[176360] in North American Network Operators' Group


Re: abuse reporting tools

daemon@ATHENA.MIT.EDU (Gregg Berkholtz)
Wed Nov 26 01:39:18 2014

X-Original-To: nanog@nanog.org
From: Gregg Berkholtz <gregg@tocici.com>
In-Reply-To: <546BEB30.9040207@tiedyenetworks.com>
Date: Tue, 25 Nov 2014 22:38:53 -0800
To: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

First please filter the source addr on all egress traffic, please. Please.

Second, please don’t be the network admin who emails:
“…
To: notOurOrgAbuseEmail@tocici.com
From: cluelessAdmin@example.com
Subject: An attempt of intrusion comes from your ip

.
…”

Just in case you missed the obvious: message body was empty, $cluelessAdmin didn’t do a basic whois for our OrgAbuseEmail, and $cluelessAdmin ASSumed we knew which of our 2,048 IPs apparently started WWIII while providing absolutely zero corroborating evidence (attaching or linking to raw tcpdump is very nice, “-d” is Ok too). We often receive dozens of these totally useless/blank emails, in clusters of a few minutes.

Tricks like that earn an instant 144-hour null route badge for whichever sending company’s entire presumed netblock (if we can’t find an obvious AS); repeat offenses earn longer and more colorful badges. All get a personal voicemail to the $cluelessAdmin company’s exec(s)/admin(s). I deliver these voicemails roughly three times a week now. Teh Stupid leaves burn marks on our NOC techs, and the poor geeks can only take so much!

Other suggestions, such as watching and responding to s/NetFlow spikes, or tracking/linking multiple complaining networks before even attempting to look at origins… these sometimes warrant a followup depending upon volume and frequency (easily tracked with an SQLite + PHP-based tool/api). We’ve found things are more often just fat fingers, someone more bored than harmful, or someone that hasn’t figured out zmap options yet.

As for a genuine DDoS, with a spoofed source - can you really do much about this? For years we’ve just automatically null-routed (+RTBH) the ingress target (and, if obvious, any egress source) for a shortish random() period, and everyone typically gets bored shortly thereafter. Our current null-route based homegrown DDoS mitigation platform requires barely ~10 seconds from detection/onset to mitigation, so we tend to eliminate most fun and drama pretty quickly. For more business-focused clients, services like CloudFlare typically keep DDoS attacks off ingress IPs.

(BTW: in addition to business sites, we host Minecraft, Teamspeak, and other "l33t hax0r” targeted services)

Gregg Berkholtz

> On Nov 18, 2014, at 4:58 PM, Mike <mike-nanog@tiedyenetworks.com> wrote:
> 
> Hello,
> 
>    I provide broadband connectivity to mostly residential users. Over the
> past few years, instances of DDoS against the network - specifically
> targeting end users - have been on the rise, and today I can qualify many
> of these as simple acts of revenge where someone will engage a dos
> (possibly, services like 'booters' or similar) because they lost an
> online game or had some interaction in a forum they didn't like. I have
> good 'consumer broadband' filtering rules in place which make sense and
> protect against quite a lot of obviously ddos oriented traffic streams.
> The next step I want to engage, for those types of traffic which I can
> positively identify as not spoofed, is to send out abuse reports to
> owners of ip ranges used to launch these attacks. Ideally I'd like to be
> able to write up some form letter describing the attack, the source
> ip(s) of note, some disassembled sample packets, and then feed a list of
> IP source addresses and have it mail it out to the abuse contact at each
> source network. I am wondering if anyone has a pointer or reference to
> any tools which might help facilitate this?
> 
> Thank you.
> 
> Mike-

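An added example (not code from either poster, nor from any tool named in the thread) that sketches the abuse-report pipeline Mike asks for, built the way Gregg's reply says reports should arrive: the abuse contact is taken from the registry's RDAP "abuse" role rather than guessed, the form letter refuses to go out without source IPs and a packet excerpt, and sent reports are logged in SQLite so repeat sources can be batched instead of mailed one by one. The RDAP fragment, addresses and tcpdump line are constructed sample values; no real registry data is used and nothing is sent on the network.

```python
"""Abuse-report helper: RDAP abuse-contact extraction (offline sample data),
an evidence-carrying form letter, and SQLite tracking of reports sent."""
import sqlite3
from datetime import datetime, timezone
from email.message import EmailMessage
from typing import Optional

# Constructed RDAP response fragment (shape follows RFC 7483). The netblock,
# handle and addresses are documentation-range sample values, not real data.
SAMPLE_RDAP = {
    "handle": "NET-203-0-113-0-1",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "entities": [
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Net Registrant"],
                                  ["email", {}, "text", "noc@example.net"]]]},
        {"roles": ["abuse"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Net Abuse Desk"],
                                  ["email", {}, "text", "abuse@example.net"]]]},
    ],
}


def abuse_contact(rdap: dict) -> Optional[str]:
    """Return the e-mail of the entity holding the 'abuse' role, or None.
    This is the whois/RDAP lookup step the reply above complains is skipped;
    it avoids guessing abuse@<domain> or mailing the registrant contact."""
    for ent in rdap.get("entities", []):
        if "abuse" not in ent.get("roles", []):
            continue
        _, props = ent.get("vcardArray", ["vcard", []])
        for prop in props:
            if prop[0] == "email":
                return prop[3]
    return None


def build_report(reporter: str, to_addr: str, target_ip: str, sources: list,
                 when: datetime, pcap_excerpt: str) -> EmailMessage:
    """Compose a form letter carrying what the receiving NOC needs:
    exact source IPs, a UTC timestamp and a packet excerpt as evidence.
    A report with no sources or no evidence is refused, never sent blank."""
    if not sources or not pcap_excerpt.strip():
        raise ValueError("refusing to build a report without sources and evidence")
    msg = EmailMessage()
    msg["From"] = reporter
    msg["To"] = to_addr
    msg["Subject"] = f"Abuse report: traffic from {', '.join(sources)} to {target_ip}"
    msg.set_content(
        f"Observed at {when.astimezone(timezone.utc).isoformat()} (UTC)\n"
        f"Target: {target_ip}\n"
        f"Source IP(s) in your netblock: {', '.join(sources)}\n\n"
        "Packet excerpt (tcpdump -nn output):\n"
        f"{pcap_excerpt}\n\n"
        f"Full captures available on request; reply to {reporter}.\n"
    )
    return msg


def open_tracker(path: str = ":memory:") -> sqlite3.Connection:
    """SQLite log of reports sent, keyed by abuse contact, so that a burst of
    events from one netblock becomes one batched report instead of dozens."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS reports "
                 "(sent_at TEXT, abuse_email TEXT, src_ip TEXT)")
    return conn


def record_report(conn: sqlite3.Connection, abuse_email: str,
                  src_ip: str, when: datetime) -> None:
    conn.execute("INSERT INTO reports VALUES (?, ?, ?)",
                 (when.isoformat(), abuse_email, src_ip))
    conn.commit()


def reports_to(conn: sqlite3.Connection, abuse_email: str) -> int:
    """How many reports have already gone to this abuse desk."""
    row = conn.execute("SELECT COUNT(*) FROM reports WHERE abuse_email = ?",
                       (abuse_email,)).fetchone()
    return row[0]


if __name__ == "__main__":
    seen = datetime(2014, 11, 25, 22, 38, 53, tzinfo=timezone.utc)
    # Constructed tcpdump line for the sample flow.
    excerpt = "22:38:53.000 IP 203.0.113.5.40000 > 198.51.100.7.25565: Flags [S]"
    contact = abuse_contact(SAMPLE_RDAP)
    report = build_report("noc@isp.example", contact, "198.51.100.7",
                          ["203.0.113.5"], seen, excerpt)
    db = open_tracker()
    record_report(db, contact, "203.0.113.5", seen)
    print(report)
    print("reports sent to", contact, "=", reports_to(db, contact))
```

In practice the RDAP document would come from the RIR's bootstrap service for the source IP; only the extraction is shown here because the example runs offline. The refusal in build_report is the point of the exercise: an abuse report with an empty body, as in the message quoted above, costs the receiving NOC time and earns nothing.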
