North American Network Operators Group
RE: Compromised Hosts?
We get a lot of automated complaints. A human reads all of them, and acts on some of them. I'm particularly fond of the dozen-a-week "Source quench" attack emails we get, where Joe Guy's IDS identifies the single source quench packet from a DSL CPE as malicious. Perhaps next time we should give our ICMP control messages friendlier names. :)

-Ejay

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Dan Ellis
> Sent: Sunday, March 21, 2004 6:51 PM
> To: [email protected]
> Subject: RE: Compromised Hosts?
>
> We're a regional broadband (cable/dsl) provider with 100K+ subs and we do act on any notification regarding any one of our IPs participating in a DDOS. The most useful info is to state it is a DDOS, it is affecting service for you, the time/date and the IP of the source. Traffic details always help. Our downfall is that due to the number of "notifications", our abuse team sometimes gets behind; sometimes issues are not acted on until after the DDOS has ceased. Regardless, they are contacted, warned, their account is noted, and if the behavior occurs again, they are disconnected until they are cleaned.
>
> I think it's difficult for the national guys to do this mainly because of the number of complaints that are received; most e-mails are automated, most from innocent probes or misconfigured firewalls - very few contain useful info or are DDOSes.
>
> --Dan
>
> --
> Daniel Ellis, CTO - PenTeleData
> (610)826-9293
>
> "The only way to predict the future is to invent it."
> --Alan Kay
>
> -----Original Message-----
> From: Deepak Jain [mailto:[email protected]]
> Sent: Sunday, March 21, 2004 7:26 PM
> To: [email protected]
> Subject: Compromised Hosts?
>
> Nanogers -
>
> Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it?
>
> Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?
>
> If even 5% of these were acted upon, it might make a difference. The question is... would even 1% be?
>
> Thanks for your opinions,
>
> DJ
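The criteria the thread settles on (state that it is a DDOS, that it affects your service, the time/date, the source IP, and any traffic details) and the noise it complains about (a lone ICMP source quench flagged by an IDS, probes, firewall logs) can be turned into a first-pass triage for an abuse mailbox. The script below is an added example written for this page; it is not code from the thread, from PenTeleData or from any provider named here. The prefixes, the regular expressions used to pull fields out of free-text reports, and the sample reports are all constructed for illustration.

```python
"""Triage automated abuse notifications using the criteria from the thread.

Added example; prefixes, field patterns and sample reports are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed: address space this hypothetical provider is responsible for.
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# ICMP control messages an IDS may report as hostile when seen once.
# Type 4 is Source Quench, the false positive Ejay describes.
ICMP_CONTROL_TYPES = {3: "destination unreachable", 4: "source quench", 11: "time exceeded"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TS_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}(?::\d{2})?\b")
PKT_RE = re.compile(r"\b(\d+)\s+packets?\b", re.IGNORECASE)
ICMP_RE = re.compile(r"\bicmp\s+type\s*(\d+)\b", re.IGNORECASE)
DDOS_RE = re.compile(r"\bd?dos\b", re.IGNORECASE)
IMPACT_RE = re.compile(r"\b(affect\w*|outage|degrad\w*|unavailable|down)\b", re.IGNORECASE)


@dataclass
class Triage:
    source_ip: str | None      # first address that falls inside OUR_PREFIXES
    has_timestamp: bool        # time/date present (needed to map a dynamic address to a subscriber)
    claims_ddos: bool          # reporter says it is a (D)DoS
    claims_impact: bool        # reporter says their service is affected
    packet_count: int | None   # traffic detail, if given
    icmp_type: int | None      # traffic detail, if given
    priority: str              # "reject", "low", "medium" or "high"
    reasons: list[str] = field(default_factory=list)


def triage_report(text: str) -> Triage:
    """Score one notification; the reasons list explains the verdict."""
    source_ip = None
    for cand in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(cand)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(addr in net for net in OUR_PREFIXES):
            source_ip = cand
            break

    pkt = PKT_RE.search(text)
    icmp = ICMP_RE.search(text)
    t = Triage(
        source_ip=source_ip,
        has_timestamp=TS_RE.search(text) is not None,
        claims_ddos=DDOS_RE.search(text) is not None,
        claims_impact=IMPACT_RE.search(text) is not None,
        packet_count=int(pkt.group(1)) if pkt else None,
        icmp_type=int(icmp.group(1)) if icmp else None,
        priority="low",
    )

    if t.source_ip is None:
        t.priority = "reject"
        t.reasons.append("no address inside our prefixes; nothing to act on")
        return t
    # A lone ICMP control message is normal protocol behaviour, not an attack.
    if t.icmp_type in ICMP_CONTROL_TYPES and (t.packet_count is None or t.packet_count <= 1):
        t.reasons.append(f"single ICMP {ICMP_CONTROL_TYPES[t.icmp_type]} packet; likely IDS false positive")
    elif not t.claims_ddos:
        t.reasons.append("no DDoS claim; probably a probe or a firewall log")
    elif not t.has_timestamp:
        t.reasons.append("DDoS claimed but no time/date; cannot map the address to a subscriber")
    elif t.claims_impact:
        t.priority = "high"
        t.reasons.append("DDoS with stated service impact, time/date and source present")
    else:
        t.priority = "medium"
        t.reasons.append("DDoS claimed with time/date, but no service impact stated")
    return t


# Constructed sample reports (documentation addresses only).
SAMPLE_REPORTS = {
    "source_quench": ("Our IDS detected an attack from 203.0.113.17 on 2004-03-21 18:51 UTC: "
                      "1 packet, ICMP type 4, blocked by policy."),
    "real_ddos": ("DDoS in progress since 2004-03-21 18:40 against 192.0.2.10 (our web server, "
                  "service affected). Top source: 198.51.100.42, 48213 packets of UDP/53 in 60 seconds."),
    "vague_probe": "Your host 203.0.113.99 connected to port 135 on my firewall. Please stop.",
    "not_ours": "DDoS from 192.0.2.77 on 2004-03-21 19:00, service affected.",
}

if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        r = triage_report(report)
        print(f"{name:14} {r.priority:7} {r.source_ip or '-':16} {'; '.join(r.reasons)}")
```

The scoring deliberately rejects anything that names no address in the provider's own space, and it parks single ICMP control messages in the low bucket before it even looks for a DDoS claim, since that is the category Ejay singles out as pure noise. In practice the regular expressions would be replaced by a parser for a structured report format, but the ordering of the checks is the part worth keeping.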