[67798] in North American Network Operators' Group


Re: BL of Compromised Hosts?

daemon@ATHENA.MIT.EDU (Daniel Senie)
Sun Feb 22 14:24:56 2004

Date: Sun, 22 Feb 2004 14:24:12 -0500
To: Deepak Jain <deepak@ai.net>, nanog@merit.edu
From: Daniel Senie <dts@senie.com>
In-Reply-To: <4038D4F6.9050200@ai.net>
Errors-To: owner-nanog-outgoing@merit.edu


At 11:12 AM 2/22/2004, Deepak Jain wrote:


>Would anyone be interested in receiving a text or BGP feed of IPs of hosts 
>known/suspected to be compromised and used as parts of DDOS attacks? Would 
>anyone be interested in contributing their BGP views?
>
>We have (and I'm sure we're not isolated) been seeing attacks from several 
>thousand/tens of thousands of unique hosts generated >2Gb/s, >1Mpps attacks.
>
>I am not necessarily suggesting that providers use this list to blackhole 
>at their edge, but it's certainly a good candidate for that. It could 
>alternatively be used by access providers to notify their customers or 
>filter on their customers. I am sure it would also be a good list to use 
>to deny traffic to SMTP servers from/to.
>
>I'm not really an activist, so if there is real interest, I will be glad 
>to set it up and contribute our own significant list of sources.
>
>If this is already done and I don't have a good set of skills with Google, 
>please let me know.

We're doing this internally, watching for various types of attack probes 
(SQL Slammer, Mydoom, dictionary attacks over SMTP, Nimda, etc.) and locking 
out source addresses via BGP blackholing for those who are persistent. All 
blocks age out over time so that systems that get fixed are removed by 
virtue of the attacks stopping. At any given time we have blocks against 
800 to 2000 systems.

At present we don't make this available to anyone outside, though it 
wouldn't be that hard to do.
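As an added example (not part of this thread, and not Daniel Senie's or anyone's actual tooling), here is a small Python model of the approach described above: count probes per source, blackhole a source once it is persistent, refresh the block while attacks continue, and let the block age out once the attacks stop. The log format, the signatures, the thresholds, the address values and all class and function names (BlackholeTracker, replay, feed) are constructed for illustration; a real deployment would wire the resulting host routes into whatever blackhole policy the router speaks.

```python
"""Added example, not from the NANOG thread: a minimal tracker for the
"blackhole persistent probe sources and let the blocks age out" approach.
Log format, signatures, thresholds and addresses are all constructed."""
from collections import defaultdict, deque
import ipaddress
import re

# Constructed log format: "<unix_ts> <source_ip> <signature>"
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

PERSISTENCE_THRESHOLD = 3   # hypothetical: probes inside WINDOW before blocking
WINDOW = 600                # hypothetical: seconds over which probes are counted
BLOCK_TTL = 3600            # hypothetical: seconds of silence before a block ages out


class BlackholeTracker:
    """Tracks probe sources and maintains a self-expiring blackhole list."""

    def __init__(self, threshold=PERSISTENCE_THRESHOLD, window=WINDOW, ttl=BLOCK_TTL):
        self.threshold = threshold
        self.window = window
        self.ttl = ttl
        self.probes = defaultdict(deque)  # ip -> recent probe timestamps
        self.blocks = {}                  # ip -> expiry timestamp

    def observe(self, line):
        """Feed one log line; return the IP if it is (still) blackholed after it."""
        m = LOG_RE.match(line.strip())
        if not m:
            return None                   # unparseable line: ignore, never block
        ts, src = int(m.group(1)), m.group(2)
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return None                   # malformed address: ignore
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            return None                   # never blackhole these
        key = str(ip)
        recent = self.probes[key]
        recent.append(ts)
        while recent and recent[0] < ts - self.window:
            recent.popleft()              # drop probes outside the window
        still_blocked = self.blocks.get(key, -1) > ts
        if still_blocked or len(recent) >= self.threshold:
            # A new attack while blocked refreshes the expiry, so a host
            # stays blackholed only as long as it keeps attacking.
            self.blocks[key] = ts + self.ttl
            return key
        return None

    def expire(self, now):
        """Remove blocks whose sources have been quiet for BLOCK_TTL."""
        expired = [ip for ip, exp in self.blocks.items() if exp <= now]
        for ip in expired:
            del self.blocks[ip]
            self.probes.pop(ip, None)
        return expired

    def active(self, now):
        """Currently blackholed sources, after ageing out stale entries."""
        self.expire(now)
        return sorted(self.blocks)

    def feed(self, now):
        """Text feed of host routes, one per entry, for a blackhole policy."""
        return [f"{ip}/{128 if ':' in ip else 32}" for ip in self.active(now)]


def replay(tracker, log_text):
    """Run every line of a log through the tracker; return the per-line decisions."""
    return [tracker.observe(line) for line in log_text.splitlines() if line.strip()]


# Constructed sample log (documentation address ranges, made-up signatures).
SAMPLE_LOG = """\
1000 203.0.113.7 slammer-udp1434
1010 203.0.113.7 slammer-udp1434
1020 203.0.113.7 slammer-udp1434
1030 198.51.100.9 smtp-dictionary
1040 not-an-ip nimda-http
1050 198.51.100.9 smtp-dictionary
2000 203.0.113.7 mydoom-tcp3127
"""

if __name__ == "__main__":
    t = BlackholeTracker()
    print(replay(t, SAMPLE_LOG))
    print("blocked at t=3000:", t.feed(3000))
    print("blocked at t=5600:", t.feed(5600))
```

In the sample, 203.0.113.7 crosses the threshold on its third probe, its later Mydoom probe at t=2000 pushes the expiry out to t=5600, and the block disappears at t=5600 because nothing further was seen; 198.51.100.9 only probes twice and is never blocked, and the unparseable line is ignored rather than risking a block on garbage. Two points worth keeping from this model: the expiry check uses the log timestamp rather than the dictionary membership, so a stale entry that has not yet been swept cannot silently re-arm a block, and the feed emits host routes so a single compromised machine is blackholed without collateral damage to its neighbours.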
