Dear all
We have been members of this list for many years now, but not very chatty, more listening.
But today I feel a strong need to contact the community, since we (ISP ZUGERNET, AS 28859) have been attacked many times over the last 24 hours with huge traffic, disabling our network completely. The attack is really very damaging: to ourselves, to our customers and to their customers and partners. You can imagine...
If any of you can give me a hint on how to track down WHO is causing this, I would really appreciate any help, however small. I know that technically such attacks are not trackable - but what I mean is more: if someone can share some "underground knowledge" with me to possibly find out which botnet is being used (under whose control etc.; we can share some netflow capture with a huge number of source IP addresses) and possibly has "underground contacts" to find out more about them...?
Thank you in advance! Feel free to answer me off-list if you feel that is more appropriate.
Kind regards, Patrick Hofmann
___________________________________________________________________________ ZUGERNET, Hofmann Informatik AG · Grienbachstr. 17 · 6300 Zug · Switzerland http://www.zugernet.ch/ · fon +41 (0)41 766 88 22 · fax +41 (0)41 766 88 33
Hello Patrick, If you could provide us some basic information about the nature of the DDoS attack, without disclosing any sensitive information about your attackers and/or your network, we could probably help you more efficiently (especially if someone here has experienced similar issues).
On 08/07/2013 09:45 PM, ZUGERNET NOC wrote:
[..]
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
On Wed, 07 Aug 2013 21:45:08 +0200, ZUGERNET NOC noc@zugernet.ch wrote:
[..]
If it's really distributed, then it will be pretty much impossible to track down - unless one of the zombies is on a network where you can listen to the traffic and track down the C&C host - but that will only reveal the C&C host for that zombie at that particular time - and chances are it's in some other country at an ISP that wants to see a court order...
AFAIK, botnets are really a "resource for hire" - just google for the word "booter" and you'll find the semi-legal ones (word is they're all passing your data straight to the FBI...). The operators of the botnet that attacks you usually have no quarrel with you.
It might be easier to locate the target in your network and move it somewhere else. From the target, you can often deduce the source much more easily than vice versa.
Popular targets:
- adult hosting (incl. websites of brothels, escort services etc.)
- gambling
- root servers with IRC servers, game servers or forums
- websites of political parties
- websites with other "controversial" content
On 2013-08-07 21:45, ZUGERNET NOC wrote: [..]
If any of you can give me a hint on how to track down WHO is causing this, I would really appreciate any help, however small. I know that technically such attacks are not trackable - but what I mean is more: if someone can share some "underground knowledge" with me to possibly find out which botnet is being used (under whose control etc.; we can share some netflow capture with a huge number of source IP addresses) and possibly has "underground contacts" to find out more about them...?
Instead of looking at the sources, which tend to be spoofed, check what the destination is; typically it will show what the attacker wants to disable from the Internet, and likely it is something that you did not want on your network. Of course, if they are smart they are hitting your core network instead, so that you are overloaded everywhere...
To avoid affecting your other customers, make sure you and your upstreams implement BCP 38 properly and, depending on the target, possibly ask your upstream to null-route the target; that way the traffic does not affect your other customers.
NetFlow, btw, will not be very useful; it might show some pattern, but without a pcap there will be little to say about which botnet it is.
Greets, Jeroen
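The advice in the two replies above (locate the target in your network rather than the sources; aggregate by destination because sources are usually spoofed; flow data gives you a pattern, not a botnet name) can be turned into a small triage script. The following is an added example for this thread, not code from the list, from ZUGERNET or from any of the posters. It assumes flow records exported as CSV with the columns src,dst,proto,dport,packets,bytes (the field names are my assumption; something like `nfdump -o csv` trimmed to those columns would do), and all sample data is constructed. It ranks (dst, proto, dport) keys by volume to find the target, then measures how dispersed the sources are to decide whether chasing them is worth anything at all.

```python
"""Find the DDoS target from flow records instead of chasing spoofed sources.

Added example for this thread, not code from the list or from ZUGERNET.
Assumes flow records as CSV with the columns  src,dst,proto,dport,packets,bytes
(roughly what `nfdump -o csv` gives after picking columns; the field names are
my assumption). All sample data below is constructed.
"""
from collections import defaultdict
import csv
import io
import ipaddress


def parse_flows(text):
    """CSV flow export -> list of dicts with numeric fields typed."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        out.append({"src": r["src"], "dst": r["dst"], "proto": r["proto"],
                    "dport": int(r["dport"]), "packets": int(r["packets"]),
                    "bytes": int(r["bytes"])})
    return out


def rank_destinations(flows):
    """Aggregate by (dst, proto, dport); the top entry is the likely target."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0, "srcs": set()})
    for f in flows:
        a = agg[(f["dst"], f["proto"], f["dport"])]
        a["packets"] += f["packets"]
        a["bytes"] += f["bytes"]
        a["flows"] += 1
        a["srcs"].add(f["src"])
    rows = [{"dst": k[0], "proto": k[1], "dport": k[2], "packets": a["packets"],
             "bytes": a["bytes"], "flows": a["flows"],
             "distinct_sources": len(a["srcs"])} for k, a in agg.items()]
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)


def source_dispersion(flows, dst):
    """Are the sources hitting `dst` worth chasing?  Spoofed floods show one
    flow per source, ~1 packet per flow and sources scattered over unrelated
    /16s; real hosts (bots or clients) repeat and cluster."""
    per_src, nets16, pkts = defaultdict(int), set(), 0
    for f in flows:
        if f["dst"] != dst:
            continue
        per_src[f["src"]] += 1
        pkts += f["packets"]
        nets16.add(ipaddress.ip_network(f["src"] + "/16", strict=False))
    if not per_src:
        return None
    n, total = len(per_src), sum(per_src.values())
    return {"distinct_sources": n,
            "single_flow_fraction": sum(c == 1 for c in per_src.values()) / n,
            "distinct_slash16": len(nets16),
            "packets_per_flow": pkts / total}


def summarize(flows):
    """Target to ask the upstream to null-route (as a /32), plus a verdict on
    whether the source list is actionable at all (thresholds are my choice)."""
    top = rank_destinations(flows)[0]
    d = source_dispersion(flows, top["dst"])
    looks_spoofed = (d["single_flow_fraction"] > 0.9
                     and d["distinct_slash16"] > 0.5 * d["distinct_sources"])
    return {"target": f"{top['dst']}/32", "proto": top["proto"], "dport": top["dport"],
            "bytes": top["bytes"], "sources_actionable": not looks_spoofed,
            "dispersion": d}


def build_sample():
    """Constructed export (not real data): a UDP flood of one-packet flows from
    2000 never-repeating sources at 198.51.100.10:80, next to ordinary traffic."""
    lines = ["src,dst,proto,dport,packets,bytes"]
    base = int(ipaddress.IPv4Address("1.0.0.0"))
    for i in range(2000):                         # scattered, one-off sources
        src = ipaddress.IPv4Address(base + i * 1_000_003)
        lines.append(f"{src},198.51.100.10,UDP,80,1,1400")
    for _ in range(30):                           # one mail client talking to the MX
        lines.append("203.0.113.5,198.51.100.25,TCP,25,40,21000")
    for i in range(10, 15):                       # five web visitors, three flows each
        lines.extend([f"203.0.113.{i},198.51.100.10,TCP,443,25,18000"] * 3)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    s = summarize(parse_flows(build_sample()))
    print(f"null-route candidate: {s['target']} ({s['proto']}/{s['dport']}, {s['bytes']} bytes)")
    print("sources actionable:", s["sources_actionable"], s["dispersion"])
```

The verdict logic is deliberately crude: a source list where almost every address appears exactly once and the addresses are spread over unrelated /16s is what a spoofed flood looks like, and it is the destination /32 that goes into the request to the upstream, not those addresses. Feed it a real export and the same two numbers tell you whether a list of "sources" means anything.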
Hi all
Many thanks for the lot of inputs we got on- and offlist!
Although it didn't help to find the source of the attacks, it was - besides the support from our upstreams - very helpful in mitigating the (always changing) floods.
For a few days it is silent now, and we hope it stays...
Regards, Patrick
At 07:02 08.08.2013, Jeroen Massar wrote:
[..]