Dyn DDoS this AM?

Does anyone have any additional details? Seems to be over now, but I'm very
curious about the specifics of such a highly impactful attack (and it's
timing following NANOG 68)...


I cannot give additional info other than what’s been on “public media”.

However, I would very much like to say that this is a horrific trend on the Internet. The idea that someone can mention a DDoS then get DDoS’ed Can Not Stand. See Krebs’ on the Democratization of Censorship. See lots of other things.

To Dyn and everyone else being attacked:
The community is behind you. There are problems, but if we stick together, we can beat these miscreants.

To the miscreants:
You will not succeed. Search "churchill on the beaches”. It’s a bit melodramatic, but it’s how I feel at this moment.

To the rest of the community:
If you can help, please do. I know a lot of you are thinking “what can I do?" There is a lot you can do. BCP38 & BCP84 instantly come to mind. Sure, that doesn’t help Mirai, but it still helps. There are many other things you can do as well.

But a lot of it is just willingness to help. When someone asks you to help trace an attack, do not let the request sit for a while. Damage is being done. Help your neighbor. When someone’s house is burning, your current project, your lunch break, whatever else you are doing is almost certainly less important. If we stick together and help each other, we can - we WILL - win this war. If we are apathetic, we have already lost.

OK, enough motivational speaking for today. But take this to heart. Our biggest problem is people thinking they cannot or do not want to help.


Well said, Patrick.


Anyone want a quick consulting gig helping us configure BCP38 and BCP84?

Configurations is all cisco
Edge routers connect to Verizon, Level 3 Fiber
Each Edge router talks to two BGP routers.

$150/hour, I'm guessing it is only an hour for somebody to explain, and guide us through the configuration, but OK if longer.


Bob Roswell
410-771-5544 ext 4336

Computer Museum Highlights

Are there sites that can test your BCP38\84 compliance? I'm okay, but interested in what I can share to raise awareness.

LA Times: Why sites like Twitter and Spotify were down for East Coast users this morning


Attack has re-started. This is the time, folks. Rally the troops, offer help, watch your flow.



I actually can't resolve twitter.com this morning and I'm west coast. None of the four listed DNS servers are responding.

twitter.com. 172800 IN NS ns1.p34.dynect.net.
twitter.com. 172800 IN NS ns2.p34.dynect.net.
twitter.com. 172800 IN NS ns3.p34.dynect.net.
twitter.com. 172800 IN NS ns4.p34.dynect.net.

Trace routes seem to point towards San Jose or Palo Alto or Los Angeles.



    Yeah good luck with that... 15+ years later and most of the actors
that could fix that, for the planete, still refuses to do anything.

    Now you can start the usual circular discussion that goes nowhere
after 3 days...

    PS: yeah usual BCP38 rant... but its friday.

Sure, we'll do it.

That rate is quite a bit less than our normal retail rate, but in the spirit that Patrick posted about, Network Utility Force will be happy to provide you or any other operator resources at that rate to help configure BCP38 and BCP84.

Anyone serious about that, email me privately at bross@netuf.net and we'll put paperwork together.

Do we know the attack destinations so we can watch transit traffic destined for it to help sources that may be unaware?


My guess is you should track anything to as33517.

Quick note: If anyone has this installed already on OSX, bring up the
console and see if it's still running. I discovered (while watching the
NANOG preso) that mine had an issue and was failing silently. Re-installing
the new version fixed the issue.

The funny part of the story, looking through the logs to see which networks
I roamed on that were spoofable, the only positive hit was for the NANOG
conference network in Chicago :slight_smile:


Just a FYI,

    That "horrific trend" has been happening since some techie got
dissed on an IRC channel over 20 years ago.

    He used a bunch of hosted putters to ICMP flood the IRC server.

    Whatever the community is behind, until the carriers decide to wise
up this will keep happening, that is without talking about the
industries being developed around DDoSes events.

    Enjoy your weekend. ( I ain't on call anymore anyway =D )

anyone who relies on a single dns provider is just asking for stuff such
as this.


The brutal reality in todays world is that anyone that relies on the
Internet is just asking for stuff like this. No service is safe.


Andrew Fried


I'd love to hear how others are handling the overhead of managing two dns
providers. Every time we brainstorm on it, we see it as blackhole of eng
effort WRT to keeping them in sync and and then waiting for TTLs to cut an
entire delegation over.