About ddos-response@nfoservers.com

Alain_Hebert · January 24, 2014, 2:22pm

Well,

Those poor guys are under perma DNS Amplifcation DDoS for what seems
to be 2 weeks now.

About 7 days ago they started sending us emails for what is less
than 2MB worth of data (~500 packets) which is about how long it takes
for filters to take effect.

But after 1 week of communication they are not changing their
procedures

Anyone else receiving those emails?

Christopher_Morrow · January 24, 2014, 2:33pm

they seem to be hosted at internap, you'd think they could just ask
internap to fix this for them instead, eh?

Jared_Mauch · January 24, 2014, 2:36pm

You haven’t been able to get GTT/nLayer/TINet to track the traffic back?

Details are welcome, either here or in private. There are plenty of people who will chase and fix this stuff when they’re aware of it.

- Jared

Chris_Boyd1 · January 24, 2014, 3:23pm

When OpenResolver Project was announced, there were about 60 abusable addresses in my corner of the Internet. I was able to get that number down under 20 by asking politely. The NFOserver reports have been a pretty good stick to get the number down below 10.

--Chris

1117 · January 24, 2014, 3:40pm

http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html

Uh.. Oh. I see a lot of references to Teléfonica in Latin America.

Alain_Hebert · January 24, 2014, 8:50pm

Hi,

Well the abusers started to use burst and then switching targeted IP.

Last time I opened a ticket with GT-T/nLayer for a ~120Mbps NTP DDoS
Amplification "attempt" toward 2 of my IP's.

. after 2h, I called them directly to be told they lost my
original request;

. after 4h, got told it wasn't assigned yet;

. after 12h, they finally applied the filter as the amp attempt
stopped;

Based on that experience... why bother.

To give you an idea, in the past 4 days and 30m queries, I'm up to
1100 blocked targets on one of my DNS Servers.

Christopher_Morrow · January 24, 2014, 9:38pm

    Hi,

    Well the abusers started to use burst and then switching targeted IP.

    Last time I opened a ticket with GT-T/nLayer for a ~120Mbps NTP DDoS
Amplification "attempt" toward 2 of my IP's.

        . after 2h, I called them directly to be told they lost my
original request;

        . after 4h, got told it wasn't assigned yet;

        . after 12h, they finally applied the filter as the amp attempt
stopped;

    Based on that experience... why bother.

there are providers that have services to stop this sort of thing,
there is at least one provider that does that stuff for free... you
could vote with your wallet, of course.

To give you an idea, in the past 4 days and 30m queries, I'm up to
1100 blocked targets on one of my DNS Servers.

that's a bummer.