[nsp-sec] Persistent and escalating DDoS against the Norwegian academic library system provider
Rune Sydskjør
rune.sydskjor at uninett.no
Wed Apr 8 17:01:40 EDT 2015
Hi Roland,
On 08/04/15 11:54, Roland Dobbins wrote:
> ----------- nsp-security Confidential --------
>
>
> On 8 Apr 2015, at 16:26, Rune Sydskjor wrote:
>
>> Even more rate limiting against 129.241.16.62
>
> Aggregate rate-limiting during an attack is the worst thing you can do -
> it simply ensures that the programmatically-generated attack traffic
> crowds out the legitimate traffic.
>
> Putting some basic tACLs in place based on the protocols/ports actually
> being used will keep out-of-policy stuff like the SSDP off the site.
As of now, the services that are under attack and rate limited/filtered
are almost only used within Norway (our AS or other Norwegian ISPs where
traffic is peered over NIX, which is not affected by these filters), so
if they are not available from outside of Norway it is not a huge problem.
> Since what you're describing doesn't involve spoofed sources at the
> target end, posting a list of source IPs by ASN would be helpful.
Yes we plan to do this.
> For the layer-7 stuff, start with a reverse-proxy farm in front of the
> Web servers, and some log analysis to block traffic easily identified as
> illegitimate.
I will give a hint to Bibsys, if it's okay with you that I forward the
information?
> For the more complex stuff, there are commercial solutions/services
> which can be used to deal with that [full disclosure, I'm employed by a
> vendor of such solutions].
>
> But if you start with the above, you'll be able to deal with the bulk of
> the attack traffic, which will make things easier.
>
> Have a look at the recommendations in this preso:
>
> <https://app.box.com/s/r7an1moswtc7ce58f8gg>
>
> Again, the key to getting assistance from other operators is to post
> source IPs with ASNs for the non-spoofed traffic (from the target end;
> i.e., the SSDP flooding and the http stuff).
Thanks for the feedback! :)
Regards,
Rune Sydskjør, UNINETT CERT
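The reply above asks for two things at the target end: log analysis to pick out traffic that is easily identified as illegitimate, and a list of non-spoofed source IPs grouped by ASN that other operators can act on. The script below is an added example of that workflow and is not code from the thread or from UNINETT/Bibsys. It parses combined-format web access logs, flags sources by constructed heuristics (request count above a threshold, or requests sent with no User-Agent), and groups the flagged addresses by originating ASN. The log lines, the prefix-to-ASN table (TEST-NET prefixes mapped to documentation ASNs) and the thresholds are all constructed for illustration; a real deployment would populate the table from a BGP feed or whois rather than a literal.

```python
"""Added example: summarise a web access log into a source-IP-by-ASN report.
Log lines, ASN table and heuristics are constructed, not real traffic."""
import ipaddress
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed prefix -> ASN table (TEST-NET addresses, documentation ASNs).
# In practice this comes from a BGP table / whois, not a hard-coded list.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AS64496"),
    (ipaddress.ip_network("198.51.100.0/24"), "AS64497"),
    (ipaddress.ip_network("192.0.2.0/24"), "AS64498"),
]


def parse_line(line):
    """Return the fields of one combined-format log line as a dict, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def lookup_asn(ip, table=ASN_TABLE):
    """Longest-prefix match of ip against the prefix table; 'UNKNOWN' if none."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else "UNKNOWN"


def find_abusive_sources(log_text, max_requests=20, table=ASN_TABLE):
    """Flag source IPs that exceed max_requests in the log window, or that
    send requests with no User-Agent, and group them by originating ASN.
    Returns {asn: [(ip, request_count), ...]} with IPs in address order."""
    per_ip = Counter()
    no_agent = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip lines that are not in combined format
            continue
        per_ip[rec["ip"]] += 1
        if rec["agent"] in ("", "-"):
            no_agent.add(rec["ip"])
    flagged = {ip for ip, n in per_ip.items() if n > max_requests} | no_agent
    by_asn = defaultdict(list)
    for ip in sorted(flagged, key=ipaddress.ip_address):
        by_asn[lookup_asn(ip, table)].append((ip, per_ip[ip]))
    return dict(by_asn)


def format_report(by_asn):
    """Render the grouping as plain text suitable for sharing with other operators."""
    lines = []
    for asn in sorted(by_asn):
        lines.append(f"{asn}:")
        for ip, n in by_asn[asn]:
            lines.append(f"  {ip}  {n} requests")
    return "\n".join(lines)


def make_sample_log():
    """Constructed log: one flooding source (50 hits), one agent-less client,
    and a few ordinary clients. Not real traffic."""
    fmt = ('{ip} - - [08/Apr/2015:16:20:{s:02d} +0200] '
           '"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')
    lines = []
    for i in range(50):
        lines.append(fmt.format(ip="203.0.113.10", s=i % 60,
                                path="/search?q=x", ua="Mozilla/5.0"))
    for i in range(3):
        lines.append(fmt.format(ip="198.51.100.7", s=i, path="/", ua="-"))
    for i, ip in enumerate(["192.0.2.5", "192.0.2.6", "203.0.113.200"]):
        lines.append(fmt.format(ip=ip, s=i, path="/catalog", ua="Mozilla/5.0"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_abusive_sources(make_sample_log())))
```

The per-IP threshold is the simplest version of the "easily identified" filter; on a real log the same loop would also feed a reverse-proxy deny list, and the ASN-grouped output is the form in which the thread asks for source data to be shared.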