On 3/13/14, 14:04, Richard Laager wrote:

> Last night, we got hit by a ~3 Gbps DDoS attack. It's been a while since this has happened to us, so I'd like to make sure I'm still up on the state of the art.
>
> Is there anything more to be done than the following?
>
> 1. Identify the victim.
> 2. Null route the victim.
> 3. Propagate the null route to your upstreams (via BGP, if supported, otherwise a phone call to their NOC).
> 4. Move the victim to a new IP.
3a. Notify your (MICE) peer if they are participating in the attack. We, for one, want to respond and deal with issues to the extent possible. FYI, specifically for us it's abuse@umn.edu; sometimes we are not the quickest, but we really don't just ignore issues reported to us.
> To avoid participating in at least some classes of DDoS attacks, we:
>
> * long ago implemented uRPF (and/or similar ACLs) to block spoofed outbound packets, as recommended by BCP 38 (RFC 2827).
Yes, please implement BCP 38 to the extent possible; we do. Yes, not everyone realistically can, but if everyone that can did, the world would have a better Internet.
> * ensured our NTP servers (and any NTP servers of our customers) are not responding to monlist queries. The openntpproject.org website is useful here. They list vulnerable NTP servers by IP range, or you can get all NTP servers by AS (replace YOUR_AS with your AS, and optionally, add &csv=1) and then query with ntpdc -n -c monlist IP:
>
> http://openntpproject.org/searchby-asn.cgi?search_asn=YOUR_AS

We addressed this in January for our authoritative public NTP servers. But there were a lot of other NTP servers on campus; this took us a while to mitigate. We think we have this squelched now, but let us know if you see moles that need whacking, especially if the mole is bothering you.

> * just this week started addressing customers with open DNS resolvers, which can also be used in amplification attacks:
>
> http://openresolverproject.org/searchby-asn.cgi?search_asn=YOUR_AS
A continual battle for years, if not a decade. Again, let us know if you see moles that need whacking, especially if the mole is bothering you. :(
> Is there anything else we should be doing?
If you don't already, block other UDP ports that probably shouldn't talk to the Internet, because they are also targets of UDP amplification attacks: SNMP, Chargen, SSDP, QOTD, etc. https://www.us-cert.gov/ncas/alerts/TA14-017A

-- 
================================================
David Farmer               Email: farmer@umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE     Phone: 1-612-626-0815
Minneapolis, MN 55414-3029 Cell: 1-612-812-9952
================================================
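As an added example (not from the thread or either poster), the checks the thread recommends can be run over your own egress flow records: flag outbound packets whose source is not in a prefix you route (the BCP 38 / uRPF failure) and flag hosts answering on UDP reflector ports (NTP, DNS, SNMP, Chargen, SSDP, QOTD) with unusually large replies, which is what an abused monlist server or open resolver looks like from the inside. The flow-record layout, the customer prefixes, the sample flows and the 300-byte reply threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Prefixes we legitimately originate for customers (constructed sample values).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
# UDP source ports of services abused as reflectors, per US-CERT TA14-017A.
AMPLIFIER_PORTS = {17: "QOTD", 19: "Chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}
# Reply bytes/packet above which a reflector is likely abused (assumed; NTP reply 76B, monlist ~440B).
BIG_REPLY = 300

# Constructed egress flow records: src sport dst dport proto packets bytes
SAMPLE_FLOWS = """\
192.0.2.10 123 203.0.113.7 80 udp 5000 2200000
192.0.2.10 123 203.0.113.8 80 udp 5000 2200000
192.0.2.20 123 203.0.113.9 40001 udp 3 228
198.51.100.5 53 203.0.113.50 443 udp 1200 3600000
10.9.8.7 40000 203.0.113.60 123 udp 900000 67500000
198.51.100.9 443 203.0.113.70 51234 tcp 400 320000
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    keys = ("src", "sport", "dst", "dport", "proto", "packets", "bytes")
    ints = {"sport", "dport", "packets", "bytes"}
    return [{k: (int(v) if k in ints else v) for k, v in zip(keys, line.split())}
            for line in text.splitlines() if line.strip()]

def is_spoofed(src):
    """BCP 38: an egress packet must carry a source address from a prefix we route."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in CUSTOMER_PREFIXES)

def audit(flows):
    """Return sorted (kind, host, detail) findings: spoofed sources and busy reflectors."""
    findings = set()
    reflect = defaultdict(lambda: [0, 0, set()])  # (src, sport) -> pkts, bytes, destinations
    for f in flows:
        if is_spoofed(f["src"]):
            findings.add(("spoofed_source", f["src"], f"to {f['dst']}:{f['dport']}"))
        elif f["proto"] == "udp" and f["sport"] in AMPLIFIER_PORTS:
            agg = reflect[(f["src"], f["sport"])]
            agg[0] += f["packets"]; agg[1] += f["bytes"]; agg[2].add(f["dst"])
    for (src, sport), (pkts, nbytes, dests) in reflect.items():
        if pkts and nbytes / pkts > BIG_REPLY:  # large replies leaving a reflector port
            findings.add(("amplifier", src,
                          f"{AMPLIFIER_PORTS[sport]} avg {nbytes // pkts}B to {len(dests)} dest(s)"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, host, detail in audit(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:15} {host:15} {detail}")
```

The 76-byte NTP flow is left alone, which is the point of using average reply size rather than port alone: a server that only answers ordinary time requests should not be flagged.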