[69027] in North American Network Operators' Group


RE: Compromised Hosts?

daemon@ATHENA.MIT.EDU (Ejay Hire)
Mon Mar 22 11:57:53 2004

From: "Ejay Hire" <ejay.hire@isdn.net>
To: "'Dan Ellis'" <ellis@corp.ptd.net>, <nanog@merit.edu>
Date: Mon, 22 Mar 2004 10:53:29 -0600
In-Reply-To: <E989917C9FF25240A201E888E83DF32F014629EF@EXCHANGE5.corp.ptd.net>
Errors-To: owner-nanog-outgoing@merit.edu


We get a lot of automated complaints.  A human reads all of
them, and acts on some of them.  I'm particularly fond of the
dozen-a-week "Source quench" attack emails we get, where Joe
Guy's IDS identifies the single source quench packet from a
DSL CPE as malicious.  Perhaps next time we should give our
ICMP control messages friendlier names.  :)

-Ejay

> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On
> Behalf Of Dan Ellis
> Sent: Sunday, March 21, 2004 6:51 PM
> To: nanog@merit.edu
> Subject: RE: Compromised Hosts?
> 
> 
> We're a regional broadband (cable/dsl) provider with 100K+
> subs and we do act on any notification regarding any one of
> our IP's participating in a DDOS.  The most useful info is to
> state it is a DDOS, it is affecting service for you, the
> time/date and the IP of the source.  Traffic details always
> help.  Our downfall is that due to the number of
> "notifications", our abuse team sometimes gets behind;
> sometimes issues are not acted on until after the DDOS has
> ceased.  Regardless, they are contacted, warned, their
> account is noted, and if the behavior occurs again, they are
> disconnected until they are cleaned.
> 
> I think it's difficult for the national guys to do this
> mainly because of the number of complaints that are received;
> most e-mails are automated, most from innocent probes or
> misconfigured firewalls - very few contain useful info or
> are DDOS's.
> 
> --Dan
> 
> --
> Daniel Ellis, CTO - PenTeleData
> (610)826-9293
> 
>    "The only way to predict the future is to invent it."
>                                       --Alan Kay
> 
>  -----Original Message-----
> From: 	Deepak Jain [mailto:deepak@ai.net]
> Sent:	Sunday, March 21, 2004 7:26 PM
> To:	nanog@merit.edu
> Subject:	Compromised Hosts?
> 
> 
> 
> Nanogers -
> 
> 	Would any broadband providers that received automated, detailed
> (time/date stamp, IP information) with hosts that are being used to
> attack (say as part of a DDOS attack) actually do anything about it?
> 
> 	Would the letter have to include information like
> "x.x.x.x/32 has been
> blackholed until further notice or contact with you" to be effective?
> 
> 	If even 5% of these were acted upon, it might make a
> difference. The
> question is... would even 1% be?
> 
> Thanks for your opinions,
> 
> DJ
> 
