<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 2 6 3 5 4 5 2 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:12.0pt">The answer is “it depends”. What are you trying to accomplish? Are you trying to detect and surgically mitigate every DDoS attack? If so, you will need a good DDoS attack detection and mitigation solution
and a team of people to run it or a 3<sup>rd</sup> party company that can do this for you. Do you want a cheap solution? There are open source projects that can detect DDoS attacks and generate RTBHs, flowspec rules, and inline filters that can block the
traffic (eg. <a href="https://fastnetmon.com">https://fastnetmon.com</a>). Also, RTBHs can usually be advertised upstream (and to UTRS
<a href="https://www.team-cymru.com/utrs.html">https://www.team-cymru.com/utrs.html</a>) to reduce the amount of attack traffic that the victim network receives. Some ISPs just do the RTBH to the customer’s IP when there’s a DDoS and then force the customer
to get another IP via DHCP, etc.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt">-Rich<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">NANOG Email List <nanog-bounces@nanog.org> on behalf of NANOG list <nanog@nanog.org><br>
<b>Reply-To: </b>Shawn L <shawnl@up.net><br>
<b>Date: </b>Thursday, April 23, 2020 at 3:39 PM<br>
<b>To: </b>NANOG list <nanog@nanog.org><br>
<b>Subject: </b>Re: Best way to get foreign ISPs to shut down DDoS reflectors?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p style="margin:0in;margin-bottom:.0001pt;overflow-wrap: break-word"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">This brings up an interesting question -- what is "good DDoS protection" on an ISP scale? Apart from having enough bandwidth
to weather the attack and having upstream providers attempt to filter it for you/<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;overflow-wrap: break-word"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"> <o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;overflow-wrap: break-word">
<span style="font-size:10.0pt;font-family:"Arial",sans-serif"><br>
<br>
-----Original Message-----<br>
From: "Bottiger" <bottiger10@gmail.com><br>
Sent: Thursday, April 23, 2020 5:30pm<br>
To: "Siyuan Miao" <aveline@misaka.io><br>
Cc: "North American Network Operators' Group" <nanog@nanog.org><br>
Subject: Re: Best way to get foreign ISPs to shut down DDoS reflectors?<o:p></o:p></span></p>
<div id="SafeStyles1587677805">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. Surely there must be some way to get them to respond.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <<a href="mailto:aveline@misaka.io">aveline@misaka.io</a>> wrote:<o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">It won't work.
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Get a good DDoS protection and forget about it.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">On Fri, Apr 24, 2020 at 5:17 AM Bottiger <<a href="mailto:bottiger10@gmail.com" target="_blank">bottiger10@gmail.com</a>> wrote:<o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks?
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply.
Same results when sending to whatever other email they have listed.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Example Networks:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">CLARO S.A.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Telefonica<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">China Telecom<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Korea Telecom<o:p></o:p></span></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
The contents of this e-mail message and <br>any attachments are intended solely for the <br>addressee(s) and may contain confidential <br>and/or legally privileged information. If you<br>are not the intended recipient of this message<br>or if this message has been addressed to you <br>in error, please immediately alert the sender<br>by reply e-mail and then delete this message <br>and any attachments. If you are not the <br>intended recipient, you are notified that <br>any use, dissemination, distribution, copying,<br>or storage of this message or any attachment <br>is strictly prohibited.</body>
</html>