[nsp-sec] Recent 20 Gbps microburst DoS attack

Damian Menscher damian at google.com
Thu Dec 21 20:56:56 EST 2017


You didn't mention the source port, but I'm fairly certain this was a
botnet attack, not amplification.  For evidence, I'll note that competent
amplification would typically result in full-frame packets, but your
packets were all 1365 octets, which is a leet number when you subtract off
the 20-byte IP header and the 8-byte UDP header. ;)

Damian

On Thu, Dec 21, 2017 at 5:47 PM, J. Chambers <jchambers at ucla.edu> wrote:

> ----------- nsp-security Confidential --------
>
>
> Sharing this FWIW, the sources may be real amplifiers and not spoofed.
>
> We had a UDP DoS attack against 164.67.228.152 on 2017/12/19 at 23:49.
> The peak of the attack was from 23:49 to 23:56 and sharply decreased
> afterwards.
>
> It looks like two micro bursts with ~3100+ source attackers (see
> attached).  Depending on how you bin the flows, it was between 11 Gbps and
> 24 Gbps.
>
> 23:49:00 - 23:50:00 23.97 Gbps
> 23:53:00 - 23:57:00 11.01 Gbps
>
> This caused one of our iBGP sessions to flap, even with CoPP deployed.
> (maybe this can be tuned more)
>
>
> Timeline:
>
> 15:49 PDT -- DoS attack starts, ~11-23 Gbps
> 15:57 PDT -- attack rate reduces to ~750 Mbps
> 15:58 PDT -- attack rate reduces to ~85 Mbps
> 16:01 PDT -- attack rate reduces to ~23 Mbps
> 16:07 PDT -- attack rate drops below 0.001 Mbps
> 16:57 PDT -- attack stops
>
>
>
> A full list of sources is attached.
>
>
> Top src ASNs:
>
>  835  CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP, EC
>  392  OCN NTT Communications Corporation, JP
>  278  ROSTELECOM-AS, RU
>  173  JTCL-JP-AS Jupiter Telecommunication Co. Ltd, JP
>  149  MALFIK, UA
>  139  Telefonica del Peru S.A.A., PE
>  131  MCLAUT-AS, UA
>  108  K-OPTICOM K-Opticom Corporation, JP
>  104  GIGAINFRA Softbank BB Corp., JP
>   80  ZAQ Jupiter Telecommunications Co., Ltd., JP
>
>
>
> Regards,
>
> --Jason
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
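Damian's packet-size test and Jason's binning caveat, as an added example that is not part of the thread: a short Python script over constructed flow records (the IPs, ports and packet counts are made up) that strips the 28 header bytes to recover the UDP payload size, checks for the shared service port and full-frame packets that reflected amplification would produce, and shows how the reported peak rate moves with the bin width.

```python
from collections import Counter

IP_HDR, UDP_HDR = 20, 8      # header sizes the reply subtracts from 1365
FULL_FRAME = 1500            # largest IP packet that fits an Ethernet frame

# Constructed flow records, not the real attack data: (start_sec, src_ip,
# src_port, packets, bytes). Every packet is 1365 octets, as in the report.
FLOWS = [
    (0,   "192.0.2.10",   51234, 60_000_000, 60_000_000 * 1365),
    (30,  "192.0.2.11",   40001, 40_000_000, 40_000_000 * 1365),
    (70,  "198.51.100.5", 62000, 20_000_000, 20_000_000 * 1365),
    (200, "198.51.100.6", 33333, 10_000_000, 10_000_000 * 1365),
]
# Constructed reflected traffic for contrast: one service port, full frames.
REFLECTED = [
    (0, "203.0.113.7", 53, 1_000_000, 1_000_000 * 1500),
    (5, "203.0.113.8", 53, 1_000_000, 1_000_000 * 1500),
]

def udp_payload_sizes(flows):
    """Map UDP payload size -> packet count, stripping the IP and UDP headers."""
    sizes = Counter()
    for _, _, _, pkts, byts in flows:
        sizes[byts // pkts - IP_HDR - UDP_HDR] += pkts
    return sizes

def classify(flows):
    """Reflected amplification arrives from a single service port and tends
    to fill frames; attacker-chosen payloads from ephemeral ports suggest a
    botnet sending directly (the reply's 1365 - 28 = 1337 argument)."""
    shared_port = len({f[2] for f in flows}) == 1
    full_frame = any(size + IP_HDR + UDP_HDR >= FULL_FRAME
                     for size in udp_payload_sizes(flows))
    return "amplification" if shared_port or full_frame else "botnet"

def peak_gbps(flows, bin_sec):
    """Peak bit rate when each flow's bytes are credited to the bin holding
    its start time; shows why the reported peak depends on the bin width."""
    bins = Counter()
    for start, _, _, _, byts in flows:
        bins[start // bin_sec] += byts
    return max(bins.values()) * 8 / bin_sec / 1e9

if __name__ == "__main__":
    print("distinct sources:", len({f[1] for f in FLOWS}))
    print("payload sizes:", dict(udp_payload_sizes(FLOWS)))
    print("verdict:", classify(FLOWS), "/ reflected sample:", classify(REFLECTED))
    for width in (60, 240):
        print(f"peak at {width}s bins: {peak_gbps(FLOWS, width):.2f} Gbps")
```

Against the constructed flows the 60-second bins report a peak of 18.2 Gbps while 240-second bins report 5.915 Gbps for the same bytes, which is the spread Jason describes.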

