Anyone have any additonal info on a DDOS attack hitting host.us?
Woke up to no email this morning and the following from their web site:
*Following an extortion attempt, HostUS is currently experiencing sustained
large-scale DDOS attacks against a number of locations. The attacks were
measured in one location at 300Gbps. In another location the attacks
temporarily knocked out the entire metropolitan POP for a Tier-1 provider.
Please be patient. We will return soon. Your understanding is appreciated.
Could it be related to the last 2 days DDoS of PokemonGO (which
failed) and some other gaming sites (Blizzard and Steam)?
And on the subject of CloudFlare, I'm sorry for that CloudFlare
person that defended their position earlier this week, but there may be
more hints (unverified) against your statements:
"One thing LeakedSource staff spotted was that the first payment
recorded in the botnet's control panel was of $1, while payments for the
same package plan were of $19.99."
( Paypal payments btw )
There is enough information, and damages, imho, to start looking for
the people responsible from a legal standpoint. And hopefully the
proper authorities are interested.
PS:
I will like to take this time to underline the lack of
participation from a vast majority of ISPs into BCP38 and the like. We
need to keep educating them at every occasion we have.
For those that actually implemented some sort of tech against
it, you are a beacon of hope in what is a ridiculous situation that has
been happening for more than 15 years.
Bcp38 is not the issue. It is only the trigger, and as long as one network
in Elbonia allows spoofs, that one network can marshall 100s of gbs of
ddos power. Years of telling people to do bcp38 has not worked.
The issue is for you and your neighbor to turn off your reflecting udp
amplifiers (open dns relay, ssdp, ntp, chargen) and generously block
obvious ddos traffic. A healthy udp policer is also smart. I suggest
taking a baseline of your normal peak udp traffic, and build a policer that
drops all udp that is 10x the baseline for bw and pps.
Bcp38 is good, but it is not the solution we need to tactically stop
attacks.
This is not pretty. But it works at keeping your network up.
At the risk of starting a "NANOG war" [1], BCP isn't a magic wand.
If I find a zero day in the nasty customised kernels that OVH run on
their clients boxes, I only need 300 compromised hosts to send 300Gbps
of traffic without spoofing the IP or using amplification attacks [2].
I can rent a server with a 10Gbps connection for 1 hour for a few
quid/dollars. I could generate hundreds of Gbps of traffic for about
£1000 from legitimate IPs, paid for with stolen card details. How will
BCP save you then? Can everyone stop praising it like it was a some
magic bullet?
James.
[1] A pathetic and futile one, so different from the rest.
[2] Subsitute OVH for any half decent provider that isn't really oversubscribed.
That sound like the CloudFlare argument: You cannot fix the DDoSs
at the source because Elbonia can do it. The only solution is to pay
for protection.
Between you and me, if only Elbonia are left DDoSing at 100Gbps, we
simply de-peer the commercial subnets from that country (leaving the
govt subnets up obviously) and see for them to deal with their trash
ISPs once for all. ( That's how we used to do it early on when the IIRC
flooding started ).
Or we keep getting DDoSed for the next 100+ years.
PS: Yes, the fictional country from the Dilbert syndicated cartoons.
That sound like the CloudFlare argument: You cannot fix the DDoSs
at the source because Elbonia can do it. The only solution is to pay
for protection.
No. I hate the idea of paying for protection from a cloud or appliance.
Elbonia just has the trigger. The loaded gun is the ddos reflector in
comcast, cox, vz, and everyone else.
Between you and me, if only Elbonia are left DDoSing at 100Gbps, we
simply de-peer the commercial subnets from that country (leaving the
govt subnets up obviously) and see for them to deal with their trash
ISPs once for all. ( That's how we used to do it early on when the IIRC
flooding started ).
There are known problematic networks. I have not seen any of them or their
facilitating upstreams depeered. I can name 4 networks that source 75% of
my attack attack traffic. Comcast was one due to their ssdp reflection,
they stopped that now. But still lots of dns attacks from them.
Or we keep getting DDoSed for the next 100+ years.
On that track.
PS: Yes, the fictional country from the Dilbert syndicated cartoons.
Swap in your favorite real world country / network that has very real abuse
source reputation.
I didn't want to pollute nanog list with my BCP38 (or other
solutions) ranting, but come on:
[1] How can insuring source IP's, coming out your network, are part of
your advertised subnets pathetic and futile?
Don't you think if the source ip are traceable back to OVH actually,
it would be easy for OVH to see and deal with it, instead of noises with
random source IP coming from the bunch of un-patched residential routers
in Latin America's (for example)?
And we're back on track with "do nothing but pay for protection" as
the only solution. Gotta love Humans.
Back on topic about HostUS, I've been following a thread on LowEndTalk
where seemingly Alexander's been updating ( https://www.lowendtalk.com/discussion/comment/1791998/#Comment_1791998) -
seems like Atlanta and LA are still down ATM based on latest reports -
nearly 10 hours now.
Doing BCP38 or blocking\shutting off known amplification vectors both require effort and both accomplish the same thing. Of course doing both is best.
One provider in "Elbonia" getting through is far more damaging to that provider in Elbonia than the rest of the world, if they were the only ones left.
Do many last mile providers implement BCP38 at their CE? Seems like it's better to stop it at the CE than the PE.
my car still gets smashed becuase mad max is on the road. I now have a
broken back.
And you are telling me to make sure to wear a seat belt. Did that. Did not
stop mad max from ruining my day. Please provide more and better advice on
avoiding injury.
Step one. Collectively work to deflate mad max's tires (stop the udp
reflectors that max uses)
As discussed a few months ago (maybe Christmas time?), Comcast is actively suspending accounts involved in DNS amplification. Certainly on a network like theirs, it's an internal issue as well.
