nanog mailing list archives

Re: Ransom DDoS attack - need help!


From: "Roland Dobbins" <rdobbins () arbor net>
Date: Fri, 04 Dec 2015 11:09:02 +0700

On 4 Dec 2015, at 9:34, alvin nanog wrote:

all that tcpdump gibberish

Is entirely unnecessary, as well as being completely impractical on a network of any size.

Reasonable network access policies for the entities under attack plus flow telemetry collection/analysis, S/RTBH, and/or flowspec are a good start, along with this:

<http://www.merit.edu/mail.archives/nanog/msg03776.html>

This business of attempting to use packet captures for everything is the equivalent of your doctor attempting to diagnose the reason you're running a fever by using an electron microscope.

Start with the BCPs, then move to the macroanalytical. Only dip into the microanalytical when required, and even then, do so very selectively.

-----------------------------------
Roland Dobbins <rdobbins () arbor net>
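As an added illustration of the macroanalytical workflow the post recommends (flow telemetry analysis feeding S/RTBH and flowspec), not code from the post or the thread: the script below aggregates constructed flow records (hypothetical exporter output, not real telemetry) by destination to find the target, then by source to find the heavy hitters, and emits a /32 list for S/RTBH plus a match tuple that a flowspec rule would carry. The 5% per-source share threshold and the record layout are assumptions for the example. S/RTBH only helps against non-spoofed sources, since it drops on the source address via uRPF; spoofed floods are where the destination-side flowspec match earns its keep.

```python
"""Macroanalytical triage of flow telemetry for a volumetric attack.

Constructed example records (not real telemetry): each tuple is
(src_ip, dst_ip, proto, dst_port, packets, bytes) as a flow exporter
would summarise it. Thresholds are assumptions for the example only.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: src, dst, proto, dport, packets, bytes.
# Three UDP sources dominate traffic toward 203.0.113.10; the rest is
# ordinary TCP traffic to other hosts in the same /24.
FLOWS = [
    ("198.51.100.7", "203.0.113.10", 17, 80, 900_000, 1_200_000_000),
    ("198.51.100.8", "203.0.113.10", 17, 80, 850_000, 1_100_000_000),
    ("198.51.100.9", "203.0.113.10", 17, 80, 800_000, 1_000_000_000),
    ("192.0.2.50",   "203.0.113.10", 6, 443, 120, 90_000),
    ("192.0.2.51",   "203.0.113.11", 6, 443, 300, 250_000),
    ("192.0.2.52",   "203.0.113.12", 6, 22, 40, 12_000),
]


def top_destinations(flows, n=3):
    """Bytes per destination, largest first: identifies the target."""
    by_dst = defaultdict(int)
    for _src, dst, _proto, _dport, _pkts, nbytes in flows:
        by_dst[dst] += nbytes
    return sorted(by_dst.items(), key=lambda kv: kv[1], reverse=True)[:n]


def attack_sources(flows, target, share=0.05):
    """Sources sending more than `share` of all bytes toward `target`.

    The 5% default is an assumed cut-off for the example; operators
    tune this against their own baseline.
    """
    total = sum(f[5] for f in flows if f[1] == target)
    by_src = defaultdict(int)
    for src, dst, _proto, _dport, _pkts, nbytes in flows:
        if dst == target:
            by_src[src] += nbytes
    return sorted(s for s, b in by_src.items() if total and b / total > share)


def srtbh_prefixes(sources):
    """Host routes to advertise toward the S/RTBH discard next-hop.

    One /32 per offending source; uRPF on the edge then drops packets
    from those sources.  Only meaningful when sources are not spoofed.
    """
    return [str(ip_network(f"{ip_address(s)}/32")) for s in sources]


def flowspec_rule(flows, target):
    """Dominant proto/dport toward `target`, as a flowspec-style match.

    Returned as a plain dict, not any vendor's configuration syntax.
    """
    by_key = defaultdict(int)
    for _src, dst, proto, dport, _pkts, nbytes in flows:
        if dst == target:
            by_key[(proto, dport)] += nbytes
    proto, dport = max(by_key, key=by_key.get)
    return {"dst": f"{target}/32", "proto": proto, "dport": dport,
            "action": "discard"}


if __name__ == "__main__":
    target, volume = top_destinations(FLOWS)[0]
    print("target:", target, "bytes:", volume)
    srcs = attack_sources(FLOWS, target)
    print("S/RTBH /32s:", srtbh_prefixes(srcs))
    print("flowspec match:", flowspec_rule(FLOWS, target))
```

Run it stand-alone to see the target, the /32 list and the flowspec match; in practice the same aggregation is what a flow collector's top-talker view shows, and the two outputs map onto BGP announcements to the S/RTBH trigger router and the flowspec controller respectively.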

