On the subject of cooperation, has anyone set out to catalog where these attacks are coming from, at least in terms of compromised networks, and share said information? I know similar catalogs sprang up in response to smurfs ... is it time to start listing offending networks? Even better, does anyone know if the attacks are using something like TFN2K and using dummy addresses to obfuscate real attacking hosts? I see a lot of talk of attacked sites putting up router filters to stop attacks. Can anyone who knows let the rest of us in on what was filtered ... was Yahoo taken down with a flood of HTTP GETs, ICMP, UDP, SYN floods, or what? If this is a DDoS, the attack could probably be fingerprinted ... this would be very useful information if we are going to see more tomorrow. Do we know if the source addys are spoofed, and if an attacker could turn off spoofing, revealing the source of the traffic but getting around some filtering? I am making the assumption that the last three days' attacks were caused by the same person or persons. But the intent is the same regardless ... we can all go back and forth on NANOG about what might be happening, and wait for the feds to chase down the attacker(s), or people who have been attacked or might be attacked can compare notes and try to get an idea of where the attacks are coming from and exactly what they are. Any relevant info would be appreciated. Nobody knows who is next. -travis On Wed, 9 Feb 2000, Joe Shaw wrote:
Make it a law, and they will. But I don't think laws are the answer to cooperation. The Tier1's should take the time to work together on their own before they are forced to in a way they may not like.
-- Joseph W. Shaw - jshaw@insync.net Computer Security Consultant and Programmer Free UNIX advocate - "I hack, therefore I am."
On Wed, 9 Feb 2000, Henry R. Linneweh wrote:
they should be made to co-operate with the backbone provider and not have much choice in the matter.