nanog mailing list archives

Re: Attacker Data / Wall of Shame


From: "Christopher L. Morrow" <chris () UU NET>
Date: Wed, 6 Nov 2002 03:56:55 +0000 (GMT)



On Tue, 5 Nov 2002, Daniel Senie wrote:


> We have had enough regular attacks on our web farm to put together tools
> that catalogue the attacks, report them to a central database, and post
> them to a website. The data is extracted hourly for the website to cut down
> on server / database loading.
>
> You can find our display of this data at:
>
>    http://www.shame.denialinfo.com/
>
> You have the option of viewing the data by IP address, Date of attack or
> sorted by the number of attacks from a host. The attacking systems seem
> well distributed around the world, though the extent to which that's a
> result of open proxies is unclear.

This is neat, BUT what exactly is a DoS attack in this definition? Is
this:

web proxy probes
web formmail submission attempts
slapper/nimda/cr/crII probes

Just curious really.


> The data is aged out of the display (but not the database, just use select
> options to pick the data) after a period of time. We have much more data
> than we display on these pages, but this is enough for network operators to
> see if they've got habitually misbehaving hosts on their networks or their
> downstreams.
>
> Attacks we track include Nimda, Slapper and Formmail. Our servers are not
> vulnerable to the attacks, but the attacks generate enough traffic to
> result in a Denial of Service when they come in. We have considered a
> number of measures for blackholing traffic from these sites, but have not
> yet employed any of them. Building filter lists based on the dataset is
> impractical. We age the data in expectation of using it in a blackhole
> mechanism. We'd only want to block a host for a limited number of days
> after the last attack registered, so that hosts that have been secured will
> age off the list on their own.
>
> We'd be interested in comments and feedback on this mechanism, and hope
> some folks find it useful.
>
> -----------------------------------------------------------------
> Daniel Senie                                        dts () senie com
> Amaranth Networks Inc.                    http://www.amaranth.com


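As an added illustration of the aging policy discussed in the quoted message (this is not code from the page, from Amaranth Networks, or from the shame site), here is a small Python sketch: it builds the per-host summary behind the "sorted by number of attacks" view and derives a blackhole set that only holds hosts whose last registered attack falls inside a window, so a host that has been cleaned up ages off by itself. The hosts, timestamps and the seven-day window are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample of the kind of records the attack catalogue would hold:
# (attacking host, attack type, time the attack was registered, ISO 8601).
ATTACK_LOG = [
    ("192.0.2.10", "nimda", "2002-11-01T10:00:00"),
    ("192.0.2.10", "nimda", "2002-11-04T02:15:00"),
    ("198.51.100.7", "slapper", "2002-10-20T08:30:00"),
    ("203.0.113.5", "formmail", "2002-11-05T23:45:00"),
    ("203.0.113.5", "formmail", "2002-11-05T23:47:00"),
    ("203.0.113.5", "formmail", "2002-11-05T23:49:00"),
]


def summarize(log):
    """Per host: (number of attacks, time of the most recent attack)."""
    summary = {}
    for host, _kind, ts in log:
        when = datetime.fromisoformat(ts)
        count, last = summary.get(host, (0, None))
        summary[host] = (count + 1, when if last is None or when > last else last)
    return summary


def by_attack_count(log):
    """Hosts ordered most active first; ties broken by address for stable output."""
    return sorted(summarize(log).items(), key=lambda kv: (-kv[1][0], kv[0]))


def blackhole_set(log, now_iso, max_age_days=7):
    """Hosts still worth blackholing at time `now_iso`.

    A host stays in the set only while its last registered attack is within
    `max_age_days`; once that attack is older it drops out automatically,
    which is what lets a secured host age off without manual cleanup.
    """
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    return {host for host, (_n, last) in summarize(log).items() if last >= cutoff}


if __name__ == "__main__":
    for host, (n, last) in by_attack_count(ATTACK_LOG):
        print(f"{host:15} attacks={n} last={last.isoformat()}")
    print("blackhole on 2002-11-06:", sorted(blackhole_set(ATTACK_LOG, "2002-11-06T00:00:00")))
    print("blackhole on 2002-11-12:", sorted(blackhole_set(ATTACK_LOG, "2002-11-12T00:00:00")))
```

Feeding the resulting set into an actual blackhole (for example as /32 host routes toward a discard next-hop) is left out here; the point is that the aging decision is a pure function of the catalogue and the clock, so rebuilding the set on each hourly extract needs no state beyond the database.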
