Reporting DDOS reflection attacks

srn.nanog at prgmr.com srn.nanog at prgmr.com
Sat Nov 8 16:58:15 UTC 2014


On 11/07/2014 11:20 PM, Paul Bennett wrote:
> On Sat, Nov 8, 2014 at 2:00 AM, Roland Dobbins <rdobbins at arbor.net> wrote:
>>
>> On 8 Nov 2014, at 1:56, srn.nanog at prgmr.com wrote:
>>
>>> But right now how should we be doing it?
>>
>> <http://www.team-cymru.org/Services/ip-to-asn.html>
> 
> Once you get the ASN or at least the domain name of the ISP providing
> service to the reflecting host, several major reputable ISPs
> (including my employer, who I can't name because I'm not an official
> spokesperson) will welcome RFC 5070 "IODEF" reports for general
> network abuse and RFC 5965 "MARF" format for email abuse, directed to
> [email protected] the main domain for that ISP.
> 
> http://www.ietf.org/rfc/rfc5070.txt
> 
> http://www.ietf.org/rfc/rfc5965.txt

Thanks, the IP->subnet/ASN lookup and rfc5070 look like exactly what we need to start with.  I'm
fairly certain it would have gotten us the same contact for all the IPs we reported last week.

Since IODEF is so flexible, are there any exact guidelines or examples on how to use it to report a
DDOS? For example, should there be a separate XML document for each prefix or one for the entire
list? What I found was https://tools.ietf.org/html/draft-ietf-mile-iodef-guidance-03#page-21 but it
could use some more explanation.


More information about the NANOG mailing list