<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Speaking of cleaning it close to the
source.<br>
Generally this stuff is coming from end users. Perhaps ISPs
should take up some role in this fight, carrying attack traffic
does them no favours either.<br>
How many have implemented RFC 2827 or similar?<br>
Perhaps some automated method of reporting compromised hosts or
hosts participating in attacks, get enough reports and the ISP
might do something.<br>
<br>
Really what it all boils down to is at some point there needs to
be a mechanism to get broken devices off the internet, and ISPs
are the only group with the power to do that short of government.<br>
Govt could create a dept who received reports, worked with ISPs
to ID compromised hosts while maintaining everybody's privacy and
generally being a smoothly run operation.<br>
That won't happen though, they will try and pass the buck onto
ISPs to do the whole thing, mandating deep packet inspection and
all and generally make a mess of it I'd bet.<br>
<br>
On 27/10/16 20:57, James Braunegg wrote:<br>
</div>
<blockquote
cite="mid:21b94555ecb54dc68dd713afc16703c0@EX-01.m21.local"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">3). Business models will likely need to
change or volumes will need to be better supported; there are
various ways to solve this from routing most services through
ddos protection or perhaps just outstripping ddos volumes by
having so much surplus capacity it isn't a concern (whilst
this may not often be feasible or economical) it seems that is
the way things are moving. Buy Scale, Build Scale, or eat the
ddos.<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US">Yum….
Yum… Yum Packets for Dinner anyone ??<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US">With
the price of international IP transit from major carriers
around the world below $0.40 cents per mbit the cost of
bandwidth has dropped a lot….The only costly part to the
equation is bringing unwanted dirty traffic back to
Australia.. (but why do that) much easier to clean unwanted
traffic as close to the source as possible if you have the
technology.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US">On
a side note….What I do find interesting is I saw no abnormal
traffic on large global peering exchange graphs during this
attack….. ie <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US"><a
moz-do-not-send="true"
href="https://ams-ix.net/technical/statistics">https://ams-ix.net/technical/statistics</a>
and
<a moz-do-not-send="true"
href="https://www.de-cix.net/en/locations/germany/frankfurt/statistics">https://www.de-cix.net/en/locations/germany/frankfurt/statistics</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US">So
where did the traffic come from……<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US">Kindest
Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Verdana",sans-serif;color:black"
lang="EN-US">James Braunegg<br>
</span></b><b><span
style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black"
lang="EN-US">P:</span></b><span
style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black"
lang="EN-US"> 1300 769 972 |
<b>M:</b> 0488 997 207 | <b>D:</b> (03) 9751 7616<o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black"
lang="EN-US">E:</span></b><span
style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black"
lang="EN-US">
</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"
lang="EN-US"><a moz-do-not-send="true"
href="mailto:james.braunegg@micron21.com"><span
style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black">james.braunegg@micron21.com</span></a></span><span
style="font-size:8.0pt;font-family:"Verdana",sans-serif;color:black"
lang="EN-US"> | <b>ABN:</b> 12 109 977 666 <br>
<b>W:</b> <a moz-do-not-send="true"
href="http://www.micron21.com/ddos-protection"><span
style="color:black">www.micron21.com/ddos-protection</span></a>
<b>T:</b> @micron21<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> AusNOG
[<a class="moz-txt-link-freetext" href="mailto:ausnog-bounces@lists.ausnog.net">mailto:ausnog-bounces@lists.ausnog.net</a>]
<b>On Behalf Of </b>Phillip Grasso<br>
<b>Sent:</b> Thursday, 27 October 2016 6:58 PM<br>
<b>To:</b> Peter Tiggerdine <a class="moz-txt-link-rfc2396E" href="mailto:ptiggerdine@gmail.com"><ptiggerdine@gmail.com></a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
<b>Subject:</b> Re: [AusNOG] The shape of DDoS to come<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">I am guessing (e.g. no real analysis done
here) if we 'normalize' the size of this attack, it probably
isn't too dissimilar to previous DDoS volume to backbone
sizes. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">We'll probably need a multilateral
approach to solving or at least mitigating the severity of
the attacks; <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">1) Sure would be nice if IoT or
whatever they want to call themselves devices were secured
and regularly patched etc, but that's an uphill battle in
itself. There should be an effort to put some form of
minimum certification and open set of libraries the
manufacturers could get to patch / push updates if not
already existing. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">2). Networks need to get more
intelligent and coordinated. Detection and a trusted
method to share attack vectors so that response could
happen faster and improve detection. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">3). Business models will likely need
to change or volumes will need to be better supported;
there are various ways to solve this from routing most
services through ddos protection or perhaps just
outstripping ddos volumes by having so much surplus
capacity it isn't a concern (whilst this may not often be
feasible or economical) it seems that is the way things
are moving. Buy Scale, Build Scale, or eat the ddos.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 27 October 2016 at 12:15, Peter
Tiggerdine <<a moz-do-not-send="true"
href="mailto:ptiggerdine@gmail.com" target="_blank">ptiggerdine@gmail.com</a>>
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p class="MsoNormal">Reading both articles seems to give
a lot of "creative license" to the term IoT. This is
the problem with journos today, facts from credible
and verifiable sources seems to be not a requirement
anymore. At least Ars mentioned it in the article, but
it begs the question why print it? <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">DVR and IP cameras aren't IoT.
We've had both of those long before the term IoT
existed. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Unpatched home routers are likely
to make up the bulk of the traffic <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Peter Tiggerdine<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">GPG Fingerprint: 2A3F
EA19 F6C2 93C1 411D 5AB2 D5A8 E8A8 0E74
6127<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">On Thu, Oct 27, 2016 at 10:45
AM, Nick Stallman <<a moz-do-not-send="true"
href="mailto:nick@agentpoint.com"
target="_blank">nick@agentpoint.com</a>>
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">Yes there is.<br>
There are a few keywords to focus on however.<br>
<br>
Like 'part'. Technically if just a single IoT
device was part of the attack then the media
will say it was an IoT attack.<br>
<br>
And 'device'. If you start calling security
DVRs IoT devices (arguably they aren't, they
are a server) then yep a few thousand of them
took part.<br>
<br>
I could be wrong but my impression was the
bulk was traditional DDoS and not mostly IoT.<br>
<br>
On 27/10/16 11:17, Peter Tiggerdine wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0cm 0cm 0cm
6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">Is there any evidence to
suggest that IoT devices played a part on
this DDoS? My understanding is we're still
dealing with the same problem as ever;
unpatched/secured desktops/routers/switches
which when you consider how accessible large
amounts of bandwidth is explain the increase
in DDoS size.<br>
<br>
Most IoT devices don't have enough CPU power to
contribute more than 1K sustained. Doesn't
mean there's not a lot to be done in the
security space with IoT, just means there's
better targets with greater return.<br>
<br>
Regards,<br>
<br>
Peter Tiggerdine<br>
<br>
GPG Fingerprint: 2A3F EA19 F6C2 93C1 411D
5AB2 D5A8 E8A8 0E74 6127<br>
<br>
On Thu, Oct 27, 2016 at 9:54 AM, <a
moz-do-not-send="true"
href="mailto:mike@thebibers.com"
target="_blank">
mike@thebibers.com</a> <mailto:<a
moz-do-not-send="true"
href="mailto:mike@thebibers.com"
target="_blank">mike@thebibers.com</a>>
<<a moz-do-not-send="true"
href="mailto:mbiber@ipv6forum.com.au"
target="_blank">mbiber@ipv6forum.com.au</a>
<mailto:<a moz-do-not-send="true"
href="mailto:mbiber@ipv6forum.com.au"
target="_blank">mbiber@ipv6forum.com.au</a>>>
wrote:<br>
<br>
IPv6 with mandatory IPsec Authentication
through filtering engines?<br>
<br>
Michael Biber<br>
IPv6Now<br>
<a moz-do-not-send="true"
href="http://6now.net" target="_blank">6now.net</a>
<<a moz-do-not-send="true"
href="http://6now.net" target="_blank">http://6now.net</a>><br>
<a moz-do-not-send="true"
href="tel:0412058808" target="_blank">0412058808</a>
<tel:<a moz-do-not-send="true"
href="tel:0412058808" target="_blank">0412058808</a>><br>
<br>
<br>
On 27 Oct 2016 10:03 AM, "Paul Wilkins"
<<a moz-do-not-send="true"
href="mailto:paulwilkins369@gmail.com"
target="_blank">paulwilkins369@gmail.com</a><br>
<mailto:<a moz-do-not-send="true"
href="mailto:paulwilkins369@gmail.com"
target="_blank">paulwilkins369@gmail.com</a>>>
wrote:<br>
<br>
After Mirai's 1.2Tbps, which is
pretty much unmitigateable,<br>
perhaps time for the industry to
realise that IoT means we've<br>
arrived at a new age of DDoS. If
this is the shape of things<br>
to come, where do we go from here?<br>
<br>
Kind regards<br>
<br>
Paul Wilkins<br>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a moz-do-not-send="true"
href="mailto:AusNOG@lists.ausnog.net"
target="_blank">AusNOG@lists.ausnog.net</a>
<mailto:<a moz-do-not-send="true"
href="mailto:AusNOG@lists.ausnog.net"
target="_blank">AusNOG@lists.ausnog.net</a>><br>
<a moz-do-not-send="true"
href="http://lists.ausnog.net/mailman/listinfo/ausnog"
target="_blank">
http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<<a moz-do-not-send="true"
href="http://lists.ausnog.net/mailman/listinfo/ausnog"
target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>><br>
<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="color:#888888"><br>
<span class="m8981336766756662619hoenzb">--
</span><br>
<span class="m8981336766756662619hoenzb">Nick
Stallman</span><br>
<span class="m8981336766756662619hoenzb">Technical
Director</span><br>
<span class="m8981336766756662619hoenzb">Agentpoint
Pty Ltd</span><br>
<span class="m8981336766756662619hoenzb">The
Real Estate Web Developers</span><br>
<span class="m8981336766756662619hoenzb">Melbourne
| Sydney | Miami</span><br>
<span class="m8981336766756662619hoenzb"><a
moz-do-not-send="true"
href="mailto:nick@agentpoint.com"
target="_blank">nick@agentpoint.com</a></span><br>
<span class="m8981336766756662619hoenzb"><a
moz-do-not-send="true"
href="http://www.agentpoint.com.au"
target="_blank">www.agentpoint.com.au</a>
|
<a moz-do-not-send="true"
href="http://www.zooproperty.com"
target="_blank">www.zooproperty.com</a>
| <a moz-do-not-send="true"
href="http://www.ginga.com.au"
target="_blank">
www.ginga.com.au</a> | <a
moz-do-not-send="true"
href="http://www.business2.com.au"
target="_blank">www.business2.com.au</a></span><br>
</span><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
<p><br>
</p>
</body>
</html>