Re: Retalitory DDoS

2021-02-08 Thread bzs


I notice I often get DDoS'd when I post here, to NANOG, usually w/in
2-3 hours, so owing to this note it'll probably happen again tonight!

The typical attack is some mixture of DNS whacking from dozens or
hundreds of hosts, plus usually UDP packets being flung at basically
round-robin ports (udp port 13577, udp port 13578, ...) generating a
lot of ICMP unreachables again from hundreds of hosts no doubt all
phony.

I block it so it's not usually a big big deal other than a brief time
waste as I kick in autoblocking I wouldn't want to run all the time
but I can see it on for example MRTG, traffic spikes to as much as 10x
what I might expect at that time of day.

This is a rough neighborhood.

  "Who steals my bandwidth steals trash"
-- William Shakespeare the XIIth

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


RE: [EXTERNAL] Re: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
Good analysis, Hugo,

I believe that all of this volumetric attack is just noise to hide the real 
attack that really killed your webserver.

TCP Flag: SYN: 100%

I would start with this line and I agree that Roland’s deck might have 
something about SYN flood.

Jean

 

From: Hugo Slabbert
Sent: February 8, 2021 2:19 PM
To: Compton, Rich A
Cc: Mike Hammett ; Jean St-Laurent ; NANOG list
Subject: Re: [EXTERNAL] Re: Retalitory DDoS

Was gonna come to add that.  That and maybe some UDP frags.

You may want to have your hosting provider block all inbound traffic from 
reaching your server IP except TCP port 443 (or 80 or whatever port you 
actually use) somewhere upstream.

Can also consider dropping by UDP source port on that 3072 and other common 
reflection vectors if you've got UDP-based destinations to deal with.

The SYN floods are a different beast; though probably not volumetric, needs 
enough capacity (TCP reverse proxies / LBs / etc) to handle that and possibly 
things like SYN cookies.  I'll let folks more versed than myself answer there, 
though.  Roland probably has a deck ready to link ;)

-- 
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal

On Mon, Feb 8, 2021 at 10:10 AM Compton, Rich A wrote:

FYI, that looks like a Web Services Dynamic Discovery UDP amplification DDoS 
attack.
https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html
Very easily executed by a booter service.

You may want to have your hosting provider block all inbound traffic from 
reaching your server IP except TCP port 443 (or 80 or whatever port you 
actually use) somewhere upstream.  This can help reduce the impact of DDoS 
attacks on your server.  

 

-Rich

From: NANOG on behalf of Mike Hammett
Date: Monday, February 8, 2021 at 10:58 AM
To: Jean St-Laurent
Cc: NANOG list
Subject: [EXTERNAL] Re: Retalitory DDoS


I don't have RTBH, no. It's just a web server.

Now how my hosting provider handled it, I'm not sure. I don't know if they just 
dropped me internally, or if they used RTBH with their upstreams and peers. 
Only being 2.5 gigs, that should be well within their ability to handle 
internally, but I guess why would you if you didn't have to?



-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP



From: "Jean St-Laurent" 
To: "Mike Hammett" 
Cc: "NANOG list" 
Sent: Monday, February 8, 2021 11:53:43 AM
Subject: RE: Retalitory DDoS

You got RTBH?

From: Mike Hammett
Sent: February 8, 2021 12:50 PM
To: Jean St-Laurent
Cc: NANOG list
Subject: Re: Retalitory DDoS

In my case, it was against a server not on my own network, so my impact was a 
blackhole for an hour at 4 AM local time. I likely wouldn't have even noticed 
it, had I not received the threat email, nor the ticket my web host's NOC 
opened.





From: "Jean St-Laurent" 
To: "Mike Hammett" , "NANOG list" 
Sent: Monday, February 8, 2021 11:42:12 AM
Subject: RE: Retalitory DDoS

Nice report,

If you would have to pick up just one vector out of this “multi-vector” attack, 
which one seems to be the one that had the bigger effect on your network or 
service?

Was it degraded or total service interruption?

Jean

From: NANOG On Behalf Of Mike Hammett
Sent: February 8, 2021 8:43 AM
To: NANOG list
Subject: Re: Retalitory DDoS


Mike,

I've attached the full information we got from our DDOS protection system below.

We had a large number of ping loss and data loss tickets begin opening up for 
devices sharing the cabinet chi18-313. The high traffic and interference was 
determined to be caused by incoming traffic to the ip address [Not hard to 
find, but redacted anyway]. Our network engineers will be back in after 9am 
until 5pm CST. They have greater access to the network and may be able to give 
you more details.

Location : Chicago
Event Time : 2021-02-08 04:17:38 CST (-0600)
Destination IP: [Not hard to find, but redacted anyway]
Traffic : 2520 Mbps 382880 pps
Fragmentation : 11%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0%
Top Source Port:
. 61% Port # 3702
. 38% Port # 0
Top Destination Port:
. 38% Port # 0
. 14% Port # 45934
. 9% Port # 23680
. 8% Port # 35023
. 7% Port # 25966
Top Source IP:

Re: [EXTERNAL] Re: Retalitory DDoS

2021-02-08 Thread Hugo Slabbert
Was gonna come to add that.  That and maybe some UDP frags.

> You may want to have your hosting provider block all inbound traffic from
> reaching your server IP except TCP port 443 (or 80 or whatever port you
> actually use) somewhere upstream.


Can also consider dropping by UDP source port on that 3072 and other common
reflection vectors if you've got UDP-based destinations to deal with.

The SYN floods are a different beast; though probably not volumetric, needs
enough capacity (TCP reverse proxies / LBs / etc) to handle that and
possibly things like SYN cookies.  I'll let folks more versed than myself
answer there, though.  Roland probably has a deck ready to link ;)

-- 
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal



Re: [EXTERNAL] Re: Retalitory DDoS

2021-02-08 Thread Compton, Rich A
FYI, that looks like a Web Services Dynamic Discovery UDP amplification DDoS 
attack.
https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html
Very easily executed by a booter service.
You may want to have your hosting provider block all inbound traffic from 
reaching your server IP except TCP port 443 (or 80 or whatever port you 
actually use) somewhere upstream.  This can help reduce the impact of DDoS 
attacks on your server.

-Rich


Re: Retalitory DDoS

2021-02-08 Thread Mike Hammett
It would only be a 1G NIC. 

They did say it was impacting other users in that rack. No clue how hot or what 
they run to each rack. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

From: NANOG  On Behalf Of Mike 
Hammett 
Sent: February 8, 2021 8:43 AM 
To: NANOG list  
Subject: Re: Retalitory DDoS 


Mike, 

I've attached the full information we got from our DDOS protection system 
below. 

We had a large number of ping loss and data loss tickets begin opening up for 
devices sharing the cabinet chi18-313. The high traffic and interference was 
determined to be caused by incoming traffic to the ip address [Not hard to 
find, but redacted anyway]. Our network engineers will be back in after 9am 
until 5pm CST. They have greater access to the network and may be able to give 
you more details. 

Location : Chicago 
Event Time : 2021-02-08 04:17:38 CST (-0600) 
Destination IP: [Not hard to find, but redacted anyway] 
Traffic : 2520 Mbps 382880 pps 
Fragmentation : 11% 
Top Transport Protocol: 
. 99% Protocol # 17 (UDP) 
TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0% 
Top Source Port: 
. 61% Port # 3702 
. 38% Port # 0 
Top Destination Port: 
. 38% Port # 0 
. 14% Port # 45934 
. 9% Port # 23680 
. 8% Port # 35023 
. 7% Port # 25966 
Top Source IP: 
. 0% 112.164.127.17 
Number of unique IP: 7110 
Total Bytes : 1259961437 
Total Packets : 1531559 
Duration : 4s 
Report Run Time : 151.3ms 

The 30 day null route count is: 0 
Number of hours to null route : 1 

Location : Chicago 
Event Time : 2021-02-08 04:02:38 CST (-0600) 
Destination IP: [Not hard to find, but redacted anyway] 
Traffic : 1817 Mbps 275483 pps 
Fragmentation : 13% 
Top Transport Protocol: 
. 99% Protocol # 17 (UDP) 
TCP Flag: SYN: 99% ACK: 0% RST: 0% FIN: 0% 
Top Source Port: 
. 56% Port # 3702 
. 43% Port # 0 
Top Destination Port: 
. 43% Port # 0 
. 19% Port # 25966 
. 19% Port # 35023 
. 17% Port # 23680 
Top Source IP: 
. 0% 90.49.167.239 
Number of unique IP: 3577 
Total Bytes : 953894831 
Total Packets : 1157017 
Duration : 4.199s 
Report Run Time : 306.8ms 

The 30 day null route count is: 0 
Number of hours to null route : 1 


Liam Doring 
Systems Administrator 



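
Added here as a worked example, not code from the thread or any poster's tooling: a parser for the NOC report format quoted above, a classifier that flags the WS-Discovery source port, the fragment share and the small SYN component, and a generator for the filter Rich and Hugo describe (only the served TCP ports in, reflection source ports and fragments dropped). The nftables syntax, the 20%/10% thresholds and the trimmed sample report are this example's assumptions; the same ruleset applied only on the host protects its stack but not a 1 Gbps link taking 2.5 Gbps, which is why the thread says to have it applied upstream.

```python
"""Parse the DDoS-protection report format quoted in this thread, classify the
vector, and sketch the filter the thread recommends.  Added example, not code
from the thread or from any poster's tooling."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Defender's lookup table of UDP services commonly abused for reflection; 3702
# (WS-Discovery) is the one in this thread, the others are well known.
REFLECTION_PORTS = {3702: "WS-Discovery", 53: "DNS", 123: "NTP",
                    1900: "SSDP", 389: "CLDAP", 11211: "memcached"}

# Constructed sample in the NOC's format, with the numbers quoted in the thread.
SAMPLE_REPORT = """\
Traffic : 2520 Mbps 382880 pps
Fragmentation : 11%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0%
Top Source Port:
. 61% Port # 3702
. 38% Port # 0
Top Destination Port:
. 38% Port # 0
. 14% Port # 45934
Number of unique IP: 7110
Total Bytes : 1259961437
Total Packets : 1531559
"""

@dataclass
class Report:
    mbps: int
    pps: int
    frag_pct: int
    udp_pct: int
    syn_pct: int
    src_ports: dict  # source port -> percent of traffic
    unique_ips: int
    total_bytes: int
    total_packets: int

    @property
    def avg_packet_bytes(self) -> float:
        return self.total_bytes / self.total_packets

def _int(pattern: str, text: str, default: int = 0) -> int:
    m = re.search(pattern, text)
    return int(m.group(1)) if m else default

def parse_report(text: str) -> Report:
    # Source-port entries look like ". 61% Port # 3702" between the two labels.
    src = re.search(r"Top Source Port:(.*?)Top Destination Port:", text, re.S)
    ports = re.findall(r"(\d+)%\s*Port\s*#\s*(\d+)", src.group(1) if src else "")
    return Report(
        mbps=_int(r"Traffic\s*:\s*(\d+)\s*Mbps", text),
        pps=_int(r"(\d+)\s*pps", text),
        frag_pct=_int(r"Fragmentation\s*:\s*(\d+)%", text),
        udp_pct=_int(r"(\d+)%\s*Protocol\s*#\s*17\b", text),
        syn_pct=_int(r"SYN:\s*(\d+)%", text),
        src_ports={int(p): int(pct) for pct, p in ports},
        unique_ips=_int(r"Number of unique IP:\s*(\d+)", text),
        total_bytes=_int(r"Total Bytes\s*:\s*(\d+)", text),
        total_packets=_int(r"Total Packets\s*:\s*(\d+)", text, default=1),
    )

def classify(r: Report) -> list[str]:
    """Findings, most significant first; the thresholds are this example's."""
    out = []
    for port, pct in sorted(r.src_ports.items(), key=lambda kv: -kv[1]):
        if port in REFLECTION_PORTS and pct >= 20:
            out.append(f"reflection: {pct}% from UDP source port {port} ({REFLECTION_PORTS[port]})")
    # Source port 0 in flow records usually means a non-initial fragment (no L4 header).
    if r.src_ports.get(0, 0) >= 10 or r.frag_pct >= 10:
        out.append(f"fragments: {r.src_ports.get(0, 0)}% port 0, {r.frag_pct}% fragmented")
    tcp_pct = 100 - r.udp_pct
    if tcp_pct > 0 and r.syn_pct >= 90:
        out.append(f"syn: TCP is only ~{tcp_pct}% of packets but {r.syn_pct}% of it is SYN-only")
    out.append(f"volume: {r.mbps} Mbps / {r.pps} pps, ~{r.avg_packet_bytes:.0f} B/packet, {r.unique_ips} sources")
    return out

def nft_ruleset(r: Report, served_tcp_ports=(80, 443)) -> str:
    """The policy the thread suggests asking the upstream for, in nftables syntax
    (this example's choice); pair with net.ipv4.tcp_syncookies=1 on the host."""
    lines = ["table inet ddos {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept",
             "    ct state established,related accept",
             "    ip frag-off & 0x1fff != 0 counter drop"]  # non-initial fragments
    for port in sorted(p for p in r.src_ports if p in REFLECTION_PORTS):
        lines.append(f"    udp sport {port} counter drop")   # seen reflection ports
    ports = ", ".join(str(p) for p in served_tcp_ports)
    lines.append(f"    tcp dport {{ {ports} }} accept")       # what the server serves
    lines += ["  }", "}"]
    return "\n".join(lines)
```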

RE: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
I would not for 2.5 Gbps

So if you were down for 1 hour with 2.5 Gbps and it’s probably not a black hole.

There might be something else valuable in this report.

Maybe 2.5 Gbps is not the damaging factor here unless your server has only 1 
Gbps nic, then it could explain. But, I doubt.

Peace
Jean

 


Re: Retalitory DDoS

2021-02-08 Thread Mike Hammett
I don't have RTBH, no. It's just a web server. 

Now how my hosting provider handled it, I'm not sure. I don't know if they just 
dropped me internally, or if they used RTBH with their upstreams and peers. 
Only being 2.5 gigs, that should be well within their ability to handle 
internally, but I guess why would you if you didn't have to? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

From: "Mike Hammett"  
To: "NANOG list"  
Sent: Monday, February 8, 2021 5:46:26 AM 
Subject: Retalitory DDoS 


Is there a club for people that have been DDoSed? If so, count me in.

This one was directed at me (as opposed to one of my customers) because I got 
an e-mail explaining why I was getting DDoSed. Is that aspect common?

There were also some racial and sexual accusations that were made that clearly 
aren't true and just speak to the intelligence of people like this.

Is it safe to assume that they completely anonymized the email they sent to me?

Is there anyone I should be reporting this to?

I thought my site was running in Cloudflare, but my individual server was still 
attacked, so I gotta figure out where I screwed that up.

https://www.dropbox.com/s/rrrx90jvy09h26s/ICS%20DDoS.png?dl=0




RE: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
You got RTBH?

Re: Retalitory DDoS

2021-02-08 Thread Mike Hammett
In my case, it was against a server not on my own network, so my impact was a 
blackhole for an hour at 4 AM local time. I likely wouldn't have even noticed 
it, had I not received the threat email, nor the ticket my web host's NOC 
opened. 




-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

RE: Retalitory DDoS

2021-02-08 Thread Jean St-Laurent via NANOG
Nice report,

If you had to pick just one vector out of this “multi-vector” attack, which
one seems to have had the biggest effect on your network or service?

Was it degraded service or a total service interruption?

Jean


Re: Retalitory DDoS

2021-02-08 Thread Töma Gavrichenkov
Peace,

On Mon, Feb 8, 2021 at 2:48 PM Mike Hammett  wrote:
> I got an e-mail explaining why I was getting DDoSed. Is that aspect common?

Not quite.  But it happens sometimes.

> Is it safe to assume that they completely anonymized the email they sent to 
> me?

Likely, but not necessarily.  Look up the message headers.  Your
(accurate) description of their intelligence implies they might've
failed to anonymize that properly, or they might live in a country
that hasn't signed an extradition treaty with the U.S., so they don't
bother.

> Is there anyone I should be reporting this to?

You're not required to, but you can report it to the FBI so that in
case those people finally get caught (criminals sometimes make
mistakes) their sentence would be a couple years longer.

--
Töma
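One way to act on "look up the message headers", as an added example that is not part of Töma's post: it walks the Received chain of a constructed message and separates the hop our own server observed from the hops the sender's side merely claims. The host names and addresses are documentation-range placeholders, and the set of servers counted as "ours" is an assumption.

```python
import re
from email import message_from_string

# Constructed sample of a threatening e-mail as the receiving server stored it.
# Hosts and addresses are documentation-range placeholders, not values from the thread.
RAW_MAIL = """\
Return-Path: <someone@example.net>
Received: from mx2.example.org (mx2.example.org [198.51.100.20])
\tby mail.example.com with ESMTPS id abc123; Mon, 8 Feb 2021 05:31:02 -0600
Received: from webmail.example.net (webmail.example.net [203.0.113.5])
\tby mx2.example.org with ESMTP; Mon, 8 Feb 2021 05:31:00 -0600
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby webmail.example.net with ESMTPSA; Mon, 8 Feb 2021 05:30:58 -0600
From: "anon" <someone@example.net>
To: victim@example.com
Subject: you know why
Message-ID: <20210208113058.1234@webmail.example.net>

(body omitted)
"""

# 'from <helo> (<rdns> [<ip>]) by <host>' is the common shape of a Received line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Return the Received hops in transit order: first server to touch the mail first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)          # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue                               # unusual MTA format, skip it
        ip = IP_RE.search(m.group("paren") or "")
        hops.append({"helo": m.group("helo"), "by": m.group("by"),
                     "from_ip": ip.group(1) if ip else None})
    hops.reverse()  # each MTA prepends its line, so the last header is the first hop
    return hops


def trace_origin(raw, our_hosts):
    """Separate what our own servers observed from what the sender's side claims."""
    hops = parse_received(raw)
    # Only a Received line written by a server we control is evidence; everything
    # that appears to have been added before it could have been forged by the sender.
    trusted = [i for i, h in enumerate(hops) if h["by"].lower() in our_hosts]
    if not trusted:
        return {"verified_peer_ip": None, "claimed_origin_ip": None, "claimed_hops": 0}
    first = trusted[0]
    return {
        "verified_peer_ip": hops[first]["from_ip"],        # the peer that handed it to us
        "claimed_origin_ip": hops[0]["from_ip"] if first > 0 else None,
        "claimed_hops": first,                             # hops we cannot verify ourselves
    }
```

The claimed origin is what goes into a report to the provider or to law enforcement; the verified peer is the only address the recipient can vouch for.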


Re: Retalitory DDoS

2021-02-08 Thread Bret Clark
Not an official club, but the unofficial club is full of members, including
myself unfortunately... little you can do except consider a DDoS mitigation
service if it continues.

It is a criminal activity, so you can report the attack to the FBI... they can't
do much, to be honest, but at the very least this is good to do in case the
problem continues and/or you need to file a business loss with your insurance
company, assuming you have cyber insurance in your policy.

https://www.ic3.gov/Media/Y2017/PSA1710172
Internet Crime Complaint Center (IC3) | Booter and Stresser Services Increase
the Scale and Frequency of Distributed Denial of Service Attacks



Re: Retalitory DDoS

2021-02-08 Thread Mike Hammett
Mike, 

I've attached the full information we got from our DDOS protection system 
below. 

We had a large number of ping loss and data loss tickets begin opening up for 
devices sharing the cabinet chi18-313. The high traffic and interference was 
determined to be caused by incoming traffic to the IP address [Not hard to 
find, but redacted anyway]. Our network engineers will be back in after 9am 
until 5pm CST. They have greater access to the network and may be able to give 
you more details. 
Location : Chicago 
Event Time : 2021-02-08 04:17:38 CST (-0600) 
Destination IP: [Not hard to find, but redacted anyway] 
Traffic : 2520 Mbps 382880 pps 
Fragmentation : 11% 
Top Transport Protocol: 
. 99% Protocol # 17 (UDP) 
TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0% 
Top Source Port: 
. 61% Port # 3702 
. 38% Port # 0 
Top Destination Port: 
. 38% Port # 0 
. 14% Port # 45934 
. 9% Port # 23680 
. 8% Port # 35023 
. 7% Port # 25966 
Top Source IP: 
. 0% 112.164.127.17 
Number of unique IP: 7110 
Total Bytes : 1259961437 
Total Packets : 1531559 
Duration : 4s 
Report Run Time : 151.3ms 

The 30 day null route count is: 0 
Number of hours to null route : 1 

Location : Chicago 
Event Time : 2021-02-08 04:02:38 CST (-0600) 
Destination IP: [Not hard to find, but redacted anyway] 
Traffic : 1817 Mbps 275483 pps 
Fragmentation : 13% 
Top Transport Protocol: 
. 99% Protocol # 17 (UDP) 
TCP Flag: SYN: 99% ACK: 0% RST: 0% FIN: 0% 
Top Source Port: 
. 56% Port # 3702 
. 43% Port # 0 
Top Destination Port: 
. 43% Port # 0 
. 19% Port # 25966 
. 19% Port # 35023 
. 17% Port # 23680 
Top Source IP: 
. 0% 90.49.167.239 
Number of unique IP: 3577 
Total Bytes : 953894831 
Total Packets : 1157017 
Duration : 4.199s 
Report Run Time : 306.8ms 

The 30 day null route count is: 0 
Number of hours to null route : 1 


Liam Doring 
Systems Administrator 






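The triage an operator would do on the protection system's report above, as an added example that is not from the thread or from the vendor of that system: it parses the report's own "Key : value" and ". NN% item" lines and names the vectors, assuming the source-port classifications listed in REFLECTION_PORTS.

```python
import re

# Constructed input: the first event block of the DDoS protection report in this
# thread, trimmed to the lines the triage needs so the example runs offline.
REPORT = """\
Traffic : 2520 Mbps 382880 pps
Fragmentation : 11%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
Top Source Port:
. 61% Port # 3702
. 38% Port # 0
Top Source IP:
. 0% 112.164.127.17
Number of unique IP: 7110
Total Bytes : 1259961437
Total Packets : 1531559
"""

# UDP source ports commonly abused for reflection/amplification (assumed list;
# 3702 is WS-Discovery, the port that dominates this thread's report).
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 3702: "WS-Discovery"}

def parse_report(text):
    """Split the report into 'Key : value' fields and '. NN% item' sections."""
    fields, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\.\s*(\d+)%\s+(.*)$", line)
        if m and current is not None:          # '. 61% Port # 3702'
            sections[current][m.group(2)] = int(m.group(1))
        elif line.endswith(":"):               # 'Top Source Port:'
            current = line[:-1]
            sections[current] = {}
        elif ":" in line:                      # 'Traffic : 2520 Mbps 382880 pps'
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
    return fields, sections

def triage(text):
    """Name the vectors by share of traffic and say whether per-IP blocking can help."""
    fields, sections = parse_report(text)
    vectors = []
    for item, pct in sorted(sections["Top Source Port"].items(), key=lambda kv: -kv[1]):
        port = int(item.rsplit("#", 1)[1])
        if port == 0:
            # Flow records carry port 0 when there is no transport header: non-initial fragments.
            vectors.append((pct, "non-initial UDP fragments (port 0)"))
        elif port in REFLECTION_PORTS:
            vectors.append((pct, f"{REFLECTION_PORTS[port]} reflection (UDP sport {port})"))
        else:
            vectors.append((pct, f"UDP from sport {port}"))
    unique_ips = int(fields["Number of unique IP"])
    top_src_pct = max(sections.get("Top Source IP", {}).values(), default=0)
    return {
        "mbps": int(fields["Traffic"].split()[0]),
        # ~822 bytes/packet: large payloads, consistent with amplified responses.
        "avg_bytes_per_packet": int(fields["Total Bytes"]) // int(fields["Total Packets"]),
        "dominant_vector": vectors[0][1],
        "vectors": vectors,
        # Thousands of sources, none above 1%: blocking individual IPs is pointless;
        # upstream filtering by UDP source port, or RTBH of the target, is what works.
        "per_source_blocking_useful": unique_ips < 50 and top_src_pct > 10,
    }
```

Against the first event block the dominant vector comes out as WS-Discovery reflection from UDP source port 3702 with the remainder as fragments, and no single source carries even 1% of the traffic, which is why the answer is upstream source-port filtering or a null route rather than per-IP blocking.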


Retalitory DDoS

2021-02-08 Thread Mike Hammett

Is there a club for people that have been DDoSed? If so, count me in. 


This one was directed at me (as opposed to one of my customers) because I got 
an e-mail explaining why I was getting DDoSed. Is that aspect common? 


There were also some racial and sexual accusations that were made that clearly 
aren't true and just speak to the intelligence of people like this. 


Is it safe to assume that they completely anonymized the email they sent to me? 


Is there anyone I should be reporting this to? 


I thought my site was running in Cloudflare, but my individual server was still 
attacked, so I gotta figure out where I screwed that up. 



https://www.dropbox.com/s/rrrx90jvy09h26s/ICS%20DDoS.png?dl=0 



