<div dir="ltr">Great information you have provided, the attacks have subsided since last week but have illustrated how vulnerable our upstream network is.<div><br></div><div>Andrew</div><div> </div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Wed, Apr 16, 2014 at 10:59 AM, James Braunegg <span dir="ltr"><<a href="mailto:james.braunegg@micron21.com" target="_blank">james.braunegg@micron21.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Dear Andrew<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">In short, as long as you're running BGP along with your own AS we can protect your network for free as part of our AusNOG trial.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Being single homed we would create a GRE tunnel (Between our domestic and international networks) directly to your router via your current upstream provider which allows us to advertise your IP ranges and essentially become an on demand second upstream provider for your network. <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Downside to a GRE is you still only have one upstream provider, and if your upstream interface gets targeted directly this can stop the GRE tunnel from being established, which can get tricky to mitigate.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">As for preventing your network connection from becoming saturated it is all about timing and getting real time information from your network which can be done manually or automatically.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Automatically you can send netflow/sflow/jflow or even SNMP information from your routers to our DDoS Mitigation platform which can inspect these flows continuously looking for attack traffic and automatically re-advertise more specifically the affected IP ranges across our network (Soak) which would then allow us to inspect the traffic and separate the good traffic from the bad (Scrub) where we then transparently forward this traffic back to your network via the established GRE tunnel.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Manually you would want to establish as quickly as possible what IP ranges are being targeted and then via BGP more specifically advertise the affected ranges onto our network which would relieve the stress on your network which would then allow us to Soak and Scrub your traffic and return it via the established GRE tunnel.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I have to admit however a GRE tunnel is not as nice as being directly connected (i.e. a direct physical cross connection or say a Megaport VCX virtual cross connection) which gives you a lot more flexibility, alternatively using a connection less likely to be affected with attack traffic, i.e. PIPE IX or IX peering, also works extremely well. <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I believe DDoS Mitigation is not an “on / off” type of service; you really need to evaluate the entire network which needs protection and brainstorm the best way to protect it! <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Hope this answers your questions<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Kindest Regards<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Verdana","sans-serif"">James Braunegg<br></span></b><b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">P:</span></b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""> 1300 769 972 | <b>M:</b> 0488 997 207 | <b>D:</b> (03) 9751 7616</span><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""><u></u><u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">E:</span></b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:james.braunegg@micron21.com" target="_blank"><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">james.braunegg@micron21.com</span></a></span><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""> | <b>ABN:</b> <a href="tel:12%20109%20977%20666" value="+12109977666" target="_blank">12 109 977 666</a> <br>
<b>W:</b> <a href="http://www.micron21.com/ddos-protection" target="_blank"><span style>www.micron21.com/ddos-protection</span></a> <b>T:</b> @micron21<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:8.0pt;font-family:"Verdana","sans-serif"">This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.</span><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Andrew Tschudi [mailto:<a href="mailto:andrewtschudi@gmail.com" target="_blank">andrewtschudi@gmail.com</a>] <br>
<b>Sent:</b> Wednesday, April 16, 2014 9:49 AM<br><b>To:</b> James Braunegg<br><b>Cc:</b> Mark Tees; John Wooler; <a href="mailto:ausnog@ausnog.net" target="_blank">ausnog@ausnog.net</a><br><b>Subject:</b> Re: [AusNOG] Stopping unwanted random NTP traffic<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">James, thanks for the information on NTP attacks, very interesting and informative. With your free DDoS protection can you protect a remote network which is single homed, and how do you get around the issue of our uplink connection being saturated?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Andrew<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p><div><p class="MsoNormal">On Tue, Apr 15, 2014 at 5:21 PM, James Braunegg <<a href="mailto:james.braunegg@micron21.com" target="_blank">james.braunegg@micron21.com</a>> wrote:<u></u><u></u></p>
<div><div><p>Dear All<u></u><u></u></p><p> <u></u><u></u></p><p>Thanks for the great feedback and comments. Our team has been having lots of fun helping Australian networks mitigate DDoS attacks over the last few months. In fact - in case you did not know - AusNOG members (everyone reading this) have access to our services for free via a trial period. If you’re interested please let me know. Furthermore, I'll be presenting all the results and information specifically with reference to DDoS attacks within Australia at AusNOG this year in September.<u></u><u></u></p>
<p> <u></u><u></u></p><p>I’ve also written a small blog article on NTP attacks which can be found here: <a href="http://www.micron21.com/ddos-ntp.php" target="_blank">http://www.micron21.com/ddos-ntp.php</a> which explains some ways to provide protection against inbound requests towards your network. This information has been co-compiled by Roland Dobbins and me.<u></u><u></u></p>
<p> <u></u><u></u></p><p>Kindest Regards<u></u><u></u></p><p> <u></u><u></u></p><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal"><b><span style="font-family:"Verdana","sans-serif"">James Braunegg<br>
</span></b><b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">P:</span></b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""> 1300 769 972 | <b>M:</b> 0488 997 207 | <b>D:</b> (03) 9751 7616</span><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">E:</span></b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""> </span><a href="mailto:james.braunegg@micron21.com" target="_blank"><span style="font-size:8.0pt;font-family:"Verdana","sans-serif"">james.braunegg@micron21.com</span></a><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""> | <b>ABN:</b> <a href="tel:12%20109%20977%20666" target="_blank">12 109 977 666</a> <br>
<b>W:</b> <a href="http://www.micron21.com/ddos-protection" target="_blank">www.micron21.com/ddos-protection</a> <b>T:</b> @micron21</span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Verdana","sans-serif""> </span><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p><p> <u></u><u></u></p><p> <u></u><u></u></p><p>-----Original Message-----<br>From: AusNOG [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a>] On Behalf Of Mark Tees<br>
Sent: Tuesday, April 15, 2014 4:16 PM<br>To: John Wooler<br>Cc: <a href="mailto:ausnog@ausnog.net" target="_blank">ausnog@ausnog.net</a><br>Subject: Re: [AusNOG] Stopping unwanted random NTP traffic<u></u><u></u></p><p> <u></u><u></u></p>
<p>+1 For Micron21. Service works as advertised and their staff have been very helpful in every aspect. Bonus points for getting access to the attack monitoring platform and flow data interface.<u></u><u></u></p><p> <u></u><u></u></p>
<p>On 15 Apr 2014, at 4:00 pm, John Wooler <<a href="mailto:john.wooler@exigent.com.au" target="_blank">john.wooler@exigent.com.au</a>> wrote:<u></u><u></u></p><p> <u></u><u></u></p><p>> Hi Andrew<u></u><u></u></p>
<p>> <u></u><u></u></p><p>> My personal recommendation and professional recommendation would honestly be Micron21 (based in Melbourne). <u></u><u></u></p><p>> <u></u><u></u></p><p>> Over the past month or 2 we have been using them for DDoS protection on our network in Melbourne, Brisbane & Sydney over the Megaport VCX service and by far these guys have hit the nail on the coffin when it comes to this sort of network protection. We’ve actually seen a number of DDoS attacks coming in on NTP ourselves, DNS attacks, random attacks on port 80 etc and these guys mitigate any type of attack when it comes to this type of stuff.<u></u><u></u></p>
<p>> <u></u><u></u></p><p>> There’s a few good points to list<u></u><u></u></p><p>> - All traffic stays here in Australia so no re-routing traffic to America or elsewhere around the globe…. This helps with not having to add latency for your end clients to experience & complain about.<u></u><u></u></p>
<p>> - Once an attack starts, they’re quick on the ball to detect it and alert you of the attack + monitor it as well.<u></u><u></u></p><p>> - They have the capacity to handle large attacks.<u></u><u></u></p>
<p>> - They own the equipment and have in-house certified engineers who know what they’re doing and are always willing to help out in any way.<u></u><u></u></p><p>> <u></u><u></u></p><p>> We’re using them and we’re going to continue using them for a very long time to come (probably forever to be real honest) and I couldn’t recommend them enough.<u></u><u></u></p>
<p>> <u></u><u></u></p><p>> Check out their DDoS site as well.<u></u><u></u></p><p>> <a href="http://www.micron21.com/ddos-protection.php" target="_blank">http://www.micron21.com/ddos-protection.php</a><u></u><u></u></p>
<p>> <u></u><u></u></p><p>> <u></u><u></u></p><p>> Kindest Regards,<u></u><u></u></p><p>> <u></u><u></u></p><p>> John Wooler <u></u><u></u></p><p>> Exigent Enterprise<u></u><u></u></p><p>> <u></u><u></u></p>
<p>> From: AusNOG [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">ausnog-bounces@lists.ausnog.net</a>] On Behalf Of Andrew Tschudi<u></u><u></u></p><p>> Sent: Tuesday, 15 April 2014 2:09 PM<u></u><u></u></p>
<p>> To: <a href="mailto:ausnog@ausnog.net" target="_blank">ausnog@ausnog.net</a><u></u><u></u></p><p>> Subject: [AusNOG] Stopping unwanted random NTP traffic<u></u><u></u></p><p>> <u></u><u></u></p><p>> We have been receiving unwanted inbound NTP traffic towards multiple different servers within our network. This has been creating days of pain and after liaising with our upstream provider it turns out that they have no BGP communities. Had they had BGP Communities, this would then allow me to block the traffic from reaching my routers, which are continuously being flooded. I figure, it’s now time for me to attempt to source some external help.<u></u><u></u></p>
<p>> <u></u><u></u></p><p>> Can anyone on provide any recommendations for sourcing professional services that would be trusted in advising the best way to protect and secure our network?<u></u><u></u></p><p>> <u></u><u></u></p>
<p>> Andrew<u></u><u></u></p><p>> _______________________________________________<u></u><u></u></p><p>> AusNOG mailing list<u></u><u></u></p><p>> <a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><u></u><u></u></p>
<p>> <a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><u></u><u></u></p>
</div></div></div><p class="MsoNormal"><u></u> <u></u></p></div></div></div></blockquote></div>
<br></div>
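<p>Added example, not part of the original thread and not Micron21's platform code: a sketch of the flow-based detection step James describes, which sums inbound UDP source-port-123 traffic per /24 over one export window and lists the more-specific prefixes that would be advertised toward the scrubbing provider. The customer aggregate, window length, threshold, /24 prefix length and all flow records are constructed assumptions.</p>

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration only (none of these come from the thread).
AGGREGATE = ipaddress.ip_network("198.18.0.0/22")  # constructed customer range
WINDOW_SECONDS = 60           # length of one flow-export window
THRESHOLD_BPS = 50_000_000    # NTP reply rate per prefix treated as an attack
MORE_SPECIFIC_LEN = 24        # prefix length advertised for diversion

# Constructed flow summaries for one window:
# (src_ip, src_port, dst_ip, dst_port, ip_proto, bytes)
SAMPLE_FLOWS = [
    ("192.0.2.10", 123, "198.18.1.25", 40112, 17, 210_000_000),
    ("203.0.113.7", 123, "198.18.1.25", 51877, 17, 240_000_000),
    ("192.0.2.99", 123, "198.18.1.80", 33001, 17, 90_000_000),
    ("203.0.113.50", 123, "198.18.2.5", 123, 17, 4_800),         # ordinary NTP reply
    ("192.0.2.200", 443, "198.18.3.9", 52000, 6, 900_000_000),   # TCP, not NTP
    ("192.0.2.10", 123, "10.0.0.5", 40000, 17, 500_000_000),     # outside AGGREGATE
]


def ntp_bps_by_prefix(flows, window=WINDOW_SECONDS):
    """Bits/s of UDP traffic sourced from port 123, per more-specific prefix."""
    totals = defaultdict(int)
    for _src, sport, dst, _dport, proto, nbytes in flows:
        if proto != 17 or sport != 123:
            continue  # only UDP replies from NTP servers (reflection pattern)
        if ipaddress.ip_address(dst) not in AGGREGATE:
            continue  # only destinations inside the protected range
        net = ipaddress.ip_network(f"{dst}/{MORE_SPECIFIC_LEN}", strict=False)
        totals[net] += nbytes
    return {net: nbytes * 8 / window for net, nbytes in totals.items()}


def prefixes_to_divert(flows, threshold=THRESHOLD_BPS):
    """More-specific prefixes whose NTP reply rate meets the threshold."""
    rates = ntp_bps_by_prefix(flows)
    return sorted(net for net, bps in rates.items() if bps >= threshold)


if __name__ == "__main__":
    for net in prefixes_to_divert(SAMPLE_FLOWS):
        print(f"advertise {net} toward the scrubbing provider")
```

Summing per /24 rather than per host catches an attack spread across several servers in one range, which matches the "multiple different servers" symptom reported at the start of the thread.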