Reporting DDOS reflection attacks

Miles Fidelman mfidelman at meetinghouse.net
Sat Nov 8 13:50:15 UTC 2014


I can offer an indirect story, and not quite a reflection attack, but a 
DDoS one.

We happen to have a host that had an IPMI board exposed to the net, that 
got compromised, and became a vector for a DDoS attack. The target 
reported the attack to at least some of the sources, including 
Windstream/Hosted Solutions, where this particular server is located.  
They contacted me, and I dealt with things with about a 1-hour 
turn-around from when a trouble ticket hit my inbox (well, still dealing 
with things - that IPMI card is offline until I get around to securing 
it, and it's the occasional reboot-by-phone-call until then).  So at 
least one small success.

Miles Fidelman


McDonald Richards wrote:
> Out of curiosity, have any of you had luck reporting the sources of attacks
> to the admins of the origin ASNs?
>
> Any failure or success stories you can share?
>
> Macca
>
>
> On Sat, Nov 8, 2014 at 6:20 PM, Paul Bennett <paul.w.bennett at gmail.com>
> wrote:
>
>> On Sat, Nov 8, 2014 at 2:00 AM, Roland Dobbins <rdobbins at arbor.net> wrote:
>>> On 8 Nov 2014, at 1:56, srn.nanog at prgmr.com wrote:
>>>
>>>> But right now how should we be doing it?
>>> <http://www.team-cymru.org/Services/ip-to-asn.html>
>> Once you get the ASN or at least the domain name of the ISP providing
>> service to the reflecting host, several major reputable ISPs
>> (including my employer, who I can't name because I'm not an official
>> spokesperson) will welcome RFC 5070 "IODEF" reports for general
>> network abuse and RFC 5965 "MARF" format for email abuse, directed to
>> abuse@ the main domain for that ISP.
>>
>> http://www.ietf.org/rfc/rfc5070.txt
>>
>> http://www.ietf.org/rfc/rfc5965.txt
>>
>>
>>
>> --
>> Paul W Bennett
>>


-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
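
An added example, not part of the original thread or any poster's code: a sketch of the reporting workflow the quoted replies describe, mapping attack source addresses to origin ASNs with Team Cymru's IP-to-ASN DNS interface and building a minimal RFC 5070 IODEF report per ASN. The function names, the constructed sample answers (documentation address ranges and ASNs), and the reporter details are assumptions; the pipe-separated answer layout is assumed from that service's TXT responses.

```python
import ipaddress
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # namespace defined by RFC 5070
# Constructed sample: source IP -> TXT answer text (documentation ranges/ASNs).
SAMPLE_ANSWERS = {
    "192.0.2.10": "64496 | 192.0.2.0/24 | ZZ | example | 2014-01-01",
    "192.0.2.77": "64496 | 192.0.2.0/24 | ZZ | example | 2014-01-01",
    "198.51.100.5": "64511 | 198.51.100.0/24 | ZZ | example | 2014-01-01",
}

def cymru_origin_qname(ip):
    """DNS TXT name to query for an IPv4 address (reversed octets + zone)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".origin.asn.cymru.com"

def parse_origin_txt(txt):
    """Parse 'ASN | prefix | CC | registry | date'; multi-origin lists several ASNs."""
    asn, prefix, cc, registry, allocated = [f.strip() for f in txt.split("|")]
    return {"asns": [int(a) for a in asn.split()], "prefix": prefix,
            "cc": cc, "registry": registry, "allocated": allocated}

def group_by_asn(answers):
    """Map each origin ASN to its source IPs, so one report goes to each network."""
    groups = {}
    for ip, txt in answers.items():
        for asn in parse_origin_txt(txt)["asns"]:
            groups.setdefault(asn, []).append(ip)
    return groups

def build_iodef(incident_id, reporter, report_time, sources, description):
    """Return a minimal RFC 5070 document listing the attack source addresses."""
    ET.register_namespace("", IODEF_NS)
    q = lambda tag: "{%s}%s" % (IODEF_NS, tag)
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting"})
    ET.SubElement(inc, q("IncidentID"), {"name": reporter["domain"]}).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = report_time
    ET.SubElement(inc, q("Description")).text = description
    ET.SubElement(ET.SubElement(inc, q("Assessment")), q("Impact"), {"type": "dos"})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("ContactName")).text = reporter["name"]
    ET.SubElement(contact, q("Email")).text = reporter["email"]
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    for ip in sources:
        system = ET.SubElement(flow, q("System"), {"category": "source"})
        node = ET.SubElement(system, q("Node"))
        ET.SubElement(node, q("Address"), {"category": "ipv4-addr"}).text = ip
    return ET.tostring(doc, encoding="unicode")
```

Each ASN's address list from `group_by_asn` becomes the `sources` argument of one `build_iodef` call, and the resulting XML is what gets mailed to that network's abuse@ address.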



