Apologies for the non-personal email address, but I don't want to give our attacker any more information than I need to. I'd be happy to send personal contact/ASN information to any nanog admins or regular members of nanog if it's useful.

Over the past year or so, we (a decent sized tier 2 with a nationwide US backbone) have had several large DDoS attacks from what appears to be the same person, who is (we presume) going down something like the alexa list of top sites, attacking them, and asking for small amounts of money to stop. This has been going on for a long time -- almost every detail is exactly the same as what is described here: http://it.slashdot.org/story/12/11/03/1846252/ask-slashdot-how-to-deal-with-a-ddos-attack and more recently: http://techcrunch.com/2014/03/03/meetup-suffering-significant-ddos-attack-taking-it-offline-for-days/ and: https://gist.github.com/dhh/9741477 and, I believe, attacks including vimeo, github, and others.

The attacker is smarter than many random attackers, or at least has better tools. He watches when you mitigate the attack and shifts his attack to something new. He (or his tools) also watches DNS for the thing he's attacking, and the attack moves as DNS changes.

We've seen UDP amplification (NTP and DNS mainly), syn flood, syn/ack flood, layer 7 cache busting (https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801/), and others we haven't been able to fully mitigate/identify. The largest attacks we've seen (which aren't the largest we've read about) are over 50Gbit and 10s of millions of pps. He is in regular communication (via whois info and other collected contact data) asking for <$1000 USD sums to stop the attacks.

While we are interested in technical means to mitigate the attacks (the syn and syn/acks are brutal, all cores pegged on multicore 10G nic servers just dealing with interrupts), what I'd really like to find out is how to help fix the problem.

We've tried to engage upstream providers to help trace the attacks, but have gotten nowhere (they didn't seem to understand that the syn attacks were spoofed, that looking at source IPs didn't matter, and that we wanted to know the ingress points on their network.)

What are the best practices for this? Are there secret code words (http://xkcd.com/806/) we can use to get to someone at our upstreams who might know what we're talking about? Is it worth the time? Is it worth talking to law enforcement? Some of these have been >500k costs to the customer, but we assume the person doing it isn't in any western country, so maybe it doesn't even matter? Thanks.
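As an added example (not part of the post above), the following Python sorts flow records destined to a victim into the attack classes the poster lists: UDP amplification reflected off NTP/DNS servers, spoofed SYN floods, and SYN/ACK backscatter from third parties that received SYNs spoofed with the victim's address. The flow records, the victim address, and the packet-size thresholds are constructed assumptions; a real deployment would feed it NetFlow/sFlow export instead.

```python
from collections import defaultdict

# Constructed sample flow records (documentation-range addresses, not real traffic):
# (proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, packets, bytes)
SAMPLE_FLOWS = [
    ("udp", "198.51.100.7", 123, "203.0.113.10", 4321, "", 800, 352000),    # NTP reflection
    ("udp", "198.51.100.9", 53, "203.0.113.10", 4321, "", 600, 2100000),    # large DNS answers
    ("tcp", "192.0.2.1", 40001, "203.0.113.10", 80, "S", 1, 40),           # spoofed SYNs
    ("tcp", "192.0.2.2", 40002, "203.0.113.10", 80, "S", 1, 40),
    ("tcp", "192.0.2.3", 40003, "203.0.113.10", 80, "S", 1, 40),
    ("tcp", "198.51.100.20", 443, "203.0.113.10", 55555, "SA", 1, 40),     # SYN/ACK backscatter
    ("tcp", "198.51.100.21", 443, "203.0.113.10", 55556, "SA", 1, 40),
    ("tcp", "198.51.100.30", 52000, "203.0.113.10", 80, "PA", 40, 24000),  # ordinary session
]

# Well-known reflector services seen in the post (assumed mapping of source port -> name).
AMPLIFIER_PORTS = {53: "dns", 123: "ntp"}
AMPLIFIED_MIN_AVG_BYTES = 300   # assumed: amplified replies are large packets
TINY_MAX_AVG_BYTES = 60         # assumed: bare SYN / SYN-ACK floods are header-only packets

# For each class, whether the flow's source IP points at the originator. It does not for
# spoofed SYNs, and reflectors/backscatter sources are victims of spoofing themselves, so
# only upstream ingress-interface data (not source IPs) locates the attacker.
SOURCE_IP_IS_ORIGINATOR = {"other": True}

def classify_flows(flows, victim):
    """Summarise flows towards `victim` by attack class: flow count, packets, bytes, sources."""
    summary = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0, "sources": set()})
    for proto, sip, sport, dip, dport, flags, pkts, byts in flows:
        if dip != victim or pkts == 0:
            continue
        avg = byts / pkts
        if proto == "udp" and sport in AMPLIFIER_PORTS and avg >= AMPLIFIED_MIN_AVG_BYTES:
            cls = "udp_amplification_" + AMPLIFIER_PORTS[sport]
        elif proto == "tcp" and flags == "S" and avg <= TINY_MAX_AVG_BYTES:
            cls = "syn_flood"
        elif proto == "tcp" and flags == "SA" and avg <= TINY_MAX_AVG_BYTES:
            cls = "synack_backscatter"
        else:
            cls = "other"
        s = summary[cls]
        s["flows"] += 1
        s["packets"] += pkts
        s["bytes"] += byts
        s["sources"].add(sip)
    return {k: {"flows": v["flows"], "packets": v["packets"], "bytes": v["bytes"],
                "sources": len(v["sources"]),
                "source_ip_is_originator": SOURCE_IP_IS_ORIGINATOR.get(k, False)}
            for k, v in summary.items()}
```

The per-class `source_ip_is_originator` flag is the point the poster's upstreams missed: for every class except ordinary traffic, the source addresses identify spoofed or reflected hosts, so a traceback request has to ask for the ingress interfaces carrying the flow, not for the source IPs.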