[nsp-sec] Recent 20 Gbps microburst DoS attack
Barry Raveendran Greene
bgreene at senki.org
Fri Dec 22 00:14:51 EST 2017
TLP?
Can I share with our TLP:RED team in Akamai? I think we might be able to see something.
> On Dec 21, 2017, at 17:47, J. Chambers <jchambers at ucla.edu> wrote:
>
> ----------- nsp-security Confidential --------
>
> Sharing this FWIW, the sources may be real amplifiers and not spoofed.
>
> We had a UDP DoS attack against 164.67.228.152 on 2017/12/19 at 23:49.
> The peak of the attack was from 23:49 to 23:56 and sharply decreased
> afterwards.
>
> It looks like two micro bursts with ~3100+ source attackers (see
> attached). Depending on how you bin the flows it was between 11 Gbps and 24
> Gbps.
>
> 23:49:00 - 23:50:00 23.97 Gbps
> 23:53:00 - 23:57:00 11.01 Gbps
>
> This caused one of our iBGP sessions to flap, even with CoPP deployed.
> (maybe this can be tuned more)
>
>
> Timeline:
>
> 15:49 PDT -- DoS attack starts, ~11-23 Gbps
> 15:57 PDT -- attack rate reduces to ~750 Mbps
> 15:58 PDT -- attack rate reduces to ~85 Mbps
> 16:01 PDT -- attack rate reduces to ~23 Mbps
> 16:07 PDT -- attack rate drops below 0.001 Mbps
> 16:57 PDT -- attack stops
>
>
>
> A full list of sources is attached.
>
>
> Top src ASNs:
>
> 835 CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP, EC
> 392 OCN NTT Communications Corporation, JP
> 278 ROSTELECOM-AS, RU
> 173 JTCL-JP-AS Jupiter Telecommunication Co. Ltd, JP
> 149 MALFIK, UA
> 139 Telefonica del Peru S.A.A., PE
> 131 MCLAUT-AS, UA
> 108 K-OPTICOM K-Opticom Corporation, JP
> 104 GIGAINFRA Softbank BB Corp., JP
> 80 ZAQ Jupiter Telecommunications Co., Ltd., JP
>
>
>
> Regards,
>
> --Jason
> <UDP_DoS_2017-12-18T23__rate_per_60s_uniq_src_cnt.txt>
> <UDP_DoS_2017-12-18T23.txt>
> <UDP_DoS_2017-12-18T23_asn.txt>
> <UDP_DoS_2017-12-18T23_asn_summary.txt>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
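
The quoted report notes that the measured rate depends on how the flows are binned. As an added example that is not part of the original thread or its attachments, this sketch bins flow records at two widths and reports the rate and unique source count per bin. The record layout, function names and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (NOT from the attachments): (src, start_s, end_s, bytes).
# Sources are RFC 5737 documentation addresses; times are seconds from window start.
FLOWS = [
    ("192.0.2.10", 0, 60, 150_000_000_000),
    ("192.0.2.11", 50, 70, 10_000_000_000),
    ("198.51.100.7", 240, 480, 330_000_000_000),
    ("203.0.113.5", 300, 300, 1500),  # zero-duration record, common in flow exports
]

def bin_flows(flows, bin_s):
    """Return {bin_index: (gbps, unique_src_count)} for bins of bin_s seconds.

    A flow's bytes are spread uniformly over its duration, so a flow that
    crosses a bin edge contributes proportionally to each bin it touches.
    """
    octets = defaultdict(float)
    sources = defaultdict(set)
    for src, start, end, nbytes in flows:
        if end <= start:  # zero-length flow: all bytes land in one bin
            idx = start // bin_s
            octets[idx] += nbytes
            sources[idx].add(src)
            continue
        t = start
        while t < end:
            idx = t // bin_s
            edge = min((idx + 1) * bin_s, end)
            octets[idx] += nbytes * (edge - t) / (end - start)
            sources[idx].add(src)
            t = edge
    return {i: (octets[i] * 8 / bin_s / 1e9, len(sources[i])) for i in sorted(octets)}

def peak_gbps(flows, bin_s):
    """Highest per-bin rate seen at this bin width."""
    return max(rate for rate, _ in bin_flows(flows, bin_s).values())

if __name__ == "__main__":
    for width in (60, 240):
        print(f"{width:>3}s bins: peak {peak_gbps(FLOWS, width):.2f} Gbps")
        for i, (rate, nsrc) in bin_flows(FLOWS, width).items():
            print(f"  t={i * width:>3}s  {rate:6.2f} Gbps  {nsrc} src")
```

With the constructed input, the same traffic peaks near 20.7 Gbps in 60-second bins and 11 Gbps in 240-second bins, because the wider bin averages the short burst with the quiet time after it.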