Peace,
Here’s to confirm that the pattern reported before in NANOG was indeed a reflection DDoS attack. On Sunday, it also hit our customer, here’s the report:
tl;dr: basically that was a rather massive reflected SYN/ACK carpet bombing against several datacenter prefixes (no particular target was identified).
Thanks for following up, and for publishing two bits of key data:
Some additional questions, if you’re able to answer them (off-list is fine if there are things that can’t be shared broadly):
Damian
Peace,
Some additional questions, if you're able to answer them (off-list is fine if there are things that can't be shared broadly):
- Was the attack referred to law enforcement?
It is being referred to now. This would most probably get going under
the jurisdiction of the Netherlands. Whether the latter would be able
to address it properly or not remains to be seen, but honestly I'm not
quite optimistic here.
- Were any transit providers asked to trace the
source of the spoofing to either stop the attack
or facilitate the law enforcement investigation?
No.
Initially we were busy setting up the game and pushing the upstreams
to accept our new customer prefix advertisements a.s.a.p.
Afterwards we were too busy trying to understand why some of the
upstreams didn't work as expected (that part was mentioned in the
report).
Hence, tracing the source was not deemed a high priority task.
Töma, thanks for this interesting update. The best defense against this type of DDoS attacks seems idd to be relaying to sufficiently-large-bandwidth cloud/CDN, and filtering TCP traffic (received not from the relay). Such relaying should be done well - smart attacks may still be possible for `naive’ relaying.
Hi,
Same happened in Lebanon(country). Similar pattern: carpet bombing for multiple prefixes of specific ASN.
I suspect it is a new trend in DDoS-for-hire, and ISP who did not install data scrubbing appliances will feel severe pain from such attacks, since they use SYN + ACK from legit servers.
Some additional questions, if you’re able to answer them (off-list is fine if there are things that can’t be shared broadly):
- Was the attack referred to law enforcement?
It is being referred to now. This would most probably get going under
the jurisdiction of the Netherlands.
Deeper analysis and discussion indicates there were several victims: we saw brief attacks targeting some of our cloud customers with syn-ack peaks above 125 Mpps; another provider reported seeing 275Mpps sustained. So presumably there are a few law enforcement investigations under way, in various jurisdictions.
- Were any transit providers asked to trace the
source of the spoofing to either stop the attack
or facilitate the law enforcement investigation?No… tracing the source was not deemed a high priority task.
Fair enough. I just didn’t want to duplicate effort.
The source of the spoofing has been traced. The responsible hosting provider has kicked off their problem customer, and is exploring the necessary filtering to prevent a recurrence.
If anyone sees more of this style of attack please send up a flare so the community knows to track down the new source.
Damian
One of my clients suffered from such attacks.
And you know what the secondary harm is? Typical false flag issue.
Even if you have decent DDoS protection setup, it is highly likely that involuntary reflectors administrators will not puzzle what to do with this, they will simply block your subnet/ASN.
For example attacker spoof hosting operator subnets, did SYN flood to all credit card processing gateways, and sure legit hosting gets SYN+ACK.
And this hosting after suffering to block this SYN+ACK reflection will find an unpleasant thing - not a single credit card processing gateway is available from his subnets.
Good example is EAGames, Rockstar, fs.com of those, who just set static ACL