peeringdb.com is usually quite accurate.
-- Stephen
On 2015-01-11 4:11 PM, Pavel Odintsov wrote:
Hello!
But abuse@ contacts are a very-very-very hard way of contacting an ASN
administrator in case of attack. The big number of requests to #Nanog
about "please contact ASN XXXX noc with me offlist" confirms this.
I've gotten multiple attacks from well-known ISPs and I spend about 10-20
hours contacting them on average. That's an unacceptable time.
We need a FAST and RELIABLE way of contacting the NOC of the attacker's
network for effective attack mitigation.
We need something like RTBH for knocking on the network admin of a remote network.
Maybe somebody can create a social network for NOCs with an API? :)
On Sun, Jan 11, 2015 at 11:55 PM, Owen DeLong <o...@delong.com> wrote:
On Jan 11, 2015, at 05:07 , Mike Hammett <na...@ics-il.net> wrote:
Why does it seem like everyone is trying to "solve" this the wrong way?
Because it’s what we CAN do.
Do other networks' abuse departments just not give a shit? Blackhole all of the
zombie attackers and notify their abuse departments. Sure, most of the owners
of the PCs being used in these scenarios have no idea they're being used to
attack people, but I'd think that if their network's abuse department was
notified, either they'd contact the customer about the issue or at least have on
file that they were notified. When the unknowing end-user reached out to
support over larger and larger parts of the Internet not working, they'd be
told to clean up their system.
The way to stop this stuff is for those millions of end users to clean up their
infected PCs.
Agreed… However, let’s look at it from an economics perspective…
The average residential service provider doesn’t have the resources and doesn’t
charge enough to build the resources to deal with this onslaught. It won’t be
the service provider that the attacker blames for the initial few
disconnections, it will be the websites in question.
So, let’s say XYZ.COM is a really popular site with lots of
end-users. Some of those end-users are also unknowingly attacking XYZ.COM.
XYZ.COM black holes those customers (along with all the other
zombies attacking them).
XYZ.COM gets angry calls from those customers and has no
ability to contact the rest.
The rest don’t call their ISP or XYZ.COM because they don’t know
that they are unsuccessfully trying to reach XYZ.COM, so they don’t
see the problem.
Depending on hold times, etc., XYZ.COM loses some fraction of
their customers (who instead of cleaning up their system, move into the
second group who don’t care about the problem any more.) The rest may
clean up their systems.
So, at the cost of some fraction of their customer base and a substantial
burden on their call center, XYZ.COM has managed to clean up a
relatively small percentage of systems, but accomplished little else.
I’m all for finding a way to do a better job of this. Personally, I’d like to
see some sort of centralized clearing house where credible reporters of DDoS
information could send some form of standardized (automated) report. The
clearing house would then take care of contacting the responsible ISPs in a
scalable and useful manner that the ISPs could handle. Because the clearing
house would be a known credible source and because they are providing the
information in a way that the ISP can more efficiently utilize the information,
it MIGHT allow the ISP to take proactive action such as contacting the user and
addressing the problem, limiting the user’s ability to send DDoS traffic, etc.
However, this would require lots of cooperation and if such a clearing house
were to evolve, it would probably have to start as a coalition of residential
ISPs.
Owen