Reporting DDOS reflection attacks
mfidelman at meetinghouse.net
Sat Nov 8 13:50:15 UTC 2014
I can offer an indirect story, and not quite a reflection attack, but a
We happen to have a host that had an IPMI board exposed to the net, that
got compromised, and became a vector for a DDoS attack. The target
reported the attack to at least some of the sources, including
Windstream/Hosted Solutions, where this particular server is located.
They contacted me, and I dealt with things with about a 1-hour
turn-around from when a trouble ticket hit my inbox (well, still dealing
with things - that IPMI card is offline until I get around to securing
it, and it's the occasional reboot-by-phone-call until then). So at
least one small success.
McDonald Richards wrote:
> Out of curiosity, have any of you had luck reporting the sources of attacks
> to the admins of the origin ASNs?
> Any failure or success stories you can share?
> On Sat, Nov 8, 2014 at 6:20 PM, Paul Bennett <paul.w.bennett at gmail.com>
>> On Sat, Nov 8, 2014 at 2:00 AM, Roland Dobbins <rdobbins at arbor.net> wrote:
>>> On 8 Nov 2014, at 1:56, srn.nanog at prgmr.com wrote:
>>>> But right now how should we be doing it?
>> Once you get the ASN or at least the domain name of the ISP providing
>> service to the reflecting host, several major reputable ISPs
>> (including my employer, who I can't name because I'm not an official
>> spokesperson) will welcome RFC 5070 "IODEF" reports for general
>> network abuse and RFC 5965 "MARF" format for email abuse, directed to
>> [email protected] the main domain for that ISP.
>> Paul W Bennett
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
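The RFC 5070 "IODEF" report format mentioned in the quoted reply, as an added example that is not part of the original thread: a Python sketch that builds a minimal IODEF v1 document naming one reflecting host. The function name `build_report`, the reporter identity, incident ID, addresses and port are constructed placeholders (documentation ranges), and only a small subset of the schema is populated.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # IODEF v1 namespace (RFC 5070)


def _sub(parent, tag, text=None, **attrs):
    """Append a namespaced IODEF child element and return it."""
    el = ET.SubElement(parent, f"{{{IODEF_NS}}}{tag}", attrs)
    if text is not None:
        el.text = text
    return el


def build_report(incident_id, reporter, contact_email, reflector_ip,
                 victim_ip, udp_port, start, description):
    """Return an IODEF v1 XML string describing one reflecting host."""
    ET.register_namespace("", IODEF_NS)
    doc = ET.Element(f"{{{IODEF_NS}}}IODEF-Document",
                     {"version": "1.00", "lang": "en"})
    inc = _sub(doc, "Incident", purpose="reporting")
    # Child order follows the Incident class definition in RFC 5070.
    _sub(inc, "IncidentID", incident_id, name=reporter)
    _sub(inc, "StartTime", start.isoformat())
    _sub(inc, "ReportTime", datetime.now(timezone.utc).isoformat())
    _sub(inc, "Description", description)
    _sub(_sub(inc, "Assessment"), "Impact", type="dos")
    contact = _sub(inc, "Contact", role="creator", type="organization")
    _sub(contact, "ContactName", reporter)
    _sub(contact, "Email", contact_email)
    flow = _sub(_sub(inc, "EventData"), "Flow")
    # From the victim's side the reflector is the traffic source.
    for category, ip in (("source", reflector_ip), ("target", victim_ip)):
        system = _sub(flow, "System", category=category)
        _sub(_sub(system, "Node"), "Address", ip, category="ipv4-addr")
        if category == "source":
            svc = _sub(system, "Service", ip_protocol="17")  # 17 = UDP
            _sub(svc, "Port", str(udp_port))
    return ET.tostring(doc, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values; replace with data from your own flow logs.
    print(build_report("CONSTRUCTED-0001", "noc.example.net",
                       "noc@example.net", "192.0.2.10", "198.51.100.20", 123,
                       datetime(2014, 11, 8, 12, 0, tzinfo=timezone.utc),
                       "Host observed sending UDP reflection traffic"))
```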