[177284] in North American Network Operators' Group


Re: DDOS solution recommendation

daemon@ATHENA.MIT.EDU (Pavel Odintsov)
Sun Jan 11 16:12:22 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <D04DB38B-A4F1-42A6-BF50-D188C84588EF@delong.com>
Date: Mon, 12 Jan 2015 01:11:39 +0400
From: Pavel Odintsov <pavel.odintsov@gmail.com>
To: Owen DeLong <owen@delong.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Hello!

But abuse@ contacts are a very, very, very hard way of contacting an ASN
administrator in case of an attack. The large number of requests to #Nanog
about "please contact ASN XXXX noc with me offlist" confirms this.

I've received multiple attacks from a well-known ISP, and I spend about 10-20
hours on average contacting them. That is an unacceptable amount of time.

We need a FAST and RELIABLE way of contacting the NOC of the attacker's
network for effective attack mitigation.

We need something like RTBH for knocking on the door of the network admin of a remote network.

Maybe somebody can create a social network for NOCs with an API? :)





On Sun, Jan 11, 2015 at 11:55 PM, Owen DeLong <owen@delong.com> wrote:
>
>> On Jan 11, 2015, at 05:07 , Mike Hammett <nanog@ics-il.net> wrote:
>>
>> Why does it seem like everyone is trying to "solve" this the wrong way?
>
> Because it’s what we CAN do.
>
>>
>> Do other networks' abuse departments just not give a shit? Blackhole all of the zombie attackers and notify their abuse departments. Sure, most of the owners of the PCs being used in these scenarios have no idea they're being used to attack people, but I'd think that if their network's abuse department was notified, either they'd contact the customer about the issue or at least have on file that they were notified. When the unknowing end-user reached out to support over larger and larger parts of the Internet not working, they'd be told to clean up their system.
>>
>> The way to stop this stuff is for those millions of end users to clean up their infected PCs.
>
> Agreed… However, let’s look at it from an economics perspective…
>
> The average residential service provider doesn’t have the resources and doesn’t charge enough to build the resources to deal with this onslaught. It won’t be the service provider that the attacker blames for the initial few disconnections, it will be the websites in question.
>
> So, let’s say XYZ.COM <http://xyz.com/> is a really popular site with lots of end-users. Some of those end-users are also unknowingly attacking XYZ.COM <http://xyz.com/>.
>
> XYZ.COM <http://xyz.com/> black holes those customers (along with all the other zombies attacking them).
>
> XYZ.COM <http://xyz.com/> gets angry calls from those customers and has no ability to contact the rest.
> The rest don’t call their ISP or XYZ.COM <http://xyz.com/> because they don’t know that they are unsuccessfully trying to reach XYZ.COM <http://xyz.com/>, so they don’t see the problem.
>
> Depending on hold times, etc., XYZ.COM <http://xyz.com/> loses some fraction of their customers (who instead of cleaning up their system, move into the second group who don’t care about the problem any more.) The rest may clean up their systems.
>
> So, at the cost of some fraction of their customer base and a substantial burden on their call center, XYZ.COM <http://xyz.com/> has managed to clean up a relatively small percentage of systems, but accomplished little else.
>
> I’m all for finding a way to do a better job of this. Personally, I’d like to see some sort of centralized clearing house where credible reporters of DDoS information could send some form of standardized (automated) report. The clearing house would then take care of contacting the responsible ISPs in a scalable and useful manner that the ISPs could handle. Because the clearing house would be a known credible source and because they are providing the information in a way that the ISP can more efficiently utilize the information, it MIGHT allow the ISP to take proactive action such as contacting the user and addressing the problem, limiting the user’s ability to send DDoS traffic, etc.
>
> However, this would require lots of cooperation and if such a clearing house were to evolve, it would probably have to start as a coalition of residential ISPs.
>
> Owen
>
>



-- 
Sincerely yours, Pavel Odintsov
