Share your attack dumps

Apr 19, 2016
Hi Guys,
in order to keep the community updated with new attack trends, why not, every time we see an attack bypassing provider protection, share a dump of the attack here?
It can help anyone to update their filters.

Any dump will be much appreciated by the community (and me ;) )
 

panteL

Restricted
Mar 17, 2016
It's wasted time :p If you have issues with your filters, just ask a member to solve the problem. We don't need a thread for this (I think). Sorry bra :)
 
Apr 19, 2016
It's wasted time :p If you have issues with your filters, just ask a member to solve the problem. We don't need a thread for this (I think). Sorry bra :)

I doubt that someone here can really manage our equipment :D

By the way, we received 3500 DDoS attacks in the last 2 months and got a good view of new trends, BUT DDoS mitigation is an art in continuous evolution, and every day new attacks are discovered.

One man or a single company can't know all attack trends, but a "community share" can improve things a lot.

I don't have a specific problem, but knowing new DDoS trends before they reach our filters allows everyone in the community to update their solutions.
 

Rijndael

Member
Mar 12, 2016
How could this be of any help to others? If I'm not mistaken, you are a seflow employee, which if I recall correctly doesn't provide any public filtering method. So you are willing to provide public filtering methods (and thus probably lose money and clients)? I doubt it.
 
Apr 19, 2016
How could this be of any help to others? If I'm not mistaken, you are a seflow employee, which if I recall correctly doesn't provide any public filtering method. So you are willing to provide public filtering methods (and thus probably lose money and clients)? I doubt it.

Because everyone can catch a dump of an attack and update their filters, and because someone can share their filters, etc.

Yes, I'm head of the SOC dept. at SeFlow. I think that great protection is in place only if all components are set up perfectly. It is useless to have great bandwidth, great filters and a VM/server with bad parameters. I mean, you receive 2Gbps of SYN... most is filtered by the protection and the server receives only 10Mbps... if it is not set up correctly the service becomes unresponsive...

This is why I'm asking around for dumps of attacks:
1) To optimize our filters
2) We started a security blog where we give tips to set up networks/servers correctly.

An example:
SYNPROXY setup: http://www.seflow.net/2/index.php/en/blog/synproxy-module-protect-yourself-by-syn-flood
BOGON Filters: http://www.seflow.net/2/index.php/en/blog/filter-bogon-prefixes-to-alleviate-spoofed-ddos

Yes, we will not share our main filter configuration or network setup, but we're not monsters, and I built my skills with a mix of internet how-tos and experience; now it is time to give it back :)

My attack log is like 2 GB a month or so xD

You don't need to post the entire dump, just a few packets are enough.
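As an added example (not SeFlow's code and not the content of the linked articles), the following Python script applies the bogon-filter idea from the second link to a small constructed tcpdump-style sample: it flags SYN packets whose source address lies in a reserved or special-purpose prefix, which spoofed floods commonly use, and renders the matching iptables drop rules for an ingress interface. The prefix list, the sample lines, the interface name eth0 and the address 203.0.114.5 (a placeholder standing in for an ordinary routable client) are all assumptions made for this example.

```python
"""Bogon source filter check over a tcpdump-style sample.

Added example: not SeFlow's code and not the linked article's. It flags
packets whose source address sits in an IANA reserved / special-purpose
prefix (such sources cannot legitimately arrive on a public interface, so
they are a hallmark of spoofed floods) and renders iptables drop rules.
"""
import ipaddress
from collections import Counter

# Common IPv4 bogon prefixes (RFC 1122/1918/5737/6598, link-local,
# multicast, class E). Not a complete feed: a production filter should be
# generated from a maintained bogon list.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def matching_bogon(addr):
    """Return the bogon prefix containing addr, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    for net in BOGON_PREFIXES:
        if ip in net:
            return net
    return None


def is_bogon(addr):
    return matching_bogon(addr) is not None


def parse_sources(capture_text):
    """Extract source IPs from 'tcpdump -nn' style lines ('IP a.b.c.d.port > ...')."""
    sources = []
    for line in capture_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "IP" or parts[2] != ">":
            continue
        sources.append(parts[1].rsplit(".", 1)[0])  # strip the trailing .port
    return sources


def classify_sources(capture_text):
    """Return (Counter of bogon prefixes hit, list of routable source addresses)."""
    hits = Counter()
    routable = []
    for src in parse_sources(capture_text):
        net = matching_bogon(src)
        if net is None:
            routable.append(src)
        else:
            hits[str(net)] += 1
    return hits, routable


def iptables_rules(iface="eth0", chain="INPUT"):
    """Render one DROP rule per bogon prefix for the given ingress interface (assumed eth0)."""
    return [f"iptables -A {chain} -i {iface} -s {net} -j DROP" for net in BOGON_PREFIXES]


# Constructed sample in tcpdump -nn format: 203.0.113.10 is the victim and
# 203.0.114.5 is a placeholder for an ordinary routable client.
SAMPLE_CAPTURE = """\
IP 10.20.30.40.51234 > 203.0.113.10.80: Flags [S], seq 1, win 1024, length 0
IP 192.0.2.77.40001 > 203.0.113.10.80: Flags [S], seq 2, win 1024, length 0
IP 198.18.5.5.3333 > 203.0.113.10.80: Flags [S], seq 3, win 1024, length 0
IP 203.0.114.5.55555 > 203.0.113.10.80: Flags [S], seq 4, win 1024, length 0
IP 100.64.1.1.2222 > 203.0.113.10.80: Flags [S], seq 5, win 1024, length 0
IP 169.254.9.9.1111 > 203.0.113.10.80: Flags [S], seq 6, win 1024, length 0
"""

if __name__ == "__main__":
    hits, routable = classify_sources(SAMPLE_CAPTURE)
    for prefix, count in hits.most_common():
        print(f"{count:4d} packets from bogon prefix {prefix}")
    print(f"{len(routable)} packets from routable sources: {routable}")
    print("\n".join(iptables_rules()))
```

Running it on the sample shows five of six SYNs coming from prefixes that can only be spoofed, which is the kind of quick check that tells you whether a bogon filter at the edge would have absorbed most of a flood before it reached the server's SYN handling.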
 

oalaro

Member
Feb 9, 2016
I used this PHP script to do an automatic tcpdump when inbound traffic crosses a certain threshold. The configuration should be pretty self-explanatory.
Code:
<?php

# DDoS Detection & Packet Capture Script
# Written by Robert 'xnite' Whitney
# Website: http://xnite.org
# Email:   [email protected]

# Run script as root via crontab every 5 to 10 minutes
# Ensure all dependencies are satisfied before running this script (ifstat, tcpdump, php)
# This script will only allow a single tcpdump process to run at once

# Configuration
$CONFIG = [
    'device'          => 'eth0',          // Usually eth0; if you are unsure, find the device name by running ifconfig.
    'report_speed'    => '15',            // MB/s of combined in+out traffic at which a capture is started.
    'packets2capture' => '1000',          // Number of packets to capture in the pcap dump.
    'save_to'         => '/var/log/ddos', // Path to save ddos pcap logs to, without the trailing /.
];

# Do not edit below this line!
# ifstat prints the in/out rate of the configured device in KB/s; grep keeps only the two decimal numbers.
exec("/usr/bin/ifstat -i {$CONFIG['device']} .5 1 | /bin/grep -o '[0-9]\{1,9\}\.[0-9]\{1,9\}'", $iospeed);
if (count($iospeed) < 2) {
    fwrite(STDERR, "Could not read the interface speed from ifstat.\n");
    exit(1);
}
$report_speed  = $CONFIG['report_speed'] * 1024; // threshold converted to KB/s to match ifstat's units
$current_speed = $iospeed[0] + $iospeed[1];      // in + out
$ts = date('U');
$folder = $CONFIG['save_to'];
$interface = $CONFIG['device'];
$packnum = $CONFIG['packets2capture'];
if ($current_speed >= $report_speed) {
    echo "$current_speed is equal to or greater than $report_speed.\n";
    echo "Capturing tcpdump.\nPackets: $packnum\nInterface: $interface\nSaving to: $folder/$ts.ddos.pcap\n";
    if (!is_dir($folder)) {
        mkdir($folder, 0700, true);
    }
    exec("/usr/bin/pkill -9 tcpdump"); // only one capture at a time: stop any running tcpdump first
    exec("/usr/sbin/tcpdump -nn -i $interface -s 0 -c $packnum -w $folder/$ts.ddos.pcap");
} else {
    echo "$current_speed is less than $report_speed.\n";
}

?>
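The same idea, written as an added Python example rather than the poster's own code: sample the interface counters twice, compute the inbound rate, and start one bounded tcpdump when it exceeds a threshold. It reads /proc/net/dev instead of calling ifstat, and guards against overlapping cron runs with a pid file instead of pkill -9, so a capture in progress (or an unrelated tcpdump on the box) is never killed. The interface name, threshold, paths and the two /proc/net/dev snapshots are constructed assumptions for the example.

```python
"""Rate-triggered packet capture.

Added example re-implementing the idea of the PHP script above in Python;
it is not the poster's code. It samples /proc/net/dev twice, computes the
inbound rate on one interface and, above a threshold, starts a single
bounded tcpdump. A pid file replaces 'pkill -9 tcpdump' so overlapping cron
runs skip instead of killing a capture. Interface, threshold and paths are
assumptions.
"""
import os
import subprocess
import time

DEVICE = "eth0"          # assumed ingress interface
THRESHOLD_MBPS = 15.0    # inbound MB/s (1 MB = 1024*1024 bytes) that triggers a capture
PACKETS = 1000           # bounded capture, like the PHP script's packets2capture
SAVE_TO = "/var/log/ddos"
PIDFILE = "/run/ddos-capture.pid"


def parse_proc_net_dev(text, device):
    """Return (rx_bytes, tx_bytes) for device from the text of /proc/net/dev.

    Each interface line is '  eth0: <rx bytes> <rx packets> ... <tx bytes> ...':
    rx bytes is field 0 and tx bytes is field 8 after the colon.
    """
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        if name.strip() == device:
            fields = rest.split()
            return int(fields[0]), int(fields[8])
    raise KeyError(f"interface {device!r} not found in /proc/net/dev")


def inbound_rate_mbps(rx_before, rx_after, seconds):
    """Average inbound rate in MB/s between two rx byte counter readings."""
    return (rx_after - rx_before) / seconds / (1024 * 1024)


def should_capture(rate_mbps, threshold=THRESHOLD_MBPS):
    return rate_mbps >= threshold


def capture_already_running(pidfile=PIDFILE):
    """True if the pid recorded in pidfile still refers to a live process."""
    try:
        with open(pidfile) as f:
            pid = int(f.read().strip())
    except (OSError, ValueError):
        return False
    try:
        os.kill(pid, 0)  # signal 0 only checks that the process exists
    except ProcessLookupError:
        return False
    except PermissionError:
        return True      # exists, but owned by another user
    return True


def start_capture(device=DEVICE, packets=PACKETS, save_to=SAVE_TO, pidfile=PIDFILE):
    """Launch a bounded tcpdump in the background, record its pid, return the pcap path."""
    os.makedirs(save_to, mode=0o700, exist_ok=True)
    pcap = os.path.join(save_to, f"{int(time.time())}.ddos.pcap")
    proc = subprocess.Popen(["tcpdump", "-nn", "-i", device, "-s", "0",
                             "-c", str(packets), "-w", pcap])
    with open(pidfile, "w") as f:
        f.write(str(proc.pid))
    return pcap


def check_and_capture(device=DEVICE, interval=1.0):
    """One cron run: measure for `interval` seconds, capture if over threshold."""
    if capture_already_running():
        return None
    with open("/proc/net/dev") as f:
        rx0, _ = parse_proc_net_dev(f.read(), device)
    time.sleep(interval)
    with open("/proc/net/dev") as f:
        rx1, _ = parse_proc_net_dev(f.read(), device)
    rate = inbound_rate_mbps(rx0, rx1, interval)
    return start_capture(device) if should_capture(rate) else None


# Constructed /proc/net/dev snapshots taken 2 s apart: eth0 receives 40 MiB in between.
SAMPLE_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  100000     500    0    0    0     0          0         0   100000     500    0    0    0     0       0          0
  eth0: 5000000   40000    0    0    0     0          0         0  2000000   15000    0    0    0     0       0          0
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("  eth0: 5000000   40000", "  eth0: 46943040 60000")

if __name__ == "__main__":
    rx0, _ = parse_proc_net_dev(SAMPLE_BEFORE, "eth0")
    rx1, _ = parse_proc_net_dev(SAMPLE_AFTER, "eth0")
    rate = inbound_rate_mbps(rx0, rx1, 2.0)
    print(f"sample inbound rate: {rate:.1f} MB/s -> capture: {should_capture(rate)}")
```

On a live host you would call check_and_capture() from cron as root; the sample snapshots give 20 MB/s over the 2 s window, so with the 15 MB/s threshold a capture would be started.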
 

0vert1m3

Active Member
Oct 4, 2015
Because everyone can catch a dump of an attack and update their filters, and because someone can share their filters, etc.

Yes, I'm head of the SOC dept. at SeFlow. I think that great protection is in place only if all components are set up perfectly. It is useless to have great bandwidth, great filters and a VM/server with bad parameters. I mean, you receive 2Gbps of SYN... most is filtered by the protection and the server receives only 10Mbps... if it is not set up correctly the service becomes unresponsive...

This is why I'm asking around for dumps of attacks:
1) To optimize our filters
2) We started a security blog where we give tips to set up networks/servers correctly.

An example:
SYNPROXY setup: http://www.seflow.net/2/index.php/en/blog/synproxy-module-protect-yourself-by-syn-flood
BOGON Filters: http://www.seflow.net/2/index.php/en/blog/filter-bogon-prefixes-to-alleviate-spoofed-ddos

Yes, we will not share our main filter configuration or network setup, but we're not monsters, and I built my skills with a mix of internet how-tos and experience; now it is time to give it back :)

You don't need to post the entire dump, just a few packets are enough.
Yeah, but I won't share it ^^ Hosting on Cyberbunker and SeFlow is crap btw
 

0vert1m3

Active Member
Oct 4, 2015
oh... they're not shit, but you're an abuser... there is a big difference :)
fuck that, fuck (C), fuck (Dmac) :D Yeah, but I've been hosting on Cyberbunker for 1 year now and got like 182 Dmacs over that time, and they still don't fucking wipe my server and say fuck you ^^
 
Apr 19, 2016
fuck that, fuck (C), fuck (Dmac) :D Yeah, but I've been hosting on Cyberbunker for 1 year now and got like 182 Dmacs over that time, and they still don't fucking wipe my server and say fuck you ^^

Because you don't need to do real business. I will never, never, never trust a company that doesn't respect EU laws.

@oalaro nice script! Can I write an article about that?
 

0vert1m3

Active Member
Oct 4, 2015
Because you don't need to do real business. I will never, never, never trust a company that doesn't respect EU laws.

@oalaro nice script! Can I write an article about that?
Cyberbunker is hosting Gov shit, you know that, right? And who cares about laws ^^
 
Apr 19, 2016
Cyberbunker is hosting Gov shit, you know that, right? And who cares about laws ^^

1. Be respectful
2. Cyberbunker was sold in 1998 (You were already born?) to a private company that started selling to the public in 2000. It is a normal company like the others.
 

0vert1m3

Active Member
Oct 4, 2015
1. Be respectful
2. Cyberbunker was sold in 1998 (You were already born?) to a private company that started selling to the public in 2000. It is a normal company like the others.
1. Sorry for that, but shut your mouth
2. And your second answer (I will never, never, never trust a company that doesn't respect EU laws.) Do you know anything about their employees? Cyberbunker is more trusted than even bigger companies. "CyberBunker is one of the most trustworthy datacenters in the world. Please feel free to google for customer complaints. You do not find any because there aren't any. The only thing you may find are others that are complaining about CyberBunker's clients. Well, what should we say about that?"
3. Yes, for the public "normal" user Cyberbunker started selling servers in 2000, but Cyberbunker has existed since 1989 and they started selling from secret places in 1994.....
4. And what you said about respect? Are you trying to get me mad or so? "was sold in 1998 (You were already born?)" skid.
 