nanog mailing list archives
Re: Compromised Hosts?
From: Richard A Steenbergen <ras () e-gerbil net>
Date: Mon, 22 Mar 2004 13:19:30 -0500
On Mon, Mar 22, 2004 at 10:53:29AM -0600, Ejay Hire wrote:
> We get a lot of automated complaints. A human reads all of them, and acts on some of them. I'm particularly fond of the dozen-a-week "Source quench" attack emails we get, where Joe Guy's IDS identifies the single source quench packet from a DSL CPE as malicious. Perhaps next time we should give our ICMP control messages friendlier names. :)

If anyone had imagined a million Windows twits with BlackICE and enough free time to e-mail every alias they could find sending in complaints (along with threats to report you to the FBI, CIA, and DHS, as well as sue you, your router vendor, and your dog) every time your evil webserver hacked them by responding to their port 80 connection when the ICMP spec was written, they would have named them ICMP NOT ECHO AN REPLY ATTACK etc. Perhaps if more people were RFC3514 compliant... :)

Bottom line, it is remarkably difficult to take action based on random internet complaints. If there is a well known authoritative source for DoS tracking who wants to publish a list to ISPs, fine, but don't expect the same reaction to random joe blow complainer.

--
Richard A Steenbergen <ras () e-gerbil net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)