Reporting DDOS reflection attacks

Frank Bulk frnkblk at
Sat Nov 8 23:19:56 UTC 2014

Do you know if third-parties such as SANS ISC or ShadowServer take lists of IPs?


-----Original Message-----
From: NANOG [mailto:nanog-bounces at] On Behalf Of srn.nanog at
Sent: Friday, November 07, 2014 12:57 PM
To: nanog at
Subject: Reporting DDOS reflection attacks

Like most small providers, we occasionally get hit by DoS attacks. We got hammered by an SSDP
reflection attack (udp port 1900) last week. We took a 27 second log and from there extracted
about 160k unique IPs.

It is really difficult to find abuse emails for 160k IPs.

We know about but requires hostnames, not IPs for lookups and not all IP
addresses have valid DNS entries.

The only other way we know of to report problems is to grab the abuse email addresses is whois.
However, whois is not structured and is not set up to deal with this number of requests - even
caching whois data based on subnets will result in many thousands of lookups.

Long term it seems like structured data and some kind of authentication would be ideal for reporting
attacks. But right now how should we be doing it?

More information about the NANOG mailing list