Re: BGP Monitoring

2024-02-26 Thread Alexander Lyamin via NANOG
Ray mentioned precisely that he wants to monitor BGP announcements and
route changes.

Leak detection is kind of on a different level. You need a bit more data
to effectively detect them. (I kind of know that.)

It makes the discussion more colorful to my taste. You can do a lot with
colorful BGP data ;)


On Mon, Feb 26, 2024 at 8:02 PM Elmar K. Bins  wrote:

>
> nanog@nanog.org (Alexander Lyamin via NANOG) wrote:
>
> > RIPE RIS
> > https://www.ripe.net/analyse/internet-measurements/routing-information-service-ris/
> > is also good, but, as Job Snijders pointed out to me, it doesn't send emails out
> > of the box.
>
> It does provide a filterable live feed that we use for leak detection.
>
> Apart from that we're using bgp.tools when we want to dig into stuff.
> Oh, and most of the T1s have either routeservers or at least mostly usable
> looking glasses.
>
> HTH,
> Elmar.
>
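
What "monitor announcements and route changes" from a filterable live feed such as RIS Live looks like in practice, as an added example that is not code from either poster or from RIPE: the message layout is modelled on RIS Live's `ris_message` UPDATE JSON, and every prefix, ASN, peer address and collector name below is constructed.

```python
"""Watch a RIS Live-style BGP UPDATE feed for changes to our own prefixes.

Added example; message layout is modelled on RIS Live's ris_message JSON,
but every prefix, ASN, peer and collector below is constructed.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import List, Optional

# Prefixes we originate and the origin ASN we expect for each (constructed).
WATCHED = {"192.0.2.0/24": 64500, "2001:db8::/32": 64500}


@dataclass
class Alert:
    kind: str                    # origin_change | more_specific | withdrawal
    prefix: str
    seen_origin: Optional[int]
    expected_origin: Optional[int]
    peer: str                    # RIS peer that reported it
    rrc: str                     # collector name


def origin_asn(path) -> Optional[int]:
    """Origin AS is the last AS_PATH element; an AS_SET shows up as a list."""
    if not path:
        return None
    last = path[-1]
    if isinstance(last, list):   # AS_SET: origin ambiguous, take the first
        return int(last[0]) if last else None
    return int(last)


def covering_watched(prefix, watched):
    """Return (watched_prefix, expected_asn) covering `prefix`, else None."""
    net = ipaddress.ip_network(prefix, strict=False)
    for wp, asn in watched.items():
        wnet = ipaddress.ip_network(wp)
        if wnet.version == net.version and net.subnet_of(wnet):
            return wp, asn
    return None


def inspect_update(msg, watched=WATCHED) -> List[Alert]:
    """Alerts for one decoded ris_message of type UPDATE (else none)."""
    alerts: List[Alert] = []
    if msg.get("type") != "ris_message":
        return alerts
    d = msg["data"]
    if d.get("type") != "UPDATE":
        return alerts
    origin = origin_asn(d.get("path", []))
    peer, rrc = d.get("peer", "?"), d.get("host", "?")
    for ann in d.get("announcements", []):
        for pfx in ann.get("prefixes", []):
            hit = covering_watched(pfx, watched)
            if hit is None:
                continue
            wp, expected = hit
            if pfx != wp:                 # someone announced a more-specific
                alerts.append(Alert("more_specific", pfx, origin, expected, peer, rrc))
            elif origin != expected:      # our prefix with a foreign origin
                alerts.append(Alert("origin_change", pfx, origin, expected, peer, rrc))
    for pfx in d.get("withdrawals", []):
        if pfx in watched:
            alerts.append(Alert("withdrawal", pfx, None, watched[pfx], peer, rrc))
    return alerts


def scan(lines, watched=WATCHED) -> List[Alert]:
    """Run inspect_update over newline-delimited JSON messages."""
    out: List[Alert] = []
    for line in lines:
        if line.strip():
            out.extend(inspect_update(json.loads(line), watched))
    return out


def _msg(host, peer, peer_asn, path, prefixes, withdrawals=()):
    """Build one constructed ris_message UPDATE as a JSON line."""
    return json.dumps({"type": "ris_message", "data": {
        "type": "UPDATE", "host": host, "peer": peer, "peer_asn": peer_asn,
        "path": path,
        "announcements": [{"next_hop": peer, "prefixes": list(prefixes)}] if prefixes else [],
        "withdrawals": list(withdrawals)}})


# Constructed feed: a benign update, a misorigination by AS64666, a
# more-specific /25 (even from our own AS it is a route change), a withdrawal.
SAMPLE_FEED = [
    _msg("rrc00", "198.51.100.1", "64510", [64510, 64500], ["192.0.2.0/24"]),
    _msg("rrc01", "198.51.100.2", "64511", [64511, 64666], ["192.0.2.0/24"]),
    _msg("rrc03", "198.51.100.3", "64512", [64512, 64500], ["192.0.2.128/25"]),
    _msg("rrc00", "198.51.100.1", "64510", [], [], withdrawals=["2001:db8::/32"]),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_FEED):
        print(f"{a.kind:14} {a.prefix:18} seen={a.seen_origin} "
              f"expected={a.expected_origin} via {a.rrc}/{a.peer}")
```

Pointing `scan()` at the lines read from a real RIS Live WebSocket subscription (filtered to your prefixes) instead of `SAMPLE_FEED` gives the e-mail-style alerting the thread says RIS lacks out of the box.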


Re: BGP Monitoring

2024-02-26 Thread Alexander Lyamin via NANOG
Whoa, it's nice to see that Alessandro is still around.
It was sad to see Isolario.it quietly go offline.

Also I would point in CAIDA's general direction:
https://bgpstream.caida.org/ (should fit the OP's bill).
CAIDA was the first to show how much geeky fun might be had by monitoring (and
sometimes storing) BGP updates.

RIPE RIS
https://www.ripe.net/analyse/internet-measurements/routing-information-service-ris/
is also good, but, as Job Snijders pointed out to me, it doesn't send emails out
of the box.

On Mon, Feb 26, 2024 at 7:15 PM Job Snijders via NANOG wrote:

> On Mon, Feb 26, 2024 at 05:41:12PM +, Ray Orsini via NANOG wrote:
> > What tools are you using to monitor BGP announcements and route changes?
>
> The wonderful BGP.tools already has been mentioned a few times.
>
> Another excellent option is https://Packetvis.com, I find their RPKI
> monitoring approach to be very insightful.
>
> Catchpoint might be another option, https://www.catchpoint.com/bgp,
> AFAIK by the same people that worked on "Isolario" a few years ago.
>
> Kind regards,
>
> Job
>


Re: IoT - The end of the internet

2022-08-10 Thread Alexander Lyamin via NANOG
It's not the devices. It's the software and, what's worse, the protocol
specifications that are implemented in this software.

And we still haven't got the memo in 2022. Some colleagues think that having
built-in 5x amplification in protocols freshly out just this year "is OK".

Cyberhippies

On Wed, Aug 10, 2022, 05:12 Ca By  wrote:

>
>
> On Tue, Aug 9, 2022 at 7:23 PM Christopher Wolff wrote:
>
>> Hi folks,
>>
>> Has anyone proposed that the adoption of billions of IoT devices will
>> ultimately ‘break’ the Internet?
>>
>> It’s not a rhetorical question I promise, just looking for a journal or
>> other scholarly article that implies that the Internet is doomed.
>>
>
> Insomuch as IoT devices are IPv4 UDP amplifiers
>
>
> https://www.ndss-symposium.org/ndss2014/programme/amplification-hell-revisiting-network-protocols-ddos-abuse/
>
>
>
>
>>
>>
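
A defender-side check that follows from the two points above (IoT devices as UDP amplifiers, and "built-in 5x amplification" in new protocols): compute the bandwidth amplification factor, BAF as defined in the Amplification Hell paper linked above (response payload bytes over request payload bytes), for every UDP service in your own address space from bidirectional flow records, and list the ones at or above 5x. This is an added example, not code from either poster; the flow records, addresses and ports are constructed.

```python
"""Find amplifying UDP services in our own address space from flow records.

Added example, not from the thread. BAF follows the Amplification Hell
definition: response payload bytes divided by request payload bytes. All
flow records and addresses below are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    payload_bytes: int   # UDP payload bytes summed over the flow
    packets: int


Service = Tuple[str, int]   # (local IP, UDP port)


def pair_request_response(flows: List[Flow], is_local: Callable[[str], bool]):
    """Match each flow to its reverse flow and return (request, response) pairs.

    The client is the side talking to the lower (service) port; for
    symmetric-port services (123/123) the local host is taken as the server.
    Flows without a reverse flow (unanswered probes) are ignored.
    """
    by_key = {(f.src, f.sport, f.dst, f.dport): f for f in flows}
    pairs = []
    for key, f in by_key.items():
        rev = by_key.get((key[2], key[3], key[0], key[1]))
        if rev is None:
            continue
        if f.dport < f.sport or (
            f.dport == f.sport and is_local(f.dst) and not is_local(f.src)
        ):
            pairs.append((f, rev))
    return pairs


def baf_per_service(flows: List[Flow], local_net: str) -> Dict[Service, Tuple[float, int]]:
    """(BAF, distinct client count) for every local UDP service seen."""
    net = ipaddress.ip_network(local_net)

    def is_local(addr: str) -> bool:
        return ipaddress.ip_address(addr) in net

    req_bytes: Dict[Service, int] = defaultdict(int)
    resp_bytes: Dict[Service, int] = defaultdict(int)
    clients: Dict[Service, set] = defaultdict(set)
    for req, resp in pair_request_response(flows, is_local):
        if not is_local(req.dst):
            continue                     # we were the client, not the service
        svc = (req.dst, req.dport)
        req_bytes[svc] += req.payload_bytes
        resp_bytes[svc] += resp.payload_bytes
        clients[svc].add(req.src)
    return {svc: (resp_bytes[svc] / req_bytes[svc], len(clients[svc]))
            for svc in req_bytes if req_bytes[svc] > 0}


def flag_amplifiers(flows: List[Flow], local_net: str, threshold: float = 5.0) -> List[Service]:
    """Local services whose BAF reaches `threshold` (the 5x from the thread)."""
    return sorted(svc for svc, (baf, _) in baf_per_service(flows, local_net).items()
                  if baf >= threshold)


# Constructed flow records; 192.0.2.0/24 is "our" space, the rest is external.
SAMPLE_FLOWS = [
    # a local device answering 90-byte queries with 2700 bytes, two clients
    Flow("198.51.100.9", 40001, "192.0.2.20", 1900, 90, 1),
    Flow("192.0.2.20", 1900, "198.51.100.9", 40001, 2700, 4),
    Flow("198.51.100.10", 40002, "192.0.2.20", 1900, 90, 1),
    Flow("192.0.2.20", 1900, "198.51.100.10", 40002, 2700, 4),
    # symmetric-port service (123/123): 48 bytes in, 48 out, BAF 1.0
    Flow("198.51.100.9", 123, "192.0.2.21", 123, 48, 1),
    Flow("192.0.2.21", 123, "198.51.100.9", 123, 48, 1),
    # a service exactly at the 5x line: 100 bytes in, 500 out
    Flow("198.51.100.11", 40003, "192.0.2.22", 4242, 100, 1),
    Flow("192.0.2.22", 4242, "198.51.100.11", 40003, 500, 1),
    # a local host querying an external resolver: not one of our services
    Flow("192.0.2.30", 40004, "203.0.113.53", 53, 60, 1),
    Flow("203.0.113.53", 53, "192.0.2.30", 40004, 400, 1),
    # unanswered probe: no reverse flow, ignored
    Flow("198.51.100.12", 40005, "192.0.2.23", 9, 30, 1),
]

if __name__ == "__main__":
    for svc, (baf, n) in sorted(baf_per_service(SAMPLE_FLOWS, "192.0.2.0/24").items()):
        print(f"{svc[0]}:{svc[1]:<5} BAF={baf:5.1f} clients={n}")
    print("amplifiers >= 5x:", flag_amplifiers(SAMPLE_FLOWS, "192.0.2.0/24"))
```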


Re: IoT - The end of the internet

2022-08-10 Thread Alexander Lyamin via NANOG
nice one.
"There is no prophet in his own motherland"

On Wed, Aug 10, 2022 at 6:21 AM Fred Baker  wrote:

>
>
> > On Aug 9, 2022, at 8:06 PM, Mel Beckman  wrote:
> >
> > Robert Metcalfe, InfoWorld columnist and the inventor of Ethernet, also
> in 1995:
> >  “I predict the Internet will soon go spectacularly supernova and in
> 1996 catastrophically collapse.”
>
> In 1998 I invited Mr Metcalfe to address the IETF on the collapse of the
> Internet, which he renewed his prediction of. He declined.


Re: Recommended DDoS mitigation appliance?

2019-12-05 Thread Alexander Lyamin
FastNetMon is awesome, but it's a detection tool with no mitigation capacity
whatsoever.

On Wed, Dec 4, 2019 at 7:16 PM Rabbi Rob Thomas  wrote:

>
> Hello, NANOG!
>
> My thanks again to all who responded with suggestions, tips, and
> further considerations.  I appreciate it very much!
>
> As promised, here is my pithy summary of your detailed suggestions.
> I've included URLs for those who may wish to conduct further research.
>  We've not made our selection yet, and likely won't until early 2020.
>  At present I'm busy building out our new backbone, and thus can't yet
> offer up my own recommendation.  Who needs sleep?  :D
>
> Several folks shared their architecture and deployment
> recommendations, which were quite insightful.  Placement of these
> devices, and in particular a centralized monitoring solution for
> distributed deployments, were keys to success.
>
> There were no support concerns for any of these suggestions.
>
> Folks have used open source and freeware, but generally recommended
> commercial offerings.  These required less manual intervention.
>
> It was aces to see so many folks employing techniques such as flowspec
> and RTBH.
>
> DDoS appliance recommendations:
>
> . Anycast and fat pipes
>   - Multiple votes
>
> . Massive peering
>   - Multiple votes
>   - Be ready for peering requests from me  :)
>
> . Arbor Netscout
>   - Multiple votes
>   - Consistently labeled as "expensive"
>   - https://www.netscout.com/arbor-ddos
>
> . RioRey
>   - Multiple votes
>   - http://www.riorey.com/
>
> . Juniper routers MX240 or MX480
>   -
> https://www.juniper.net/us/en/products-services/routing/mx-series/mx240/
>   -
> https://www.juniper.net/us/en/products-services/routing/mx-series/mx480/
>
> . NFOCUS ADS
>   - ADS 8000 is the scrubbing box
>   - ADS-m is the monitoring box
>   - NTS is the box which uses Netflow to find unwanted traffic
>   - https://nsfocusglobal.com/anti-ddos-system-ads/
>
> . Wanguard+Wanfilter
>   - https://www.andrisoft.com/software/wanguard
>   - https://www.andrisoft.com/software/wanguard/ddos-mitigation-protection
>
> . A10 Thunder ADC
>   - https://a10networks.optrics.com/products/application-delivery.aspx
>
> . FastNetMon
>   - Free or inexpensive
>   - https://fastnetmon.com/
>
> Thank you!
> Rob, the routing rabbi.
> - --
> Rabbi Rob Thomas   Team Cymru
>"It is easy to believe in freedom of speech for those with whom we
> agree." - Leo McKern
>


-- 

Alexander Lyamin, VP & Founder

 Qrator <http://qrator.net/>* Labs CZ *

office: +420 602 558 144

mob: +420 774 303 807
skype: melanor9

mailto:  l...@qrator.net


Re: Recommended DDoS mitigation appliance?

2019-11-18 Thread Alexander Lyamin
Correct statement.  You forgot one zero.

On Mon, Nov 18, 2019 at 10:48 AM Denys Fedoryshchenko <nuclear...@nuclearcat.com> wrote:

> On 2019-11-18 04:23, Richard wrote:
> > I would say you are making some assumptions that are not fact based.
> > The OP is very knowledgeable and would not mince words or waste
> > bandwidth. Let us see what he has to say in regards to your remarks.
> > He will be able to make this more clear once he has read what people
> > have stated in other responses.
> >
> > Respectfully, of course, Richard Golodner
> > On 11/17/19 8:12 PM, Töma Gavrichenkov wrote:
> >
> >> Peace,
> >>
> >> On Mon, Nov 18, 2019, 1:49 AM Rabbi Rob Thomas 
> >> wrote:
> >>
> >>>> I am going to assume you want it to spit out 10G clean, what
> >>> size
> >>>> dirty traffic are you expecting it to handle?
> >>>
> >>> Great question!  Let's say between 6Gbps and 8Gbps dirty.
> >>
> >> As someone making a living as a DDoS mitigation engineer for the
> >> last 10 years (minus 1 month) I should say your threat model is sort
> >> of unusual.  Potential miscreants today should be assumed to have
> >> much more to show you even on a daily basis.
> >>
> >> Is it like you also have something filtering upstream for you, e.g.
> >> flowspec-enabled peers?
> >>
> >> --
> >> Töma
> >>
> >>>
>
> AFAIK new threats (SYN+ACK amplification) can't be mitigated over
> flowspec and they can reach 40+Gbps easily.
>


-- 

Alexander Lyamin, VP & Founder

 Qrator <http://qrator.net/>* Labs CZ *

office: +420 602 558 144

mob: +420 774 303 807
skype: melanor9

mailto:  l...@qrator.net


Re: Must have ISP Open Source & tools

2019-07-08 Thread Alexander Lyamin
I would chime in with tools for network analysis and planning:

http://bgp.he.net/
http://isolario.it
http://radar.qrator.net

The last one is something we work on as a community project.

On Mon, Jul 8, 2019 at 2:07 AM Mehmet Akcin  wrote:

> Hey there
>
> We are a growing ISP in Colombia and Latin America. I am interested in
> hearing from others regarding tools and software they recommend we must
> have such as LibreNMS, Rancid etc.
>
> It’s greenfieldish now ;-) so feel free to recommend A-Z anything! ;-)
>
> Hope this thread is useful others too!
>
> Mehmet
> --
> Mehmet
> +1-424-298-1903
>


-- 

Alexander Lyamin, VP & Founder

 Qrator <http://qrator.net/>* Labs CZ *

office: +420 602 558 144

mob: +420 774 303 807
skype: melanor9

mailto:  l...@qrator.net


Re: Internet topology resources

2018-04-27 Thread Alexander Lyamin
Geo-positioning, in general, sucks. Internet topology has very little to do
with geo-data; however, I would highly recommend these guys:
https://www.ipip.net/

On Fri, Apr 27, 2018 at 6:10 PM, Steven G. Huter  wrote:

> On Thu, 26 Apr 2018, Lars Prehn wrote:
>
>> However, I'm really interested in getting an accurate snapshot of the
>> current Internet's AS-level topology. The topology-related data
>> ThousandEyes collects would fit my needs perfectly. If anyone may be able
>> to provide similar data for academic research purposes I would really
>> appreciate receiving a mail.
>>
>
> Hello Lars
>
> Checking to see what this research activity produced could be helpful.
>
> Towards an Accurate, Geo-Aware, PoP-Level Perspective of the Internet's
> Inter-AS Connectivity
>
> https://nsf.gov/awardsearch/showAward?AWD_ID=1320977
>
> Steve
>



-- 

Alexander Lyamin, VP & Founder

 Qrator <http://qrator.net/>* Labs CZ *

office: +420 602 558 144

mob: +420 774 303 807
skype: melanor9

mailto:  l...@qrator.net


Re: Qrator Radar - Peerings

2017-12-06 Thread Alexander Lyamin
Yep.

We're the ones to blame.
There is a known bug. Give us a couple more days. It would normally take a few
hours to fix, but we have the Peering Forum on our hands.


P.S. There is a CONTACT US button on the page to report bugs, a way more reliable
way to submit bugs, and additional thanks to Job for pointing me to this
thread.

On Wed, Dec 6, 2017 at 5:06 AM, Mike Hammett  wrote:

> Does anyone use this site much? Has something happened to reduce their
> visibility?
>
> I've noticed multiple networks that had massive drops in peerings on or
> around March 11, 2017. AS5650 went from 66 to 12. AS53828 went from 436 to
> 19. PCH's AS3856 looking glass still reports adjacencies to both of those
> ASes. AS3856 went from 183 adjacencies to 113 that same day (and didn't
> bounce back). It seems rather unlikely that PCH would lose that much, given
> that their goal is to collect route table information. Even more odd that
> those two ASNs would also lose a ton of peers the same day.
>
> Thoughts?
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>
>


-- 

Alexander Lyamin

CEO | Qrator <http://qrator.net/>* Labs*

office: 8-800--LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  l...@qrator.net


Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-22 Thread Alexander Lyamin
Whoa.

Default route loop, that's definitely new ;)

Protip: always do prior-work research.

On Thu, Dec 22, 2016 at 7:56 PM, Tom Beecher  wrote:

> Jean sent me details. I won't share the link or password to it based on his
> request, but he hasn't found anything new, and it's not even amplification
> at all.
>
> What he did was send 1500 byte ICMP packets with a max TTL at an IP address
> that is not reachable due to a routing loop. No amplification is occurring;
> it's just the same packets hanging around longer looking for free food
> because of the TTL.
>
> I think he _assumed_ amplification was happening because link utilization
> between his lab routers doing the looping was increasing. Totally expected
> when you're using --flood and in a lab environment where the TTL entering
> the loop is still above 250. :)
>
> On Thu, Dec 22, 2016 at 11:48 AM, William Herrin  wrote:
>
> > On Thu, Dec 22, 2016 at 11:04 AM, Ken Chase wrote:
> > > Maybe he's found what's already known and posted 2 months ago (and
> > > every 2 months?) on nanog, the TCP 98,000x amplifier (which is a little
> > > higher than 100x), among dozens of misbehaving devices, all >200x amp.
> > >
> > > https://www.usenix.org/system/files/conference/woot14/woot14-kuhrer.pdf
> >
> > Hi Ken,
> >
> > He said, "There is no need for spoofing " so it wouldn't be that one.
> >
> >
> > Jean,
> >
> > Respectfully: you're not well known to us as having identified earth
> > shattering vulnerabilities in the past. We hear about utterly
> > unimportant "priority one" events every single day, so without enough
> > information to assess whether what you're looking at is something new,
> > important or even possible within our various architectures, few of us
> > will be inclined to take you seriously.
> >
> > We're all too familiar with the consequence of giving credence to
> > people who say "believe me" instead of offering verifiable fact.
> >
> > I respect that you're trying to help, but "I have something important
> > to tell you, please contact me off list" is not the way to do that.
> >
> > And if it turns out we should have listened and kept this secret as
> > long as possible, well, that's on us. ;)
> >
> > Regards,
> > Bill Herrin
> >
> >
> >
> > --
> > William Herrin  her...@dirtside.com  b...@herrin.us
> > Owner, Dirtside Systems . Web: <http://www.dirtside.com/>
> >
>



-- 

Alexander Lyamin

CEO | Qrator <http://qrator.net/>* Labs*

office: 8-800--LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  l...@qrator.net


Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-22 Thread Alexander Lyamin
On Thu, Dec 22, 2016 at 4:21 PM, Tom Beecher  wrote:

>
> In that absence of anything more than 'GUYZ THIS IS SERIOUS' , with no
> technical details, you can surely understand the skepticism.
>
>
Exactly my thought.
Tingling sensation: "this is some kind of fraud".



-- 

Alexander Lyamin

CEO | Qrator <http://qrator.net/>* Labs*

office: 8-800--LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  l...@qrator.net


Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-22 Thread Alexander Lyamin
I just reviewed our data at http://radar.qrator.net for the provided network list.

I am highly skeptical.


On Thu, Dec 22, 2016 at 4:51 PM, Mike Hammett  wrote:

> Let's wait and see if his stated message of being here to discuss
> technical matters of the vulnerability with the aforementioned carriers
> bears anything out. If not, don the torches.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>
> - Original Message -
>
> From: "j j santanna" 
> To: j...@ddostest.me
> Cc: nanog@nanog.org
> Sent: Thursday, December 22, 2016 5:01:23 AM
> Subject: Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack
>
> I am saying!
>
> As far as I understand you are offering DDoS attacks as a paid service,
> right? Some people would say that you offer DDoS for hire. What is the
> difference between your service and a Booter service. Only a “validation"
> that your client is “stress testing” him/herself does not make you legal.
> Sorry man but you can NOT claim yourself as a legal/moral acceptable stress
> tester if you misuse devices on the Internet, such as amplifiers, webshell,
> and botnets.
>
> Although you don’t consider yourself a Booter, you are one of them!
>
> I leave up to you the definition of stupid.
>
> Cheers,
>
> Jair Santanna
> jairsantanna.com
>
>
>
> On 22 Dec 2016, at 11:45, Jean | ddostest.me <j...@ddostest.me> wrote:
>
> I admit that I have a lot of guts.
>
> Not sure who said that I am a booter or that I operate a booter. I fight
> booter since more than 5 years and who would be stupid enough to put his
> full name with full address to a respected network operators list?
> Definitely not me.
>
> I want to help and fix things and I am not the kind of person to break
> things.
>
>
> Jean
>
> On 16-12-22 03:46 AM, j.j.santa...@utwente.nl wrote:
> Hi Jean,
>
> You are either naive or have a lot of guts to offer a Booter service in
> one of the most respected network operators list. Man, as long as you use
> amplifiers (third party services) or botnets your “service” is illegal &
> immoral. In case you use your own infrastructure or rent a legal (cloud)
> infrastructure to provide your "service" it will not pay your costs. Not at
> least by the price that you offer your service: 0, 13, 100 bucks. Even if
> you have a legal/moral acceptable attack infrastructure, if you throw those
> big attacks that you advertise will possibly take down many others
> third-parties on the way.
>
> Sometimes you folks say that (mis)use amplifiers for “testing” purpose is
> not a problem because those services are open and publicly available on the
> Internet. Come on… if I leave my car open with the key inside it doesn’t
> give you the right to use my car to throw into a third party company. And
> if you do, it is YOUR CRIME, not mine.
>
> I don’t need to explain why using botnets is illegal and immoral, right?
>
> Man, it is up to you decide between cyber crime and cyber security
> (https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/cyber-crime-vs-cyber-security-what-will-you-choose).
> Now, we are also looking to you on http://booterblacklist.com. Thanks!
>
> Cheers,
>
> Jair Santanna
>
>
>
>
> On 22 Dec 2016, at 07:51, Alexander Lyamin <l...@qrator.net> wrote:
>
> I am just trying to grasp what is similarity between networks on the list
> and why it doesn't include, say NTT or Cogent.
>
>
>
> On Wed, Dec 21, 2016 at 7:05 PM, Jean | ddostest.me via NANOG <nanog@nanog.org> wrote:
>
> Hello all, I'm a first time poster here and hope to follow all rules.
>
> I found a new way to amplify traffic that would generate really high
> volume of traffic.+10Tbps
>
> ** There is no need for spoofing ** so any device in the world could
> initiate a really big attack or be part of an attack.
>
> We talk about an amplification factor x100+. This means that a single
> computer with 1 Gbps outgoing bandwidth would generate a 100 Gbps DDoS.
> Imagine what a botnet could do?
>
> The list of affected businesses is huge and I would like to privately
> disclose the details to the Tier1 ISP as they are highly vulnerable.
>
> XO Comm
> PSINET
> Level 3
> Qwest
> Windstream Comm
> 

Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-22 Thread Alexander Lyamin
nice one, Edward.

On Thu, Dec 22, 2016 at 12:25 PM, Edward Dore <edward.d...@freethought-internet.co.uk> wrote:

> Depending on which bit of PSINET Jean is talking about, that could be
> Cogent.
>
> Edward Dore
> Freethought Internet
>
> On 22 Dec 2016, at 06:51, Alexander Lyamin  wrote:
>
> I am just trying to grasp what is similarity between  networks on the list
> and why it doesn't include, say NTT or Cogent.
>
>
>
> On Wed, Dec 21, 2016 at 7:05 PM, Jean | ddostest.me via NANOG <
> nanog@nanog.org> wrote:
>
> Hello all, I'm a first time poster here and hope to follow all rules.
>
> I found a new way to amplify traffic that would generate really high
> volume of traffic.+10Tbps
>
> ** There is no need for spoofing ** so any device in the world could
> initiate a really big attack or be part of an attack.
>
> We talk about an amplification factor x100+. This means that a single
> computer with 1 Gbps outgoing bandwidth would generate a 100 Gbps DDoS.
> Imagine what a botnet could do?
>
> The list of affected businesses is huge and I would like to privately
> disclose the details to the Tier1 ISP as they are highly vulnerable.
>
> XO Comm
> PSINET
> Level 3
> Qwest
> Windstream Comm
> Earthlink
> MCI Comm/Verizon Buss
> Comcast Cable Comm
> AT&T
> Sprint
>
> I know it's Christmas time and there is no rush in disclosing this but, it
> could be a nice opportunity to meditate and shed some light on this new
> DDoS threat. We could start the real work in January.
>
>
> If you are curious and you operate/manage one of the networks mentioned
> above, please write to me at tornad...@ddostest.me from your job email to
> confirm the identity. I will then forward you the DDoS details.
>
> Best regards
>
> Jean St-Laurent
> ddostest.me
> 365 boul. Sir-Wilfrid-Laurier #202
> Beloeil, QC J3G 4T2
>
>
>
>
> --
>
> Alexander Lyamin
>
> CEO | Qrator <http://qrator.net/>* Labs*
>
> office: 8-800--LAB (522)
>
> mob: +7-916-9086122
>
> skype: melanor9
>
> mailto:  l...@qrator.net
>
>
>


-- 

Alexander Lyamin

CEO | Qrator <http://qrator.net/>* Labs*

office: 8-800--LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  l...@qrator.net


Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-21 Thread Alexander Lyamin
I am just trying to grasp what is similarity between  networks on the list
and why it doesn't include, say NTT or Cogent.



On Wed, Dec 21, 2016 at 7:05 PM, Jean | ddostest.me via NANOG <
nanog@nanog.org> wrote:

> Hello all, I'm a first time poster here and hope to follow all rules.
>
> I found a new way to amplify traffic that would generate really high
> volume of traffic.+10Tbps
>
> ** There is no need for spoofing ** so any device in the world could
> initiate a really big attack or be part of an attack.
>
> We talk about an amplification factor x100+. This means that a single
> computer with 1 Gbps outgoing bandwidth would generate a 100 Gbps DDoS.
> Imagine what a botnet could do?
>
> The list of affected businesses is huge and I would like to privately
> disclose the details to the Tier1 ISP as they are highly vulnerable.
>
> XO Comm
> PSINET
> Level 3
> Qwest
> Windstream Comm
> Earthlink
> MCI Comm/Verizon Buss
> Comcast Cable Comm
> AT&T
> Sprint
>
> I know it's Christmas time and there is no rush in disclosing this but, it
> could be a nice opportunity to meditate and shed some light on this new
> DDoS threat. We could start the real work in January.
>
>
> If you are curious and you operate/manage one of the networks mentioned
> above, please write to me at tornad...@ddostest.me from your job email to
> confirm the identity. I will then forward you the DDoS details.
>
> Best regards
>
> Jean St-Laurent
> ddostest.me
> 365 boul. Sir-Wilfrid-Laurier #202
> Beloeil, QC J3G 4T2
>



-- 

Alexander Lyamin

CEO | Qrator <http://qrator.net/>* Labs*

office: 8-800--LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  l...@qrator.net


Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-21 Thread Alexander Lyamin
care to do a demo ?

On Wed, Dec 21, 2016 at 7:05 PM, Jean | ddostest.me via NANOG <
nanog@nanog.org> wrote:

> Hello all, I'm a first time poster here and hope to follow all rules.
>
> I found a new way to amplify traffic that would generate really high
> volume of traffic.+10Tbps
>
> ** There is no need for spoofing ** so any device in the world could
> initiate a really big attack or be part of an attack.
>
> We talk about an amplification factor x100+. This means that a single
> computer with 1 Gbps outgoing bandwidth would generate a 100 Gbps DDoS.
> Imagine what a botnet could do?
>
> The list of affected businesses is huge and I would like to privately
> disclose the details to the Tier1 ISP as they are highly vulnerable.
>
> XO Comm
> PSINET
> Level 3
> Qwest
> Windstream Comm
> Earthlink
> MCI Comm/Verizon Buss
> Comcast Cable Comm
> AT&T
> Sprint
>
> I know it's Christmas time and there is no rush in disclosing this but, it
> could be a nice opportunity to meditate and shed some light on this new
> DDoS threat. We could start the real work in January.
>
>
> If you are curious and you operate/manage one of the networks mentioned
> above, please write to me at tornad...@ddostest.me from your job email to
> confirm the identity. I will then forward you the DDoS details.
>
> Best regards
>
> Jean St-Laurent
> ddostest.me
> 365 boul. Sir-Wilfrid-Laurier #202
> Beloeil, QC J3G 4T2
>



-- 

Alexander Lyamin

CEO | Qrator <http://qrator.net/>* Labs*

office: 8-800--LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  l...@qrator.net


Re: Dyn DDoS this AM?

2016-10-25 Thread Alexander Lyamin
Yeah, it sucked to be a Dyn customer that day. However, if you had a
backup DNS provider, it wasn't that bad.

You do realize that the scale of the collateral effect is a property of the
target and not of the attack?

My point was that implementing MANRS, while it doesn't cover the full
spectrum of the attacks that made news this autumn, will make at least some
of them, if not impossible, then harder to execute.

And as I said, it's a work in progress.

P.S. Jared Mauch's notes regarding uRPF underperformance are correct, but that
only shows how rarely it's actually used in real life. uRPF is more than
feasible in terms of algorithmic complexity, and this means that bugs can
be dealt with.



On Tue, Oct 25, 2016 at 7:30 AM, Ronald F. Guilmette wrote:

>
> In message  gmail.com>,
> Alexander Lyamin  wrote:
>
> >It's not the first time we have had a large-scale DDoS incident.
> >It's not the first time we have (a kind of) knee-jerk reaction.
>
> I could be wrong, but I think its the first time I've turned
> on CNN and seen a "heat map" of the incident showing the entire
> NorthEast / New England area, all the way down to Washington,
> and parts of California all blanketed in red.
>
> So that part, at least, was, ya know, novel.
>
>
> Regards,
> rfg
>



-- 

Alexander Lyamin

CEO | Qrator <http://qrator.net/>* Labs*

office: 8-800--LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  l...@qrator.net
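
The remark above that uRPF is more than feasible in algorithmic terms comes down to this: the check is one longest-prefix lookup keyed on the source address, the same work the router already does for forwarding on the destination. The example below implements the strict, feasible-path and loose variants over a toy table to show which spoofed or asymmetric cases each mode drops. This is an added example, not code from the post or from any vendor; the FIB, interface names and addresses are constructed, and the linear scan stands in for a real router's trie.

```python
"""Strict, loose and feasible-path uRPF over a toy FIB.

Added example; the table, interfaces and addresses are constructed. The
linear scan stands in for the router's longest-prefix-match trie: the
check is one lookup on the source address, no more work than forwarding.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List


class Fib:
    """Prefix -> list of next-hop interfaces, best path first. Extra
    entries model alternate paths used by feasible-path uRPF (RFC 3704)."""

    def __init__(self):
        self._routes = defaultdict(list)

    def add(self, prefix: str, iface: str, best: bool = True) -> None:
        net = ipaddress.ip_network(prefix)
        if best:
            self._routes[net].insert(0, iface)
        else:
            self._routes[net].append(iface)

    def lookup(self, addr: str):
        """(network, interfaces) of the longest matching prefix, or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, ifaces in self._routes.items():
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, ifaces)
        return best


def urpf(fib: Fib, src: str, ingress: str, mode: str = "strict",
         allow_default: bool = False) -> bool:
    """True if a packet from `src` arriving on `ingress` passes the check.

    strict:   the best route back to src must leave via `ingress`
    feasible: any known path back to src may leave via `ingress`
    loose:    some route back to src exists (catches unrouted sources only)
    A match on the default route alone counts as "no route" unless
    allow_default is set, otherwise loose mode would pass everything.
    """
    hit = fib.lookup(src)
    if hit is None:
        return False
    net, ifaces = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return ifaces[0] == ingress
    if mode == "feasible":
        return ingress in ifaces
    raise ValueError(f"unknown uRPF mode {mode!r}")


def build_fib() -> Fib:
    """Constructed edge-router table: a default via transit, one
    single-homed customer, one customer dual-homed to us, one peer."""
    fib = Fib()
    fib.add("0.0.0.0/0", "transit0")
    fib.add("192.0.2.0/24", "cust1")
    fib.add("198.51.100.0/24", "cust2")
    fib.add("198.51.100.0/24", "cust2b", best=False)
    fib.add("203.0.113.0/24", "peer1")
    return fib


# Constructed packets: (source address, ingress interface, what it models)
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust1", "single-homed customer, own address"),
    ("203.0.113.5", "cust1", "customer port carrying a peer's source address"),
    ("198.51.100.7", "cust2b", "dual-homed customer arriving on its second link"),
    ("10.9.8.7", "cust1", "source with no route back at all"),
]


def evaluate(fib: Fib, packets, mode: str) -> Dict[str, bool]:
    """Verdict per source address for one uRPF mode."""
    return {src: urpf(fib, src, ingress, mode) for src, ingress, _ in packets}


if __name__ == "__main__":
    fib = build_fib()
    for mode in ("strict", "feasible", "loose"):
        for src, ingress, what in SAMPLE_PACKETS:
            verdict = "pass" if urpf(fib, src, ingress, mode) else "DROP"
            print(f"{mode:8} {src:14} on {ingress:7} {verdict:5} {what}")
```

The dual-homed case is the one that makes operators turn strict mode off; feasible-path mode keeps that customer while still dropping the peer-sourced packet on the customer port.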


Re: Dyn DDoS this AM?

2016-10-24 Thread Alexander Lyamin
It's not the first time we have had a large-scale DDoS incident.
It's not the first time we have (a kind of) knee-jerk reaction.

I think it's the right time to direct community attention to this document:

https://www.routingmanifesto.org/manrs/

It's a work in progress. But it's a good start.



On Fri, Oct 21, 2016 at 5:48 PM, Patrick W. Gilmore wrote:

> I cannot give additional info other than what’s been on “public media”.
>
> However, I would very much like to say that this is a horrific trend on
> the Internet. The idea that someone can mention a DDoS then get DDoS’ed Can
> Not Stand. See Krebs’ on the Democratization of Censorship. See lots of
> other things.
>
> To Dyn and everyone else being attacked:
> The community is behind you. There are problems, but if we stick together,
> we can beat these miscreants.
>
> To the miscreants:
> You will not succeed. Search "churchill on the beaches”. It’s a bit
> melodramatic, but it’s how I feel at this moment.
>
> To the rest of the community:
> If you can help, please do. I know a lot of you are thinking “what can I
> do?" There is a lot you can do. BCP38 & BCP84 instantly come to mind. Sure,
> that doesn’t help Mirai, but it still helps. There are many other things
> you can do as well.
>
> But a lot of it is just willingness to help. When someone asks you to help
> trace an attack, do not let the request sit for a while. Damage is being
> done. Help your neighbor. When someone’s house is burning, your current
> project, your lunch break, whatever else you are doing is almost certainly
> less important. If we stick together and help each other, we can - we WILL
> - win this war. If we are apathetic, we have already lost.
>
>
> OK, enough motivational speaking for today. But take this to heart. Our
> biggest problem is people thinking they cannot or do not want to help.
>
> --
> TTFN,
> patrick
>
> > On Oct 21, 2016, at 10:55 AM, Chris Grundemann 
> wrote:
> >
> > Does anyone have any additional details? Seems to be over now, but I'm
> very
> > curious about the specifics of such a highly impactful attack (and it's
> > timing following NANOG 68)...
> >
> > https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-
> twitter-spotify-reddit/
> >
> > --
> > @ChrisGrundemann
> > http://chrisgrundemann.com
>
>


-- 

Alexander Lyamin

CEO | Qrator <http://qrator.net/>* Labs*

office: 8-800--LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  l...@qrator.net


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-25 Thread Alexander Lyamin
This time around it's not about spoofing.

I presume this is a development of the same botnet/worm that we saw on day 2
of the Shellshock public disclosure - it was pretty high-tech: golang,
arm/mips/x86 support, multiple attack vectors - including (surprisingly)
very effective password guessing.
It counted ~100k heads on day 2, and I suppose they did grow quite a bit.


That's part of the problem and why they cause that much havoc - they do have
real IP addresses and are reasonably well connected - so they can wreak havoc
on bandwidth and the TCP stack.

They most likely do not have enough resources to do a full browser stack,
that's why I think the L7 capabilities of the botnet will be very basic.



On Sun, Sep 25, 2016 at 7:00 PM, John Kristoff  wrote:

> On Sun, 25 Sep 2016 14:36:18 +
> Ca By  wrote:
>
> > As long as there is one spoof-capable network on the net, the problem
> > will not be solved.
>
> This is not strictly true.  If it could be determined where a large
> bulk of the spoofing came from, public pressure could be applied.  This
> may not have been the issue in this case, but in many amplification and
> reflection attacks, the originating spoof-enabled networks were from a
> limited set of networks.  De-peering, service termination, shaming, etc
> could have an effect.
>
> John
>



-- 

Alexander Lyamin

CEO | Qrator <http://qrator.net/>* Labs*

office: 8-800--LAB (522)

mob: +7-916-9086122

skype: melanor9

mailto:  l...@qrator.net