First, please filter the source addr on all egress traffic, please. Please. Second, please don’t be the network admin who emails:

“… To: [email protected] From: [email protected] Subject: An attempt of intrusion comes from your ip …”

Just in case you missed the obvious: message body was empty, $cluelessAdmin didn’t do a basic whois for our OrgAbuseEmail, and $cluelessAdmin ASSumed we knew which of our 2,048 IPs apparently started WWIII while providing absolutely zero collaborating evidence (attaching or linking to raw tcpdump is very nice, “-d” is Ok too). We often receive dozens of these totally useless/blank emails, in clusters of a few minutes. Tricks like that earn an instant 144-hour null route badge for whichever sending company’s entire presumed netblock (if we can’t find an obvious AS); repeat offenses earn longer and more colorful badges. All get a personal voicemail to the $cluelessAdmin company’s exec(s)/admin(s). I deliver these voicemails roughly three times a week now. Teh Stupid leaves burn marks on our NOC techs, and the poor geeks can only take so much!

Other suggestions, such as watching and responding to s/NetFlow spikes, or tracking/linking multiple complaining networks before even attempting to look at origins… these sometimes warrant a followup depending upon volume and frequency (easily tracked with an SQLite + PHP-based tool/api). We’ve found things are more often just fat fingers, someone more bored than harmful, or someone that hasn’t figured out zmap options yet.

As for a genuine DDoS, with a spoofed source - can you really do much about this? For years we’ve just automatically null-routed (+RTBH) the ingress target (and, if obvious, any egress source) for a shortish random() period, and everyone typically gets bored shortly thereafter. Our current null-route based homegrown DDoS mitigation platform requires barely ~10 seconds from detection/onset to mitigation, so we tend to eliminate most fun and drama pretty quickly. For more business-focused clients, services like CloudFlare typically keep DDoS attacks off ingress IPs.

(BTW: in addition to business sites, we host Minecraft, Teamspeak, and other “l33t hax0r” targeted services)

Gregg Berkholtz

> On Nov 18, 2014, at 4:58 PM, Mike <[email protected]> wrote:
>
> Hello,
>
> I provide broadband connectivity to mostly residential users. Over the
> past few years, instances of DDoS against the network - specifically
> targeting end users - have been on the rise, and today I can qualify many
> of these as simple acts of revenge where someone will engage a dos
> (possibly, services like 'booters' or similar) because they lost an
> online game or had some interaction in a forum they didn't like. I have
> good 'consumer broadband' filtering rules in place which make sense and
> protect against quite a lot of obviously ddos oriented traffic streams.
> The next step I want to engage, for those types of traffic which I can
> positively identify as not spoofed, is to send out abuse reports to
> owners of ip ranges used to launch these attacks. Ideally I'd like to be
> able to write up some form letter describing the attack, the source
> ip(s) of note, some disassembled sample packets, and then feed a list of
> IP source addresses and have it mail it out to the abuse contact at each
> source network. I am wondering if anyone has a pointer or reference to
> any tools which might help facilitate this?
>
> Thank you.
>
> Mike-
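One way to build the complaint-tracking tool Gregg describes (SQLite-backed, deciding on a followup by volume and frequency across complaining networks, and separating out the blank “intrusion from your ip” mails), as an added Python example that is not code from either poster; the netblock, sender domains and sample complaints are constructed, and the followup rule (two distinct networks citing the same IP with evidence inside 30 minutes) is an assumed threshold.

```python
import ipaddress
import re
import sqlite3
from datetime import datetime, timedelta

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
OUR_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed: the block we answer abuse mail for
SAMPLE_MAIL = [  # constructed complaints using documentation ranges, not real mail
    "From: abuse@isp-a.example\nDate: 2014-11-18 16:01\nSubject: Scanning from 192.0.2.17\n\ntcpdump attached: 192.0.2.17.54321 > 203.0.113.5.22 at 15:55 UTC\n",
    "From: noc@isp-b.example\nDate: 2014-11-18 16:20\nSubject: SSH brute force\n\nSource 192.0.2.17 hit 203.0.113.40 port 22, 400 attempts 15:50-16:10 UTC\n",
    "From: admin@clueless.example\nDate: 2014-11-18 16:22\nSubject: An attempt of intrusion comes from your ip\n\n",
    "From: admin@clueless.example\nDate: 2014-11-18 16:24\nSubject: An attempt of intrusion comes from your ip\n\n",
]

def parse_complaint(raw):
    """Sender network, timestamp, which of OUR IPs are cited, and whether anything usable came with it."""
    headers, _, body = raw.partition("\n\n")
    hdr = dict(line.split(": ", 1) for line in headers.splitlines())
    # Only IPs inside our block matter; the complainant's own victim addresses are ignored.
    ours = sorted({ip for ip in IPV4.findall(hdr.get("Subject", "") + " " + body) if ipaddress.ip_address(ip) in OUR_NET})
    return {"sender": hdr["From"].split("@")[1], "when": datetime.strptime(hdr["Date"], "%Y-%m-%d %H:%M"),
            "ips": ours, "has_evidence": bool(ours) and bool(body.strip())}

def ingest(conn, raw_mails):
    """One row per (complaint, cited IP); a complaint that cites nothing gets a NULL-ip row."""
    conn.execute("CREATE TABLE IF NOT EXISTS complaint (sender TEXT, ts TEXT, ip TEXT, evidence INTEGER)")
    for raw in raw_mails:
        c = parse_complaint(raw)
        ts, ev = c["when"].isoformat(), int(c["has_evidence"])
        rows = [(c["sender"], ts, ip, ev) for ip in c["ips"]] or [(c["sender"], ts, None, 0)]
        conn.executemany("INSERT INTO complaint VALUES (?, ?, ?, ?)", rows)
    conn.commit()

def needs_followup(conn, min_networks=2, window=timedelta(minutes=30)):
    """Our IPs reported with evidence by >= min_networks distinct networks inside one window."""
    by_ip = {}
    for ip, sender, ts in conn.execute("SELECT ip, sender, ts FROM complaint WHERE evidence = 1 ORDER BY ts"):
        by_ip.setdefault(ip, []).append((datetime.fromisoformat(ts), sender))
    return sorted(ip for ip, ev in by_ip.items()
                  if any(len({s for t, s in ev[i:] if t - t0 <= window}) >= min_networks
                         for i, (t0, _) in enumerate(ev)))

def blank_complainers(conn):
    """Networks that sent complaints citing nothing usable, with counts (the empty-body case)."""
    return dict(conn.execute("SELECT sender, COUNT(*) FROM complaint WHERE evidence = 0 GROUP BY sender"))

def triage(raw_mails=SAMPLE_MAIL):
    """Load complaints into an in-memory DB; return (IPs worth a followup, blank complainers)."""
    conn = sqlite3.connect(":memory:")
    ingest(conn, raw_mails)
    return needs_followup(conn), blank_complainers(conn)
```

The blank-complainer counts are what you would use to decide whom to call; the followup list is the set of origins worth actually investigating.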

