We have had pretty good success in identifying offenders with simple monitoring of flow data for NTP flows destined for our address space with packet counts higher than 100; we disable them and notify to correct the configuration on the host. Granted, we only service about 1,000 different customers.
In cases where a large amount of incoming traffic was generated, we have been able to temporarily blackhole offenders to not saturate smaller downstream connections until traffic levels die down; unfortunately it takes a few days for that to happen, and many service providers outside the US don't seem to be very responsive to their published abuse address.

I prefer targeted, temporary, and communicated filtering for actual incidents over blanket filtering for potential incidents.

On Sun, Feb 23, 2014 at 7:35 PM, Randy Bush <ra...@psg.com> wrote:
>> I've talked to some major peering exchanges and they refuse to take any
>> action. Possibly if the requests come from many peering participants
>> it will be taken more seriously?
>
> i have talked to fiber providers and they have refused to take action.
> perhaps if requests came from hundreds of the unclued zombies they would
> take it seriously.
>
> randy
>

--
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net
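The flow check described in the message above, sketched as an added example that is not part of the original post or the poster's tooling. The CSV record layout, the local prefixes, and the sample flows are constructed, and treating "NTP flows" as UDP with destination port 123 is an assumption; only the threshold of 100 packets comes from the message.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed local address space (documentation prefixes, not from the post).
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("2001:db8:10::/48")]
NTP_PORT = 123
PACKET_THRESHOLD = 100  # "packet counts higher than 100", per the message

# Constructed flow export: src,dst,proto,sport,dport,packets,bytes
SAMPLE_FLOWS = """\
198.51.100.7,192.0.2.10,17,48211,123,4200,201600
198.51.100.9,192.0.2.10,17,51000,123,950,45600
203.0.113.5,192.0.2.44,17,123,123,4,304
203.0.113.80,192.0.2.45,6,40000,123,500,30000
198.51.100.7,2001:db8:10::5,17,40122,123,101,4848
192.0.2.10,203.0.113.99,17,123,123,300,14400
203.0.113.6,192.0.2.46,17,33000,123,100,4800
"""

def is_local(addr):
    """True if addr falls inside one of the local prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_PREFIXES)

def find_suspect_hosts(flow_text, threshold=PACKET_THRESHOLD):
    """Group qualifying NTP flows by the local host that received them."""
    hits = defaultdict(lambda: {"flows": 0, "packets": 0, "sources": set()})
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 7:
            continue  # skip blank or malformed records
        src, dst, proto, _sport, dport, packets, _bytes = row
        try:
            if int(proto) != 17 or int(dport) != NTP_PORT:
                continue  # only UDP flows toward port 123
            if int(packets) <= threshold or not is_local(dst):
                continue  # strictly more than the threshold, local dst only
        except ValueError:
            continue  # unparsable number or address
        hits[dst]["flows"] += 1
        hits[dst]["packets"] += int(packets)
        hits[dst]["sources"].add(src)
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(find_suspect_hosts(SAMPLE_FLOWS).items()):
        print(host, info["flows"], info["packets"], sorted(info["sources"]))
```

Grouping by destination gives one entry per local host to follow up with, along with the remote sources that would be candidates for a temporary, targeted filter.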