[175931] in North American Network Operators' Group
Re: Reporting DDOS reflection attacks
daemon@ATHENA.MIT.EDU (Yardiel D. Fuentes)
Sat Nov 8 18:46:19 2014
X-Original-To: nanog@nanog.org
From: "Yardiel D. Fuentes" <yardiel@gmail.com>
In-Reply-To: <000201cffbaa$82416690$86c433b0$@iname.com>
Date: Sat, 8 Nov 2014 18:46:08 -0500
To: Frank Bulk <frnkblk@iname.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Another DDoS/DoS email thread in progress, ah?... these seem to occur often lately...
So....Perfect timing to remind all in the list that there is a NANOG BCOP in the works on this topic.
Some of us have been working on documenting our collective knowledge about real practices that
can help our community deal with this annoying networking disease...in a vendor agnostic manner...
Our DDoS/DoS attack Best Common Ops Practices doc seeks to provide community-wide guidelines on what to do before, during and after a DDoS/DoS attack.
If any of you want to contribute and join us to help the community on what we have documented so far, please check out the document below and/or drop me a note...
http://bcop.nanog.org/index.php/BCOP_Drafts
Yardiel Fuentes
yardiel@gmail.com
twitter: #techguane
On Nov 8, 2014, at 6:19 PM, Frank Bulk wrote:
> Do you know if third parties such as SANS ISC or ShadowServer take lists of IPs?
>
> Frank
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of srn.nanog@prgmr.com
> Sent: Friday, November 07, 2014 12:57 PM
> To: nanog@nanog.org
> Subject: Reporting DDOS reflection attacks
>
> Like most small providers, we occasionally get hit by DoS attacks. We got hammered by an SSDP reflection attack (UDP port 1900) last week. We took a 27-second log and from there extracted about 160k unique IPs.
>
> It is really difficult to find abuse emails for 160k IPs.
>
> We know about abuse.net but abuse.net requires hostnames, not IPs for lookups and not all IP addresses have valid DNS entries.
>
> The only other way we know of to report problems is to grab the abuse email addresses from whois. However, whois is not structured and is not set up to deal with this number of requests - even caching whois data based on subnets will result in many thousands of lookups.
>
> Long term it seems like structured data and some kind of authentication would be ideal for reporting attacks. But right now how should we be doing it?
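The original post describes capturing reflected SSDP traffic, extracting the unique source addresses, and caching whois results per subnet to cut the number of lookups. The script below is an added example, not code from the thread or from the poster. It assumes tcpdump's default text output as the log format (the thread does not say what format the 27-second log was in) and that the reflected SSDP replies carry source port 1900; the sample lines are constructed, not real capture data. It pulls the unique reflectors out of the log, counts packets and bytes per address, and buckets them into /24 prefixes so that one abuse-contact lookup per prefix covers every reflector in it, ordering the prefixes by reflected volume so the largest contributors get reported first.

```python
"""Extract SSDP reflectors from a packet log and bucket them by prefix.

Added example for the NANOG thread, not the poster's code. Assumes
tcpdump-style text lines and uses only the standard library, so it runs
offline; the whois/abuse lookups themselves are left to the operator.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in tcpdump's default text format; not real data.
# Reflected SSDP replies arrive with source port 1900 (assumption); the
# last two lines are unrelated DNS and TCP traffic that must be ignored.
SAMPLE_LOG = """\
12:01:03.000112 IP 198.51.100.7.1900 > 203.0.113.10.34521: UDP, length 310
12:01:03.000140 IP 198.51.100.9.1900 > 203.0.113.10.34521: UDP, length 298
12:01:03.000171 IP 192.0.2.44.1900 > 203.0.113.10.34521: UDP, length 305
12:01:03.000190 IP 198.51.100.7.1900 > 203.0.113.10.34521: UDP, length 310
12:01:03.000233 IP 192.0.2.200.1900 > 203.0.113.10.34521: UDP, length 301
12:01:03.000260 IP 192.0.2.44.53 > 203.0.113.10.51234: UDP, length 80
12:01:03.000299 IP 203.0.113.22.443 > 203.0.113.10.51235: Flags [P.], seq 1:2, ack 1, win 501, length 1
"""

# Matches only the UDP summary lines tcpdump prints; TCP lines do not match.
UDP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)


def reflectors(log_text, service_port=1900):
    """Return {source_ip: (packets, bytes)} for UDP packets whose source port
    is the reflected service's port. In a reflection attack these sources are
    the abused open responders, not the attacker, who spoofed the victim's
    address in the requests that triggered the replies."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = UDP_RE.search(line)
        if not m or int(m.group("sport")) != service_port:
            continue
        entry = stats[m.group("src")]
        entry[0] += 1
        entry[1] += int(m.group("len"))
    return {ip: tuple(v) for ip, v in stats.items()}


def group_by_prefix(per_ip, prefixlen=24):
    """Bucket reflector addresses into /prefixlen networks so one whois or
    abuse-contact lookup can cover every address in a bucket. Returns a list
    of dicts sorted by reflected bytes, largest first, to prioritise reports."""
    buckets = defaultdict(lambda: {"ips": [], "packets": 0, "bytes": 0})
    for ip, (pkts, nbytes) in per_ip.items():
        net = ipaddress.ip_interface(f"{ip}/{prefixlen}").network
        b = buckets[net]
        b["ips"].append(ip)
        b["packets"] += pkts
        b["bytes"] += nbytes
    out = []
    for net, b in buckets.items():
        out.append({
            "prefix": str(net),
            "ips": sorted(b["ips"], key=ipaddress.ip_address),
            "packets": b["packets"],
            "bytes": b["bytes"],
        })
    out.sort(key=lambda d: (-d["bytes"], d["prefix"]))
    return out


def report_plan(log_text, service_port=1900, prefixlen=24):
    """Full pipeline: unique reflectors, then the shorter list of prefixes
    that actually needs an abuse-contact lookup."""
    per_ip = reflectors(log_text, service_port)
    return per_ip, group_by_prefix(per_ip, prefixlen)


if __name__ == "__main__":
    per_ip, plan = report_plan(SAMPLE_LOG)
    print(f"{len(per_ip)} unique reflectors, {len(plan)} prefixes to look up")
    for b in plan:
        print(f"{b['prefix']:18} {b['packets']:4d} pkts {b['bytes']:6d} bytes  "
              + ", ".join(b["ips"]))
```

The addresses this produces are the abused open SSDP responders rather than the attacker, and a report should say so. A /24 is only a convenient unit: nothing guarantees that one /24 belongs to one responsible party, so the prefix list is a ceiling on the number of lookups, and whois results are better cached per allocated netblock once the first lookup for a prefix reveals its boundaries.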