Re: Staring Down the Armada Collective

2015-12-04 Thread dennis



I agree Protonmail took a stance and believe many others can learn from their 
experience. But let's not oversimplify the problem. According to their blogs 
the attacks were over 100G and went on for hours at a time over several days. 
Attacks can go on for days and months. Protonmail found themselves up against 
varying attack tactics and ultimately took a defense-in-depth approach to 
mitigate the attack. 
Null routing the original IP completes the attack: game over, server is down. 
Granted, this can help prevent collateral damage. Combined with proxies, this can 
work well for DNS redirect to route through cloud scrubbing, but these solutions 
can add latency and impact legitimate traffic also. With redirection there is 
also the complexity of TLS/SSL (certificate management, privacy, etc.). And 
then you must also consider IP-based (non-proxied) targets. These DNS 
redirect/proxy methods don't handle IP-based attack targets and cause the need 
to swing IP prefixes via BGP. Bottom line, attackers can impact the 
infrastructure by varying their tactics, and the approach should be well thought 
out and multilayered.


Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone

-------- Original message --------
From: Lyndon Nerenberg <lyn...@orthanc.ca> 
Date: 12/4/2015  12:14 AM  (GMT-05:00) 
To: North American Network Operators' Group <nanog@nanog.org> 
Subject: Re: Staring Down the Armada Collective 


On Dec 3, 2015, at 6:28 PM, Lyndon Nerenberg <lyn...@orthanc.ca> wrote:

> Are we perhaps, finally, reaching the cusp where everyone has realized that 
> if we all, collectively, tell the rodents to f*** off, they just might?

I should also mention that, despite their bluster, they can't keep it up for 
more than half an hour.

By then, the upstream networks have figured it out and have null routed 
anything of consequence - far upstream.  Meanwhile, back haul your traffic in 
via a private network and they won't be able to do shit to you. (E.g. the 
standard Cloudflare model.)

They are not as smart as they make themselves out to be.  Don't let fear drive 
your decisions.

--lyndon
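The message above makes the point that DNS redirection into a scrubbing/proxy provider protects only what actually resolves to the provider's address space; any hostname still pointing at an origin address is an IP-based target the proxy never sees. The following script is an added example, not code from the NANOG thread or from any provider: it walks a zone dump (constructed records, documentation address ranges), follows in-zone CNAME chains, and reports every name whose address records fall outside the assumed proxy prefixes. The prefixes, hostnames and addresses are placeholders, not real infrastructure.

```python
"""
Added example: flag DNS names that bypass a scrubbing/proxy provider.

A host whose records resolve to an address outside the provider's
prefixes is reachable directly, so the DNS-redirect layer does nothing
for it. All prefixes, names and addresses below are constructed.
"""
import ipaddress

# Constructed: prefixes the (hypothetical) proxy provider announces on our behalf.
PROXY_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Constructed zone dump as (owner name, record type, value) tuples.
RECORDS = [
    ("www.example.com", "A", "192.0.2.10"),           # fronted by the proxy
    ("www.example.com", "AAAA", "2001:db8:100::10"),  # fronted by the proxy
    ("mail.example.com", "A", "198.51.100.25"),       # mail host sits on the origin
    ("origin.example.com", "A", "198.51.100.80"),     # leftover origin record
    ("api.example.com", "CNAME", "www.example.com"),  # alias, proxied via www
    ("example.com", "MX", "10 mail.example.com"),     # not an address record
]


def is_proxied(addr, proxy_prefixes=PROXY_PREFIXES):
    """True if the address lies inside one of the proxy provider's prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in proxy_prefixes)


def resolve(name, records, depth=0):
    """Return the A/AAAA values a name ends at, following in-zone CNAME chains.

    Only A, AAAA and CNAME records are considered; MX and other types carry
    no address of their own. The depth guard stops CNAME loops.
    """
    if depth > 8:
        return []
    addrs = []
    for owner, rtype, value in records:
        if owner != name:
            continue
        if rtype in ("A", "AAAA"):
            addrs.append(value)
        elif rtype == "CNAME":
            addrs.extend(resolve(value, records, depth + 1))
    return addrs


def exposed_hosts(records, proxy_prefixes=PROXY_PREFIXES):
    """Return sorted (name, address) pairs that resolve outside the proxy prefixes."""
    exposed = []
    for name in sorted({owner for owner, _, _ in records}):
        for addr in resolve(name, records):
            if not is_proxied(addr, proxy_prefixes):
                exposed.append((name, addr))
    return exposed


if __name__ == "__main__":
    for name, addr in exposed_hosts(RECORDS):
        print(f"{name} -> {addr}: reachable without the proxy")
```

Run against a real zone export, the report is the list of names for which the proxy layer is irrelevant and which therefore still need an origin-side plan (the null route, BGP prefix move, or private backhaul the thread discusses). Mail hosts are the usual find, since MX targets cannot sit behind an HTTP proxy.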



Re: Staring Down the Armada Collective

2015-12-03 Thread Roland Dobbins

On 4 Dec 2015, at 9:28, Lyndon Nerenberg wrote:

> Are we perhaps, finally, reaching the cusp where everyone has realized 
> that if we all, collectively, tell the rodents to f*** off, they just 
> might?


By my very rough and subjective guesstimate, extortion is the motivation 
behind ~15% of all DDoS attacks, FYI.


---
Roland Dobbins 


Re: Staring Down the Armada Collective

2015-12-03 Thread Lyndon Nerenberg

On Dec 3, 2015, at 6:28 PM, Lyndon Nerenberg  wrote:

> Are we perhaps, finally, reaching the cusp where everyone has realized that 
> if we all, collectively, tell the rodents to f*** off, they just might?

I should also mention that, despite their bluster, they can't keep it up for 
more than half an hour.

By then, the upstream networks have figured it out and have null routed 
anything of consequence - far upstream.  Meanwhile, back haul your traffic in 
via a private network and they won't be able to do shit to you. (E.g. the 
standard Cloudflare model.)

They are not as smart as they make themselves out to be.  Don't let fear drive 
your decisions.

--lyndon





Re: Staring Down the Armada Collective

2015-12-03 Thread Lyndon Nerenberg

On Dec 3, 2015, at 9:14 PM, Lyndon Nerenberg  wrote:

> I should also mention that, despite their bluster, they can't keep it up for 
> more than half an hour.

The mailing list has been quiet. All step forward who are scared to say "me 
too" on account of Armada.

--lyndon





Staring Down the Armada Collective

2015-12-03 Thread Lyndon Nerenberg
Typically, businesses hide from admitting they've been hit by drive-by attacks 
like Armada is trying to pull off. It has been interesting to see the public 
reaction from the post-Protonmail targets, many of whom are being very visible 
about 1) admitting they have been hit by the attacks, and 2) making it very 
clear the Armada crew can f*** right off as far as collecting ransom is 
concerned. (Also, 3) the amazing support from customers who understand why we 
are working on putting up defences instead of just paying, and therefore put up 
with the inevitable downtime as we reconfigure sometimes large chunks of our 
networks.)

The money asked for was a pittance (around USD$6K) for the attacks I'm 
personally aware of. The targeted were willing to spend far in excess of that 
to deploy the necessary wall of DDoS protection to keep their services running, 
if they didn't have it there already.

What does that say for the business model of the botnet handlers? They can't 
up their ransom demands, because nobody is paying at the current rates. And 
they can't lower them, for the same reason. And if they change their targets 
to sites that might potentially pay a few hundred dollars at best, those sites 
will just shut down anyway.

Are we perhaps, finally, reaching the cusp where everyone has realized that if 
we all, collectively, tell the rodents to f*** off, they just might?

Happy Holidays!

--lyndon


