropolitan POP for a Tier-1
> provider.
> > Please be patient. We will return soon. Your understanding is
> appreciated.
> >   *
> >
> >
> > From my monitoring system, looks like my VPS went unavailable around
> 23:00
> > EDT last night.
> >
> > Robert
> >
>
>


Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Robert Webb
Apologies to all as the hostname in my subject is incorrect.

It should be hostus.us...



On Wed, Aug 3, 2016 at 10:25 AM, Robert Webb  wrote:

> Not sure if it is related to the PokemonGO or not. This started around
> 23:00 EDT last night per my monitoring.
>
> Seems like a pretty big attack at 300Gbps and to also temporarily take
> down a Tier 1 POP in a major city.
>
> I was interested as to whether this might be a botnet or some type of
> reflection attack.
>
>
> Robert
>
> On Wed, Aug 3, 2016 at 10:16 AM, Alain Hebert  wrote:
>
>> Well,
>>
>>
>> Could it be related to the last 2 days DDoS of PokemonGO (which
>> failed) and some other gaming sites (Blizzard and Steam)?
>>
>>
>> And on the subject of CloudFlare, I'm sorry for that CloudFlare
>> person that defended their position earlier this week, but there may be
>> more hints (unverified) against your statements:
>>
>> https://twitter.com/xotehpoodle/status/756850023896322048
>>
>> That could be explored.
>>
>>
>> On top of which there are hints (unverified) on which is the real bad
>> actor behind that new DDoS service:
>>
>>
>>
>> http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml
>>
>>
>> And I quote:
>>
>> "One thing LeakedSource staff spotted was that the first payment
>> recorded in the botnet's control panel was of $1, while payments for the
>> same package plan were of $19.99."
>>
>> ( Paypal payments btw )
>>
>>
>> There is enough information, and damages, imho, to start looking for
>> the people responsible from a legal standpoint.  And hopefully the
>> proper authorities are interested.
>>
>> PS:
>>
>> I would like to take this time to underline the lack of
>> participation from a vast majority of ISPs into BCP38 and the like.  We
>> need to keep educating them at every occasion we have.
>>
>> For those that actually implemented some sort of tech against
>> it, you are a beacon of hope in what is a ridiculous situation that has
>> been happening for more than 15 years.
>>
>> -
>> Alain Hebert aheb...@pubnix.net
>> PubNIX Inc.
>> 50 boul. St-Charles
>> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
>> Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
>>
>> On 08/03/16 09:41, Robert Webb wrote:
>> > Anyone have any additional info on a DDOS attack hitting host.us?
>> >
>> > Woke up to no email this morning and the following from their web site:
>> >
>> >
>> >
>> > *Following an extortion attempt, HostUS is currently experiencing
>> sustained
>> > large-scale DDOS attacks against a number of locations. The attacks were
>> > measured in one location at 300Gbps. In another location the attacks
>> > temporarily knocked out the entire metropolitan POP for a Tier-1
>> provider.
>> > Please be patient. We will return soon. Your understanding is
>> appreciated.
>> >   *
>> >
>> >
>> > From my monitoring system, looks like my VPS went unavailable around
>> 23:00
>> > EDT last night.
>> >
>> > Robert
>> >
>>
>>
>


Re: NFV Solution Evaluation Methodology

2016-08-03 Thread Christopher Morrow
On Wed, Aug 3, 2016 at 8:20 AM, Ca By  wrote:

>
>
> On Wednesday, August 3, 2016, Randy Bush  wrote:
>
>> > but, NFV isn't necessarily 'cloud'... It CAN BE taking purpose built
>> > appliance garbage that can't scale in a cost effective manner and
>> > replacing it with some software solution on 'many' commodity
>> > unix-like-hosts that can scale horizontally.
>>
>> my main worry about nfv is when they need more forwarding horsepower
>> than the household appliance has, and the data plane is moved
>>
>
this is a scaling problem, and one which points to the need to not do 'all
of one thing' ('all nfv will solve us!') you may still need other methods
to load balance or deal with loads which are higher than the nfv
platform(s) can deal with properly.

In some sense this is the same problem as trying to push too many pps
through a linecard which you know has a limit lower than line-rate.


> out of the control plane and they are not congruent.  we've had too many
>> lessons debugging this situation (datakit, atm, ...).
>>
>>
separation of data/control plane ... does require knowledge about what you
are doing and has clear implications on tooling, troubleshooting, etc.

To some extent this mirrors anycast dns deployment problems. "I made a much
more complex system, though from the outside perhaps it doesn't appear any
different." be prepared for interesting times.


> Sdn is like authoritarianism and divine creation rolled up into one and
> sold at 20% premium to easily duped telco types that want to travel to
> endless conferences
>
>
Sure, you have to know what you are doing/buying... magic doesn't exist in
this space.


>
>
>> beyond that, i am not sure i see that much difference whether it's a
>> YFRV or a SuperMicro.  but i sure wish bird and quagga had solid is-is,
>> supported communities, ...
>>
>> randy
>>
>


Re: Host.us DDOS attack -and- related conversations

2016-08-03 Thread Alain Hebert
Well,


Could it be related to the last 2 days DDoS of PokemonGO (which
failed) and some other gaming sites (Blizzard and Steam)?


And on the subject of CloudFlare, I'm sorry for that CloudFlare
person that defended their position earlier this week, but there may be
more hints (unverified) against your statements:

https://twitter.com/xotehpoodle/status/756850023896322048

That could be explored.


On top of which there are hints (unverified) on which is the real bad
actor behind that new DDoS service:

http://news.softpedia.com/news/pokemon-go-ddos-attacks-postponed-as-poodlecorp-botnet-suffers-security-breach-506910.shtml


And I quote:

"One thing LeakedSource staff spotted was that the first payment
recorded in the botnet's control panel was of $1, while payments for the
same package plan were of $19.99."

( Paypal payments btw )


There is enough information, and damages, imho, to start looking for
the people responsible from a legal standpoint.  And hopefully the
proper authorities are interested.

PS:

I would like to take this time to underline the lack of
participation from a vast majority of ISPs into BCP38 and the like.  We
need to keep educating them at every occasion we have.

For those that actually implemented some sort of tech against
it, you are a beacon of hope in what is a ridiculous situation that has
been happening for more than 15 years.

-
Alain Hebert aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 08/03/16 09:41, Robert Webb wrote:
> Anyone have any additional info on a DDOS attack hitting host.us?
>
> Woke up to no email this morning and the following from their web site:
>
>
>
> *Following an extortion attempt, HostUS is currently experiencing sustained
> large-scale DDOS attacks against a number of locations. The attacks were
> measured in one location at 300Gbps. In another location the attacks
> temporarily knocked out the entire metropolitan POP for a Tier-1 provider.
> Please be patient. We will return soon. Your understanding is appreciated.
>   *
>
>
> From my monitoring system, looks like my VPS went unavailable around 23:00
> EDT last night.
>
> Robert
>



Host.us DDOS attack

2016-08-03 Thread Robert Webb
Anyone have any additional info on a DDOS attack hitting host.us?

Woke up to no email this morning and the following from their web site:



*Following an extortion attempt, HostUS is currently experiencing sustained
large-scale DDOS attacks against a number of locations. The attacks were
measured in one location at 300Gbps. In another location the attacks
temporarily knocked out the entire metropolitan POP for a Tier-1 provider.
Please be patient. We will return soon. Your understanding is appreciated.
  *


From my monitoring system, looks like my VPS went unavailable around 23:00
EDT last night.

Robert


Re: NFV Solution Evaluation Methodology

2016-08-03 Thread Ca By
On Wednesday, August 3, 2016, Randy Bush  wrote:

> > but, NFV isn't necessarily 'cloud'... It CAN BE taking purpose built
> > appliance garbage that can't scale in a cost effective manner and
> > replacing it with some software solution on 'many' commodity
> > unix-like-hosts that can scale horizontally.
>
> my main worry about nfv is when they need more forwarding horsepower
> than the household appliance has, and the data plane is moved
> out of the control plane and they are not congruent.  we've had too many
> lessons debugging this situation (datakit, atm, ...).
>
>

YES!  This 1,000x.

The internet is a very interesting place when viewed from the lens of
Automata theory, greedy self optimizing nodes very similar to
biological systems (including economics ). Very robust since each node is
greedy and self optimizing in its decision making power.  This is a
fundamental component of the Internet's success.

Some folks talk about sdn controllers and separating control plane and
forwarding plane. This breaks the ability for nodes to self optimize and
thus undermines a key component of the robustness. It also diverts from the
parallels of biological systems.  Control and forwarding had been separate
on the node for almost 20 years now.

Sdn is like authoritarianism and divine creation rolled up into one and
sold at 20% premium to easily duped telco types that want to travel to
endless conferences



> beyond that, i am not sure i see that much difference whether it's a
> YFRV or a SuperMicro.  but i sure wish bird and quagga had solid is-is,
> supported communities, ...
>
> randy
>


Re: NFV Solution Evaluation Methodology

2016-08-03 Thread Randy Bush
> but, NFV isn't necessarily 'cloud'... It CAN BE taking purpose built
> appliance garbage that can't scale in a cost effective manner and
> replacing it with some software solution on 'many' commodity
> unix-like-hosts that can scale horizontally.

my main worry about nfv is when they need more forwarding horsepower
than the household appliance has, and the data plane is moved
out of the control plane and they are not congruent.  we've had too many
lessons debugging this situation (datakit, atm, ...).

beyond that, i am not sure i see that much difference whether it's a
YFRV or a SuperMicro.  but i sure wish bird and quagga had solid is-is,
supported communities, ...

randy