RE: Compromised Hosts?

["Dan Ellis" <ellis () corp ptd net>]

We're a regional broadband (cable/dsl) provider with 100K+ subs and we do act on any notification regarding any one of 
our IP's participating in a DDOS.  The most useful into is to state it is a DDOS, it is affecting service for you, the 
time/date and the IP of the source.  Traffic details always help.  Our downfall is that due to the number of 
"notifications", our abuse team sometimes gets behind; sometimes issues are not acted on until after the DDOS has 
ceased.  Regardless, they are contacted, warned, their account is noted, and if the behavior occurs again, they are 
disconnected until they are cleaned.

I think it's difficult for the national guys to do this mainly because of the number of complaints that are received; 
most e-mails are automated, most from innocent probes or misconfigured firewalls - very few contain useful info or are 
DDOS's.

--Dan

--
Daniel Ellis, CTO - PenTeleData
(610)826-9293

   "The only way to predict the future is to invent it."
                                      --Alan Kay

 -----Original Message-----
From:   Deepak Jain [mailto:deepak () ai net] 
Sent:   Sunday, March 21, 2004 7:26 PM
To:     nanog () merit edu
Subject:        Compromised Hosts?



Nanogers -

        Would any broadband providers that received automated, detailed 
(time/date stamp, IP information) with hosts that are being used to 
attack (say as part of a DDOS attack) actually do anything about it?

        Would the letter have to include information like "x.x.x.x/32 has been 
blackholed until further notice or contact with you" to be effective?

        If even 5% of these were acted upon, it might make a difference. The 
question is... would even 1% be?

Thanks for your opinions,

DJ