Reporting DDOS reflection attacks

Brian Rak brak at gameservers.com
Sun Nov 9 17:31:39 UTC 2014


Also, abusix is not completely accurate (and they've never responded to 
my emails reporting problems).  For example, any IPs from apnic and 
nic.ad.jp return the registry's abuse address, which doesn't do anything.

Don't forget about all the providers with incorrect abuse contacts, or 
providers that require you to fill out some form, or providers that 
auto-respond with messages saying it's not their IP space (I'm looking 
at you charter... 71.90.222.x is definitely your space, despite what 
your abuse system thinks).

Some tips:
1) Verify the servers are still vulnerable.  This is pretty 
straightforward, and saves everyone involved some time
2) Your abuse emails should include tcpdump-like output (or you'll get 
tons of replies asking for logs)
3) Sticking to one abusive IP per email seems to get the best response 
rate (or you confuse all the automated systems for parsing these)
4) We provide instructions for fixing the issue for some common 
software... this seems to help some of the people who have no idea what 
they are doing.
5) Make sure you don't send this from your email address.  It should 
definitely be its own mailbox due to the volume of bounces and autoreplies 
you'll see.

Don't expect that sending abuse emails is going to have any noticeable 
effect on the size of the attacks you see.  The openresolverproject 
stats show the scope of the issue: 
http://openresolverproject.org/breakdown.cgi

On 11/8/2014 5:48 PM, Damian Menscher wrote:
> I've used https://abusix.com/contactdb.html
>
> Be prepared for a lot of backscatter.  You'll get autoresponders, automated
> ticketing systems sending frequent updates, bounce messages (from full
> abuse@ inboxes), and be surveyed for how well they're not performing.
>
> Also, be prepared for ISPs / hosting providers to ask for additional
> information, like logs proving the attack came from their customer.
>
> Oh, and be prepared to feel sorry for their customers whose VMs are deleted
> for "hacking", rather than being informed of their misconfiguration.
>
> On the bright side, some 10% will actually correct the problem, thereby
> costing the attacker a few minutes of work to re-scan for active
> amplifiers. :P
>
> Damian
> Professional Pessimist
>
> On Fri, Nov 7, 2014 at 10:56 AM, <srn.nanog at prgmr.com> wrote:
>
>> Like most small providers, we occasionally get hit by DoS attacks. We got
>> hammered by an SSDP
>> reflection attack (udp port 1900) last week. We took a 27 second log and
>> from there extracted
>> about 160k unique IPs.
>>
>> It is really difficult to find abuse emails for 160k IPs.
>>
>> We know about abuse.net but abuse.net requires hostnames, not IPs for
>> lookups and not all IP
>> addresses have valid DNS entries.
>>
>> The only other way we know of to report problems is to grab the abuse
>> email addresses from whois.
>> However, whois is not structured and is not set up to deal with this
>> number of requests - even
>> caching whois data based on subnets will result in many thousands of
>> lookups.
>>
>> Long term it seems like structured data and some kind of authentication
>> would be ideal for reporting
>> attacks. But right now how should we be doing it?
>>
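As an added example (not code from anyone in this thread), a small Python script that does what the tips above describe: it takes tcpdump-style lines from the victim's capture, keeps only UDP/1900 replies aimed at the victim, groups them by reflector IP, and drafts one report per IP with the raw capture lines as evidence. The sample lines and addresses are constructed (RFC 5737 documentation ranges), not a real capture.

```python
import re
from collections import defaultdict

# Default tcpdump -n output for a UDP datagram: "ts IP src.sport > dst.dport: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

# Constructed sample capture (RFC 5737 documentation addresses), not a real log.
SAMPLE_LINES = """\
17:31:39.000101 IP 203.0.113.10.1900 > 198.51.100.5.54321: UDP, length 320
17:31:39.000233 IP 203.0.113.10.1900 > 198.51.100.5.54321: UDP, length 318
17:31:39.000410 IP 203.0.113.44.1900 > 198.51.100.5.54321: UDP, length 325
17:31:39.000512 IP 192.0.2.7.53 > 198.51.100.5.40001: UDP, length 512
17:31:39.000600 IP 203.0.113.10.1900 > 198.51.100.5.54321: UDP, length 320
this line is not a packet and must be ignored
""".splitlines()

def parse_line(line):
    """Fields of one tcpdump UDP line, or None when the line is not a packet."""
    m = LINE_RE.match(line)
    return {k: int(v) if k in ("sport", "dport", "len") else v
            for k, v in m.groupdict().items()} if m else None

def summarize(lines, victim, port=1900, keep=3):
    """Group replies from reflectors (source port == port, destination == victim)
    by source IP, keeping the first `keep` raw lines per IP as evidence."""
    per_ip = defaultdict(lambda: {"packets": 0, "bytes": 0, "evidence": []})
    for line in lines:
        p = parse_line(line)
        if not p or p["sport"] != port or p["dst"] != victim:
            continue  # unrelated traffic or a non-packet line
        entry = per_ip[p["src"]]
        entry["packets"] += 1
        entry["bytes"] += p["len"]
        if len(entry["evidence"]) < keep:
            entry["evidence"].append(line)
    return dict(per_ip)

def draft_report(ip, entry, victim, port=1900):
    """One report per abusive IP, carrying the tcpdump-style evidence lines."""
    head = (f"Subject: open UDP/{port} reflector {ip} used against {victim}\n\n"
            f"{ip} sent {entry['packets']} unsolicited UDP/{port} replies "
            f"({entry['bytes']} bytes) to {victim}. Sample capture lines:")
    return "\n".join([head, *entry["evidence"]])
```

Feed it the output of a real `tcpdump -n udp and src port 1900` run and iterate over `summarize(...)` to get one draft per reflector, which keeps the automated abuse parsers on the receiving end happy.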