[53232] in North American Network Operators' Group


Re: Attacker Data / Wall of Shame

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Tue Nov 5 22:57:46 2002

Date: Wed, 6 Nov 2002 03:56:55 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Daniel Senie <dts@senie.com>
Cc: <nanog@nanog.org>
In-Reply-To: <5.1.1.6.2.20021105183943.025147a0@mail.amaranth.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 5 Nov 2002, Daniel Senie wrote:

>
> We have had enough regular attacks on our web farm to put together tools
> that catalogue the attacks, report them to a central database, and post
> them to a website. The data is extracted hourly for the website to cut down
> on server / database loading.
>
> You can find our display of this data at:
>
>    http://www.shame.denialinfo.com/
>
> You have the option of viewing the data by IP address, Date of attack or
> sorted by the number of attacks from a host. The attacking systems seem
> well distributed around the world, though the extent to which that's a
> result of open proxies is unclear.

This is neat, BUT what exactly is a DoS attack in this definition? Is
this:

web proxy probes
web formmail submission attempts
slapper/nimda/cr/crII probes

Just curious really.

>
> The data is aged out of the display (but not the database, just use select
> options to pick the data) after a period of time. We have much more data
> than we display on these pages, but this is enough for network operators to
> see if they've got habitually misbehaving hosts on their networks or their
> downstreams.
>
> Attacks we track include Nimda, Slapper and Formmail. Our servers are not
> vulnerable to the attacks, but the attacks generate enough traffic to
> result in a Denial of Service when they come in. We have considered a
> number of measures for blackholing traffic from these sites, but have not
> yet employed any of them. Building filter lists based on the dataset is
> impractical. We age the data in expectation of using it in a blackhole
> mechanism. We'd only want to block a host for a limited number of days
> after the last attack registered, so that hosts that have been secured will
> age off the list on their own.
>
> We'd be interested in comments and feedback on this mechanism, and hope
> some folks find it useful.
>
> -----------------------------------------------------------------
> Daniel Senie                                        dts@senie.com
> Amaranth Networks Inc.                    http://www.amaranth.com
>


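The two technical points in the exchange, which HTTP probes get counted as attacks (Chris's question) and a blackhole list that only blocks a host for a limited number of days after its last registered attack while the database keeps everything (Daniel's design), sketched as an added Python example. This is not code from either poster or from Amaranth Networks. The access-log lines are constructed, the request-path patterns are assumed detection rules, and Slapper is left out because it works against the SSL handshake rather than sending an HTTP request line that would show up in an access log.

```python
"""Aging blackhole list built from web-server attack records.

Added example, not code from the thread or from Amaranth Networks.
Assumes Apache/NCSA-style access-log lines (constructed below) and an
in-memory store standing in for the central database the post describes.
"""
import re
from datetime import datetime, timedelta, timezone

# Hypothetical detection rules: request-path patterns that mark a probe.
# Slapper attacks the SSL handshake, so it never appears as an HTTP
# request line and is not covered by these access-log rules.
SIGNATURES = {
    "nimda": re.compile(r"/(cmd|root)\.exe|/scripts/\.\.%", re.I),
    "formmail": re.compile(r"/formmail(\.pl|\.cgi)?\b", re.I),
    "proxy-probe": re.compile(r"^CONNECT |^GET https?://", re.I),
}

# NCSA combined/common log prefix: ip ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2002:10:15:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291',
    '192.0.2.10 - - [01/Nov/2002:10:15:03 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291',
    '198.51.100.7 - - [04/Nov/2002:22:01:40 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 403 212',
    '203.0.113.5 - - [05/Nov/2002:18:39:43 +0000] "GET http://www.example.com/ HTTP/1.0" 400 0',
    '203.0.113.9 - - [05/Nov/2002:19:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

# "Now" for the worked run: the timestamp of the reply in this thread.
REPLY_TIME = datetime(2002, 11, 6, 3, 56, 55, tzinfo=timezone.utc)


def classify(request_line):
    """Return the attack class for a request line, or None if it matches no rule."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request_line):
            return name
    return None


def parse_log(lines):
    """Yield (ip, timestamp, attack_class) for every line that matches a rule."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m.group("req"))
        if kind is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, kind


class AttackStore:
    """In-memory stand-in for the central database.

    Every record is kept (the post ages data out of the display, not the
    database); only the blackhole list is derived from recent activity.
    """

    def __init__(self):
        self.records = []  # (ip, ts, kind)

    def ingest(self, lines):
        self.records.extend(parse_log(lines))

    def attack_counts(self):
        """Attacks per host, the 'sorted by number of attacks' view."""
        counts = {}
        for ip, _, _ in self.records:
            counts[ip] = counts.get(ip, 0) + 1
        return counts

    def blackhole_list(self, now, max_age_days):
        """Hosts whose most recent attack is within max_age_days of `now`.

        A host that has been secured stops generating records and drops
        off the list by itself once the window passes.
        """
        last_seen = {}
        for ip, ts, _ in self.records:
            if ip not in last_seen or ts > last_seen[ip]:
                last_seen[ip] = ts
        cutoff = now - timedelta(days=max_age_days)
        return sorted(ip for ip, ts in last_seen.items() if ts >= cutoff)


def run(now, max_age_days=3):
    """Ingest the sample log and return (attack counts, current blackhole list)."""
    store = AttackStore()
    store.ingest(SAMPLE_LOG)
    return store.attack_counts(), store.blackhole_list(now, max_age_days)


if __name__ == "__main__":
    counts, blocked = run(REPLY_TIME)
    print("attacks per host:", counts)
    print("blackhole list (3-day window):", blocked)
```

With a three-day window measured from the reply's timestamp, the Nimda prober last seen on 1 Nov has already aged off while the formmail and open-proxy probers from 4 and 5 Nov are still listed; widen the window to ten days and all three hosts are blocked. Running the aging over `last_seen` rather than over the first sighting is what keeps a persistently misbehaving host on the list until it actually goes quiet.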