Re: Reporting DDOS reflection attacks

[Miles Fidelman <mfidelman () meetinghouse net>]

I can offer an indirect story, and not quite a reflection attack, but a 
DDoS one.

We happen to have a host that had an IPMI board exposed to the net, that 
got compromised, and became a vector for a DDoS attack. The target 
reported the attack to at least some of the sources, including 
Windstream/Hosted Solutions, where this particular server is located.  
They contacted me, and I dealt with things with about a 1-hour 
turn-around from when a trouble ticket hit my inbox (well, still dealing 
with things - that IPMI card is offline until I get around to securing 
it, and it's the occasional reboot-by-phone-call until then).  So at 
least one small success.

Miles Fidelman


McDonald Richards wrote:
> Out of curiosity, have any of you had luck reporting the sources of attacks
> to the admins of the origin ASNs?
>
> Any failure or success stories you can share?
>
> Macca
>
>
> On Sat, Nov 8, 2014 at 6:20 PM, Paul Bennett <paul.w.bennett () gmail com>
> wrote:
>
> > On Sat, Nov 8, 2014 at 2:00 AM, Roland Dobbins <rdobbins () arbor net> wrote:
> > > On 8 Nov 2014, at 1:56, srn.nanog () prgmr com wrote:
> > >
> > > > But right now how should we be doing it?
> > > <http://www.team-cymru.org/Services/ip-to-asn.html>
> > Once you get the ASN or at least the domain name of the ISP providing
> > service to the reflecting host, several major reputable ISPs
> > (including my employer, who I can't name because I'm not an official
> > spokesperson) will welcome RFC 5070 "IODEF" reports for general
> > network abuse and RFC 5965 "MARF" format for email abuse, directed to
> > abuse@ the main domain for that ISP.
> >
> > http://www.ietf.org/rfc/rfc5070.txt
> >
> > http://www.ietf.org/rfc/rfc5965.txt
> >
> >
> >
> > --
> > Paul W Bennett


--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra