Reporting DDOS reflection attacks

srn.nanog at prgmr.com srn.nanog at prgmr.com
Sun Nov 9 17:43:47 UTC 2014


On 11/09/2014 09:31 AM, Brian Rak wrote:

> Some tips:
> 1) Verify the servers are still vulnerable.  This is pretty straightforward, and saves everyone
> involved some time
For a DDOS, I'd be concerned that the provider would now think my activity was malicious.

> 2) Your abuse emails should include tcpdump-like output (or you'll get tons of replies asking for logs)
Is the output from nfdump close enough?

> 3) Sticking to one abusive IP per email seems to get the best response rate (or you confuse all the
> automated systems for parsing these)
The smallest email abuse report I sent last week contained over 15,000 IPs. Is it really better to
send that many emails?


More information about the NANOG mailing list