Mailing List Archive

DDoS attack with blackmail
Hello

We got attacked by a group that calls themselves "Fancy Lazarus". They want
payment in BC to not attack us again. The attack was a volume attack to our
DNS and URL fetch from our webserver.

I am interested in any experience in fighting back against these guys.

Thanks,

Baldur
Re: DDoS attack with blackmail [ In reply to ]
Not this Lazarus group, I hope: https://www.bbc.co.uk/programmes/w13xtvg9

Really good podcast, BTW.

Brandon


On Thu, May 20, 2021 at 12:28 PM Baldur Norddahl <baldur.norddahl@gmail.com>
wrote:

Re: DDoS attack with blackmail [ In reply to ]
I would encourage you to contact the FBI. Another ISP told me a fairly
positive story after being in the same situation.

--TimH

On Thu, 20 May 2021 21:26:50 +0200
Baldur Norddahl <baldur.norddahl@gmail.com> wrote:

Re: DDoS attack with blackmail [ In reply to ]
On Thu, May 20, 2021 at 12:28 PM Baldur Norddahl
<baldur.norddahl@gmail.com> wrote:

If you announce your addresses with BGP then your first two calls
should be to a DDOS mitigator and the FBI. You can reclaim your
routing from the DDOS mitigator after the group gives up but should
keep the relationship with the mitigator so you can more quickly
activate it next time.

If you don't do BGP, substitute your ISP for the DDOS mitigator and
hope they're among the clueful. Call the FBI either way.

There's nothing super fancy about a DDOS mitigator. They take over
your BGP, bringing packets to them first instead of to you. They have
big enough connections to sink whatever packets the attacker sends
their way. They filter this data and then allow just the legitimate
packets to make their way over a VPN back to you.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: DDoS attack with blackmail [ In reply to ]
20 years ago I wrote an automatic teardrop attack. If your IP spammed us 5 times, then a script would run, knocking the remote host off the internet entirely.

Later I modified it to launch 1000 teardrop attacks/second…

Today, contact the FBI.

And get a mitigation service above your borders if you can.


—L.B.

Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
6x7 Networks & 6x7 Telecom, LLC
CEO
lb@6by7.net
"The only fully end-to-end encrypted global telecommunications company in the world."
FCC License KJ6FJJ

> On May 20, 2021, at 12:26 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
RE: DDoS attack with blackmail [ In reply to ]
I also recommend the book The Art of War by Sun Tzu.

All the answers to your questions are in that book.

Jean

From: NANOG <nanog-bounces+jean=ddostest.me@nanog.org> On Behalf Of Lady Benjamin Cannon of Glencoe, ASCE
Sent: May 20, 2021 7:18 PM
To: Baldur Norddahl <baldur.norddahl@gmail.com>
Cc: NANOG Operators' Group <nanog@nanog.org>
Subject: Re: DDoS attack with blackmail
RE: DDoS attack with blackmail [ In reply to ]
Some industries can’t afford that extra delay by DDoS mitigation vendors.

The video game industry is one of them and there might be others that can’t tolerate these extra ms: telemedicine, video-conference, fintech, etc.

As a side note, my former employer in video games was bidding for these vendors offering DDoS protection. While bidding, we were hit with abnormal patterns. As soon as we chose one vendor, those very tricky DDoS patterns stopped.

I am not saying they are working on both sides, but still the coincidence was interesting. In the end, we never used them because they were not able to perfectly block the threat without impacting all the other projects.

I think these mitigators are nice to have as a very last resort. I believe what is more important for Network Operators is: to be aware of this, to be able to detect it, mitigate it and/or minimize the impact. It’s like magic, where did that rabbit go?

The Art of War taught me everything there is to know about DDoS attacks even if it was written some 2500 years ago.

I suspect that the attack that impacted Baldur’s assets was a very easy DDoS to detect and block, but can’t confirm.

@Baldur: do you care to share some metrics?

Jean

From: NANOG <nanog-bounces+jean=ddostest.me@nanog.org> On Behalf Of Jean St-Laurent via NANOG
Sent: May 21, 2021 10:52 AM
To: 'Lady Benjamin Cannon of Glencoe, ASCE' <lb@6by7.net>; 'Baldur Norddahl' <baldur.norddahl@gmail.com>
Cc: 'NANOG Operators' Group' <nanog@nanog.org>
Subject: RE: DDoS attack with blackmail
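The "detect it" step Jean asks for, applied to the two traffic types Baldur reported (a volumetric DNS flood and a URL-fetch flood against a web server), as an added example that is not code from this thread or from any poster; the log line format, the traffic and the thresholds are all constructed for illustration, so adapt the parsers to your resolver's and web server's real log formats.

```python
"""Rate-based detection for the two floods described in this thread: a
volumetric DNS query flood and a web server "URL fetch" flood.
Added example, not code from the thread; the log format, the traffic and
the thresholds below are all constructed/assumed for illustration."""
from collections import Counter, defaultdict

BASE_TS = 1621540800  # constructed epoch seconds, 2021-05-20 (UTC)


def build_dns_sample():
    """Constructed DNS query log, one query per line:
    '<epoch> <client_ip> <qname> <qtype>'.
    Seconds 0-1 are baseline (5 qps); seconds 2-4 are a 300 qps flood of
    never-repeated subdomains from three client addresses."""
    lines = []
    for sec in range(2):
        for i in range(5):
            lines.append(f"{BASE_TS + sec} 198.51.100.{10 + i} www.example.net A")
    for sec in range(2, 5):
        for i in range(300):
            src = f"203.0.113.{5 + i % 3}"
            # Deterministic pseudo-random label: an odd multiplier mod 2^32 is
            # a bijection, so every label within a second is distinct.
            label = format((sec * 300 + i) * 2654435761 & 0xFFFFFFFF, "08x")
            lines.append(f"{BASE_TS + sec} {src} {label}.example.net A")
    return lines


def parse_dns(lines):
    """Return (epoch, client_ip, qname) tuples, skipping malformed lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append((int(parts[0]), parts[1], parts[2]))
    return records


def dns_flood_seconds(records, qps_threshold=100, unique_ratio=0.8):
    """Flag each second whose query count is at or above qps_threshold.
    Each verdict also reports how concentrated the sources are and the
    fraction of distinct names: a flood of never-repeated names is the
    pattern that bypasses resolver caches and lands on the authoritative
    server directly, so it is worth separating from a plain repeat flood."""
    per_second = defaultdict(list)
    for ts, src, qname in records:
        per_second[ts].append((src, qname))
    alerts = {}
    for ts, entries in sorted(per_second.items()):
        qps = len(entries)
        if qps < qps_threshold:
            continue
        sources = Counter(src for src, _ in entries)
        distinct = len({qname for _, qname in entries}) / qps
        alerts[ts] = {
            "qps": qps,
            "top_src_share": sources.most_common(1)[0][1] / qps,
            "unique_name_ratio": distinct,
            "random_subdomain": distinct >= unique_ratio,
            "top_sources": [src for src, _ in sources.most_common(3)],
        }
    return alerts


def build_http_sample():
    """Constructed access log: '<epoch> <client_ip> <method> <path> <status>'.
    Ten seconds of light browsing plus one client fetching the same
    uncacheable URL 60 times inside those ten seconds."""
    lines = [f"{BASE_TS + s} 198.51.100.{20 + s % 4} GET /index.html 200" for s in range(10)]
    lines += [f"{BASE_TS + i // 6} 203.0.113.9 GET /search?q=x 200" for i in range(60)]
    return lines


def http_flood_sources(lines, window=10, threshold=50):
    """Sliding-window per-source request counter. Returns
    {client_ip: (max_requests_in_window, most_requested_path)} for every
    client that reached `threshold` requests inside any `window` seconds."""
    by_src = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        by_src[parts[1]].append((int(parts[0]), parts[3]))
    flagged = {}
    for src, reqs in by_src.items():
        reqs.sort()
        lo = 0
        for hi in range(len(reqs)):
            while reqs[hi][0] - reqs[lo][0] >= window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold and count > flagged.get(src, (0, ""))[0]:
                path = Counter(p for _, p in reqs[lo:hi + 1]).most_common(1)[0][0]
                flagged[src] = (count, path)
    return flagged


if __name__ == "__main__":
    for sec, verdict in dns_flood_seconds(parse_dns(build_dns_sample())).items():
        print(f"DNS flood at t={sec - BASE_TS}s: {verdict}")
    for src, (count, path) in http_flood_sources(build_http_sample()).items():
        print(f"HTTP flood from {src}: {count} requests for {path} in 10 s")
```

The per-second and per-source figures these functions return are the kind of metrics Jean asks Baldur for, and they are also what a mitigation provider or ISP will ask for when you call them.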
Re: DDoS attack with blackmail [ In reply to ]
DDoS Attack Preparation Workbook
https://www.senki.org/ddos-attack-preparation-workbook/


> On May 20, 2021, at 12:26 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
Re: DDoS attack with blackmail [ In reply to ]
While I have no desire to engage in an over-email argument over how much
latency people can actually tolerate, I will simply state that most people
have a very poor understanding of it and how much additional latency is
really introduced by DDoS mitigation.

As for implying that DDoS mitigation companies are complicit or involved in
attacks, while not the first time I heard that crap, it's pretty offensive
to those that work long hours for years dealing with the garbage. If you
honestly believe anyone you're dealing with is involved with launching
attacks, you clearly have not done your research into potential partners.

On Sat., May 22, 2021, 11:20 a.m. Jean St-Laurent via NANOG, <
nanog@nanog.org> wrote:
Re: DDoS attack with blackmail [ In reply to ]
Jim,

While I don't envy those who put in long hours to mitigate DDoSes at the
11th hour, the security industry as a whole, DDoS mitigation included,
doesn't have a perfectly clean track record. Public court records offer
plenty of evidence, and convictions from foul play while trying to win bids.

An individual I worked with previously personally handled a long, drawn out
DDoS event that was ultimately perpetrated by a security contractor bidding
for a job (I didn't work it personally, but it was a frequent topic of
discussion while it was ongoing). Fortunately, after subsequent months of
law enforcement investigation, the contractor was brought up on charges.

It's definitely not "crap", it's a fact, albeit not necessarily common.

-Matt

On Mon, May 24, 2021 at 10:38 AM jim deleskie <deleskie@gmail.com> wrote:

--
Matt Erculiani
ERCUL-ARIN
Re: DDoS attack with blackmail [ In reply to ]
I can also name one recent instance in which a client of mine was without
doubt DDoS'd by a mitigation provider they were getting a quote from, and
sadly this didn't even end up being the worst of the behavior we had to
deal with from them before ultimately terminating our contract with them.
It's not surprising either, if you look into the history of the
owner/founder (hint: FBI serving warrants for cybercrime). The security
sector is sadly rife with this crap in my experience.

On Mon, May 24, 2021, 12:59 PM Matt Erculiani <merculiani@gmail.com> wrote:
RE: DDoS attack with blackmail [ In reply to ]
I don’t believe that these companies are complicit at a high level.

My guess is that there are some business salesmen working there who need to fulfill their monthly quota of new clients.

What is usually common is that when faced by a DDoS for the first time without the proper tooling, it sounds like it’s an impossible task to solve. The knowledge on the internet is pretty limited on the topic.

It takes months and sometimes years to configure all the DDoS gates. Rolland’s ppt is a nice place to start as it has valuable knowledge. It’s just tough to figure out what is best for you.

The truth is, it will be more beneficial to your organisation in the medium/long term if you start learning and improving your DDoS defenses now than to rely 100% on DDoS mitigators.

These companies are fantastic when you protect slow assets like credit card transactions. The customer doesn’t really care if his transaction to validate the CC takes 4 seconds instead of 3.

In the end, DDoS mitigation is not more complex than what you are used to doing daily. Protect your routers, protect the control-plane, protect the SSH lines, etc. It’s just a different kind of protection.

Let me know if you need some advice or hints, because I’ve spent some freaking long hours fighting them and together we have a better chance to win and not pay ransom from blackmail.

I don’t have all the answers on DDoS, but maybe I have the one that you are looking for.

The moment you become very resilient to DDoS attacks, your customers will thank you, and so will the support staff who will see the DDoS bounce like mosquitoes on the windshield of your car at 90 mph.

Start learning now and start improving your DDoS defenses. This won’t go away anytime soon.

Jean

From: jim deleskie <deleskie@gmail.com>
Sent: May 24, 2021 12:38 PM
To: Jean St-Laurent <jean@ddostest.me>
Cc: NANOG Operators' Group <nanog@nanog.org>
Subject: Re: DDoS attack with blackmail
Re: DDoS attack with blackmail [ In reply to ]
Hey,

Did you get the promised attack, 1 week after the notice?

Today we've been warned and got some UDP flood for 3 hours.

On Tue, May 25, 2021 at 2:14 PM Jean St-Laurent via NANOG <nanog@nanog.org>
wrote:

> I don’t believe that these companies are complicit at high level.
>
> My guess is that there are some business salesmen working there that needs
> to fulfill their monthly quota of new clients.
>
>
>
> What is usually common, is that when face by a DDoS for the first time
> without the proper tooling, it sounds like it’s an impossible task to
> solve. The knowledge on internet is pretty limited on the topic.
>
> It takes months and sometimes years to configure all the DDoS gates.
> Rolland’s ppt is a nice place to start as it has valuable knowledge. It’s
> just tough to figure out what is best for you.
>
>
>
> The truth is, it will be more beneficial to your organisation in the
> medium/long term if you start learning and improving your DDoS defenses now
> than to rely 100% on DDoS mitigators.
>
> These companies are fantastic when you protect slow assets like Credit
> card transactions. The customer don’t really care if his transaction to
> validate the CC takes 4 seconds instead of 3.
>
>
>
> In the end, DDoS mitigations is not more complex than what you are used to
> do daily. Protect your routers, protect the control-plane, protect the SSH
> lines, etc. It’s just a different kind of protections.
>
>
>
> Let me know if you need some advices or hints, because I’ve spent some
> freaking long hours fighting them and together we have a better chance to
> win and not pay ransom from blackmails.
>
> I don’t have all the answers on DDoS, but maybe I have the one that you
> are looking for.
>
>
>
> The moment you become very resilient to DDoS attacks, your customers will
> thank you and also support staff that will see the DDoS bounce like
> mosquitoes on the windshield of your car at 90 Mph.
>
>
>
> Start learning now and start improving your DDoS. This won’t go away
> anytime soon.
>
>
>
> Jean
>
>
>
>
>
> *From:* jim deleskie <deleskie@gmail.com>
> *Sent:* May 24, 2021 12:38 PM
> *To:* Jean St-Laurent <jean@ddostest.me>
> *Cc:* NANOG Operators' Group <nanog@nanog.org>
> *Subject:* Re: DDoS attack with blackmail
>
>
>
> While I have no design to engage in over email argument over how much
> latency people can actually tolerate, I will simply state that most people
> have a very poor understanding of it and how much additional latency is
> really introduced by DDoS mitigation.
>
>
>
> As for implying that DDoS mitigation companies are complicit or involved
> in attacks, while not the first time i heard that crap it's pretty
> offensive to those that work long hours for years dealing with the
> garbage. If you honestly believe anyone your dealing with is involved with
> launching attacks you clearly have not done your research into potential
> partners.
>
>
>
>
>
>
>
> On Sat., May 22, 2021, 11:20 a.m. Jean St-Laurent via NANOG, <
> nanog@nanog.org> wrote:
>
> Some industries can’t afford that extra delay by DDoS mitigation vendors.
>
> The video game industry is one of them and there might be others that
> can’t tolerate these extra ms: telemedicine, video-conference, fintech, etc.
>
> As a side note, my former employer in video games was bidding for these
> vendors offering DDoS protection. While bidding, we were hit with abnormal
> patterns. As soon as we chose one vendor, those very tricky DDoS patterns
> stopped.
>
> I am not saying they are working on both sides, but still the coincidence
> was interesting. In the end, we never used them because they were not able
> to perfectly block the threat without impacting all the other projects.
>
> I think these mitigators are nice to have as a very last resort. I believe
> what is more important for Network Operators is: to be aware of this, to be
> able to detect it, mitigate it and/or minimize the impact. It’s like magic,
> where did that rabbit go?
>
> The Art of War taught me everything there is to know about DDoS attacks
> even if it was written some 2500 years ago.
>
> I suspect that the attack that impacted Baldur’s assets was a very easy
> DDoS to detect and block, but can’t confirm.
>
> @Baldur: do you care to share some metrics?
>
> Jean
>
> *From:* NANOG <nanog-bounces+jean=ddostest.me@nanog.org> *On Behalf Of *Jean
> St-Laurent via NANOG
> *Sent:* May 21, 2021 10:52 AM
> *To:* 'Lady Benjamin Cannon of Glencoe, ASCE' <lb@6by7.net>; 'Baldur
> Norddahl' <baldur.norddahl@gmail.com>
> *Cc:* 'NANOG Operators' Group' <nanog@nanog.org>
> *Subject:* RE: DDoS attack with blackmail
>
> I also recommend the book The Art of War by Sun Tzu.
>
> All the answers to your questions are in that book.
>
> Jean
>
> *From:* NANOG <nanog-bounces+jean=ddostest.me@nanog.org> *On Behalf Of *Lady
> Benjamin Cannon of Glencoe, ASCE
> *Sent:* May 20, 2021 7:18 PM
> *To:* Baldur Norddahl <baldur.norddahl@gmail.com>
> *Cc:* NANOG Operators' Group <nanog@nanog.org>
> *Subject:* Re: DDoS attack with blackmail
>
> 20 years ago I wrote an automatic teardrop attack. If your IP spammed us
> 5 times, then a script would run, knocking the remote host off the internet
> entirely.
>
> Later I modified it to launch 1000 teardrop attacks/second…
>
> Today, contact the FBI.
>
> And get a mitigation service above your borders if you can.
>
> —L.B.
>
> Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
> 6x7 Networks & 6x7 Telecom, LLC
> CEO
> lb@6by7.net
> "The only fully end-to-end encrypted global telecommunications company in
> the world."
> FCC License KJ6FJJ
>
> On May 20, 2021, at 12:26 PM, Baldur Norddahl <baldur.norddahl@gmail.com>
> wrote:
>
> Hello
>
> We got attacked by a group that calls themselves "Fancy Lazarus". They
> want payment in BC to not attack us again. The attack was a volume attack
> to our DNS and URL fetch from our webserver.
>
> I am interested in any experience in fighting back against these guys.
>
> Thanks,
>
> Baldur
>
Re: DDoS attack with blackmail [ In reply to ]
I’m also curious if they did as promised.

I read this today:
https://beta.darkreading.com/threat-intelligence/-fancy-lazarus-criminal-group-launches-ddos-extortion-campaign

Best.

On Wed, Jun 9, 2021 at 8:35 AM Edvinas Kairys <edvinas.email@gmail.com>
wrote:

> Hey,
>
> Did you get the attack promised, 1 week after the notice?
>
> Today we've been warned and got some UDP flood for 3 hours.
>
--
Brandon Svec
15106862204