nanog mailing list archives
RE: Compromised Hosts?
From: "Ejay Hire" <ejay.hire () isdn net>
Date: Mon, 22 Mar 2004 10:53:29 -0600
We get a lot of automated complaints. A human reads all of them, and acts on some of them. I'm particularly fond of the dozen-a-week "Source quench" attack emails we get, where Joe Guy's IDS identifies the single source quench packet from a DSL CPE as malicious. Perhaps next time we should give our ICMP control messages friendlier names. :)

-Ejay
-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Dan Ellis
Sent: Sunday, March 21, 2004 6:51 PM
To: nanog () merit edu
Subject: RE: Compromised Hosts?

We're a regional broadband (cable/DSL) provider with 100K+ subs, and we do act on any notification regarding any one of our IPs participating in a DDOS. The most useful info is to state that it is a DDOS, that it is affecting service for you, the time/date, and the IP of the source. Traffic details always help.

Our downfall is that, due to the number of "notifications", our abuse team sometimes gets behind; sometimes issues are not acted on until after the DDOS has ceased. Regardless, they are contacted, warned, their account is noted, and if the behavior occurs again, they are disconnected until they are cleaned.

I think it's difficult for the national guys to do this mainly because of the number of complaints that are received; most e-mails are automated, most from innocent probes or misconfigured firewalls - very few contain useful info or are DDOSes.

--Dan
--
Daniel Ellis, CTO - PenTeleData (610)826-9293
"The only way to predict the future is to invent it." --Alan Kay

-----Original Message-----
From: Deepak Jain [mailto:deepak () ai net]
Sent: Sunday, March 21, 2004 7:26 PM
To: nanog () merit edu
Subject: Compromised Hosts?

Nanogers -

Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it? Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?

If even 5% of these were acted upon, it might make a difference. The question is... would even 1% be?

Thanks for your opinions,
DJ
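The thread above is about which automated complaints an abuse desk can afford to act on. As an added example (not code from this thread or from any provider named in it), the script below triages constructed complaint e-mails on the fields Dan Ellis calls useful (a statement that it is a DDOS, that service is affected, a time/date, the source IP, traffic details) and throws away the single-packet ICMP source quench reports Ejay Hire describes. The prefix list OUR_PREFIXES, the point values and thresholds, and the four sample reports are all assumptions made for the example.

```python
"""Triage of automated abuse notifications (added example, not from the thread).

Scores a complaint on the fields the thread calls useful and discards
single-packet ICMP source quench (type 4) reports. OUR_PREFIXES, the
point values, the thresholds and SAMPLE_REPORTS are assumptions.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed address space of "our" network (RFC 5737 documentation ranges).
OUR_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}(?::\d{2})?")
DDOS_RE = re.compile(r"\bd?dos\b|denial.of.service", re.I)
IMPACT_RE = re.compile(r"affect|degrad|outage|unreachable|saturat", re.I)
DETAIL_RE = re.compile(r"(\d+)\s*(?:packets?|pps|flows?)\b", re.I)
SRCQ_RE = re.compile(r"source.quench|icmp\s+type\s*4\b", re.I)

ACT, REVIEW = 8, 4  # assumed score thresholds


@dataclass
class Report:
    subject: str
    body: str
    score: int = 0
    source_ip: Optional[str] = None
    reasons: List[str] = field(default_factory=list)
    verdict: str = "discard"


def triage(subject: str, body: str) -> Report:
    """Score one complaint; only addresses inside OUR_PREFIXES are actionable."""
    r = Report(subject, body)
    text = subject + "\n" + body

    # Which of our addresses is accused? Other people's IPs do not count.
    for cand in IP_RE.findall(text):
        try:
            addr = ip_address(cand)
        except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an address
            continue
        if any(addr in net for net in OUR_PREFIXES):
            r.source_ip = str(addr)
            r.score += 3
            r.reasons.append("source IP in our space")
            break

    if TS_RE.search(text):
        r.score += 2
        r.reasons.append("time/date given")
    if DDOS_RE.search(text):
        r.score += 3
        r.reasons.append("states it is a DDOS")
    if IMPACT_RE.search(text):
        r.score += 2
        r.reasons.append("states service impact")

    detail = DETAIL_RE.search(text)
    count = int(detail.group(1)) if detail else None
    if detail:
        r.score += 1
        r.reasons.append("traffic details")

    # A lone ICMP source quench from a CPE is normal behaviour, not an attack.
    if SRCQ_RE.search(text) and (count is None or count <= 1):
        r.score = 0
        r.reasons = ["single ICMP source quench (type 4), not an attack"]
    if r.source_ip is None:
        r.score = 0
        r.reasons = ["no address in our space"]

    r.verdict = "act" if r.score >= ACT else "review" if r.score >= REVIEW else "discard"
    return r


# Constructed sample complaints (not real reports).
SAMPLE_REPORTS = [
    ("DDoS from 192.0.2.45",
     "At 2004-03-21 18:51 host 192.0.2.45 sent 48000 pps of UDP to our server "
     "203.0.113.7; service for our customers is affected."),
    ("[IDS] Attack from 198.51.100.23",
     "Snort alert: ICMP Source Quench from 198.51.100.23 to 203.0.113.9 "
     "at 2004-03-22 09:14:02, 1 packets."),
    ("Your customer is attacking us", "192.0.2.77 is part of a DDoS against us."),
    ("Port scan", "Your host 192.0.2.200 probed port 445 on my firewall."),
]


def run_samples() -> dict:
    """Map each sample subject to its triage verdict."""
    return {s: triage(s, b).verdict for s, b in SAMPLE_REPORTS}


if __name__ == "__main__":
    for s, b in SAMPLE_REPORTS:
        rep = triage(s, b)
        print(f"{rep.verdict:8} {rep.score:2}  {s}  [{'; '.join(rep.reasons)}]")
```

The point of the design is that a complaint naming an address outside the provider's own space scores zero no matter how detailed it is, and a report that is only "one source quench packet seen" is dropped before a human reads it; everything else is ranked so that the report with timestamp, source, impact statement and traffic figures reaches the abuse desk first.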
Current thread:
- Compromised Hosts? Deepak Jain (Mar 21)
- Re: Compromised Hosts? Dan Hollis (Mar 21)
- Re: Compromised Hosts? Paul Vixie (Mar 21)
- Re: Compromised Hosts? Mike Tancsa (Mar 21)
- Re: Compromised Hosts? Richard Cox (Mar 22)
- <Possible follow-ups>
- RE: Compromised Hosts? Dan Ellis (Mar 21)
- RE: Compromised Hosts? Ejay Hire (Mar 22)
- Re: Compromised Hosts? Richard A Steenbergen (Mar 22)
- RE: Compromised Hosts? Ejay Hire (Mar 22)