Re: Best way to get foreign ISPs to shut down DDoS reflectors?

["Compton, Rich A" <Rich.Compton () charter com>]

The answer is “it depends”.  What are you trying to accomplish?  Are you trying to detect and surgically mitigate every 
DDoS attack?  If so, you will need a good DDoS attack detection and mitigation solution and a team of people to run it 
or a 3rd party company that can do this for you.  Do you want a cheap solution?  There are open source projects that 
can detect DDoS attacks and generate RTBHs, flowspec rules, and inline filters that can block the traffic (eg. 
https://fastnetmon.com).  Also, RTBHs can usually be advertised upstream (and to UTRS 
https://www.team-cymru.com/utrs.html) to reduce the amount of attack traffic that the victim network receives.  Some 
ISPs just do the RTBH to the customer’s IP when there’s a DDoS and then force the customer to get another IP via DHCP, 
etc.

-Rich

From: NANOG Email List <nanog-bounces () nanog org> on behalf of NANOG list <nanog () nanog org>
Reply-To: Shawn L <shawnl () up net>
Date: Thursday, April 23, 2020 at 3:39 PM
To: NANOG list <nanog () nanog org>
Subject: Re: Best way to get foreign ISPs to shut down DDoS reflectors?


This brings up an interesting question -- what is "good DDoS protection" on an ISP scale?  Apart from having enough 
bandwidth to weather the attack and having upstream providers attempt to filter it for you/




-----Original Message-----
From: "Bottiger" <bottiger10 () gmail com>
Sent: Thursday, April 23, 2020 5:30pm
To: "Siyuan Miao" <aveline () misaka io>
Cc: "North American Network Operators' Group" <nanog () nanog org>
Subject: Re: Best way to get foreign ISPs to shut down DDoS reflectors?
We are unable to upgrade our bandwidth in those areas. There are no providers within our budget there at the moment. 
Surely there must be some way to get them to respond.

On Thu, Apr 23, 2020 at 2:23 PM Siyuan Miao <aveline () misaka io<mailto:aveline () misaka io>> wrote:
It won't work.
Get a good DDoS protection and forget about it.

On Fri, Apr 24, 2020 at 5:17 AM Bottiger <bottiger10 () gmail com<mailto:bottiger10 () gmail com>> wrote:
Is there a guide on how to get foreign ISPs to shut down reflectors used in DDoS attacks?
I've tried sending emails listed under abuse contacts for their regional registries. Either there is none listed, the 
email is full, email does not exist, or they do not reply. Same results when sending to whatever other email they have 
listed.
Example Networks:
CLARO S.A.
Telefonica
China Telecom
Korea Telecom
E-MAIL CONFIDENTIALITY NOTICE: 
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain 
confidential and/or legally privileged information. If you are not the intended recipient of this message or if this 
message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this 
message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, 
distribution, copying, or storage of this message or any attachment is strictly prohibited.