nanog mailing list archives
Re: Reporting DDOS reflection attacks
From: Damian Menscher <damian () google com>
Date: Sat, 8 Nov 2014 14:48:47 -0800
I've used https://abusix.com/contactdb.html Be prepared for a lot of backscatter. You'll get autoresponders, automated ticketing systems sending frequent updates, bounce messages (from full abuse@ inboxes), and be surveyed for how well they're not performing. Also, be prepared for ISPs / hosting providers to ask for additional information, like logs proving the attack came from their customer. Oh, and be prepared to feel sorry for their customers whose VMs are deleted for "hacking", rather than being informed of their misconfiguration. On the bright side, some 10% will actually correct the problem, thereby costing the attacker a few minutes of work to re-scan for active amplifiers. :P Damian Professional Pessimist On Fri, Nov 7, 2014 at 10:56 AM, <srn.nanog () prgmr com> wrote:
Like most small providers, we occasionally get hit by DoS attacks. We got hammered by an SSDP reflection attack (udp port 1900) last week. We took a 27 second log and from there extracted about 160k unique IPs. It is really difficult to find abuse emails for 160k IPs. We know about abuse.net but abuse.net requires hostnames, not IPs for lookups and not all IP addresses have valid DNS entries. The only other way we know of to report problems is to grab the abuse email addresses is whois. However, whois is not structured and is not set up to deal with this number of requests - even caching whois data based on subnets will result in many thousands of lookups. Long term it seems like structured data and some kind of authentication would be ideal for reporting attacks. But right now how should we be doing it?
Current thread:
- Reporting DDOS reflection attacks srn . nanog (Nov 07)
- Re: Reporting DDOS reflection attacks Roland Dobbins (Nov 07)
- Re: Reporting DDOS reflection attacks Paul Bennett (Nov 07)
- Re: Reporting DDOS reflection attacks McDonald Richards (Nov 08)
- Re: Reporting DDOS reflection attacks Roland Dobbins (Nov 08)
- Re: Reporting DDOS reflection attacks Miles Fidelman (Nov 08)
- Re: Reporting DDOS reflection attacks srn . nanog (Nov 08)
- Re: Reporting DDOS reflection attacks Paul Bennett (Nov 07)
- Re: Reporting DDOS reflection attacks Roland Dobbins (Nov 07)
- Re: Reporting DDOS reflection attacks Ruairi Carroll (Nov 08)
- Re: Reporting DDOS reflection attacks srn . nanog (Nov 08)
- Re: Reporting DDOS reflection attacks Damian Menscher (Nov 08)
- Re: Reporting DDOS reflection attacks Brian Rak (Nov 09)
- Re: Reporting DDOS reflection attacks srn . nanog (Nov 09)
- Re: Reporting DDOS reflection attacks Brian Rak (Nov 09)
- RE: Reporting DDOS reflection attacks Frank Bulk (Nov 08)
- Re: Reporting DDOS reflection attacks Yardiel D. Fuentes (Nov 08)
- Re: Reporting DDOS reflection attacks Roland Dobbins (Nov 08)
- Re: Reporting DDOS reflection attacks Doug Barton (Nov 09)
- Re: Reporting DDOS reflection attacks manning bill (Nov 09)
- Message not available
- Re: Reporting DDOS reflection attacks Larry Sheldon (Nov 09)
- Re: Reporting DDOS reflection attacks Roland Dobbins (Nov 09)
- Re: Reporting DDOS reflection attacks Yardiel D. Fuentes (Nov 08)