nanog mailing list archives

RE: Compromised Hosts?

From: "Ejay Hire" <ejay.hire () isdn net>
Date: Mon, 22 Mar 2004 10:53:29 -0600


We get a lot of automated complaints.  A human reads all of
them, and act on some of them.  I'm particularly fond of the
dozen-a-week "Source quench" attack emails we get, where Joe
Guy's IDS identifies the single source quench packet from a
DSL Cpe as malicious.  Perhaps next time we should give our
ICMP control messages friendlier names.  :)

-Ejay

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]

On

Behalf Of Dan Ellis
Sent: Sunday, March 21, 2004 6:51 PM
To: nanog () merit edu
Subject: RE: Compromised Hosts?


We're a regional broadband (cable/dsl) provider with 100K+

subs and we do act on any notification regarding any one

of

our IP's participating in a DDOS.  The most useful into is

to

state it is a DDOS, it is affecting service for you, the 
time/date and the IP of the source.  Traffic details

always

help.  Our downfall is that due to the number of 
"notifications", our abuse team sometimes gets behind; 
sometimes issues are not acted on until after the DDOS has

ceased.  Regardless, they are contacted, warned, their 
account is noted, and if the behavior occurs again, they

are

disconnected until they are cleaned.

I think it's difficult for the national guys to do this 
mainly because of the number of complaints that are

received;

most e-mails are automated, most from innocent probes or 
misconfigured firewalls - very few contain useful info or

are DDOS's.


--Dan

--
Daniel Ellis, CTO - PenTeleData
(610)826-9293

   "The only way to predict the future is to invent it."
                                      --Alan Kay

 -----Original Message-----
From:         Deepak Jain [mailto:deepak () ai net] 
Sent: Sunday, March 21, 2004 7:26 PM
To:   nanog () merit edu
Subject:      Compromised Hosts?



Nanogers -

      Would any broadband providers that received

automated, detailed

(time/date stamp, IP information) with hosts that are

being used to

attack (say as part of a DDOS attack) actually do anything

about it?


      Would the letter have to include information like 
"x.x.x.x/32 has been 
blackholed until further notice or contact with you" to be

effective?


      If even 5% of these were acted upon, it might make a

difference. The 
question is... would even 1% be?

Thanks for your opinions,

DJ

Current thread:

Compromised Hosts? Deepak Jain (Mar 21)
- Re: Compromised Hosts? Dan Hollis (Mar 21)
- Re: Compromised Hosts? Paul Vixie (Mar 21)
- Re: Compromised Hosts? Mike Tancsa (Mar 21)
- Re: Compromised Hosts? Richard Cox (Mar 22)
- <Possible follow-ups>
- RE: Compromised Hosts? Dan Ellis (Mar 21)
  - RE: Compromised Hosts? Ejay Hire (Mar 22)
    - Re: Compromised Hosts? Richard A Steenbergen (Mar 22)