[nsp-sec] Persistent and escalating DDoS against the Norwegian academic library system provider

Rune Sydskjor rune.sydskjor at uninett.no
Wed Apr 8 05:26:32 EDT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi teams,

BIBSYS, the Norwegian academic library and information system provider,
is currently targeted by a persistent and escalating DDOS attack.

The attacks started before Easter, and were countered by rate limiting
traffic to the initially targeted host. BIBSYS is part of NTNU, the
Norwegian polytechnical university. We (UNINETT, the Norwegian NREN) are
their ISP and provide peering with other Norwegian ISPs. Our upstream
provider is NORDUnet, the "umbrella" ISP for the Nordic NRENs which
provides global peering. The rate limiting is implemented at the links
between UNINETT and NORDUnet, so that the services are generally not
degraded from within Norway.

The attacks ceased the weekend before Easter, but immediately after
Easter, the attack returned, escalated, diversified and spread to other
and more important hosts.

Any information which might help understand the attack is appreciated. A
possible lead might be that BIBSYS is currently in the process of
migrating to systems from the Ex Libris Group, which though very
international and widespread has Israeli origins and ownership.


Timeline:

Time: 2015-03-19 13:35 UTC
Target: 129.241.16.59
Type of attack: D(R)DOS UDP SSDP reflection with destination port 80 and
some backscatter ICMP destination port unreachable.

Time: 2015-03-23 07:30 UTC
Target: 129.241.16.59
Type of attack: D(R)DOS UDP SSDP reflection with destination port 80 and
some backscatter ICMP destination port unreachable.

Rate limiting against 129.241.16.59
Due to misunderstandings BIBSYS changed the IP address during that
evening, and the attack quickly moved to the new unprotected IP address.

Time: 2015-03-24 11:10 UTC
Target: 129.241.16.62
Type of attack: D(R)DOS UDP SSDP reflection with destination port 80.
TCP SYN flooding with destination port 80. Some backscatter ICMP
destination port unreachable.

Rate limiting against 129.241.16.62

The attack is ongoing for the whole week with a combination of DRDOS,
TCP SYN flooding and heavy search queries against the BIBSYS search
engine. On Friday 2015-03-27 the attack stops gradually from 14:20 UTC -
16:00 UTC. In Norway, many people take a prolonged Easter holiday from
the Palm Sunday weekend to the Monday after Easter Sunday. Nothing
happens during this period.

After the holidays the attackers are back.

Time: Starts at 2015-04-07 08:15 UTC and lasts during the day.
Target: 129.241.16.62
Type of attack: D(R)DOS UDP SSDP reflection with destination port 80 and
heavy search queries against the BIBSYS search engine. TCP SYN flooding
with destination port 80 and some backscatter ICMP destination port
unreachable.

Even more rate limiting against 129.241.16.62

The attackers probably now know about the rate limiting and move the
attack to a new destination today:

Time: 2015-04-08 08:15 UTC
Target: 129.241.16.36
Type of attack: D(R)DOS UDP SSDP reflection with destination port 80.
TCP SYN flooding with destination port 80 and some backscatter ICMP
destination port unreachable. Here also with heavy searches on this
library search engine.

Today we implemented rate limiting against 129.241.16.36 also.

While writing this mail the attack moved to www.bibsys.no (129.241.16.93).
The magnitude of the attack is currently at 2.5 million packets per
seconds, or 6 Gbit/s.

Regards,
Rune Sydskjør, UNINETT CERT

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVJPRCRY0ei6C6y0kRAm//AKCg2Qgn9eBMr5VSaDy31IvmrdQazQCghx7u
mJN1CPuX0alPuxfwCp1VriY=
=1A+a
-----END PGP SIGNATURE-----
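The timeline above names three traffic classes (SSDP reflection to port 80, TCP SYN flooding to port 80, and ICMP port-unreachable backscatter) and the only mitigation mentioned is rate limiting on the upstream links. As an added example that is not part of the original mail and not UNINETT's or BIBSYS's code, the block below sorts flow records into those classes and aggregates per-target packet and bit rates so that a defender can see which (target, class) pairs have grown large enough to warrant a rate limit. The record layout, the thresholds, the ten-second window and every flow record are constructed assumptions; only the target address 129.241.16.62 is taken from the report.

```python
"""Sort flow records into the traffic classes named in the UNINETT report
(SSDP reflection to port 80, SYN flooding to port 80, ICMP port-unreachable
backscatter) and aggregate per-target packet and bit rates.

Added example, not code from the original mail or from UNINETT. The record
layout, the thresholds and every flow below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

SSDP_PORT = 1900          # UDP source port of SSDP (UPnP discovery) reflectors
ICMP_DEST_UNREACH = 3     # ICMP type 3: destination unreachable ...
ICMP_PORT_UNREACH = 3     # ... code 3: port unreachable
TARGET = "129.241.16.62"  # one of the targets named in the report
WINDOW_S = 10             # length of the constructed observation window


@dataclass(frozen=True)
class Flow:
    proto: str        # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int        # for ICMP: message type
    dport: int        # for ICMP: message code
    tcp_flags: str    # flags seen over the whole flow, e.g. "S", "SAF"; "" if not TCP
    packets: int
    octets: int


def classify(flow: Flow) -> str:
    """Map one flow record to a class from the report, or 'other'."""
    if flow.proto == "udp" and flow.sport == SSDP_PORT:
        # Replies from SSDP reflectors: the victim never asked for them.
        return "ssdp_reflection"
    if flow.proto == "tcp" and flow.tcp_flags == "S":
        # Only SYN seen for the whole flow: a half-open connection attempt.
        return "syn_only"
    if (flow.proto == "icmp" and flow.sport == ICMP_DEST_UNREACH
            and flow.dport == ICMP_PORT_UNREACH):
        # Hosts complaining about unsolicited UDP: backscatter, not the flood itself.
        return "icmp_port_unreach"
    return "other"


def summarize(flows, window_s):
    """Per destination and class: packets/s, Mbit/s and distinct source count."""
    acc = defaultdict(lambda: defaultdict(
        lambda: {"packets": 0, "octets": 0, "srcs": set()}))
    for f in flows:
        bucket = acc[f.dst][classify(f)]
        bucket["packets"] += f.packets
        bucket["octets"] += f.octets
        bucket["srcs"].add(f.src)
    return {
        dst: {
            cls: {
                "pps": b["packets"] / window_s,
                "mbps": b["octets"] * 8 / window_s / 1e6,
                "sources": len(b["srcs"]),
            }
            for cls, b in classes.items()
        }
        for dst, classes in acc.items()
    }


def flag_targets(summary, pps_threshold, min_sources):
    """(dst, class) pairs over both thresholds: candidates for an upstream
    rate limit, which is where the report says UNINETT applied theirs."""
    hits = []
    for dst, classes in summary.items():
        for cls, s in classes.items():
            if cls != "other" and s["pps"] >= pps_threshold and s["sources"] >= min_sources:
                hits.append((dst, cls))
    return sorted(hits)


def build_sample_flows():
    """Constructed records; sources are RFC 5737 documentation addresses."""
    flows = []
    # 50 reflectors, each sending 2000 SSDP replies of 300 bytes to port 80.
    for i in range(1, 51):
        flows.append(Flow("udp", f"192.0.2.{i}", TARGET, SSDP_PORT, 80, "", 2000, 600_000))
    # 40 sources, each sending 500 SYN-only packets of 60 bytes to port 80.
    for i in range(1, 41):
        flows.append(Flow("tcp", f"198.51.100.{i}", TARGET, 40000 + i, 80, "S", 500, 30_000))
    # A few hosts answering the spoofed traffic with ICMP port unreachable.
    for i in range(1, 6):
        flows.append(Flow("icmp", f"203.0.113.{i}", TARGET,
                          ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, "", 100, 7_000))
    # Ordinary completed web sessions that must not be flagged.
    for i in range(100, 103):
        flows.append(Flow("tcp", f"203.0.113.{i}", TARGET, 50000 + i, 80, "SAF", 20, 10_000))
    return flows


if __name__ == "__main__":
    summary = summarize(build_sample_flows(), WINDOW_S)
    for cls, s in sorted(summary[TARGET].items()):
        print(f"{TARGET} {cls:18} {s['pps']:8.0f} pps {s['mbps']:6.2f} Mbit/s "
              f"{s['sources']:3} sources")
    print("rate-limit candidates:", flag_targets(summary, pps_threshold=1000, min_sources=10))
```

The two thresholds matter together: a single client retrying SYNs against a closed port produces `syn_only` flows but never clears `min_sources`, while a handful of reflectors with low volume clears the source count but not the rate. Reading the backscatter class separately is also useful, since it is a side effect of the spoofed traffic rather than something to be rate-limited on its own.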
