Re: DDOS solution recommendation

[Stephen Fulton <sf () lists esoteric ca>]

peeringdb.com is usually quite accurate.

-- Stephen

On 2015-01-11 4:11 PM, Pavel Odintsov wrote:
> Hello!
>
> But abuse@ contacts is very-very-very hard way to contacting with ASN
> administrator in case of attack. Big amount of requests to #Nanog
> about "please contact ASN XXXX noc with me offlist" confirms this.
>
> I'm got multiple attacks from well known ISP and I spend about 10-20
> hours to contacting they in average. It's unacceptable time
>
> We need FAST and RELIABLE way to contacting with noc of attackers
> network for effective attack mitigation.
>
> We need something like RTBH for knocking network admin of remote network.
>
> Maybe somebody can create social network for noc's with API ?:)
>
>
>
>
>
> On Sun, Jan 11, 2015 at 11:55 PM, Owen DeLong <owen () delong com> wrote:
> > > On Jan 11, 2015, at 05:07 , Mike Hammett <nanog () ics-il net> wrote:
> > >
> > > Why does it seem like everyone is trying to "solve" this the wrong way?
> >
> > Because it’s what we CAN do.
> >
> > > Do other networks' abuse departments just not give a shit? Blackhole all of the zombie attackers and notify their abuse departments. Sure, most 
> > > of the owners of the PCs being used in these scenarios have no idea they're being used to attack people, but I'd think that if their 
> > > network's abuse department was notified, either they'd contact the customer about it issue or at least have on file that they were 
> > > notified. When the unknowing end-user reached out to support over larger and larger parts of the Internet not working, they'd be told to clean 
> > > up their system.
> > >
> > > The way to stop this stuff is for those millions of end users to clean up their infected PCs.
> >
> > Agreed… However, let’s look at it from an economics perspective…
> >
> > The average residential service provider doesn’t have the resources and doesn’t charge enough to build the resources to 
> > deal with this onslaught. It won’t be the service provider that the attacker blames for the initial few disconnections, 
> > it will be the websites in question.
> >
> > So, let’s say XYZ.COM <http://xyz.com/> is a really popular site with lots of end-users. Some of those end-users are also 
> > unknowingly attacking XYZ.COM <http://xyz.com/>.
> >
> > XYZ.COM <http://xyz.com/> black holes those customers (along with all the other zombies attacking them).
> >
> > XYZ.COM <http://xyz.com/> gets angry calls from those customers and has no ability to contact the rest.
> > The rest don’t call their ISP or XYZ.COM <http://xyz.com/> because they don’t know that they are unsuccessfully trying to 
> > reach XYZ.COM <http://xyz.com/>, so they don’t see the problem.
> >
> > Depending on hold times, etc., XYZ.COM <http://xyz.com/> loses some fraction of their customers (who instead of 
> > cleaning up their system, move into the second group who don’t care about the problem any more.) The rest may clean up their 
> > systems.
> >
> > So, at the cost of some fraction of their customer base and a substantial burden on their call center, XYZ.COM 
> > <http://xyz.com/> has managed to clean up a relatively small percentage of systems, but accomplished little else.
> >
> > I’m all for finding a way to do a better job of this. Personally, I’d like to see some sort of centralized clearing 
> > house where credible reporters of dDOS information could send some form of standardized (automated) report. The 
> > clearing house would then take care of contacting the responsible ISPs in a scaleable and useful manner that the ISPs 
> > could handle. Because the clearing house would be a known credible source and because they are providing the 
> > information in a way that the ISP can more efficiently utilize the information, it MIGHT allow the ISP to take 
> > proactive action such as contacting the user and addressing the problem, limiting the user’s ability to send dDOS 
> > traffic, etc.
> >
> > However, this would require lots of cooperation and if such a clearing house were to evolve, it would probably have to 
> > start as a coalition of residential ISPs.
> >
> > Owen