Hi all

Many thanks for the many inputs we got on- and off-list!

Although it didn't help to find the source of the attacks, it was - besides the
support from our upstreams - very helpful in mitigating the (constantly changing) floods.

It has been quiet for a few days now, and we hope it stays that way...

Regards,
Patrick


At 07:02 08.08.2013, Jeroen Massar wrote:
On 2013-08-07 21:45, ZUGERNET NOC wrote:
[..]
> If one of you can give me a hint on how to track down WHO is
> causing this, I would really appreciate any help, however small it may be.
> I know that technically such attacks are not trackable - but what I
> mean is more: if someone can share some "underground knowledge" with me
> to possibly find out which bot-net is used (under the control of whom
> etc.; we can share some netflow capture with a huge amount of
> source IP addresses) and possibly has "underground contacts" to find out
> more about them...?

Instead of looking at the sources, which tend to be spoofed, check what
the destination is: typically it will show what the attacker wants to
knock off the Internet, and likely it is something that you did not
want on your network. Of course, if they are smart they are hitting your
core network instead so that you are overloaded everywhere...

To avoid affecting your other customers, make sure you and your
upstreams implement BCP-38 properly and, depending on the
target, possibly ask your upstream to null-route the target; that way the traffic
does not affect your other customers.

NetFlow, btw, will not be very useful: it might show some pattern, but
without a pcap there will be little to say about which botnet it is.

Greets,
 Jeroen
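The two practical steps in the reply above (rank flows by destination instead of trusting spoofed sources, and check what a BCP-38 filter on the customer-facing side would have dropped) can be done from ordinary flow records. The script below is an added example, not code from either poster or from SWINOG; the flow records it analyses are constructed in the script itself (a single-packet flood from thousands of random sources towards one host in 203.0.113.0/24, a handful of long-lived legitimate sessions, and one egress flow with a source address outside the assumed customer prefix), and the prefix 203.0.113.0/24, the `Flow` record layout and the in/out direction labels are assumptions for the example.

```python
"""
Find a DDoS target by aggregating NetFlow-style records per destination,
and list egress flows that BCP-38 ingress filtering should have dropped.
Added example; all flow records here are constructed, not real captures.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import random


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    octets: int
    direction: str  # assumed: "in" = from upstream towards us, "out" = from our customers


# Assumed customer address space for the example (TEST-NET-3, RFC 5737).
OUR_PREFIXES = [ip_network("203.0.113.0/24")]


def constructed_flows(seed: int = 1) -> list:
    """Build a deterministic, constructed flow table for the example."""
    rng = random.Random(seed)
    flows = []
    # Flood: 5000 single-packet UDP flows from random (i.e. unverifiable,
    # probably spoofed) sources, all aimed at one host.
    for _ in range(5000):
        src = "%d.%d.%d.%d" % (rng.randint(1, 223), rng.randint(0, 255),
                               rng.randint(0, 255), rng.randint(1, 254))
        flows.append(Flow(src, "203.0.113.10", 17, 80, 1, 1400, "in"))
    # Legitimate traffic: few sources, many packets each, to another host.
    for i in range(20):
        flows.append(Flow("198.51.100.%d" % (i + 1), "203.0.113.20", 6, 443, 120, 90000, "in"))
    # Egress: one flow whose source is not ours (a BCP-38 violation) and one normal flow.
    flows.append(Flow("192.0.2.77", "198.51.100.200", 17, 53, 50, 4000, "out"))
    flows.append(Flow("203.0.113.20", "198.51.100.200", 6, 443, 80, 60000, "out"))
    return flows


def top_destinations(flows, n: int = 3):
    """Rank inbound destinations by packet count.

    Returns a list of (dst, packets, octets, distinct_sources); the flood
    target shows up on top regardless of how many sources were spoofed.
    """
    stats = defaultdict(lambda: {"packets": 0, "octets": 0, "sources": set()})
    for f in flows:
        if f.direction != "in":
            continue
        s = stats[f.dst]
        s["packets"] += f.packets
        s["octets"] += f.octets
        s["sources"].add(f.src)
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["packets"], reverse=True)
    return [(dst, s["packets"], s["octets"], len(s["sources"])) for dst, s in ranked[:n]]


def spoofing_indicator(flows, dst: str):
    """Return (distinct_sources, packets_per_source) for one destination.

    Thousands of sources sending about one packet each is the signature of
    spoofed sources (or a very large botnet); real sessions send many more.
    """
    packets = 0
    sources = set()
    for f in flows:
        if f.direction == "in" and f.dst == dst:
            packets += f.packets
            sources.add(f.src)
    return len(sources), (packets / len(sources) if sources else 0.0)


def bcp38_violations(flows, prefixes=OUR_PREFIXES):
    """Egress flows whose source is outside our prefixes.

    These are exactly the packets a BCP-38 ingress ACL on the customer-facing
    interfaces should drop; if this list is non-empty, our network can be used
    as a spoofing source against someone else.
    """
    return [f for f in flows
            if f.direction == "out" and not any(ip_address(f.src) in p for p in prefixes)]


if __name__ == "__main__":
    flows = constructed_flows()
    for dst, pkts, octets, nsrc in top_destinations(flows):
        print("%-15s packets=%6d octets=%9d sources=%5d" % (dst, pkts, octets, nsrc))
    target = top_destinations(flows, 1)[0][0]
    print("top target %s: sources=%d packets/source=%.2f" % ((target,) + spoofing_indicator(flows, target)))
    for f in bcp38_violations(flows):
        print("BCP-38 violation: src %s leaving towards %s" % (f.src, f.dst))
```

The top entry is the candidate for the null-route request to the upstream (the "destination" Jeroen refers to), and the packets-per-source ratio is the quick sanity check before spending any time on the source list; the BCP-38 function is the same test as an egress ACL, just run over exported flows instead of on the router.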



_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
