Best way to get foreign ISPs to shut down DDoS reflectors?

Damian Menscher damian at google.com
Fri Apr 24 00:09:47 UTC 2020


On Thu, Apr 23, 2020 at 3:26 PM Ca By <cb.list6 at gmail.com> wrote:

> On Thu, Apr 23, 2020 at 3:14 PM Compton, Rich A <Rich.Compton at charter.com>
> wrote:
>
>> Good luck with that.  😊  As Damian Menscher has presented at NANOG,
>> even if we do an amazing job and shut down 99% of all DDoS reflectors,
>> there will still be enough bandwidth to generate terabit size attacks.
>> https://stats.cybergreen.net
>>
>> I think we need to instead collectively focus on stopping the spoofed
>> traffic that allows these attacks to be generated in the first place.
>>
>> -Rich
>>
>
> The bcp38 religion has failed to deliver the promised land for 20 years.
>

That's because it's been opt-in for thousands of ASNs.

> 1 spoofer is all you need to trigger all the reflectors.
>

A handful of transit providers is all you need to identify and filter all
sources of spoofing.

> I do bcp38, I encourage others to as well, but I do not plan on it
> unclogging the pipes in my lifetime.
>
> You will get more miles from ACL dropping and policing known bad traffic
> (most of udp)
>

Do you have 10 Tbps of spare ingress capacity?  If not, you should re-think
your strategy (which may simply include a playbook for how to explain
the outage to your customers).

Damian

>> *From: *NANOG Email List <nanog-bounces at nanog.org> on behalf of Bottiger <bottiger10 at gmail.com>
>> *Date: *Thursday, April 23, 2020 at 3:32 PM
>> *To: *Siyuan Miao <aveline at misaka.io>
>>
>> *Cc: *NANOG list <nanog at nanog.org>
>> *Subject: *Re: Best way to get foreign ISPs to shut down DDoS reflectors?
>>
>>
>>
>> We are unable to upgrade our bandwidth in those areas. There are no
>> providers within our budget there at the moment. Surely there must be some
>> way to get them to respond.
>>
>>
>>
>> On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <aveline at misaka.io> wrote:
>>
>> It won't work.
>>
>>
>>
>> Get a good DDoS protection and forget about it.
>>
>>
>>
>> On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10 at gmail.com> wrote:
>>
>> Is there a guide on how to get foreign ISPs to shut down reflectors used
>> in DDoS attacks?
>>
>>
>>
>> I've tried sending emails listed under abuse contacts for their regional
>> registries. Either there is none listed, the email is full, email does not
>> exist, or they do not reply. Same results when sending to whatever other
>> email they have listed.
>>
>>
>>
>> Example Networks:
>>
>>
>>
>> CLARO S.A.
>>
>> Telefonica
>>
>> China Telecom
>>
>> Korea Telecom
>>