Retalitory DDoS

Is there a club for people that have been DDoSed? If so, count me in.

This one was directed at me (as opposed to one of my customers) because I got an e-mail explaining why I was getting DDoSed. Is that aspect common?

There were also some racial and sexual accusations that were made that clearly aren’t true and just speak to the intelligence of people like this.

Is it safe to assume that they completely anonymized the email they sent to me?

Is there anyone I should be reporting this to?

I thought my site was running in Cloudflare, but my individual server was still attacked, so I gotta figure out where I screwed that up.

Mike,

I’ve attached the full information we got from our DDOS protection system below.

We had a large number of ping loss and data loss tickets begin opening up for devices sharing the cabinet chi18-313. The high traffic and interference was determined to be caused by incoming traffic to the ip address [Not hard to find, but redacted anyway]. Our network engineers will be back in after 9am until 5pm CST. They have greater access to the network and may be able to give you more details.

Location : Chicago
Event Time : 2021-02-08 04:17:38 CST (-0600)
Destination IP: [Not hard to find, but redacted anyway]
Traffic : 2520 Mbps 382880 pps
Fragmentation : 11%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
TCP Flag: SYN: 100% ACK: 0% RST: 0% FIN: 0%
Top Source Port:
. 61% Port # 3702
. 38% Port # 0
Top Destination Port:
. 38% Port # 0
. 14% Port # 45934
. 9% Port # 23680
. 8% Port # 35023
. 7% Port # 25966
Top Source IP:
. 0% 112.164.127.17
Number of unique IP: 7110
Total Bytes : 1259961437
Total Packets : 1531559
Duration : 4s
Report Run Time : 151.3ms

The 30 day null route count is: 0
Number of hours to null route : 1

Location : Chicago
Event Time : 2021-02-08 04:02:38 CST (-0600)
Destination IP: [Not hard to find, but redacted anyway]
Traffic : 1817 Mbps 275483 pps
Fragmentation : 13%
Top Transport Protocol:
. 99% Protocol # 17 (UDP)
TCP Flag: SYN: 99% ACK: 0% RST: 0% FIN: 0%
Top Source Port:
. 56% Port # 3702
. 43% Port # 0
Top Destination Port:
. 43% Port # 0
. 19% Port # 25966
. 19% Port # 35023
. 17% Port # 23680
Top Source IP:
. 0% 90.49.167.239
Number of unique IP: 3577
Total Bytes : 953894831
Total Packets : 1157017
Duration : 4.199s
Report Run Time : 306.8ms

The 30 day null route count is: 0
Number of hours to null route : 1

Liam Doring
Systems Administrator

Not an official club, but the unofficial club is full of members including myself unfortunately🙁…little you can do except consider DDoS mitigation service if it continues.

It is a criminal activity, so you can report the attack to the FBI…they can’t do much to be honest, but at the very least this is good to do in case the problem continues and/or you need to file a business loss with your insurance company barring you have Cyber insurance in your policy.

https://www.ic3.gov/Media/Y2017/PSA1710172

Peace,

I got an e-mail explaining why I was getting DDoSed. Is that aspect common?

Not quite. But it happens sometimes.

Is it safe to assume that they completely anonymized the email they sent to me?

Likely, but not necessarily. Look up the message headers. Your
(accurate) description of their intelligence implies they might've
failed to anonymize that properly, or they might live in a country
that haven't signed extradiction treaties with the U.S. so they don't
bother.

Is there anyone I should be reporting this to?

You're not required to, but you can report it to the FBI so that in
case those people finally get caught (criminals sometimes make
mistakes) their sentence would be a couple years longer.

Nice report,

If you would have to pick up just one vector out of this “multi-vector” attack, which one seems to be the one that had the bigger effect on your network or service?

Was it degraded or total service interruption?

Jean

Nice report,

If you would have to pick up just one vector out of this “multi-vector” attack, which one seems to be the one that had the bigger effect on your network or service?

Was it degraded or total service interruption?

Jean

You got RTBH?

You got RTBH?

I would not for 2.5 Gbps

So if you were down for 1 hour with 2.5 Gbps and it’s probably not a black hole.

There might be something else valuable in this report.

Maybe 2.5 Gbps is not the damaging factor here unless your server has only 1 Gbps nic, then it could explain. But, I doubt.

Peace

Jean

I would not for 2.5 Gbps

So if you were down for 1 hour with 2.5 Gbps and it’s probably not a black hole.

There might be something else valuable in this report.

Maybe 2.5 Gbps is not the damaging factor here unless your server has only 1 Gbps nic, then it could explain. But, I doubt.

Peace

Jean

I notice I often get DDoS'd when I post here, to NANOG, usually w/in
2-3 hours, so owing to this note it'll probably happen again tonight!

The typical attack is some mixture of DNS whacking from dozens or
hundreds of hosts, plus usually UDP packets being flung at basically
round-robin ports (udp port 13577, udp port 13578, ...) generating a
lot of ICMP unreachables again from hundreds of hosts no doubt all
phony.

I block it so it's not usually a big big deal other than a brief time
waste as I kick in autoblocking I wouldn't want to run all the time
but I can see it on for example MRTG, traffic spikes to as much as 10x
what I might expect at that time of day.

This is a rough neighborhood.

  "Who steals my bandwidth steals trash"
    -- William Shakespeare the XIIth