[60068] in North American Network Operators' Group
RE: WANTED: ISPs with DDoS defense solutions
daemon@ATHENA.MIT.EDU (McBurnett, Jim)
Thu Jul 31 09:30:10 2003
Date: Thu, 31 Jul 2003 09:27:34 -0400
From: "McBurnett, Jim" <jmcburnett@msmgmt.com>
To: "Petri Helenius" <pete@he.iki.fi>, <variable@ednet.co.uk>,
"Rob Thomas" <robt@cymru.com>
Cc: "NANOG" <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
I tend to agree here.
I have noticed so many attacks etc coming from
APNIC as of recent that on our corp network we have an ACL
to block a number of APNIC blocks.
If there was a dynamic method to add null0 routes to
identified zombies, I think that would help.
IE. security company A provides a feed (BGP etc)
to null route zombies that it has identified.
But that opens a whole other can of worms.....
J
-----Original Message-----
From: Petri Helenius [mailto:pete@he.iki.fi]
Sent: Thursday, July 31, 2003 9:24 AM
To: variable@ednet.co.uk; Rob Thomas
Cc: NANOG
Subject: Re: WANTED: ISPs with DDoS defense solutions
I would say that because backdoored hosts are easily available in large
quantities, spoofing does not make sense and usually alarms various systems
more quickly than packets from legitimate addresses.
Pete
----- Original Message -----
From: <variable@ednet.co.uk>
To: "Rob Thomas" <robt@cymru.com>
Cc: "NANOG" <nanog@merit.edu>
Sent: Thursday, July 31, 2003 4:17 PM
Subject: Re: WANTED: ISPs with DDoS defense solutions
>
> On Wed, 30 Jul 2003, Rob Thomas wrote:
>
> > I've tracked 1787 DDoS attacks since 01 JAN 2003. Of that number,
> > only 32 used spoofed sources. I rarely see spoofed attacks now.
>
> Do you have any ideas as to why that is? Is it due to more providers
> doing source filtering? It wouldn't make sense for attackers to become
> less sophisticated unless they became more difficult to catch for other
> reasons (e.g. botnets getting bigger).
>
> Rich
>