On 22 Mar 2004 00:26 UTC Deepak Jain <deepak@ai.net> asked:
> Would any broadband providers that received automated, detailed reports (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it?
We are a broadband provider and I am responsible for the abuse desk. If we have reason to believe that a host on our IP range is compromised it comes offline unless we are able to contact the customer immediately and satisfy ourselves that the compromise will be taken care of right away. We believe that is the only policy that can meet the established expectation that ISPs will behave as "Responsible Neighbours".
> Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?
Not here, anyway. We accept email, IRC, SMS, telephone, snailmail or fax: all we require to see is some verifiable evidence of the report. The problem with any fully-automated reports is that the systems used to generate those reports have, generically, reputations for reporting false alarms. We feel we have to accept and discard false alarms in order to be sure not to miss the genuine reports. However, the issue of blackholing x.x.x.x/32 might be ineffective since quite a few broadband providers are using DHCP for their IP assignments (presumably so they can charge more for static IPs). Users, on finding a loss of connectivity, would almost always reboot and/or restart their cable modem or xDSL router until a new IP was assigned ... which would defeat the objective of the blackholing. For that, the only effective remedy would be the inclusion of the entire DHCP range in any blacklist. Such a policy might attract some controversy in several quarters ...
> If even 5% of these were acted upon, it might make a difference.
Sadly, any difference it did make would probably not be particularly noticeable, as a strict mathematical analysis reveals. -- Richard
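The two points above (a report is only actionable if it carries a timestamp with the IP, and a /32 blackhole does not stick on a DHCP-assigned address) can be worked through against lease logs. The following is an added example, not code from either poster or any provider: the lease records, pool boundaries and subscriber ids are constructed, using the RFC 5737 documentation range, and the lease format is a stand-in for whatever a real DHCP server writes.

```python
"""Triage an automated abuse report (IP + UTC timestamp) against DHCP lease logs:
find the subscriber who held the address at that moment, and say whether a /32
blackhole would hold or be defeated by a reboot and a fresh lease."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed lease records: (lease start, lease end, address, subscriber id).
# Note that 203.0.113.57 is held by two different customers on the same night,
# and cust-1182 later reappears on a different address.
LEASES = [
    ("2004-03-21T22:00:00Z", "2004-03-22T01:00:00Z", "203.0.113.57", "cust-1182"),
    ("2004-03-22T01:05:00Z", "2004-03-22T04:05:00Z", "203.0.113.57", "cust-2044"),
    ("2004-03-22T01:10:00Z", "2004-03-22T04:10:00Z", "203.0.113.88", "cust-1182"),
]
DYNAMIC_POOLS = [ip_network("203.0.113.0/25")]    # DHCP pool (constructed)
STATIC_RANGE = ip_network("203.0.113.128/25")     # static assignments (constructed)


def _ts(s):
    """Parse the ISO-8601 UTC timestamps used in the report and lease records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def holders_of(ip):
    """Every subscriber who has held `ip`: what a report WITHOUT a timestamp yields."""
    addr = ip_address(ip)
    return sorted({cust for _, _, lease_ip, cust in LEASES if ip_address(lease_ip) == addr})


def subscriber_at(ip, when):
    """The single subscriber holding `ip` at `when`, or None if no lease covers it."""
    addr, t = ip_address(ip), _ts(when)
    for start, end, lease_ip, cust in LEASES:
        if ip_address(lease_ip) == addr and _ts(start) <= t < _ts(end):
            return cust
    return None


def blackhole_advice(ip):
    """A /32 blackhole only holds on a static address; on a dynamic lease the
    customer reboots, draws a new address, and the block lands on someone else."""
    addr = ip_address(ip)
    if any(addr in pool for pool in DYNAMIC_POOLS):
        return "dynamic: /32 blackhole ineffective, act on the subscriber account"
    if addr in STATIC_RANGE:
        return "static: /32 blackhole holds"
    return "not our address space"


def triage(ip, when):
    """Combine both checks into the abuse-desk decision for one report."""
    return {"subscriber": subscriber_at(ip, when), "advice": blackhole_advice(ip)}
```

Run with the report time from the thread header, `triage("203.0.113.57", "2004-03-22T00:26:00Z")` names cust-1182, while the IP alone is ambiguous between two customers.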