What good is a noc team? How do you mitigate this? [was: How many backbones ...]

Gadi Evron ge at linuxbox.org
Thu Dec 2 23:20:36 UTC 2004


> Sorry your experience has been different, this is definitely one of
> those YMMV kinds of deals.  That is a significant attack by most
> anyone's standards.  Getting to the right security team usually ends
> up being the challenge.  Once there however we have found many
> providers do a great job of dealing with attacks quickly.  Use of BGP
> triggered blackholes can be a great help and going to the NOC/Abuse
> team with lots of good information from the start helps you get to
> the people that can pull the attack off quickly.  You have to remember
> that, like all of us, larger service providers have their share of
> low clue factor customers.  The quicker you can help them realize
> that you have a fairly high clue factor the quicker you'll get to
> folks on their side with a high clue factor.  During times of
> outages, attacks, etc. it is easy to get agitated quickly and that
> often times doesn't help you get through the first couple of barrier
> noc techs.

Okay, making this an operational issue. Say you are attacked. Say it 
isn't even a botnet. Say a new worm is out and you are getting traffic 
from 19 different class A's.

Who do you call? What do you block?

How can a noc team here help?

"Please block any outgoing connections from your network to ours on port 
25? Please?" I tried this once.. it doesn't help. I ended up blackholing 
an entire country just to mitigate it a bit, for a few hours.

Any practical suggestions?

	Gadi.
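As an added example, not part of the original post or of any reply in the thread: the quoted suggestion of BGP-triggered blackholes and the question "what do you block?" can be turned into a repeatable triage step. The script below takes flow records (constructed sample data, not real traffic), counts packets per source toward the victim on the attacked port, collapses sources into /24s, keeps only nets with several distinct hosts and real volume, and emits announcement lines in ExaBGP-style syntax tagged with the BLACKHOLE community 65535:666. Assumptions: the discard next-hop 192.0.2.1, the thresholds, and that the upstream honours that community are all illustrative; source-based blackholing like this only works where the provider has loose-mode uRPF on its edge, otherwise the classic option is a destination-based blackhole that sacrifices the victim address.

```python
"""Aggregate attack sources from flow records and emit RTBH announcements.

Added example, not code from the original NANOG thread. All addresses
are from documentation/test ranges and every flow record is constructed.
"""
import ipaddress
from collections import Counter

# Constructed flow records: (src, dst, dport, packets). Not real data.
FLOWS = [
    ("203.0.113.7",  "198.51.100.25", 25,  4800),
    ("203.0.113.9",  "198.51.100.25", 25,  5100),
    ("203.0.113.77", "198.51.100.25", 25,  3900),
    ("192.0.2.15",   "198.51.100.25", 25,  4200),
    ("192.0.2.16",   "198.51.100.25", 25,  4100),
    ("198.18.5.5",   "198.51.100.25", 25,   120),  # single low-volume host, likely legitimate
    ("203.0.113.8",  "198.51.100.80", 443,   60),  # unrelated destination/port, ignored
]


def attack_sources(flows, victim, dport):
    """Packet count per source address that hit victim:dport."""
    counts = Counter()
    for src, dst, port, pkts in flows:
        if dst == victim and port == dport:
            counts[ipaddress.ip_address(src)] += pkts
    return counts


def aggregate(counts, prefixlen=24, min_hosts=2, min_packets=1000):
    """Collapse sources into /prefixlen nets and keep the ones worth blackholing.

    A net qualifies when it contributes at least min_hosts distinct sources
    and min_packets in total (thresholds are assumptions for the example).
    Result is sorted by volume, largest first.
    """
    nets = {}
    for ip, pkts in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        hosts, total = nets.get(net, (set(), 0))
        hosts.add(ip)
        nets[net] = (hosts, total + pkts)
    return sorted(
        (net for net, (hosts, total) in nets.items()
         if len(hosts) >= min_hosts and total >= min_packets),
        key=lambda n: -nets[n][1],
    )


def rtbh_announcements(prefixes, next_hop="192.0.2.1", community="65535:666"):
    """ExaBGP-style announce lines for a source-based RTBH (assumed syntax).

    next_hop is the discard next-hop the provider routes to Null0;
    community is the well-known BLACKHOLE value (RFC 7999), assumed honoured.
    """
    return [f"announce route {p} next-hop {next_hop} community [{community}]"
            for p in prefixes]


def victim_announcement(victim, next_hop="192.0.2.1", community="65535:666"):
    """Destination-based RTBH: sacrifice the victim host to protect the rest."""
    return f"announce route {victim}/32 next-hop {next_hop} community [{community}]"


if __name__ == "__main__":
    counts = attack_sources(FLOWS, "198.51.100.25", 25)
    nets = aggregate(counts)
    for line in rtbh_announcements(nets):
        print(line)
    print(victim_announcement("198.51.100.25"))
```

With the sample data the single host in 198.18.5.0/24 drops out and only the two /24s that actually carry the attack are announced, which is the kind of short, specific list the quoted reply says gets you past the first tier of NOC staff faster than "block everything from this country".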



More information about the NANOG mailing list