(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog


DDoS involving forged packets from

Posted September 25, 2018 by shaun

As noticed in a tweet from @AlecMuffett, there's a large DDoS attack taking place involving forged packets that appear to come from

I have servers on a variety of networks, and tcpdump shows traffic "from", destination port 80, at all of them. My points of observation are widespread, so this attack is likely spraying much of the IPv4 space. The volume I'm seeing to any given host is only ~25 packets per second, but reflected traffic could be millions of times that number.
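To measure that per-source rate from a capture of your own, the following added example (not code from the original post) parses `tcpdump -tt -n` text output and reports each source's peak packets per second to port 80. The sample lines are constructed, the addresses are documentation ranges standing in for real hosts, and the 20 pps threshold is an assumption.

```python
import re
from collections import Counter

# One line of `tcpdump -tt -n` output for an IPv4 packet with ports, e.g.
# 1537891200.040000 IP 192.0.2.10.40001 > 198.51.100.5.80: Flags [S], ...
LINE = re.compile(
    r"^(?P<sec>\d+)\.\d+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"\d+(?:\.\d+){3}\.(?P<dport>\d+):"
)

def _line(ts, src, sport, dst, dport):
    # Helper used only to build the constructed sample below.
    return (f"{ts:.6f} IP {src}.{sport} > {dst}.{dport}: "
            "Flags [S], seq 0, win 29200, length 0")

# Constructed sample, not captured traffic: 25 packets in one second from
# 192.0.2.10 (placeholder for the forged source), plus unrelated lines.
SAMPLE = "\n".join(
    [_line(1537891200 + i * 0.04, "192.0.2.10", 40000 + i, "198.51.100.5", 80)
     for i in range(25)]
    + [_line(1537891200.5, "203.0.113.7", 51515, "198.51.100.5", 80),
       _line(1537891200.6, "192.0.2.10", 40100, "198.51.100.5", 443),
       "1537891200.700000 ARP, Request who-has 198.51.100.1 tell 198.51.100.5, length 28"]
)

def peak_pps(text, dport=80):
    """Return {source_ip: highest packet count seen in any one-second bucket}."""
    buckets = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if m and int(m["dport"]) == dport:
            buckets[(m["src"], int(m["sec"]))] += 1
    peaks = {}
    for (src, _sec), count in buckets.items():
        peaks[src] = max(peaks.get(src, 0), count)
    return peaks

def suspects(text, threshold=20, dport=80):
    """Sources whose peak rate to dport meets the (assumed) threshold."""
    return sorted(s for s, n in peak_pps(text, dport).items() if n >= threshold)

if __name__ == "__main__":
    for src, pps in sorted(peak_pps(SAMPLE).items()):
        print(f"{src}: peak {pps} packets/s to port 80")
    print("over threshold:", suspects(SAMPLE))
```
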

CeraNetworks/CloudRadium, the owner of, is responding to abuse reports with a statement that is the target and not the source of the DDoS.

Dropping traffic to and from can prevent your system from contributing to the reflection:

    [root@host ~]# iptables -I OUTPUT -d -j DROP
    [root@host ~]# iptables -I INPUT -s -j DROP

...or the equivalent for your OS, until the DDoS gets filtered by transit providers.

If you're an AS, please implement BCP38 and prevent spoofed traffic from egressing your network.

If you're an end user, consider installing and running Spoofer to help CAIDA identify networks that still allow this malicious traffic to be sent.

Card image by Sagor Kumar, via Wikimedia Commons
