Comments
It looks like we are dealing with a very powerful attacker who has both spoofed IPs and compromised hosts.
Analyzing a traffic dump of just 2 seconds, I identified 13671 IP addresses sending UDP traffic to random ports, many coming from port 1900 (leading me to believe that compromised hosts are used) but also others that have both srcport and dstport randomized.
I think I'm going to get a kick out of this attack but I don't know how many providers here are prepared for this kind of attack.
Lol
Go ahead, make 11 posts about getting attacked
"Are you prepared for the post?"
We all know how that ended with cociu and his 140+ dedicated servers when he was raided.
Not a lot of IPs really, if there are spoofed traffic from srcport 1900
Maybe give us Gbps and packets per second to see if the issue is just limited home internet or if it's actually a world-grade attack that nobody can handle, if you can't handle it from a Romanian residential building.
Those are claims that you need to justify since you just branded every host as incompetent.
To be honest? Most. Maybe a few outliers who are single homed 1Gbps, but even little guys like them just spoke to their Cogent rep, and likely got 10Gbps for around $500/mo.
1Gbps NYC metro is $250/mo nowadays. Want 10Gbps? Just double that. Want DDoS protection? Add a proficient provider to the mix and learn prepending.
Not saying your setup is bad, it's just not a big deal. Most providers would Anycast to many locations, suck it up with fastnetmon and GRE it back. 10 years ago when I used to work at a host here it was many thousands of dollars. Now it's not as expensive for stellar protection.
I think the biggest issue here is you announced to LET that you were going single homed and low bandwidth instead of paying clients.
Someone who likely didn't get a refund, or just has too much time decided to attack you when you were down a provider. You should keep maintenance to customers, and maybe look into a mitigation provider. Path, GSL, Voxility (if you're in 2005) all come to mind.
Story?
CP apparently.
Your message made me think about this guy, considering the attack came about an hour after my refusal.
About the other providers, at least the small ones under 1000 customers I don't think they are ready for a scenario like this, as I am not either.
When you have multiple compromised hosts and the possibility of IP spoofing your capacity is "unlimited" if you consider the fact that most don't have a whole rack rented and those that do, don't have more than 10Gbps for the whole rack. (we are talking about general rules, not exceptions)
So this is where you use the Anycast aspect. I used to sell this to companies for 4-5 figures monthly, and understand things a bit.
You announce your subnets through a DDoS mitigation provider like Path.net or alike, who has 20+ distinct locations. DDoS attacks from around the world are siphoned into 20 scrubbing / filtering centers at that place, and you pay a flat rate for clean traffic, say 1Gbps.
They often have 10+ Tbps of protection and software that can sink DDoS attacks in seconds. You get the clean traffic back on a GRE tunnel.
We were a 3 man team working with Fortune 500 companies (think Cedexis, NSOne and alike) and this was 2015.
Now you can get this for much cheaper. I personally introduced BGP to Vultr while working there after leaving that LA based ISP, as I wasn't a fan of the gatekeeping $$$ for BGP and IP announcement.
Anyway, this attack is likely blockable, and don't announce on LowEndTalk when you're running on one ISP with lower bandwidth.
You're so damn kind and I keep wanting to root for you.
Did you solve the issue?
Yes sure, at Switch Level, excellent choice.
Florian, that is a switch; it might know layer 3, but cannot handle layer 3 abuse, as it lacks the ASICs for that.
Get a JUNOS MX80 / Cisco ASR1001-X Aggregation Services Router (before buying it, check that it has the "performance pack", otherwise it will be limited to 2.5 Gbps). It will be more than enough, and it can handle abuse.
Cheers
ExpectoPacketus?
The src port 1900 is an SSDP amplification attack.
Yeah, I had that in my rules but that's one of them, they're many.
Are you dropping amplification on your edge? It is quite pointless if you have only a few Gbps of IP transit.
That's the attacker, he posted correct information which he later deleted ("See IP x, port Y - port Y not being a common one").
Deployment to the Orange site has now started.
In the meantime, we wait to see how long our friend will continue.
If it goes on too long we'll make sure to look for him. In Romania there is a department specialized on cybercrime. It may work, it may not - but if it does, our friend will have to be visited in jail.
Yayaya, of course, a guy goes to jail because he downed a small web hosting company.
That department you mention only works with public institutions or large companies aka corporates. I assure you from my experience, those people don't have time for every company that has a maximum annual turnover of 50k euros, or every company whose email or Facebook account was hacked, or other examples.
Not true at all. The cybercrime department works with anyone. I don't know where you get all that bullshit about annual turnover. From your posts, it's clear that you have had no experience with Romania's justice system.
Being capable of detecting a multi-VPN/proxied attacker... well, that can be discussed. However, nowadays we have a well trained and competent cybercrime dept. of the RO police.
oh sure because your hazi.ro ip (188.241.240.3) is not visible and oh sure i can not type random port (10101) to forum when you are attacked, funny man ^^
you should not to fck with people maybe ? maybe dont allow to host crap? so you wont be ddosed ?
i aint interested in your small basement host (but its funny), i dont have the capability to ddos, so get your crap online and dont cry
edit:
now go and put them in jail too (they send you packets too)
https://tcp.ping.pe/hazi.ro:10101
https://ping.sx/check-port?t=hazi.ro
Hello! Is it possible to receive an email once the infrastructure returns to normality?
upgrade completed and DDoS mitigated.
Your ddos has been doubled.
/s
Upgrade complete.
Unfortunately, the only major difference is that instead of having ~2200 IPs blocked, we now have over 11000, and we are now convinced that IP spoofing is at the base of it, because the intensity of the attack has not decreased at all.
If it helps at all, it's probably this age-old SSDP script that's been circulating on the internet since 2018:
https://raw.githubusercontent.com/LOLSquad/DDoS-Scripts/master/SSDP.c
Someone simply compiled it and runs it from some provider which allows spoofing against a pre-scanned/filtered reflection file.
As for how to block it, I have no idea other than dropping everything from srcport 1900 UDP on edge/network/backbone level.
Carpet bombing, or only single IPs affected that get attacked?
Don't forget this Someone also has a good list for amplification he scanned before or purchased from some other skid.
It's not just running it. That only applies to TCP SYN. But for this you need a list for amplification.
I think Florin says about source IPs not destination
Yeah, that would make all the IPs real rather than spoofed, so the block is definitely working.
Traffic analysis of the last 2 seconds:
Half the traffic is UDP, half is ICMP (our server tries to send port unreachable responses).
That's basically what a provider means nowadays: Users should provide solutions to the provider's issues.
So this seems to be DNS+SNMP+SSDP+RDP(???) amplification
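The per-vector breakdown in this post and the "half UDP, half ICMP port unreachable" observation a few posts up are the kind of thing you want to pull out of a packet sample automatically rather than by eye. The following is an added example written for this thread, not code from anyone posting here: it classifies a sampled flow log by reflector source port (SSDP 1900, DNS 53, SNMP 161, RDP 3389 and a few other well-known reflectors), counts distinct UDP sources, counts the ICMP type 3 code 3 replies the victim generates, and lists the vectors large enough to be worth an edge filter. The log line format, the sample lines, the addresses (documentation ranges) and the 5% threshold are all constructed assumptions.

```python
"""Classify a sampled flow log for UDP amplification signatures (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Well-known reflector source ports; the vectors named in the thread plus a few
# other common ones. Extend to taste.
REFLECTOR_PORTS: Dict[int, str] = {
    1900: "SSDP", 53: "DNS", 161: "SNMP", 3389: "RDP",
    123: "NTP", 19: "CHARGEN", 11211: "memcached",
}
PORT_BY_VECTOR = {name: port for port, name in REFLECTOR_PORTS.items()}

# Constructed sample in an assumed "PROTO src[:sport] > dst[:dport] [type=.. code=..] bytes" form.
SAMPLE_FLOWS = """\
UDP 198.51.100.7:1900 > 203.0.113.10:41237 1320
UDP 198.51.100.8:1900 > 203.0.113.10:53001 1320
UDP 192.0.2.33:53 > 203.0.113.10:9988 3900
UDP 192.0.2.34:161 > 203.0.113.10:24311 2100
UDP 192.0.2.90:3389 > 203.0.113.10:10101 1100
UDP 198.51.100.200:51842 > 203.0.113.10:10101 64
ICMP 203.0.113.10 > 198.51.100.7 type=3 code=3 56
ICMP 203.0.113.10 > 192.0.2.33 type=3 code=3 56
"""


@dataclass
class Flow:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    nbytes: int
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; return None for anything that does not fit the assumed format."""
    parts = line.split()
    try:
        if len(parts) == 5 and parts[0].upper() == "UDP" and parts[2] == ">":
            src, sport = parts[1].rsplit(":", 1)
            dst, dport = parts[3].rsplit(":", 1)
            return Flow("UDP", src, int(sport), dst, int(dport), int(parts[4]))
        if len(parts) == 7 and parts[0].upper() == "ICMP" and parts[2] == ">":
            itype = int(parts[4].split("=", 1)[1])
            icode = int(parts[5].split("=", 1)[1])
            return Flow("ICMP", parts[1], None, parts[3], None, int(parts[6]), itype, icode)
    except ValueError:
        return None
    return None


def analyse(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise a sample: bytes per reflector vector, source fan-out, ICMP backscatter."""
    by_vector: Counter = Counter()
    udp_sources = set()
    udp_packets = icmp_packets = udp_bytes = 0
    unclassified_udp = icmp_unreachable = 0
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f.proto == "UDP":
            udp_packets += 1
            udp_bytes += f.nbytes
            udp_sources.add(f.src)
            vector = REFLECTOR_PORTS.get(f.sport)
            if vector:
                by_vector[vector] += f.nbytes
            else:
                # Random src/dst ports with no reflector signature: direct (possibly spoofed) floods.
                unclassified_udp += 1
        elif f.proto == "ICMP":
            icmp_packets += 1
            # Type 3 code 3 = port unreachable: the victim answering the random-port UDP.
            if (f.icmp_type, f.icmp_code) == (3, 3):
                icmp_unreachable += 1
    return {
        "by_vector": by_vector,
        "udp_bytes": udp_bytes,
        "udp_packets": udp_packets,
        "icmp_packets": icmp_packets,
        "distinct_udp_sources": len(udp_sources),
        "unclassified_udp_flows": unclassified_udp,
        "icmp_port_unreachable": icmp_unreachable,
    }


def suggest_filters(summary: Dict[str, object], min_share: float = 0.05) -> List[Tuple[str, int]]:
    """Vectors carrying at least min_share of UDP bytes, largest first, as (vector, src port)."""
    udp_bytes = summary["udp_bytes"] or 1  # avoid division by zero on an empty sample
    return [(name, PORT_BY_VECTOR[name])
            for name, nbytes in summary["by_vector"].most_common()
            if nbytes / udp_bytes >= min_share]


if __name__ == "__main__":
    s = analyse(SAMPLE_FLOWS.splitlines())
    print(dict(s["by_vector"]), s["distinct_udp_sources"], s["icmp_port_unreachable"])
    print("candidate edge filters (UDP src port):", suggest_filters(s))
```

Two caveats apply to the output, both made in the thread already: dropping src port 1900 (or 53, 161) at your own edge only helps once the traffic has already crossed your transit, so the filters are most useful handed to an upstream or a scrubbing provider; and a large `unclassified_udp_flows` count with a high distinct-source count is the pattern you would expect from spoofed direct floods, which no src-port filter will touch. Rate-limiting the ICMP port unreachable replies (or silencing them for the attacked ports) also stops the victim from doubling its own outbound load.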