[93085] in North American Network Operators' Group
Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)
daemon@ATHENA.MIT.EDU (Don)
Thu Oct 26 11:55:51 2006
Date: Thu, 26 Oct 2006 11:38:10 -0400 (EDT)
From: Don <don@calis.blacksun.org>
To: nanog@merit.edu
In-Reply-To: <20061026093324.f56f7f5d.smb@cs.columbia.edu>
Errors-To: owner-nanog@merit.edu
> Put another way, anti-spoofing does three things: it makes reflector
> attacks harder, it makes it easier to use ACLs to block sources, and it
> helps people track down the bot and notify the admin. Are people actually
> successfully doing either of the latter two?

I think it's a time constraint- looking up, sorting and notifying admins
about 10,000 attack sources isn't practical. I'd love to do it- but I
don't have time. That said- if someone notifies me of a compromised host I
immediately investigate- and I suspect so would everyone else on this
list.

Has anyone put together a centralized system where you can send in
a list of attacking bots, let it automatically sort by allocation, and
then let it notify the appropriate admin with a list of [potentially]
compromised hosts?

Then again: Considering how many admins don't care, how many end users
don't care/know, and how quickly many of these systems would get
re-infected maybe it's all a bit pointless.

> I'd be surprised if there were much of either. That leaves reflector
> attacks. Are those that large a portion of the attacks people are
> seeing?

Everything I have seen of late has been legitimate traffic originating
from across the globe. With tens of thousands of compromised hosts that's
all it takes.

-Don
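
The "sort by allocation" step asked about in the message above, as an added example that is not part of the original post: it groups a list of reported source addresses under the most specific covering prefix so that each responsible contact gets one list of hosts. The allocation table, contact addresses and sample input are constructed (documentation prefixes); a real system would take allocations from RIR whois data.

```python
import ipaddress
from collections import defaultdict

# Constructed allocation table: prefix -> abuse contact (all values made up).
ALLOCATIONS = {
    "192.0.2.0/24": "abuse@isp-a.example",
    "192.0.2.128/25": "noc@customer-of-a.example",  # more specific reassignment
    "198.51.100.0/24": "abuse@isp-b.example",
    "2001:db8::/32": "abuse@isp-c.example",
}

# Constructed report: duplicates, an unallocated source and junk included.
SAMPLE = ["192.0.2.10", "192.0.2.200", "192.0.2.10", "198.51.100.7",
          "2001:db8::1", "203.0.113.9", "not-an-ip", ""]

def build_table(allocations):
    """Parse prefixes, most specific first, so the first hit is the longest match."""
    nets = [(ipaddress.ip_network(p), c) for p, c in allocations.items()]
    return sorted(nets, key=lambda nc: nc[0].prefixlen, reverse=True)

def lookup(table, addr):
    """Return (network, contact) for the most specific covering prefix, or (None, None)."""
    for net, contact in table:
        if net.version == addr.version and addr in net:
            return net, contact
    return None, None

def sort_by_allocation(lines, allocations=ALLOCATIONS):
    """Group reported addresses per (contact, prefix); keep unmatched and invalid apart."""
    table = build_table(allocations)
    grouped, unmatched, invalid = defaultdict(set), set(), []
    for line in lines:
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            invalid.append(text)  # never notify anyone based on unparseable input
            continue
        net, contact = lookup(table, addr)
        if net is None:
            unmatched.add(addr)
        else:
            grouped[(contact, str(net))].add(addr)  # set de-duplicates repeat reports
    reports = {k: [str(a) for a in sorted(v)] for k, v in grouped.items()}
    order = lambda a: (a.version, int(a))  # v4 and v6 do not compare directly
    return reports, [str(a) for a in sorted(unmatched, key=order)], invalid
```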