I can offer an indirect story, and not quite a reflection attack, but a
DDoS one.
We happen to have a host that had an IPMI board exposed to the net, that
got compromised, and became a vector for a DDoS attack. The target
reported the attack to at least some of the sources, including
Windstream/Hosted Solutions, where this particular server is located.
They contacted me, and I dealt with things with about a 1-hour
turn-around from when a trouble ticket hit my inbox (well, still dealing
with things - that IPMI card is offline until I get around to securing
it, and it's the occasional reboot-by-phone-call until then). So at
least one small success.
Miles Fidelman

McDonald Richards wrote:

Out of curiosity, have any of you had luck reporting the sources of attacks
to the admins of the origin ASNs?
Any failure or success stories you can share?

Macca

On Sat, Nov 8, 2014 at 6:20 PM, Paul Bennett <paul.w.benn...@gmail.com> wrote:

On Sat, Nov 8, 2014 at 2:00 AM, Roland Dobbins <rdobb...@arbor.net> wrote:

On 8 Nov 2014, at 1:56, srn.na...@prgmr.com wrote:

But right now how should we be doing it?

<http://www.team-cymru.org/Services/ip-to-asn.html>

Once you get the ASN or at least the domain name of the ISP providing
service to the reflecting host, several major reputable ISPs
(including my employer, who I can't name because I'm not an official
spokesperson) will welcome RFC 5070 "IODEF" reports for general
network abuse and RFC 5965 "MARF" format for email abuse, directed to
abuse@ the main domain for that ISP.
http://www.ietf.org/rfc/rfc5070.txt
http://www.ietf.org/rfc/rfc5965.txt
--
Paul W Bennett
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
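
The reporting workflow discussed in this thread (map each attacking source to its origin ASN, then send that network's abuse@ address an RFC 5070 report) can be sketched as follows. This is an added example, not code from any poster: the pipe-delimited lookup text is a constructed sample, the addresses, ASNs, incident ID and `reporter.example` names are placeholders, and the XML uses only a minimal subset of IODEF elements.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "urn:ietf:params:xml:ns:iodef-1.0"  # IODEF v1 namespace (RFC 5070)
# Constructed sample of an "AS | IP | AS Name" bulk lookup result;
# documentation-range addresses and ASNs only (placeholders).
LOOKUP = """\
AS      | IP               | AS Name
64500   | 192.0.2.10       | EXAMPLE-NET-A
64501   | 198.51.100.7     | EXAMPLE-NET-B
64500   | 192.0.2.44       | EXAMPLE-NET-A
NA      | 203.0.113.9      | NA
"""

def group_by_asn(text):
    """Map ASN -> (AS name, [source IPs]); skip the header and unrouted rows."""
    groups = defaultdict(lambda: ["", []])
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 or not fields[0].isdigit():
            continue
        groups[fields[0]][0] = fields[2]
        groups[fields[0]][1].append(fields[1])
    return {asn: (name, ips) for asn, (name, ips) in groups.items()}

def iodef_report(asn, ips, victim, reporter_email, incident_id, when):
    """Build one IODEF Incident listing every source seen in one origin AS."""
    doc = ET.Element("IODEF-Document", {"version": "1.00", "lang": "en", "xmlns": NS})
    inc = ET.SubElement(doc, "Incident", purpose="reporting")
    # "reporter.example" is a hypothetical reporting-organisation identifier.
    ET.SubElement(inc, "IncidentID", name="reporter.example").text = incident_id
    ET.SubElement(inc, "ReportTime").text = when
    ET.SubElement(ET.SubElement(inc, "Assessment"), "Impact", type="dos")
    contact = ET.SubElement(inc, "Contact", role="creator", type="organization")
    ET.SubElement(contact, "Email").text = reporter_email
    flow = ET.SubElement(ET.SubElement(inc, "EventData"), "Flow")
    for ip in ips:
        node = ET.SubElement(ET.SubElement(flow, "System", category="source"), "Node")
        ET.SubElement(node, "Address", category="ipv4-addr").text = ip
        ET.SubElement(node, "Address", category="asn").text = asn
    tgt = ET.SubElement(ET.SubElement(flow, "System", category="target"), "Node")
    ET.SubElement(tgt, "Address", category="ipv4-addr").text = victim
    return ET.tostring(doc, encoding="unicode")

if __name__ == "__main__":
    for asn, (name, ips) in group_by_asn(LOOKUP).items():
        print(f"--- AS{asn} {name} ---")
        print(iodef_report(asn, ips, "198.51.100.200", "noc@reporter.example",
                           "2014-0001", "2014-11-08T18:20:00Z"))
```

Grouping by ASN before building the report means each network's abuse desk receives one document covering all of its sources rather than one message per address.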