DDOS solution recommendation

Damian Menscher damian at google.com
Sun Jan 11 22:22:06 UTC 2015


On Sun, Jan 11, 2015 at 5:07 AM, Mike Hammett <nanog at ics-il.net> wrote:
>
> Blackhole all of the zombie attackers and notify their abuse departments.
> Sure, most of the owners of the PCs being used in these scenarios have no
> idea they're being used to attack people, but I'd think that if their
> network's abuse department was notified, either they'd contact the customer
> about the issue or at least have on file that they were notified. When the
> unknowing end-user reached out to support over larger and larger parts of
> the Internet not working, they'd be told to clean up their system.


Notification to abuse departments is largely a waste of time, but I've
tried it anyway.  My records indicate that over the past year I sent 3139
emails covering 24054 known-infected machines regarding 16 distinct
incidents.  A few machines were cleaned, but the attacks continue.

Part of the problem is that most network providers don't have the resources
to chase down abuse issues.  In one case I informed an ISP of ~70k infected
customers.  They said their support team couldn't possibly handle that, and
took no action.  In another case, a well-known ISP was unable to receive my
list because they bounced emails over a certain size.

I try to bypass the ISP where possible by sending notices directly to users
(http://googleblog.blogspot.com/2011/07/using-data-to-protect-people-from.html
and
http://googleonlinesecurity.blogspot.com/2012/05/notifying-users-affected-by-dnschanger.html).
That has a provable effect, though not as large as one might hope.

Your later comment of blackholing is indeed quite effective (I once
blackholed 3 IPs at a hosting provider who had ignored 3 abuse complaints
over 3 months, and they had the machines cleaned within days), but is a
last resort since there can be significant collateral damage (which is, of
course, why they suddenly decided to care).  I've also encouraged website
owners to care by marking their website as infected in Google search
results.

On Sun, Jan 11, 2015 at 5:50 AM, Patrick W. Gilmore <patrick at ianai.net> wrote:
>
> But I've said for years (despite some people saying I am confused) that
> BCP38 is the single most important thing we can do to cut DDoS.
>

Yes, agreed.  I've been working on this, but unfortunately nobody is ready
to take action, often citing hardware limitations.  And since nobody is
compliant, there's no way to push others to upgrade.

On Sun, Jan 11, 2015 at 6:51 AM, Job Snijders <job at instituut.net> wrote:

> On Sun, Jan 11, 2015 at 08:46:40AM -0600, Mike Hammett wrote:
> > Is anyone maintaining a list of good, bad and ugly providers in terms
> > of how seriously they take things they should like BCP38 and community
> > support and whatever else that's quantifiable?
>
> This list sheds some light on antispoofing commitments made by various
> providers: https://www.routingmanifesto.org/participants/


I have traced spoofed-source attacks to providers on that list.  I once
considered posting a list-of-shame, but it would be too long (and not win
any friends here).

On Sun, Jan 11, 2015 at 10:09 AM, Joel Maslak <jmaslak at antelope.net> wrote:

> I urge caution in building automatic systems to respond to network abuse,
> lest you have unanticipated consequences.
>

I'm always amused at the automation people create.  Googlebot is a frequent
victim of admins who know perl, but not /robots.txt.

Damian
