On Thu, 24 Feb 2000 23:03:44 EST, Brian Wallingford said:
Specifically, what have Merit, and presumably yourself, done that any reasonably clued ISP hasn't? Aside from responsible subnetting, and standard non-intrusive filtering, what can be done? It seems to me that beyond that, the burden of safeguarding data falls on the end-user.

Sorry to preach to the choir, but... ;)

"reasonably clued" seems to be too much to ask from far too many ISPs.

Smurf came along in what, 1996? And www.pulltheplug.com and www.netscan.org both are finding enough networks STILL vulnerable that they find it interesting to tabulate.

The guys at pulltheplug.com found an x.x.131.63 address that returned 1,924 replies on a PING. Truly scary, that many hosts on a /26 ;) I truly hope that something is SERIOUSLY broken in pulltheplug's methodology, except...

For bonus points, trying to 'dig' for the SOA for the PTR zone gets a 'servfail', although the x.x.130.x and x.x.132.x PTR SOAs map to the same ns.<nameremoved>.net machine.

You have to get down to 53rd on pulltheplug's list before you get to under 200 replies. And the guy hasn't started on arin/ripe/apnic allocated space yet.

If ISPs and users had clues, we wouldn't have as big a potential DDoS problem.

Oh, and this just in: The network staff at JMU (a university up the road from us) have found an in-the-wild Windows trin00. Details at:

http://www.jmu.edu/info-security/engineering/issues/wintrino.htm

And there's an estimated 76M hosts on the Internet. Probably 80% of them are Windows.

It's gonna be a LONG summer, guys....

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech