We're a regional broadband (cable/dsl) provider with 100K+ subs and we do act on any notification regarding any one of our IP's participating in a DDOS. The most useful into is to state it is a DDOS, it is affecting service for you, the time/date and the IP of the source. Traffic details always help. Our downfall is that due to the number of "notifications", our abuse team sometimes gets behind; sometimes issues are not acted on until after the DDOS has ceased. Regardless, they are contacted, warned, their account is noted, and if the behavior occurs again, they are disconnected until they are cleaned. I think it's difficult for the national guys to do this mainly because of the number of complaints that are received; most e-mails are automated, most from innocent probes or misconfigured firewalls - very few contain useful info or are DDOS's. --Dan -- Daniel Ellis, CTO - PenTeleData (610)826-9293 "The only way to predict the future is to invent it." --Alan Kay -----Original Message----- From: Deepak Jain [mailto:deepak@ai.net] Sent: Sunday, March 21, 2004 7:26 PM To: nanog@merit.edu Subject: Compromised Hosts? Nanogers - Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it? Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective? If even 5% of these were acted upon, it might make a difference. The question is... would even 1% be? Thanks for your opinions, DJ