First please filter the source addr on all egress traffic, please. Please. Second, please don’t be the network admin whom emails: “… To: notOurOrgAbuseEmail@tocici.com From: cluelessAdmin@example.com Subject: An attempt of intrusion comes from your ip . …” Just in case you missed the obvious: message body was empty, $cluelessAdmin didn’t do a basic whois for our OrgAbuseEmail, and $cluelessAdmin ASSumed we knew which of our 2,048 IPs apparently started WWIII while providing absolutely zero collaborating evidence (attaching or linking to raw tcpdump is very nice, “-d” is Ok too). We often receive dozens of these totally useless/blank emails, in clusters of a few minutes. Tricks like that earn an instant 144-hour null route badge for whichever sending company’s entire presumed netblock (if we can’t find an obvious AS), repeat offenses earn longer and more colorful badges. All get a personal voicemail to the $cluelessAdmin company’s exec(s)/admin(s). I deliver these voicemails roughly three times a week now. Teh Stupid leaves burn marks on our NOC techs, and the poor geeks can only take so much! Other suggestions, such as watching and responding to s/NetFlow spikes, or tracking/linking multiple complaining networks before even attempting to look at origins…these sometimes warrant a followup depending upon volume and frequency (easily tracked with an SQLLite + PHP-based tool/api). We’ve found things are more-often just fat fingers, someone more bored than harmful, or someone that hasn’t figured out zmap options yet. As for a genuine DDoS, with a spoofed-source - can you really do much about this? For years we’ve just automatically null-routed (+RTBH) the ingress target (and, if obvious, any egress source) for a shortish random() period, and everyone typically gets bored shortly thereafter. Our current null-route based homegrown DDoS mitigation platform requires barely ~10 seconds from detection/onset to mitigation, so we tend to elimianate most fun and drama pretty quickly. For more business-focused clients, services like CloudFlare typically keeps DDoS attacks off ingress IPs. (BTW: in addition business sites, we host Minecraft, Teamspeak, and other "l33t hax0r” targeted services) Gregg Berkholtz
On Nov 18, 2014, at 4:58 PM, Mike <mike-nanog@tiedyenetworks.com> wrote:
Hello,
I provide broadband connectivity to mostly residential users. Over the past few years, instances of DDoS against the network - specfically targeting end users - has been on the rise, and today I can qualify many of these as simple acts of revenge where someone will engage a dos (possibly, services like 'booters' or similar) because they lost an online game or had some interactive in a forum they didn't like. I have good 'consumer broadband' filtering rules in place which make sense and protect against quite a lot of obviously ddos oriented traffic streams. The next step I want to engage, for those types of traffic which I can positively identify as not spoofed, is to send out abuse reports to owners of ip ranges used to launch these attacks. Ideally I'd like to be able to write up some form letter describing the attack, the source ip(s) of note, some disassembled sample packets, and then feed a list of IP source addresses and have it mail it out to the abuse contact at each source network. I am wondering if anyone has a pointer or reference to any tools which might help facillitate this?
Thank you.
Mike-