abuse reporting tools
Gregg Berkholtz
gregg at tocici.com
Wed Nov 26 06:38:53 UTC 2014
First please filter the source addr on all egress traffic, please. Please.
Second, please don’t be the network admin who emails:
“…
To: notOurOrgAbuseEmail at tocici.com
From: cluelessAdmin at example.com
Subject: An attempt of intrusion comes from your ip
.
…”
Just in case you missed the obvious: message body was empty, $cluelessAdmin didn’t do a basic whois for our OrgAbuseEmail, and $cluelessAdmin ASSumed we knew which of our 2,048 IPs apparently started WWIII while providing absolutely zero collaborating evidence (attaching or linking to raw tcpdump is very nice, “-d” is Ok too). We often receive dozens of these totally useless/blank emails, in clusters of a few minutes.
Tricks like that earn an instant 144-hour null route badge for whichever sending company’s entire presumed netblock (if we can’t find an obvious AS), repeat offenses earn longer and more colorful badges. All get a personal voicemail to the $cluelessAdmin company’s exec(s)/admin(s). I deliver these voicemails roughly three times a week now. Teh Stupid leaves burn marks on our NOC techs, and the poor geeks can only take so much!
Other suggestions, such as watching and responding to s/NetFlow spikes, or tracking/linking multiple complaining networks before even attempting to look at origins…these sometimes warrant a followup depending upon volume and frequency (easily tracked with an SQLite + PHP-based tool/api). We’ve found things are more often just fat fingers, someone more bored than harmful, or someone that hasn’t figured out zmap options yet.
As for a genuine DDoS, with a spoofed-source - can you really do much about this? For years we’ve just automatically null-routed (+RTBH) the ingress target (and, if obvious, any egress source) for a shortish random() period, and everyone typically gets bored shortly thereafter. Our current null-route based homegrown DDoS mitigation platform requires barely ~10 seconds from detection/onset to mitigation, so we tend to eliminate most fun and drama pretty quickly. For more business-focused clients, services like CloudFlare typically keep DDoS attacks off ingress IPs.
(BTW: in addition to business sites, we host Minecraft, Teamspeak, and other “l33t hax0r” targeted services)
Gregg Berkholtz
> On Nov 18, 2014, at 4:58 PM, Mike <mike-nanog at tiedyenetworks.com> wrote:
>
> Hello,
>
> I provide broadband connectivity to mostly residential users. Over the
> past few years, instances of DDoS against the network - specifically
> targeting end users - have been on the rise, and today I can qualify many
> of these as simple acts of revenge where someone will engage a dos
> (possibly, services like 'booters' or similar) because they lost an
> online game or had some interaction in a forum they didn't like. I have
> good 'consumer broadband' filtering rules in place which make sense and
> protect against quite a lot of obviously ddos oriented traffic streams.
> The next step I want to engage, for those types of traffic which I can
> positively identify as not spoofed, is to send out abuse reports to
> owners of ip ranges used to launch these attacks. Ideally I'd like to be
> able to write up some form letter describing the attack, the source
> ip(s) of note, some disassembled sample packets, and then feed a list of
> IP source addresses and have it mail it out to the abuse contact at each
> source network. I am wondering if anyone has a pointer or reference to
> any tools which might help facilitate this?
>
> Thank you.
>
> Mike-
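As an added example (not code from either poster), a small Python sketch of the tool Mike asks for and the kind of report Gregg says he wants to receive: it pulls the abuse mailbox out of whois output, sums flows per source IP for one victim, and renders a report that carries the source, the UTC time window, packet counts, the targeted service and a pointer to the raw capture. The whois text, flow records and evidence URL are constructed sample values using documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed ARIN-style whois output; addresses are documentation values, not real records.
WHOIS_SAMPLE = """\
CIDR:           192.0.2.0/24
OrgName:        Example Hosting
OrgAbuseEmail:  abuse@example.net
"""

# Constructed flow records: (UTC timestamp, src ip, dst ip, proto, dst port, packets).
FLOWS = [
    ("2014-11-25T21:03:11Z", "192.0.2.17", "198.51.100.9", "udp", 25565, 48200),
    ("2014-11-25T21:03:12Z", "192.0.2.17", "198.51.100.9", "udp", 25565, 51900),
    ("2014-11-25T21:03:12Z", "192.0.2.80", "198.51.100.9", "udp", 25565, 12000),
    ("2014-11-25T21:03:13Z", "192.0.2.17", "203.0.113.40", "udp", 25565, 300),
]

def abuse_contact(whois_text):
    """Abuse mailbox from whois output (ARIN 'OrgAbuseEmail' or RIPE 'abuse-mailbox'), else None."""
    for key in ("OrgAbuseEmail", "abuse-mailbox"):
        m = re.search(rf"^{key}:\s*(\S+@\S+)", whois_text, re.M)
        if m:
            return m.group(1)
    return None

def summarize(flows, target):
    """Per-source totals for flows aimed at one target: packets, first/last seen, (proto, port) pairs."""
    per_src = defaultdict(lambda: {"packets": 0, "first": None, "last": None, "services": set()})
    for ts, src, dst, proto, dport, pkts in flows:
        if dst != target:
            continue  # only evidence for the victim we are reporting
        rec = per_src[src]
        rec["packets"] += pkts
        rec["first"] = ts if rec["first"] is None or ts < rec["first"] else rec["first"]
        rec["last"] = ts if rec["last"] is None or ts > rec["last"] else rec["last"]
        rec["services"].add((proto, dport))
    return dict(per_src)

def build_report(flows, target, source, contact, evidence_url):
    """Render one abuse report: who, what, when in UTC, how much, and where the raw capture is."""
    rec = summarize(flows, target)[source]
    svc = ", ".join(f"{p}/{d}" for p, d in sorted(rec["services"]))
    return "\n".join([
        f"To: {contact}",
        f"Subject: Abuse report: {source} flooding {target} ({rec['first']} to {rec['last']})",
        "",
        f"Source IP {source} sent {rec['packets']} packets to {target} ({svc})",
        f"between {rec['first']} and {rec['last']} (timestamps UTC), as observed at our border.",
        f"Raw capture (tcpdump -nn -vv) for this window: {evidence_url}",
        "Please reference this message id in any reply so we can correlate follow-ups.",
    ])
```

A live version would replace WHOIS_SAMPLE with the output of a whois or RDAP lookup for each source and FLOWS with records exported from the collector.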