Reporting DDOS reflection attacks

Miles Fidelman mfidelman at
Sat Nov 8 13:50:15 UTC 2014

I can offer an indirect story, and not quite a reflection attack, but a 
DDoS one.

We happen to have a host that had an IPMI board exposed to the net, that 
got compromised, and became a vector for a DDoS attack. The target 
reported the attack to at least some of the sources, including 
Windstream/Hosted Solutions, where this particular server is located.  
They contacted me, and I dealt with things with about a 1-hour 
turn-around from when a trouble ticket hit my inbox (well, still dealing 
with things - that IPMI card is offline until I get around to securing 
it, and it's the occasional reboot-by-phone-call until then).  So at 
least one small success.

Miles Fidelman

McDonald Richards wrote:
> Out of curiosity, have any of you had luck reporting the sources of attacks
> to the admins of the origin ASNs?
> Any failure or success stories you can share?
> Macca
> On Sat, Nov 8, 2014 at 6:20 PM, Paul Bennett <paul.w.bennett at>
> wrote:
>> On Sat, Nov 8, 2014 at 2:00 AM, Roland Dobbins <rdobbins at> wrote:
>>> On 8 Nov 2014, at 1:56, srn.nanog at wrote:
>>>> But right now how should we be doing it?
>>> <>
>> Once you get the ASN or at least the domain name of the ISP providing
>> service to the reflecting host, several major reputable ISPs
>> (including my employer, who I can't name because I'm not an official
>> spokesperson) will welcome RFC 5070 "IODEF" reports for general
>> network abuse and RFC 5965 "MARF" format for email abuse, directed to
>> [email protected] the main domain for that ISP.
>> --
>> Paul W Bennett

In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
