DOS attack assistance?

One of my customers, a host at 64.8.105.15, is feeling a "bonus" ~130kpps from 88.191.63.28. I've null-routed the source, though our Engine2 GE cards don't seem to be doing a proper job of that, unfortunately. The attack is a solid 300% more pps than our aggregate traffic levels.

It's coming in via 6461, but they don't appear to have any ability to backtrack it. Their only offer is to blackhole the destination until the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS that has little if any information publicly visible.

Any pointers on what to do next?

Thanks,

Pete

role: Technical Contact for ProXad
address: Free SAS / ProXad
address: 8, rue de la Ville L'Eveque
address: 75008 Paris
phone: +33 1 73 50 20 00
fax-no: +33 1 73 92 25 69
remarks: trouble: Information: http://www.proxad.net/
remarks: trouble: Spam/Abuse requests: mailto:abuse@proxad.net
admin-c: RA999-RIPE
tech-c: FG4214-RIPE
nic-hdl: TCP8-RIPE
mnt-by: PROXAD-MNT
source: RIPE # Filtered
abuse-mailbox: abuse@proxad.net

Do you really call this "little if any information publicly visible"?

Pete Templin wrote:

One of my customers, a host at 64.8.105.15, is feeling a "bonus"
~130kpps from 88.191.63.28. I've null-routed the source, though our
Engine2 GE cards don't seem to be doing a proper job of that,
unfortunately. The attack is a solid 300% more pps than our aggregate
traffic levels.

It's coming in via 6461, but they don't appear to have any ability to
backtrack it. Their only offer is to blackhole the destination until
the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS
that has little if any information publicly visible.

Any pointers on what to do next?

If it's all coming from that single IP 88.191.63.28, just request that
your upstream block it. Usually if you explain the situation to them
they'll oblige.

Otherwise you'll want to look at mitigation gear (Toplayer, Cisco, etc)
there are loads out there or you can look into a DDoS mitigation service.

The Contacts I can see for that ASN are

role: Technical Contact for ProXad
address: Free SAS / ProXad
address: 8, rue de la Ville L'Eveque
address: 75008 Paris
phone: +33 1 73 50 20 00
fax-no: +33 1 73 92 25 69
remarks: trouble: Information: http://www.proxad.net/
remarks: trouble: Spam/Abuse requests: mailto:abuse@proxad.net
admin-c: RA999-RIPE
tech-c: FG4214-RIPE
nic-hdl: TCP8-RIPE
mnt-by: PROXAD-MNT
source: RIPE # Filtered
abuse-mailbox: abuse@proxad.net

Hope that helps!

--J

Hello,

One of my customers, a host at 64.8.105.15, is feeling a "bonus"
~130kpps from 88.191.63.28. I've null-routed the source, though our
Engine2 GE cards don't seem to be doing a proper job of that,
unfortunately. The attack is a solid 300% more pps than our aggregate
traffic levels.

It's coming in via 6461, but they don't appear to have any ability to
backtrack it. Their only offer is to blackhole the destination until
the attack subsides. BGP tells me the source is in AS 12322, a RIPE AS
that has little if any information publicly visible.

12322 is Free, a DSL (and now FTTH) provider in France. They also have
a dedicated server hosting service.

88.191.63.28 is one of these dedicated servers, hosted in one of their
DCs:
traceroute to 88.191.63.28 (88.191.63.28), 30 hops max, 60 byte packets
...
7 10ge-1-50.bzn-swr5.dedibox.fr (88.191.2.37) 353.946 ms 334.180 ms 336.400 ms
8 sd-11899.dedibox.fr (88.191.63.28) 338.403 ms 374.956 ms 376.837 ms

I thought these were supposed to be connected at 100MBps, but if you see
more than that, then it is possible that they are now connected through a GBps
port.

You can try to contact the dedibox NOC, and Free:
noc@free.fr
can be a nice place to start...

Paul

Mikael Abrahamsson wrote:

Do you really call this "little if any information publicly visible"?

Nope, I was wrong about that. My search-fu on RIPE isn't up to snuff, apparently; hence the request for assistance.

pt

One of my customers, a host at 64.8.105.15, is feeling a "bonus"
~130kpps from 88.191.63.28. I've null-routed the source, though our
Engine2 GE cards don't seem to be doing a proper job of that,
unfortunately. The attack is a solid 300% more pps than our aggregate
traffic levels.

Null routing the source isn't going to stop the inbound packets from reaching the target of
the attack. All that's going to do is blackhole packets back to the attacker from anyone hopping
through the router carrying the null route.

- Darrell

Hi,

Please look for proxad.fr <-- Free

Free is an ADSL provider based in France and proxad is a hosting
company (please have a look at the "dig -x" below)

dig -x 88.191.63.28

; <<>> DiG 9.5.0b2 <<>> -x 88.191.63.28
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;28.63.191.88.in-addr.arpa. IN PTR

;; ANSWER SECTION:
28.63.191.88.in-addr.arpa. 86400 IN PTR sd-11899.dedibox.fr.

;; AUTHORITY SECTION:
63.191.88.in-addr.arpa. 86400 IN NS dns2.dedibox.fr.
63.191.88.in-addr.arpa. 86400 IN NS dns1.dedibox.fr.

;; Query time: 390 msec
;; SERVER: 200.80.96.100#53(200.80.96.100)
;; WHEN: Wed Nov 26 08:46:38 2008
;; MSG SIZE rcvd: 114

Null routing the source isn't going to stop

<snip>

Except when doing source based blackholing, see
draft-kumari-blackhole-urpf-02 section #4

Dave.
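The point Darrell and Dave make above, as an added illustration that is not part of the thread: a forwarding decision is made on the destination, so a Null0 route for the attacker's source only drops replies, whereas a loose-mode uRPF check (the source-based blackholing of draft-kumari-blackhole-urpf) turns that same Null0 route into an inbound drop. The customer prefix 64.8.105.0/24, the next-hop names and the address 198.51.100.7 are constructed for the model.

```python
import ipaddress

NULL0 = "Null0"


class Router:
    """Toy FIB with longest-prefix match and optional loose-mode uRPF."""

    def __init__(self, urpf_loose=False):
        self.fib = []  # list of (network, next_hop), longest prefix first
        self.urpf_loose = urpf_loose

    def add_route(self, prefix, next_hop):
        self.fib.append((ipaddress.ip_network(prefix), next_hop))
        self.fib.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        for net, nh in self.fib:
            if ip in net:
                return nh
        return None

    def forward(self, src, dst):
        """Return the next hop for src->dst, or a 'drop:<reason>' string."""
        if self.urpf_loose:
            # Loose uRPF: the source must be reachable via some route that is
            # not Null0. The model counts the default route as reachable
            # (like IOS 'allow-default'), so only null-routed sources fail.
            nh = self.lookup(src)
            if nh is None or nh == NULL0:
                return "drop:urpf"
        nh = self.lookup(dst)
        if nh is None:
            return "drop:noroute"
        return "drop:null0" if nh == NULL0 else nh


def build(urpf_loose):
    r = Router(urpf_loose)
    r.add_route("0.0.0.0/0", "upstream-6461")      # assumed transit next hop
    r.add_route("64.8.105.0/24", "customer-port")  # assumed customer prefix
    r.add_route("88.191.63.28/32", NULL0)          # Pete's null route for the source
    return r


ATTACKER, VICTIM, LEGIT = "88.191.63.28", "64.8.105.15", "198.51.100.7"


def without_urpf():
    r = build(urpf_loose=False)  # flood still delivered; only replies blackholed
    return r.forward(ATTACKER, VICTIM), r.forward(VICTIM, ATTACKER)


def with_urpf():
    r = build(urpf_loose=True)   # flood dropped on ingress; legit traffic passes
    return r.forward(ATTACKER, VICTIM), r.forward(LEGIT, VICTIM)
```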