A DDoS Ransom Incident

Recently, I’ve come across a set of discussion happened on the NANOG mailing list about a DDoS ransom incident. I find it rather interesting, and summarized a few notes about this incident.

What happened?

  • A small company has received a ransom note from a very well-known group for potential DDoS attacks.
  • The magnitude could be several hundred Gbps.
  • Asked on NANOG mailing list for help.
  • The attack group could most likely to be Armada Collective
    • Primarily DNS and NTP amplicafication
    • Web requests of 80 million per hour

Suggestions from NANOG members

  • Roland Dobbins from Arbor:
    • Upstream ACL (access control list)
  • Nick:
    • If they pay the ransom:
      • the attackers can come back at any time for more.
      • making the ransom a bigger business and aflicting more companies.
  • Patrick Darden from p66:
    • Contact FBI or other law enforcement agencies
    • Contact EFF (Electronic Frontier Foundation)
  • John Kristoff from Cymru:
  • Bill Herrin from Dirtside Systems:
    • Whoever announces the prefix through BGP should be responsible for the defense
    • Cloudflare can filter web-based attacks, incapsula can take care of IP-based filtering

Summary

  • Most admins agree that there is nothing much this company can do but to ask for help from its upstream Internet provider
  • Defense attacks with such maginitude (hundreds of Gbps) at the victim side is not effective
  • There are BGP-based methods, such as RTBH (remotely-triggered black hole filtering), that can work on prefix-level filtering or redirection.
    • But this method can incur high collateral damage depends on the size of the prefixes.
    • It also requires high level of trust of this kind of collaboration (filtering traffic to downstream is not usually ecnomically benefitial to the ASes)