[Outages-discussion] What Dyn IPs to look for in netflow?

Andrew Smith andrew.william.smith at gmail.com
Mon Oct 24 15:34:38 EDT 2016


I'd caution against assuming that a significant spike in requests per
second to affected Dyn servers was definitely part of the attack. As long
as resolvers were receiving SERVFAILs and timeouts, they'll be generating
an abnormally large amount of retries.

Andrew

On Mon, Oct 24, 2016 at 12:04 PM, Outages <virendra.rode at outages.org> wrote:

> See if this helps,
>
> https://labs.ripe.net/Members/massimo_candela/a-quick-look-
> at-the-attack-on-dyn
>
> --
> regards,
> /vrode
>
> On Oct 22, 2016, at 6:48 PM, Charles Sprickman <spork at bway.net> wrote:
>
> I wanted to poke through our netflow data from Friday to see if any
> customers were involved.  Do we have any idea which Dyn IPs were being hit
> in the east coast attack?
>
> I’ve been poking around with sorting by packet count to UDP 53, but I’m
> not even sure this was an application level or volumetric attack.   Nothing
> is standing out (yet)…
>
> Thanks,
>
> Charles
> --
> Charles Sprickman
> NetEng/SysAdmin
> Bway.net - New York's Best Internet www.bway.net
> spork at bway.net - 212.982.9800
>
>
>
> _______________________________________________
> Outages-discussion mailing list
> Outages-discussion at outages.org
> https://puck.nether.net/mailman/listinfo/outages-discussion
>
>
> _______________________________________________
> Outages-discussion mailing list
> Outages-discussion at outages.org
> https://puck.nether.net/mailman/listinfo/outages-discussion
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/outages-discussion/attachments/20161024/552971ee/attachment.html>


More information about the Outages-discussion mailing list