nanog mailing list archives

Re: abuse reporting tools


From: Gregg Berkholtz <gregg () tocici com>
Date: Tue, 25 Nov 2014 22:38:53 -0800

First please filter the source addr on all egress traffic, please. Please.

Second, please don’t be the network admin who emails:
“…
To: notOurOrgAbuseEmail () tocici com
From: cluelessAdmin () example com
Subject: An attempt of intrusion comes from your ip

.
…”

Just in case you missed the obvious: message body was empty, $cluelessAdmin didn’t do a basic whois for our 
OrgAbuseEmail, and $cluelessAdmin ASSumed we knew which of our 2,048 IPs apparently started WWIII while providing 
absolutely zero corroborating evidence (attaching or linking to raw tcpdump is very nice, “-d” is Ok too). We often 
receive dozens of these totally useless/blank emails, in clusters of a few minutes.

Tricks like that earn an instant 144-hour null route badge for whichever sending company’s entire presumed netblock (if 
we can’t find an obvious AS), repeat offenses earn longer and more colorful badges. All get a personal voicemail to the 
$cluelessAdmin company’s exec(s)/admin(s). I deliver these voicemails roughly three times a week now. Teh Stupid leaves 
burn marks on our NOC techs, and the poor geeks can only take so much!

Other suggestions, such as watching and responding to s/NetFlow spikes, or tracking/linking multiple complaining 
networks before even attempting to look at origins…these sometimes warrant a followup depending upon volume and 
frequency (easily tracked with an SQLite + PHP-based tool/api). We’ve found things are more-often just fat fingers, 
someone more bored than harmful, or someone that hasn’t figured out zmap options yet.

As for a genuine DDoS, with a spoofed-source - can you really do much about this? For years we’ve just automatically 
null-routed (+RTBH) the ingress target (and, if obvious, any egress source) for a shortish random() period, and 
everyone typically gets bored shortly thereafter. Our current null-route based homegrown DDoS mitigation platform 
requires barely ~10 seconds from detection/onset to mitigation, so we tend to eliminate most fun and drama pretty 
quickly. For more business-focused clients, services like CloudFlare typically keep DDoS attacks off ingress IPs.

(BTW: in addition to business sites, we host Minecraft, Teamspeak, and other "l33t hax0r" targeted services)

Gregg Berkholtz

On Nov 18, 2014, at 4:58 PM, Mike <mike-nanog () tiedyenetworks com> wrote:

Hello,

   I provide broadband connectivity to mostly residential users. Over the
past few years, instances of DDoS against the network - specifically
targeting end users - have been on the rise, and today I can qualify many
of these as simple acts of revenge where someone will engage a dos
(possibly, services like 'booters' or similar) because they lost an
online game or had some interaction in a forum they didn't like. I have
good 'consumer broadband' filtering rules in place which make sense and
protect against quite a lot of obviously ddos oriented traffic streams.
The next step I want to engage, for those types of traffic which I can
positively identify as not spoofed, is to send out abuse reports to
owners of ip ranges used to launch these attacks. Ideally I'd like to be
able to write up some form letter describing the attack, the source
ip(s) of note, some disassembled sample packets, and then feed a list of
IP source addresses and have it mail it out to the abuse contact at each
source network. I am wondering if anyone has a pointer or reference to
any tools which might help facilitate this?

Thank you.

Mike-
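The report generator Mike asks for, built the way Gregg's reply says a useful complaint should look (do the whois for the OrgAbuseEmail/abuse-mailbox, list the offending IPs, attach raw tcpdump lines, never send an empty body), as an added example in Python. This is not code from either poster or from any tool in the thread. The whois field names are the real ARIN and RIPE-style ones; the whois records, IPs, contacts, time window and all function names below are constructed for the demo, and the lookup and delivery helpers are injected so it runs offline.

```python
"""Abuse-report generator: one evidence-bearing mail per abuse contact.
Added example, not a tool from the thread.  Looks up each attacking IP's
abuse mailbox (ARIN "OrgAbuseEmail:" or RIPE-style "abuse-mailbox:"), groups
IPs by contact, and builds a report naming victim, time window, every
offending IP in that netblock and raw tcpdump lines.  Lookup and delivery
are injectable so it runs offline; live helpers use whois(1) and smtplib."""
import re
import smtplib
import subprocess
from collections import defaultdict
from email.message import EmailMessage

# Abuse mailbox line as printed by ARIN ("OrgAbuseEmail:") and by
# RIPE/APNIC/LACNIC ("abuse-mailbox:"); every other whois line is ignored.
ABUSE_RE = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+@\S+)", re.I | re.M)

def abuse_contact(whois_text):
    """First abuse mailbox in a whois record, lower-cased; None if absent."""
    m = ABUSE_RE.search(whois_text)
    return m.group(1).lower() if m else None

def whois_lookup(ip):
    """Live lookup through the system whois(1) client (not used offline)."""
    return subprocess.run(["whois", ip], capture_output=True, text=True, timeout=20).stdout

def group_by_contact(sources, lookup=whois_lookup):
    """Map abuse contact -> sorted source IPs.  IPs whose record has no abuse
    mailbox land under None so they get handled by hand rather than dropped."""
    groups = defaultdict(set)
    for ip in sources:
        groups[abuse_contact(lookup(ip))].add(ip)
    return {contact: sorted(ips) for contact, ips in groups.items()}

def build_report(contact, ips, target, window, evidence, sender):
    """Build one EmailMessage for a contact.  Refuses to produce a report that
    carries no packet evidence: a blank complaint is noise for the remote NOC."""
    lines = [line for ip in ips for line in evidence.get(ip, [])]
    if not lines:
        raise ValueError(f"no packet evidence for {ips}; refusing to build report")
    body = "\n".join([
        "Hello,", "",
        f"Between {window[0]} and {window[1]} UTC the following addresses in your",
        f"netblock sent flood traffic at our customer {target}:", "",
        *(f"  {ip}" for ip in ips), "",
        "Raw packet samples (tcpdump -nn -tttt); full capture on request:", "",
        *(f"  {line}" for line in lines), "",
        "Please investigate and reply to this address.",
    ])
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = contact
    msg["Subject"] = f"Abuse report: {len(ips)} host(s) flooding {target} since {window[0]}"
    msg.set_content(body)
    return msg

def send_reports(msgs, smtp_host):
    """Deliver built reports through a local relay (not used offline)."""
    with smtplib.SMTP(smtp_host) as smtp:
        for msg in msgs:
            smtp.send_message(msg)

# Constructed whois records and tcpdump lines (documentation address ranges,
# hypothetical contacts) so the demo runs without network access.
FAKE_WHOIS = {
    "192.0.2.10": "NetRange: 192.0.2.0 - 192.0.2.255\nOrgAbuseEmail: Abuse@Example.NET\n",
    "192.0.2.20": "NetRange: 192.0.2.0 - 192.0.2.255\nOrgAbuseEmail: Abuse@Example.NET\n",
    "203.0.113.5": "inetnum: 203.0.113.0 - 203.0.113.63\nabuse-mailbox: abuse@example.org\n",
    "203.0.113.77": "inetnum: 203.0.113.64 - 203.0.113.127\nnetname: NO-ABUSE-ROLE\n",
}
SAMPLE_EVIDENCE = {
    "192.0.2.10": ["2014-11-18 23:10:02.113 IP 192.0.2.10.53 > 198.51.100.10.27015: UDP, length 1472"],
    "192.0.2.20": ["2014-11-18 23:10:02.117 IP 192.0.2.20.53 > 198.51.100.10.27015: UDP, length 1472"],
    "203.0.113.5": ["2014-11-18 23:11:40.902 IP 203.0.113.5.123 > 198.51.100.10.27015: NTPv2, length 440"],
}

def demo():
    """Group the sample sources and build a report for every resolvable contact."""
    sources = ["192.0.2.10", "203.0.113.5", "192.0.2.20", "203.0.113.77"]
    groups = group_by_contact(sources, lookup=lambda ip: FAKE_WHOIS.get(ip, ""))
    window = ("2014-11-18 23:10", "2014-11-18 23:14")
    msgs = [build_report(contact, ips, "198.51.100.10", window, SAMPLE_EVIDENCE, "abuse@isp.example")
            for contact, ips in groups.items() if contact is not None]
    return groups, msgs

if __name__ == "__main__":
    groups, msgs = demo()
    print(*msgs, sep="\n")
    print("no abuse contact found, handle by hand:", groups.get(None, []))
```

Run as a script it prints the two reports and the one IP whose record carried no abuse mailbox; for live use drop the lambda so `group_by_contact` falls back to `whois_lookup`, feed real tcpdump output into the evidence map, and hand the messages to `send_reports` with your relay. The None bucket is deliberate: an IP with no abuse role in whois still needs a human to find the upstream AS contact rather than silently going unreported, and the `ValueError` in `build_report` is what keeps a blank complaint from ever leaving your network.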

