North American Network Operators Group


RE: Compromised Hosts?

  • From: Ejay Hire
  • Date: Mon Mar 22 11:59:29 2004

We get a lot of automated complaints.  A human reads all of
them, and acts on some of them.  I'm particularly fond of the
dozen-a-week "Source quench" attack emails we get, where Joe
Guy's IDS identifies the single source quench packet from a
DSL CPE as malicious.  Perhaps next time we should give our
ICMP control messages friendlier names.  :)

-Ejay

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Dan Ellis
> Sent: Sunday, March 21, 2004 6:51 PM
> To: [email protected]
> Subject: RE: Compromised Hosts?
> 
> 
> We're a regional broadband (cable/dsl) provider with 100K+
> subs and we do act on any notification regarding any one of
> our IP's participating in a DDOS.  The most useful info is to
> state it is a DDOS, it is affecting service for you, the
> time/date and the IP of the source.  Traffic details always
> help.  Our downfall is that due to the number of
> "notifications", our abuse team sometimes gets behind;
> sometimes issues are not acted on until after the DDOS has
> ceased.  Regardless, they are contacted, warned, their
> account is noted, and if the behavior occurs again, they are
> disconnected until they are cleaned.
> 
> I think it's difficult for the national guys to do this
> mainly because of the number of complaints that are received;
> most e-mails are automated, most from innocent probes or
> misconfigured firewalls - very few contain useful info or
> are DDOSes.
> 
> --Dan
> 
> --
> Daniel Ellis, CTO - PenTeleData
> (610)826-9293
> 
>    "The only way to predict the future is to invent it."
>                                       --Alan Kay
> 
> -----Original Message-----
> From: Deepak Jain [mailto:[email protected]]
> Sent: Sunday, March 21, 2004 7:26 PM
> To: [email protected]
> Subject: Compromised Hosts?
> 
> 
> 
> Nanogers -
> 
> 	Would any broadband providers that received automated, detailed
> (time/date stamp, IP information) with hosts that are being used to
> attack (say as part of a DDOS attack) actually do anything about it?
> 
> 	Would the letter have to include information like
> "x.x.x.x/32 has been blackholed until further notice or contact
> with you" to be effective?
> 
> 	If even 5% of these were acted upon, it might make a
> difference. The question is... would even 1% be?
> 
> Thanks for your opinions,
> 
> DJ