Reporting DDOS reflection attacks

Damian Menscher damian at
Sat Nov 8 22:48:47 UTC 2014

I've used

Be prepared for a lot of backscatter.  You'll get autoresponders, automated
ticketing systems sending frequent updates, bounce messages (from full
[email protected] inboxes), and be surveyed for how well they're not performing.

Also, be prepared for ISPs / hosting providers to ask for additional
information, like logs proving the attack came from their customer.

Oh, and be prepared to feel sorry for their customers whose VMs are deleted
for "hacking", rather than being informed of their misconfiguration.

On the bright side, some 10% will actually correct the problem, thereby
costing the attacker a few minutes of work to re-scan for active
amplifiers. :P

Professional Pessimist

On Fri, Nov 7, 2014 at 10:56 AM, <srn.nanog at> wrote:

> Like most small providers, we occasionally get hit by DoS attacks. We got
> hammered by an SSDP
> reflection attack (udp port 1900) last week. We took a 27 second log and
> from there extracted
> about 160k unique IPs.
> It is really difficult to find abuse emails for 160k IPs.
> We know about but requires hostnames, not IPs for
> lookups and not all IP
> addresses have valid DNS entries.
> The only other way we know of to report problems is to grab the abuse
> email addresses is whois.
> However, whois is not structured and is not set up to deal with this
> number of requests - even
> caching whois data based on subnets will result in many thousands of
> lookups.
> Long term it seems like structured data and some kind of authentication
> would be ideal for reporting
> attacks. But right now how should we be doing it?

More information about the NANOG mailing list