What good is a noc team? How do you mitigate this? [was: How many backbones ...]
Gadi Evron
ge at linuxbox.org
Thu Dec 2 23:20:36 UTC 2004
> Sorry your experience has been different, this is definitely one of
> those YMMV kinds of deals. That is a significant attack by most
> anyone's standards. Getting to the right security team usually ends
> up being the challenge. Once there however we have found many
> providers do a great job of dealing with attacks quickly. Use of BGP
> triggered blackholes can be a great help and going to the NOC/Abuse
> team with lots of good information from the start helps you get to
> the people that can pull the attack off quickly. You have to remember
> that, like all of us, larger service providers have their share of
> low clue factor customers. The quicker you can help them realize
> that you have a fairly high clue factor the quicker you'll get to
> folks on their side with a high clue factor. During times of
> outages, attacks, etc. it is easy to get agitated quickly and that
> often times doesn't help you get through the first couple of barrier
> noc techs.
Okay, making this an operational issue. Say you are attacked. Say it
isn't even a botnet. Say a new worm is out and you are getting traffic
from 19 different class A's.
Who do you call? What do you block?
How can a noc team here help?
"Please block any outgoing connections from your network to ours on port
25? Please?" I tried this once... it doesn't help. I ended up blackholing
an entire country just to mitigate it a bit, for a few hours.
Any practical suggestions?
Gadi.