Hello! But abuse@ contacts is very-very-very hard way to contacting with ASN administrator in case of attack. Big amount of requests to #Nanog about "please contact ASN XXXX noc with me offlist" confirms this.
I'm got multiple attacks from well known ISP and I spend about 10-20 hours to contacting they in average. It's unacceptable time We need FAST and RELIABLE way to contacting with noc of attackers network for effective attack mitigation. We need something like RTBH for knocking network admin of remote network. Maybe somebody can create social network for noc's with API ?:) On Sun, Jan 11, 2015 at 11:55 PM, Owen DeLong <[email protected]> wrote: > >> On Jan 11, 2015, at 05:07 , Mike Hammett <[email protected]> wrote: >> >> Why does it seem like everyone is trying to "solve" this the wrong way? > > Because it’s what we CAN do. > >> >> Do other networks' abuse departments just not give a shit? Blackhole all of >> the zombie attackers and notify their abuse departments. Sure, most of the >> owners of the PCs being used in these scenarios have no idea they're being >> used to attack people, but I'd think that if their network's abuse >> department was notified, either they'd contact the customer about it issue >> or at least have on file that they were notified. When the unknowing >> end-user reached out to support over larger and larger parts of the Internet >> not working, they'd be told to clean up their system. >> >> The way to stop this stuff is for those millions of end users to clean up >> their infected PCs. > > Agreed… However, let’s look at it from an economics perspective… > > The average residential service provider doesn’t have the resources and > doesn’t charge enough to build the resources to deal with this onslaught. It > won’t be the service provider that the attacker blames for the initial few > disconnections, it will be the websites in question. > > So, let’s say XYZ.COM <http://xyz.com/> is a really popular site with lots of > end-users. Some of those end-users are also unknowingly attacking XYZ.COM > <http://xyz.com/>. > > XYZ.COM <http://xyz.com/> black holes those customers (along with all the > other zombies attacking them). > > XYZ.COM <http://xyz.com/> gets angry calls from those customers and has no > ability to contact the rest. > The rest don’t call their ISP or XYZ.COM <http://xyz.com/> because they don’t > know that they are unsuccessfully trying to reach XYZ.COM <http://xyz.com/>, > so they don’t see the problem. > > Depending on hold times, etc., XYZ.COM <http://xyz.com/> loses some fraction > of their customers (who instead of cleaning up their system, move into the > second group who don’t care about the problem any more.) The rest may clean > up their systems. > > So, at the cost of some fraction of their customer base and a substantial > burden on their call center, XYZ.COM <http://xyz.com/> has managed to clean > up a relatively small percentage of systems, but accomplished little else. > > I’m all for finding a way to do a better job of this. Personally, I’d like to > see some sort of centralized clearing house where credible reporters of dDOS > information could send some form of standardized (automated) report. The > clearing house would then take care of contacting the responsible ISPs in a > scaleable and useful manner that the ISPs could handle. Because the clearing > house would be a known credible source and because they are providing the > information in a way that the ISP can more efficiently utilize the > information, it MIGHT allow the ISP to take proactive action such as > contacting the user and addressing the problem, limiting the user’s ability > to send dDOS traffic, etc. > > However, this would require lots of cooperation and if such a clearing house > were to evolve, it would probably have to start as a coalition of residential > ISPs. > > Owen > > -- Sincerely yours, Pavel Odintsov
