nanog mailing list archives
Re: DDOS solution recommendation
From: Damian Menscher <damian () google com>
Date: Sun, 11 Jan 2015 14:22:06 -0800
On Sun, Jan 11, 2015 at 5:07 AM, Mike Hammett <nanog () ics-il net> wrote:
Blackhole all of the zombie attackers and notify their abuse departments. Sure, most of the owners of the PCs being used in these scenarios have no idea they're being used to attack people, but I'd think that if their network's abuse department was notified, either they'd contact the customer about the issue or at least have on file that they were notified. When the unknowing end-user reached out to support over larger and larger parts of the Internet not working, they'd be told to clean up their system.
Notification to abuse departments is largely a waste of time, but I've tried it anyway. My records indicate that over the past year I sent 3139 emails covering 24054 known-infected machines regarding 16 distinct incidents. A few machines were cleaned, but the attacks continue.
Part of the problem is that most network providers don't have the resources to chase down abuse issues. In one case I informed an ISP of ~70k infected customers. They said their support team couldn't possibly handle that, and took no action. In another case, a well-known ISP was unable to receive my list because they bounced emails over a certain size.
I try to bypass the ISP where possible by sending notices directly to users ( http://googleblog.blogspot.com/2011/07/using-data-to-protect-people-from.html and http://googleonlinesecurity.blogspot.com/2012/05/notifying-users-affected-by-dnschanger.html). That has a provable effect, though not as large as one might hope.
Your later comment of blackholing is indeed quite effective (I once blackholed 3 IPs at a hosting provider who had ignored 3 abuse complaints over 3 months, and they had the machines cleaned within days), but is a last resort since there can be significant collateral damage (which is, of course, why they suddenly decided to care). I've also encouraged website owners to care by marking their website as infected in Google search results.
On Sun, Jan 11, 2015 at 5:50 AM, Patrick W. Gilmore <patrick () ianai net> wrote:
But I've said for years (despite some people saying I am confused) that BCP38 is the single most important thing we can do to cut DDoS.
Yes, agreed. I've been working on this, but unfortunately nobody is ready to take action, often citing hardware limitations. And since nobody is compliant, there's no way to push others to upgrade.
On Sun, Jan 11, 2015 at 6:51 AM, Job Snijders <job () instituut net> wrote:
On Sun, Jan 11, 2015 at 08:46:40AM -0600, Mike Hammett wrote:
Is anyone maintaining a list of good, bad and ugly providers in terms of how seriously they take things they should like BCP38 and community support and whatever else that's quantifiable?
This list sheds some light on antispoofing commitments made by various providers: https://www.routingmanifesto.org/participants/
I have traced spoofed-source attacks to providers on that list. I once considered posting a list-of-shame, but it would be too long (and not win any friends here).
On Sun, Jan 11, 2015 at 10:09 AM, Joel Maslak <jmaslak () antelope net> wrote:
I urge caution in building automatic systems to respond to network abuse, lest you have unanticipated consequences.
I'm always amused at the automation people create. Googlebot is a frequent victim of admins who know perl, but not /robots.txt.
Damian