[175930] in North American Network Operators' Group


RE: Reporting DDOS reflection attacks

daemon@ATHENA.MIT.EDU (Frank Bulk)
Sat Nov 8 18:20:13 2014

X-Original-To: nanog@nanog.org
From: "Frank Bulk" <frnkblk@iname.com>
To: <srn.nanog@prgmr.com>,
	<nanog@nanog.org>
In-Reply-To: <545D15EF.8080509@prgmr.com>
Date: Sat, 8 Nov 2014 17:19:56 -0600
Errors-To: nanog-bounces@nanog.org

Do you know if third-parties such as SANS ISC or ShadowServer take lists of IPs?

Frank

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of srn.nanog@prgmr.com
Sent: Friday, November 07, 2014 12:57 PM
To: nanog@nanog.org
Subject: Reporting DDOS reflection attacks

Like most small providers, we occasionally get hit by DoS attacks. We got hammered by an SSDP reflection attack (udp port 1900) last week. We took a 27 second log and from there extracted about 160k unique IPs.

It is really difficult to find abuse emails for 160k IPs.

We know about abuse.net but abuse.net requires hostnames, not IPs for lookups and not all IP addresses have valid DNS entries.

The only other way we know of to report problems is to grab the abuse email addresses from whois. However, whois is not structured and is not set up to deal with this number of requests - even caching whois data based on subnets will result in many thousands of lookups.

Long term it seems like structured data and some kind of authentication would be ideal for reporting attacks. But right now how should we be doing it?
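An added example, not code from either poster, of the two steps the original message describes: pulling the unique UDP/1900 reflector sources out of a short tcpdump-style log of traffic toward the victim, then grouping them by /24 so that one abuse-contact lookup covers a whole block instead of one per address. The log lines, the victim address and the reflector addresses are constructed from documentation ranges, not taken from the real attack.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format (not a real capture). In an SSDP
# reflection attack the victim receives UDP replies whose source port is 1900.
SAMPLE_LOG = """\
12:00:01.000001 IP 198.51.100.7.1900 > 203.0.113.10.4321: UDP, length 310
12:00:01.000120 IP 198.51.100.9.1900 > 203.0.113.10.4321: UDP, length 298
12:00:01.000240 IP 198.51.100.7.1900 > 203.0.113.10.4321: UDP, length 310
12:00:01.000360 IP 192.0.2.44.1900 > 203.0.113.10.4321: UDP, length 305
12:00:01.000480 IP 192.0.2.45.1900 > 203.0.113.10.4321: UDP, length 305
12:00:01.000600 IP 192.0.2.44.53 > 203.0.113.10.4321: UDP, length 64
"""

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)"
)

def extract_reflectors(log_text, victim, sport=1900):
    """Return {source_ip: (packets, bytes)} for UDP packets from `sport` to `victim`."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, spt, dst, _dpt, length = m.groups()
        if int(spt) != sport or dst != victim:   # keep only the reflection flow
            continue
        pkts, byts = stats.get(src, (0, 0))
        stats[src] = (pkts + 1, byts + int(length))
    return stats

def group_by_prefix(ips, prefixlen=24):
    """Group reflector IPs by covering prefix so one contact lookup serves the block."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(ip)
    return dict(groups)

def prefix_report(stats, prefixlen=24):
    """One row per prefix: (prefix, unique_ips, packets, bytes), heaviest block first."""
    rows = []
    for net, ips in group_by_prefix(stats, prefixlen).items():
        pk = sum(stats[i][0] for i in ips)
        by = sum(stats[i][1] for i in ips)
        rows.append((net, len(ips), pk, by))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows

if __name__ == "__main__":
    for row in prefix_report(extract_reflectors(SAMPLE_LOG, "203.0.113.10")):
        print("%-18s ips=%d pkts=%d bytes=%d" % row)
```

The /24 grouping is a heuristic for reducing lookups; the registered block can be larger or smaller, so the prefix length is a parameter rather than a fixed cut.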


