Ransom DDoS attack - need help!

Roland Dobbins rdobbins at arbor.net
Fri Dec 4 04:09:02 UTC 2015

On 4 Dec 2015, at 9:34, alvin nanog wrote:

> all that tcpdump jibberish

Is entirely unnecessary, as well as being completely impractical on a 
network of any size.

Reasonable network access policies for the entities under attack plus 
flow telemetry collection/analysis, S/RTBH, and/or flowspec are a good 
start, along with this:


This business of attempting to use packet captures for everything is the 
equivalent of your doctor attempting to diagnose the reason you're 
running a fever by using an electron microscope.

Start with the BCPs, then move to the macroanalytical.  Only dip into 
the microanalytical when required, and even then, do so very 

Roland Dobbins <rdobbins at arbor.net>

More information about the NANOG mailing list