Best way to get foreign ISPs to shut down DDoS reflectors?
Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks? I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed. Example Networks: CLARO S.A. Telefonica China Telecom Korea Telecom
It won't work. Get a good DDoS protection and forget about it. On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10@gmail.com> wrote:
Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks?
I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed.
Example Networks:
CLARO S.A. Telefonica China Telecom Korea Telecom
We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. Surely there must be some way to get them to respond. On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <aveline@misaka.io> wrote:
It won't work.
Get a good DDoS protection and forget about it.
On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10@gmail.com> wrote:
Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks?
I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed.
Example Networks:
CLARO S.A. Telefonica China Telecom Korea Telecom
Sounds like you'll need to talk to your upstreams if they can provide DDOS protection, alternatively look for remote DDOS protection options. Regards, Filip On 23 April 2020 11:30:36 pm GMT+02:00, Bottiger <bottiger10@gmail.com> wrote:
We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. Surely there must be some way to get them to respond.
On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <aveline@misaka.io> wrote:
It won't work.
Get a good DDoS protection and forget about it.
On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10@gmail.com> wrote:
Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks?
I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed.
Example Networks:
CLARO S.A. Telefonica China Telecom Korea Telecom
-- Sent from my mobile device. Please excuse my brevity.
This brings up an interesting question -- what is "good DDoS protection" on an ISP scale? Apart from having enough bandwidth to weather the attack and having upstream providers attempt to filter it for you/ -----Original Message----- From: "Bottiger" <bottiger10@gmail.com> Sent: Thursday, April 23, 2020 5:30pm To: "Siyuan Miao" <aveline@misaka.io> Cc: "North American Network Operators' Group" <nanog@nanog.org> Subject: Re: Best way to get foreign ISPs to shut down DDoS reflectors? We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. Surely there must be some way to get them to respond. On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <[ aveline@misaka.io ]( mailto:aveline@misaka.io )> wrote: It won't work. Get a good DDoS protection and forget about it. On Fri, Apr 24, 2020 at 5:17 AM Bottiger <[ bottiger10@gmail.com ]( mailto:bottiger10@gmail.com )> wrote: Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks? I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed. Example Networks: CLARO S.A. Telefonica China Telecom Korea Telecom
The answer is “it depends”. What are you trying to accomplish? Are you trying to detect and surgically mitigate every DDoS attack? If so, you will need a good DDoS attack detection and mitigation solution and a team of people to run it or a 3rd party company that can do this for you. Do you want a cheap solution? There are open source projects that can detect DDoS attacks and generate RTBHs, flowspec rules, and inline filters that can block the traffic (eg. https://fastnetmon.com). Also, RTBHs can usually be advertised upstream (and to UTRS https://www.team-cymru.com/utrs.html) to reduce the amount of attack traffic that the victim network receives. Some ISPs just do the RTBH to the customer’s IP when there’s a DDoS and then force the customer to get another IP via DHCP, etc. -Rich From: NANOG Email List <nanog-bounces@nanog.org> on behalf of NANOG list <nanog@nanog.org> Reply-To: Shawn L <shawnl@up.net> Date: Thursday, April 23, 2020 at 3:39 PM To: NANOG list <nanog@nanog.org> Subject: Re: Best way to get foreign ISPs to shut down DDoS reflectors? This brings up an interesting question -- what is "good DDoS protection" on an ISP scale? Apart from having enough bandwidth to weather the attack and having upstream providers attempt to filter it for you/ -----Original Message----- From: "Bottiger" <bottiger10@gmail.com> Sent: Thursday, April 23, 2020 5:30pm To: "Siyuan Miao" <aveline@misaka.io> Cc: "North American Network Operators' Group" <nanog@nanog.org> Subject: Re: Best way to get foreign ISPs to shut down DDoS reflectors? We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. Surely there must be some way to get them to respond. On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <aveline@misaka.io<mailto:aveline@misaka.io>> wrote: It won't work. Get a good DDoS protection and forget about it. On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10@gmail.com<mailto:bottiger10@gmail.com>> wrote: Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks? I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed. Example Networks: CLARO S.A. Telefonica China Telecom Korea Telecom E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
On Thu, Apr 23, 2020 at 2:38 PM Shawn L via NANOG <nanog@nanog.org> wrote:
This brings up an interesting question -- what is "good DDoS protection" on an ISP scale? Apart from having enough bandwidth to weather the attack and having upstream providers attempt to filter it for you/
Hi Shawn, I believe the normal mechanism is that you use BGP to sink the impacted /24s at many high-bandwidth exchange points worldwide, filter, and pass the traffic which the filter accepts back to your core infrastructure via a tunnel (VPN). Build or buy. If it's practical to sink the bandwidth near the DDOS target, I wouldn't think it was much of a DDOS. A question which interests me: How many attacks do folks find landing in the middle-ground between "annoying but readily handled" and "far beyond my ability?" Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
Good luck with that. 😊 As Damian Menscher has presented at NANOG, even if we do an amazing job and shut down 99% of all DDoS reflectors, there will still be enough bandwidth to generate terabit size attacks. https://stats.cybergreen.net I think we need to instead collectively focus on stopping the spoofed traffic that allows these attacks to be generated in the first place. -Rich From: NANOG Email List <nanog-bounces@nanog.org> on behalf of Bottiger <bottiger10@gmail.com> Date: Thursday, April 23, 2020 at 3:32 PM To: Siyuan Miao <aveline@misaka.io> Cc: NANOG list <nanog@nanog.org> Subject: Re: Best way to get foreign ISPs to shut down DDoS reflectors? We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. Surely there must be some way to get them to respond. On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <aveline@misaka.io<mailto:aveline@misaka.io>> wrote: It won't work. Get a good DDoS protection and forget about it. On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10@gmail.com<mailto:bottiger10@gmail.com>> wrote: Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks? I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed. Example Networks: CLARO S.A. Telefonica China Telecom Korea Telecom E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
On Thu, Apr 23, 2020 at 3:14 PM Compton, Rich A <Rich.Compton@charter.com> wrote:
Good luck with that. 😊 As Damian Menscher has presented at NANOG, even if we do an amazing job and shut down 99% of all DDoS reflectors, there will still be enough bandwidth to generate terabit size attacks. https://stats.cybergreen.net
I think we need to instead collectively focus on stopping the spoofed traffic that allows these attacks to be generated in the first place.
-Rich
The bcp38 religion has failed to deliver the promised land for 20 years. 1 spoofer is all you need to trigger all the reflectors. I do bcp38, i encourage others to as well, but i do not plan on it unclogging the pipes in my lifetime. You will get more miles from ACL dropping and policing known bad traffic (most of udp)
*From: *NANOG Email List <nanog-bounces@nanog.org> on behalf of Bottiger < bottiger10@gmail.com> *Date: *Thursday, April 23, 2020 at 3:32 PM *To: *Siyuan Miao <aveline@misaka.io>
*Cc: *NANOG list <nanog@nanog.org> *Subject: *Re: Best way to get foreign ISPs to shut down DDoS reflectors?
We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. Surely there must be some way to get them to respond.
On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <aveline@misaka.io> wrote:
It won't work.
Get a good DDoS protection and forget about it.
On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10@gmail.com> wrote:
Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks?
I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed.
Example Networks:
CLARO S.A.
Telefonica
China Telecom
Korea Telecom
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
On Thu, Apr 23, 2020 at 3:26 PM Ca By <cb.list6@gmail.com> wrote:
On Thu, Apr 23, 2020 at 3:14 PM Compton, Rich A <Rich.Compton@charter.com> wrote:
Good luck with that. 😊 As Damian Menscher has presented at NANOG, even if we do an amazing job and shut down 99% of all DDoS reflectors, there will still be enough bandwidth to generate terabit size attacks. https://stats.cybergreen.net
I think we need to instead collectively focus on stopping the spoofed traffic that allows these attacks to be generated in the first place.
-Rich
The bcp38 religion has failed to deliver the promised land for 20 years.
That's because it's been opt-in for thousands of ASNs. 1 spoofer is all you need to trigger all the reflectors.
A handful of transit providers is all you need to identify and filter all sources of spoofing. I do bcp38, i encourage others to as well, but i do not plan on it
unclogging the pipes in my lifetime.
You will get more miles from ACL dropping and policing known bad traffic (most of udp)
Do you have 10 Tbps of spare ingress capacity? If not, you should re-think your strategy (which may simply include a playbook for how to explain the outage to your customers). Damian *From: *NANOG Email List <nanog-bounces@nanog.org> on behalf of Bottiger <
bottiger10@gmail.com> *Date: *Thursday, April 23, 2020 at 3:32 PM *To: *Siyuan Miao <aveline@misaka.io>
*Cc: *NANOG list <nanog@nanog.org> *Subject: *Re: Best way to get foreign ISPs to shut down DDoS reflectors?
We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. Surely there must be some way to get them to respond.
On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <aveline@misaka.io> wrote:
It won't work.
Get a good DDoS protection and forget about it.
On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10@gmail.com> wrote:
Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks?
I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed.
Example Networks:
CLARO S.A.
Telefonica
China Telecom
Korea Telecom
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
There are many decent options for ddos protection in the US and Europe, however there are very few in Brazil and Asia that support BGP. Servers and bandwidth in these areas are much more expensive. Even though we are already doing anycast to split up the ddos attack, a majority of the attack traffic is now ending up in these expensive areas, and to top it off, these ISPs won't respond to abuse emails. It makes me wonder what the point of these abuse email are and if the regional registries have any power to force them to reply. On Thu, Apr 23, 2020 at 3:12 PM Compton, Rich A <Rich.Compton@charter.com> wrote:
Good luck with that. 😊 As Damian Menscher has presented at NANOG, even if we do an amazing job and shut down 99% of all DDoS reflectors, there will still be enough bandwidth to generate terabit size attacks. https://stats.cybergreen.net
I think we need to instead collectively focus on stopping the spoofed traffic that allows these attacks to be generated in the first place.
-Rich
*From: *NANOG Email List <nanog-bounces@nanog.org> on behalf of Bottiger < bottiger10@gmail.com> *Date: *Thursday, April 23, 2020 at 3:32 PM *To: *Siyuan Miao <aveline@misaka.io> *Cc: *NANOG list <nanog@nanog.org> *Subject: *Re: Best way to get foreign ISPs to shut down DDoS reflectors?
We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. Surely there must be some way to get them to respond.
On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <aveline@misaka.io> wrote:
It won't work.
Get a good DDoS protection and forget about it.
On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10@gmail.com> wrote:
Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks?
I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed.
Example Networks:
CLARO S.A.
Telefonica
China Telecom
Korea Telecom
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
Bottiger, If what you are saying is true and can be backed by documentation, I would start at the abuse contact for the offending 'Amplifier' and then start working your way up the transits of the offending AS# until someone cuts them off. The Squeaky wheel gets the grease! On Thu, Apr 23, 2020 at 3:33 PM Bottiger <bottiger10@gmail.com> wrote:
There are many decent options for ddos protection in the US and Europe, however there are very few in Brazil and Asia that support BGP. Servers and bandwidth in these areas are much more expensive.
Even though we are already doing anycast to split up the ddos attack, a majority of the attack traffic is now ending up in these expensive areas, and to top it off, these ISPs won't respond to abuse emails.
It makes me wonder what the point of these abuse email are and if the regional registries have any power to force them to reply.
On Thu, Apr 23, 2020 at 3:12 PM Compton, Rich A <Rich.Compton@charter.com> wrote:
Good luck with that. 😊 As Damian Menscher has presented at NANOG, even if we do an amazing job and shut down 99% of all DDoS reflectors, there will still be enough bandwidth to generate terabit size attacks. https://stats.cybergreen.net
I think we need to instead collectively focus on stopping the spoofed traffic that allows these attacks to be generated in the first place.
-Rich
*From: *NANOG Email List <nanog-bounces@nanog.org> on behalf of Bottiger <bottiger10@gmail.com> *Date: *Thursday, April 23, 2020 at 3:32 PM *To: *Siyuan Miao <aveline@misaka.io> *Cc: *NANOG list <nanog@nanog.org> *Subject: *Re: Best way to get foreign ISPs to shut down DDoS reflectors?
We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. Surely there must be some way to get them to respond.
On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <aveline@misaka.io> wrote:
It won't work.
Get a good DDoS protection and forget about it.
On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10@gmail.com> wrote:
Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks?
I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed.
Example Networks:
CLARO S.A.
Telefonica
China Telecom
Korea Telecom
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
I highly doubt NTT or any other major transit provider would ever cut off Korea Telecom or China Telecom. And these are reflectors, they are not part of a botnet. On Thu, Apr 23, 2020 at 5:11 PM TJ Trout <tj@pcguys.us> wrote:
Bottiger,
If what you are saying is true and can be backed by documentation, I would start at the abuse contact for the offending 'Amplifier' and then start working your way up the transits of the offending AS# until someone cuts them off. The Squeaky wheel gets the grease!
On Thu, Apr 23, 2020 at 3:33 PM Bottiger <bottiger10@gmail.com> wrote:
There are many decent options for ddos protection in the US and Europe, however there are very few in Brazil and Asia that support BGP. Servers and bandwidth in these areas are much more expensive.
Even though we are already doing anycast to split up the ddos attack, a majority of the attack traffic is now ending up in these expensive areas, and to top it off, these ISPs won't respond to abuse emails.
It makes me wonder what the point of these abuse email are and if the regional registries have any power to force them to reply.
On Thu, Apr 23, 2020 at 3:12 PM Compton, Rich A <Rich.Compton@charter.com> wrote:
Good luck with that. 😊 As Damian Menscher has presented at NANOG, even if we do an amazing job and shut down 99% of all DDoS reflectors, there will still be enough bandwidth to generate terabit size attacks. https://stats.cybergreen.net
I think we need to instead collectively focus on stopping the spoofed traffic that allows these attacks to be generated in the first place.
-Rich
*From: *NANOG Email List <nanog-bounces@nanog.org> on behalf of Bottiger <bottiger10@gmail.com> *Date: *Thursday, April 23, 2020 at 3:32 PM *To: *Siyuan Miao <aveline@misaka.io> *Cc: *NANOG list <nanog@nanog.org> *Subject: *Re: Best way to get foreign ISPs to shut down DDoS reflectors?
We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. Surely there must be some way to get them to respond.
On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <aveline@misaka.io> wrote:
It won't work.
Get a good DDoS protection and forget about it.
On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10@gmail.com> wrote:
Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks?
I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have listed.
Example Networks:
CLARO S.A.
Telefonica
China Telecom
Korea Telecom
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
participants (9)
-
Bottiger
-
Ca By
-
Compton, Rich A
-
Damian Menscher
-
Filip Hruska
-
Shawn L
-
Siyuan Miao
-
TJ Trout
-
William Herrin