Re: backtracking forged packets?

2020-03-15 Thread Jean | ddostest.me via NANOG
I believe that Oculus blocked the RST and not the SYN/ACK. It sounds the same, but it's not. I see 2 options here: 1. Continue to be DDoSed and abused. The result is maybe they will move on, but I doubt it. 2. Try to block the malformed SYN/ACK and it will probably solve your issue. You have

Re: backtracking forged packets?

2020-03-14 Thread Jean | ddostest.me via NANOG
Herrin wrote: On Sat, Mar 14, 2020 at 4:02 AM Jean | ddostest.me via NANOG wrote: can you post some forged packets please? You can send them offlist if you prefer. Hi Jean, Here are a couple examples (PDT this morning): 08:22:43.413250 IP (tos 0x0, ttl 55, id 10108, offset 0, flags [none], proto

Re: backtracking forged packets?

2020-03-14 Thread Jean | ddostest.me via NANOG
Hi Bill, can you post some forged packets please? You can send them offlist if you prefer. It seems to be similar to what Octopus experienced a few weeks ago on this list. Thanks Jean St-Laurent | CISSP #634103

Re: TCP-AMP DDoS Attack - Fake abuse reports problem

2020-02-20 Thread Jean | ddostest.me via NANOG
It doesn't sound like a real amplification. If it is, can anyone provide the amplification factor? 1x? It sounds more like TCP spoofing. Jean On 2020-02-20 18:22, Töma Gavrichenkov wrote: Peace, On Fri, Feb 21, 2020, 1:57 AM Filip Hruska wrote: [..] OVH

Re: CISCO 0-day exploits

2020-02-10 Thread Jean | ddostest.me via NANOG
believe me so I showed them the netflows. We were very surprised to see that. We thought that drop means drop. On 2020-02-10 08:40, Saku Ytti wrote: On Mon, 10 Feb 2020 at 13:52, Jean | ddostest.me via NANOG wrote: I really thought that more Cisco devices were deployed among NANOG. I guess

Re: CISCO 0-day exploits

2020-02-10 Thread Jean | ddostest.me via NANOG
I really thought that more Cisco devices were deployed among NANOG. I guess that these devices are not used anymore, or maybe I misunderstood the severity of this CVE. Happy NANOG #78 Cheers Jean On 2020-02-07 09:21, Jean | ddostest.me via NANOG wrote: CDPwn: 5 new zero-day Cisco

CISCO 0-day exploits

2020-02-07 Thread Jean | ddostest.me via NANOG
CDPwn: 5 new zero-day Cisco exploits https://www.armis.com/cdpwn/ What's the impact on your network? Everything is under control? Jean

Re: Jenkins amplification

2020-02-03 Thread Jean | ddostest.me via NANOG
https://en.wikipedia.org/wiki/PfSense In November 2017, a World Intellectual Property Organization panel found that Netgate, the copyright holder of pfSense, had been using the domain opnsense.com in bad faith to

Re: Jenkins amplification

2020-02-03 Thread Jean | ddostest.me via NANOG
Netgate bought pfSense and they have already started to destroy it. You should consider switching to OPNsense. On 2020-02-03 14:34, Matt Harris wrote: fSense on a VM with relatively minimal resources running your VPNs works very well

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

2020-01-30 Thread Jean | ddostest.me via NANOG
is not even exposed to the internet, services will blacklist us. Even if we don't respond, and block every request from the internet incoming & outgoing. On 28.01.2020 22:36:18, "Jean | ddostest.me via NANOG" wrote: But you do receive the SYN/ACK? The way to open a TCP socke

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

2020-01-28 Thread Jean | ddostest.me via NANOG
But you do receive the SYN/ACK? The way to open a TCP socket is the 3-way handshake. Sorry to write that here... I feel it's useless. 1. SYN 2. SYN/ACK 3. ACK Step 1: So hackers spoof the original SYN with a source IP of your network. Step 2: You should then receive those SYN/ACK

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

2020-01-28 Thread Jean | ddostest.me via NANOG
Maybe we're looking at the wrong place when dealing with TCP amp. I believe there is a much easier way to solve this. @OP: can you post the TCP flags of the SYN/ACK you are receiving from Sony? Thanks Jean On 2020-01-27 20:49, Damian Menscher via NANOG wrote: On Mon, Jan 27, 2020 at 5:43 PM
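The two posts above describe the mechanism (an attacker spoofs the victim's address on the SYN, so the third party's SYN/ACK, and later its RST, lands on the victim) and ask to see the TCP flags of what arrives. The following is an added example, not code from the thread or from any poster: it builds a few constructed IPv4/TCP packets in RFC 5737 documentation space, decodes the flag bits the way tcpdump prints them ("S." for SYN/ACK, "R." for RST/ACK), and separates SYN/ACKs that answer a SYN we actually sent from SYN/ACKs and RSTs nobody on our side asked for. The prefix 203.0.113.0/24 standing in for "our network" and the packet builder are assumptions for the demo.

```python
"""Separate reflected SYN/ACK and RST backscatter from real handshakes.

Added illustration, not a tool from the thread. Assumed model: we see both
directions at our edge, record every outbound SYN, and treat an inbound
SYN/ACK or RST with no matching outbound SYN as reflected traffic.
Addresses are RFC 5737 documentation ranges; packets are constructed.
"""
import ipaddress
import struct
from collections import Counter

SYN, ACK, RST = 0x02, 0x10, 0x04
OUR_NET = ipaddress.ip_network("203.0.113.0/24")  # assumption: our prefix


def build_ipv4_tcp(src, dst, sport, dport, flags, ttl=64):
    """Minimal IPv4 + TCP header, no options, checksums left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                          (5 << 12) | flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, ttl, flags) from raw IPv4/TCP bytes."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
            sport, dport, ttl, off_flags & 0x01FF)


def flag_str(flags):
    """tcpdump-style flag string: 'S' SYN, 'R' RST, '.' ACK (so SYN/ACK is 'S.')."""
    s = ""
    if flags & SYN:
        s += "S"
    if flags & RST:
        s += "R"
    if flags & ACK:
        s += "."
    return s or "none"


def classify(packets):
    """Walk packets in order; return per-class counts and per-reflector counts."""
    pending = set()          # (our_ip, our_port, peer_ip, peer_port) of sent SYNs
    counts, reflectors = Counter(), Counter()
    for pkt in packets:
        src, dst, sport, dport, _, flags = parse_ipv4_tcp(pkt)
        outbound = ipaddress.ip_address(src) in OUR_NET
        if outbound and flags & (SYN | ACK) == SYN:
            pending.add((src, sport, dst, dport))      # step 1 of the handshake
            counts["outbound_syn"] += 1
        elif not outbound and (flags & (SYN | ACK) == SYN | ACK or flags & RST):
            key = (dst, dport, src, sport)
            kind = "synack" if flags & SYN else "rst"
            if key in pending:                         # step 2 answering our SYN
                pending.discard(key)
                counts["solicited_" + kind] += 1
            else:                                      # nobody here sent that SYN
                counts["unsolicited_" + kind] += 1
                reflectors[src] += 1
    return counts, reflectors


def demo_packets():
    """Constructed sample: one real handshake plus a burst of reflected SYN/ACKs."""
    pkts = [
        build_ipv4_tcp("203.0.113.10", "198.51.100.5", 40000, 443, SYN),
        build_ipv4_tcp("198.51.100.5", "203.0.113.10", 443, 40000, SYN | ACK),
    ]
    for port in (12345, 12346, 12347):   # reflector replying to spoofed SYNs
        pkts.append(build_ipv4_tcp("198.51.100.7", "203.0.113.20", 80, port,
                                   SYN | ACK, ttl=55))
    pkts.append(build_ipv4_tcp("192.0.2.33", "203.0.113.21", 25, 5555, RST | ACK))
    return pkts


if __name__ == "__main__":
    counts, reflectors = classify(demo_packets())
    print(dict(counts))
    print("top reflectors:", reflectors.most_common(3))
```

Applied to a real capture you would feed `classify` the IP payload of each frame; the per-reflector counter is what you would hand to the reflector's NOC, and the flag string is the detail the post asks the OP for (a reflected SYN/ACK shows as "S.", the RST that follows as "R." or "R").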

Re: DDoS Mitigation Survey

2020-01-20 Thread Jean | ddostest.me via NANOG
Exactly, so one of the best options to fight DDoS is not available through public information. @Lumin: You should start your investigation with uRPF loose. Best regards, Jean On 2020-01-20 11:31, Dobbins, Roland wrote: On 20 Jan 2020, at 22:49, Jean | ddostest.me wrote: uRPF loose or

Re: DDoS Mitigation Survey

2020-01-20 Thread Jean | ddostest.me via NANOG
uRPF loose or strict. Which ISP supports it? So far, I found none through public information. On 2020-01-20 10:38, Dobbins, Roland wrote: On 20 Jan 2020, at 19:59, Jean | ddostest.me via NANOG wrote: Where can we find public information on how to use S/RTBH This .pdf preso on mitigation
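The two posts above ask which mode of uRPF to start with and who supports it; the difference between loose and strict, and the reason loose mode is the one paired with S/RTBH, is easier to see in code than in prose. The following is an added example, not vendor code and not from the thread: a tiny longest-prefix FIB, the two reachability tests, and a Null0 route injected the way S/RTBH does it. Prefixes, interface names and the "allow-default" knob are constructed for the demo; on Cisco IOS the equivalent interface commands are `ip verify unicast source reachable-via rx` (strict) and `ip verify unicast source reachable-via any` (loose), each with an optional `allow-default`.

```python
"""Loose versus strict uRPF, and how S/RTBH rides on loose mode.

Added illustration, not vendor code. Assumptions: a FIB keyed by prefix
with one outgoing interface per route, a Null0 pseudo-interface for
blackholed prefixes, and RFC 5737 / RFC 6598 addresses as sample input.
"""
import ipaddress

NULL0 = "Null0"


class Fib:
    def __init__(self, routes):
        # routes: {prefix string: outgoing interface}
        self.routes = []
        for prefix, ifc in routes.items():
            self.add(prefix, ifc)

    def add(self, prefix, ifc):
        """Insert a route; keep the table sorted longest prefix first."""
        self.routes.append((ipaddress.ip_network(prefix), ifc))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        """Longest-prefix match; returns (network, interface) or None."""
        a = ipaddress.ip_address(addr)
        for net, ifc in self.routes:
            if a in net:
                return net, ifc
        return None


def _route_for(fib, src, allow_default):
    hit = fib.lookup(src)
    if hit is None:
        return None                      # unrouted source: both modes drop
    net, ifc = hit
    if net.prefixlen == 0 and not allow_default:
        return None                      # only the default route covers it
    return ifc


def urpf_loose(fib, src, allow_default=False):
    """Pass if any usable route covers the source. A route to Null0 fails,
    which is exactly how an S/RTBH-injected blackhole turns into a drop."""
    ifc = _route_for(fib, src, allow_default)
    return ifc is not None and ifc != NULL0


def urpf_strict(fib, src, ingress, allow_default=False):
    """Pass only if the best route back to the source leaves via the
    interface the packet came in on. Breaks asymmetric routing, so it
    belongs on single-homed customer edges, not peering or transit."""
    ifc = _route_for(fib, src, allow_default)
    return ifc is not None and ifc != NULL0 and ifc == ingress


def build_fib():
    """Constructed edge router FIB: one customer, one peer, one upstream."""
    return Fib({
        "0.0.0.0/0": "upstream",
        "198.51.100.0/24": "cust-a",
        "203.0.113.0/24": "peer-x",
    })


def evaluate(fib, samples, allow_default=False):
    """samples: [(src, ingress)] -> {'src@ingress': (loose_pass, strict_pass)}."""
    return {f"{src}@{ifc}": (urpf_loose(fib, src, allow_default),
                             urpf_strict(fib, src, ifc, allow_default))
            for src, ifc in samples}


if __name__ == "__main__":
    fib = build_fib()
    samples = [
        ("198.51.100.9", "cust-a"),   # customer source on customer port
        ("198.51.100.9", "peer-x"),   # customer address arriving from a peer
        ("100.64.0.1", "upstream"),   # covered by the default route only
        ("192.0.2.5", "peer-x"),      # about to be blackholed
    ]
    print("before S/RTBH:", evaluate(fib, samples))
    fib.add("192.0.2.0/24", NULL0)    # S/RTBH trigger: spoofed source -> Null0
    print("after S/RTBH: ", evaluate(fib, samples))
```

Reading the output: loose mode lets the customer address in from the peer port (strict does not), refuses the default-only source until allow-default is set, and drops 192.0.2.5 only once the Null0 route exists. That last line is the whole point of the survey question: loose uRPF on its own stops little spoofing from routed space, but with S/RTBH feeding it Null0 routes it becomes a source-based drop that needs no ACL change on the box.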

Re: DDoS Mitigation Survey

2020-01-20 Thread Jean | ddostest.me via NANOG
Where can we find public information on how to use S/RTBH and which providers support it. Thanks Jean On 2020-01-14 17:31, Dobbins, Roland wrote: There are literally decades of information on these topics available publicly. Router and switch ACLs (both static and dynamically-updated via

Re: DDoS attack

2019-12-09 Thread Jean | ddostest.me via NANOG
On which UDP port? On 2019-12-09 15:07, ahmed.dala...@hrins.net wrote: Dear All, My network is being flooded with UDP packets, a Denial of Service attack, sourcing from Cloudflare and Google IP addresses, with 200-300 Mbps minimum traffic; the destinations in my network are IP prefixes that

Re: Viability of GNS3 network simulation for testing features/configurations.

2019-10-16 Thread Jean | ddostest.me via NANOG
I heard good stuff about Cisco VIRL. It's like an ESX for network devices. On 2019-10-16 15:23, Jason Kuehl wrote: I use the server version of GNS and I love it. I just need to VPN into my DC and use my client to connect to GNS. On Wed, Oct 16, 2019 at 2:22 PM Mike Bolitho

Re: Any Gmail Admins on here?

2018-10-27 Thread Jean | ddostest.me via NANOG
Expired certificate, confirmation email delivered in SPAM. I agree that it looks phishy even if it's probably not. When you read the email in Gmail, you can click on the 3 little dots, which will expand a menu, and then on "Show original". You should see 3 important email attributes for

Re: IPv6 faster/better proof? was Re: Need /24 (arin) asap

2018-06-23 Thread Jean | ddostest.me via NANOG
From an Apple device point of view, IPv6 should be faster than IPv4 where both are available, because Apple adds a 25 ms artificial penalty to IPv4 DNS resolution. https://ma.ttias.be/apple-favours-ipv6-gives-ipv4-a-25ms-penalty/ So if you test facebook from a Mac/iPhone/iPad, it will

Re: Attacks on BGP Routing Ranges

2018-04-19 Thread Jean | ddostest.me via NANOG
Maybe we are missing a key item here. Ryan, is the attack on the BGP peering range killing your router or is it an attack saturating the link? Do you have some netflow samples of one of these attacks or any kind of hints of what happened? Jean St-Laurent On 04/18/2018 11:01 PM, Roland

Re: NG Firewalls & IPv6

2018-04-03 Thread Jean | ddostest.me via NANOG
If by NextGen you mean performance, then I recommend having a look at kipfw over the Netmap driver on a FreeBSD 11 box. You buy a couple of Chelsio 40 Gbps or 100 Gbps NICs and you are in business. It was mentioned here on NANOG a couple of years ago. Very good stuff, but you will need to invest a

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Jean | ddostest.me via NANOG
I ran a full scan of the internet with zmap to find vulnerable memcached servers from an AWS server. AWS received an abuse report and forwarded it to me. I deleted the VM and the case was closed... LOL OVH is not dumb. Do you know how easy it is to deploy a VM today with all the automated

Re: Opensource SNMP Trap Receivers ???

2018-02-13 Thread Jean | ddostest.me via NANOG
People often brag that SNMP is super easy. You soon find out that it's not always the case. Some vendors do it better than others. Whatever tool you use, it's important to keep in mind to start small. My biggest advice is to start with 1 small example. One that is needed for you

Re: Blockchain and Networking

2018-01-09 Thread Jean | ddostest.me via NANOG
BTC miners use ASICs. Big switches/routers use 100 Gb ASICs. Some switches have multiple 100 Gb ASICs and sometimes only half is used, or even less. I guess it could be nice for some smaller telcos to generate some profit during off-peak periods. I don't know how feasible it is and I fully understand that

Spectre/Meltdown impact on network devices

2018-01-07 Thread Jean | ddostest.me via NANOG
Hello, I'm curious to hear the impact on network devices of these new hardware flaws that everybody talks about. Yes, the Meltdown/Spectre flaws. I know that some Arista devices seem to use AMD chips and some say that they might be immune to one of these vulnerabilities. Still, it's possible to

Re: Suggestions for a more privacy conscious email provider

2017-12-03 Thread Jean | ddostest.me via NANOG
If you plan to use it for a small group of people, you should consider hosting it yourself. You could set it up with SPF, DKIM, DMARC, IPv6. It could be seen as a personal challenge to achieve. Then if you need real privacy, you will need to encrypt with public keys like PGP or S/MIME. You can

Re: Alternatives to ISE?

2017-12-03 Thread Jean | ddostest.me via NANOG
I'm about to try this one. https://packetfence.org/ Not sure if it covers all the features you need though, but it seems promising. In case you give it a try, could you share your experience please? Thanks Jean On 17-12-03 09:48 AM, segs wrote: > Forescout but if you want something simpler

Re: Spoofer Project

2017-08-10 Thread Jean | ddostest.me via NANOG
Is it me, or is NANOG's AS allowing spoofing? https://spoofer.caida.org/as.php?asn=19230 On 17-08-03 09:19 PM, Matthew Luckie wrote: > Hi, > > The CAIDA Spoofer project has been collecting and publicly sharing > data on the deployment of source address validation since March 2016. > We've built up

Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-22 Thread Jean | ddostest.me via NANOG
n the wild whilst 3 months into a position at a company that sells 'self-DDoS' services for testing purposes. In the absence of anything more than 'GUYZ THIS IS SERIOUS', with no technical details, you can surely understand the skepticism. On Thu, Dec 22, 2016 at 5:45 AM, Jean | ddostest.me

Re: [Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-22 Thread Jean | ddostest.me via NANOG
I admit that I have a lot of guts. Not sure who said that I am a booter or that I operate a booter. I have been fighting booters for more than 5 years, and who would be stupid enough to put his full name with full address on a respected network operators list? Definitely not me. I want to help and fix

[Tier1 ISP]: Vulnerable to a new DDoS amplification attack

2016-12-21 Thread Jean | ddostest.me via NANOG
Hello all, I'm a first time poster here and hope to follow all rules. I found a new way to amplify traffic that would generate a really high volume of traffic. +10 Tbps ** There is no need for spoofing ** so any device in the world could initiate a really big attack or be part of an attack. We