Another DDoS/DoS email thread in progress, ah?... these seem to occur often lately...

So.... Perfect timing to remind all in the list that there is a NANOG BCOP in the works on this topic.

Some of us have been working on documenting our collective knowledge about real practices that
can help our community deal with this annoying networking disease... in a vendor-agnostic manner...

Our DDoS/DoS attack Best Common Ops Practices doc seeks to provide community-wide guidelines
on what to do before, during and after a DDoS/DoS attack.

If any of you want to contribute and join us to help the community on what we have documented so far,
please check out the document below and/or drop me a note...

http://bcop.nanog.org/index.php/BCOP_Drafts


Yardiel Fuentes
yard...@gmail.com
twitter: #techguane


On Nov 8, 2014, at 6:19 PM, Frank Bulk wrote:

> Do you know if third-parties such as SANS ISC or ShadowServer take lists of IPs?
> 
> Frank
> 
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of srn.na...@prgmr.com
> Sent: Friday, November 07, 2014 12:57 PM
> To: nanog@nanog.org
> Subject: Reporting DDOS reflection attacks
> 
> Like most small providers, we occasionally get hit by DoS attacks. We got hammered by an SSDP
> reflection attack (udp port 1900) last week. We took a 27 second log and from there extracted
> about 160k unique IPs.
> 
> It is really difficult to find abuse emails for 160k IPs.
> 
> We know about abuse.net but abuse.net requires hostnames, not IPs for lookups and not all IP
> addresses have valid DNS entries.
> 
> The only other way we know of to report problems is to grab the abuse email addresses from whois.
> However, whois is not structured and is not set up to deal with this number of requests - even
> caching whois data based on subnets will result in many thousands of lookups.
> 
> Long term it seems like structured data and some kind of authentication would be ideal for reporting
> attacks. But right now how should we be doing it?
> 
> 
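
The subnet-based whois caching mentioned in the quoted message, as an added example that is not part of the original thread: each answer is cached by the allocation it covers, so later IPs in the same block cost no further query. `fake_whois`, the contact addresses and the sample IPs are constructed stand-ins, and allocations are assumed not to overlap.

```python
import bisect
import ipaddress
from collections import defaultdict

# Constructed stand-in for whois answers (RFC 5737 prefixes, example domains).
FAKE_WHOIS = {
    ipaddress.ip_network("192.0.2.0/24"): "abuse@isp-a.example",
    ipaddress.ip_network("198.51.100.0/25"): "abuse@isp-b.example",
    ipaddress.ip_network("198.51.100.128/25"): "abuse@isp-c.example",
}

def fake_whois(ip):
    """Hypothetical lookup: (covering network, abuse contact) or None."""
    for net, contact in FAKE_WHOIS.items():
        if ip in net:
            return net, contact
    return None

class AllocationCache:
    """Cache lookups by the allocation they cover, not by single IP."""
    def __init__(self, lookup):
        self.lookup = lookup
        self.starts = []    # sorted first addresses (int) of cached networks
        self.entries = []   # parallel list of (network, contact)
        self.queries = 0    # real lookups performed

    def contact_for(self, ip):
        ip = ipaddress.ip_address(ip)
        i = bisect.bisect_right(self.starts, int(ip)) - 1
        if i >= 0 and ip in self.entries[i][0]:
            return self.entries[i][1]          # cache hit, no query
        self.queries += 1
        answer = self.lookup(ip)
        if answer is None:
            return None                        # no contact known for this IP
        net, contact = answer
        pos = bisect.bisect_left(self.starts, int(net.network_address))
        self.starts.insert(pos, int(net.network_address))
        self.entries.insert(pos, (net, contact))
        return contact

def group_by_contact(ips, cache):
    """Deduplicate source IPs and bucket them per abuse contact."""
    report = defaultdict(list)
    for ip in sorted(set(ips), key=lambda s: int(ipaddress.ip_address(s))):
        report[cache.contact_for(ip)].append(ip)
    return dict(report)

SAMPLE_IPS = ["192.0.2.10", "192.0.2.200", "198.51.100.5", "198.51.100.130",
              "198.51.100.7", "192.0.2.10", "203.0.113.9"]  # constructed
```

Comparing `cache.queries` with the number of unique IPs shows how many lookups a given log would actually need once answers are cached per allocation.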
