NOC responses when advised of ongoing DoS attacks (Was Re: We have a firewall (was Re: Pakistan government orders ISPservice level agreement))

Christopher L. Morrow chris at UU.NET
Wed May 7 14:52:04 UTC 2003

On Wed, 7 May 2003, Niels Bakker wrote:

> > --- Scott Granados <scott at> wrote:
> >> Unless you actually call UUnet and your not a customer, God help you then.
> * thegameiam at (David Barak) [Wed 07 May 2003, 15:24 CEST]:
> > Well, I don't have a whole lot of sympathy for this -
> > how many (non-networking) companies will do things
> > which don't benefit their customers on behalf of
> > someone who is not a customer (and shows no sign of
> > becoming one)?  I can't think of any offhand, and I
> > don't think that a whole lot would show up in an
> > exhaustive search.
> I'd have thought having a customer *not* waste all their outgoing
> bandwidth on useless data such as participating in a DoS attack would
> make for a happier customer.

This is, of course, true, and happier customers are a good thing.
Unfortunately, there are MANY customers that just don't know that they are
the source of someone else's troubles :( Not to mention customers with
'lots' of bandwidth who don't even notice 100mbps of 'extra' traffic :( It
sounds whacky, but it is true, sadly.

This also only matters if you can pin the traffic down to a far end
customer, which is not always the case with spoofed attacks for
instance... (from the attackee perspective that is)

> If you're one of those believers in only your own bottom line, perhaps
> the liability stick is a good on to wave in your general direction in
> cases like this? (not stating that you are negligent when advised of
> DoS attacks in progress, of course)

Hmm, as with any large carrier (I think) UUNET
(mci/ex-wcom/whomever-we-are-for-now but UUNET works for me) will always
attempt to do the right thing with respect to the customer being attacked.
We do hope that customers ATTACKING folks will do the right thing also and
stop the pain on themselves and others. We have on many occasions
contacted these folks and requested their help in stopping the pain... If
we do trace traffic back we always filter there if possible, why bother
transitting the traffic if we are just going to drop it on the far side?
The sad reality here is that not all customers are reachable all the time,
not all are interested in stopping the traffic, and not all know how to
stop the traffic :(

More information about the NANOG mailing list