There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets, and I'd like to start blocking routing to those irresponsible AS's that haven't blocked their miscreant customers.
It's too early for such harsh measures. Unless you can live without most major consumer ISPs. I don't have the AS data handy, but here is a quick list of the top 20 domains with number of Sapphire infected hosts:

948 uu.net (943 of which are 'da.uu.net')
796 attbi.com (501 are client.attbi.com, 295 client2.attbi.com)
490 qwest.net (488 are da.qwest.net)
445 att.net (438 are dial-access.att.net)
416 rr.com
408 btopenworld.com
395 rasserver.net
376 comcast.net
333 ipt.aol.com
304 com.br
279 pacbell.net
272 tpnet.pl
267 dsl-verizon.net
259 net.au
253 ttd.es
243 cable.rogers.com
224 mindspring.com (152 are dialup.mindspring.com)
220 dyn.optonline.net
217 net.br
205 ne.jp
http://isc.sans.org/port_details.html?port=1434
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
--
--------------------------------------------------------------------
jullrich@euclidian.com
Collaborative Intrusion Detection
join http://www.dshield.org