Reporting DDOS reflection attacks

Ruairi Carroll ruairi.carroll at
Sat Nov 8 11:30:54 UTC 2014


We've been hit on/off with large scale amplification attacks over the last
few years.

We found looking up src ASN of the attack and reporting is not super
helpful, as many blocks come from sub allocations and you'll just get
redirected to someone else. This will just cause more overhead and legwork
for you in the long run.

Whois data *seems* to be a little more reliable, and there's an abuseEmail
script out there that helps automate the abuse contact lookup ( ).

We've added a bit of logic in front of this to aggregate the flows per
destination abuse email, then send a report with all listed flows +

Feel free to ping me offlist if you want some more info on this.


On 7 November 2014 18:56, <srn.nanog at> wrote:

> Like most small providers, we occasionally get hit by DoS attacks. We got
> hammered by an SSDP
> reflection attack (udp port 1900) last week. We took a 27 second log and
> from there extracted
> about 160k unique IPs.
> It is really difficult to find abuse emails for 160k IPs.
> We know about but requires hostnames, not IPs for
> lookups and not all IP
> addresses have valid DNS entries.
> The only other way we know of to report problems is to grab the abuse
> email addresses is whois.
> However, whois is not structured and is not set up to deal with this
> number of requests - even
> caching whois data based on subnets will result in many thousands of
> lookups.
> Long term it seems like structured data and some kind of authentication
> would be ideal for reporting
> attacks. But right now how should we be doing it?

More information about the NANOG mailing list