[76172] in North American Network Operators' Group
What good is a noc team? How do you mitigate this? [was: How many
daemon@ATHENA.MIT.EDU (Gadi Evron)
Thu Dec 2 18:14:24 2004
Date: Fri, 03 Dec 2004 01:20:36 +0200
From: Gadi Evron <ge@linuxbox.org>
To: Chad Skidmore <cskidmore@go180.net>
Cc: Aaron Glenn <aaron.glenn@gmail.com>, nanog@merit.edu
In-Reply-To: <7A2C7588564516488CD950202373E682010031E0@imail.inet.go180.net>
Errors-To: owner-nanog-outgoing@merit.edu
> Sorry your experience has been different, this is definitely one of
> those YMMV kinds of deals. That is a significant attack by most
> anyone's standards. Getting to the right security team usually ends
> up being the challenge. Once there however we have found many
> providers do a great job of dealing with attacks quickly. Use of BGP
> triggered blackholes can be a great help and going to the NOC/Abuse
> team with lots of good information from the start helps you get to
> the people that can pull the attack off quickly. You have to remember
> that, like all of us, larger service providers have their share of
> low clue factor customers. The quicker you can help them realize
> that you have a fairly high clue factor the quicker you'll get to
> folks on their side with a high clue factor. During times of
> outages, attacks, etc. it is easy to get agitated quickly and that
> oftentimes doesn't help you get through the first couple of barrier
> noc techs.
Okay, making this an operational issue. Say you are attacked. Say it
isn't even a botnet. Say a new worm is out and you are getting traffic
from 19 different class A's.
Who do you call? What do you block?
How can a noc team here help?
"Please block any outgoing connections from your network to ours on port
25? Please?" I tried this once... it doesn't help. I ended up blackholing
an entire country just to mitigate it a bit, for a few hours.
Any practical suggestions?
Gadi.
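Added example, not part of Gadi's post or of any tool mentioned in the thread: a small triage script for the "what do you block?" question. Given flow records, it sums traffic per source aggregate (/8, /16, /32), per destination /32 and per destination port, so the trade-off behind each option is visible: how many routes or filter entries it costs, and how much traffic it removes, legitimate traffic included. The key=value log format, the addresses and the packet counts are all constructed for this example; IPv4 only.

```python
"""Aggregate flow records to compare blocking options during a flood.

All input below is constructed sample data for the example; it is not
taken from the mailing-list post or from any real incident.
"""
import ipaddress
from collections import Counter

# Constructed flow lines (assumed format: one flow per line, key=value fields).
# Many sources in different /8s hit one victim on TCP/25, plus a little
# legitimate mail and web traffic to the same host.
SAMPLE_LOG = """\
src=11.4.5.6       dst=203.0.113.7 dport=25 pkts=400
src=11.200.1.1     dst=203.0.113.7 dport=25 pkts=100
src=37.9.9.9       dst=203.0.113.7 dport=25 pkts=300
src=58.1.2.3       dst=203.0.113.7 dport=25 pkts=250
src=91.77.1.2      dst=203.0.113.7 dport=25 pkts=200
src=120.3.3.3      dst=203.0.113.7 dport=25 pkts=150
src=177.8.8.8      dst=203.0.113.7 dport=25 pkts=100
src=198.51.100.20  dst=203.0.113.7 dport=25 pkts=40
src=198.51.100.21  dst=203.0.113.7 dport=80 pkts=60
"""


def parse_flows(text):
    """Parse key=value flow lines into dicts with IPv4Address objects and ints."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = dict(field.split("=", 1) for field in line.split())
        flows.append({
            "src": ipaddress.ip_address(kv["src"]),
            "dst": ipaddress.ip_address(kv["dst"]),
            "dport": int(kv["dport"]),
            "pkts": int(kv["pkts"]),
        })
    return flows


def bucket(flows, field, prefix_len, dport=None):
    """Sum packets per /prefix_len aggregate of `field` ('src' or 'dst').

    With dport set, only flows to that destination port are counted, which
    is what you would look at before asking an upstream to filter a port.
    """
    counts = Counter()
    for f in flows:
        if dport is not None and f["dport"] != dport:
            continue
        net = ipaddress.ip_network((int(f[field]), prefix_len), strict=False)
        counts[net] += f["pkts"]
    return counts


def coverage(counts, top_n):
    """Return (covered, total): packets removed by blocking the top_n largest
    aggregates, against all packets in `counts`. Each aggregate is one
    route or filter entry, so top_n is the price and covered is the gain."""
    total = sum(counts.values())
    covered = sum(pkts for _, pkts in counts.most_common(top_n))
    return covered, total


def port_filter_effect(flows, dport):
    """Return (dropped, total) for a blanket 'block dport' filter. The dropped
    count includes legitimate traffic on that port, which is the collateral
    such a request carries."""
    dropped = sum(f["pkts"] for f in flows if f["dport"] == dport)
    total = sum(f["pkts"] for f in flows)
    return dropped, total


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("port 25 filter drops %d of %d packets" % port_filter_effect(flows, 25))
    for plen in (8, 16, 32):
        src = bucket(flows, "src", plen, dport=25)
        covered, total = coverage(src, 3)
        print("source /%d: %d aggregates, top 3 cover %d of %d"
              % (plen, len(src), covered, total))
    dst = bucket(flows, "dst", 32)
    print("destination /32 blackhole: %d route(s), drops %d of %d"
          % (len(dst), *coverage(dst, 1)))
```

Run against real flow exports the output answers the two questions in the post directly: when sources are spread across many /8s, the source-side numbers show how little three, or even thirty, prefixes buy, while the destination /32 line shows that a single blackhole route removes everything, the victim's legitimate traffic included.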