[69008] in North American Network Operators' Group
RE: Compromised Hosts?
daemon@ATHENA.MIT.EDU (Dan Ellis)
Sun Mar 21 19:51:14 2004
Date: Sun, 21 Mar 2004 19:50:41 -0500
From: "Dan Ellis" <ellis@corp.ptd.net>
To: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
We're a regional broadband (cable/dsl) provider with 100K+ subs and we do act on any notification regarding any one of our IP's participating in a DDOS. The most useful info is to state it is a DDOS, it is affecting service for you, the time/date and the IP of the source. Traffic details always help. Our downfall is that due to the number of "notifications", our abuse team sometimes gets behind; sometimes issues are not acted on until after the DDOS has ceased. Regardless, they are contacted, warned, their account is noted, and if the behavior occurs again, they are disconnected until they are cleaned.

I think it's difficult for the national guys to do this mainly because of the number of complaints that are received; most e-mails are automated, most from innocent probes or misconfigured firewalls - very few contain useful info or are DDOS's.
--Dan
--
Daniel Ellis, CTO - PenTeleData
(610)826-9293
"The only way to predict the future is to invent it."
--Alan Kay
-----Original Message-----
From: Deepak Jain [mailto:deepak@ai.net]
Sent: Sunday, March 21, 2004 7:26 PM
To: nanog@merit.edu
Subject: Compromised Hosts?
Nanogers -
Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it?

Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?

If even 5% of these were acted upon, it might make a difference. The question is... would even 1% be?
Thanks for your opinions,
DJ