We have had enough regular attacks on our web farm to put together tools that catalogue the attacks, report them to a central database, and post them to a website. The data is extracted hourly for the website to cut down on server / database loading. You can find our display of this data at: http://www.shame.denialinfo.com/ You have the option of viewing the data by IP address, Date of attack or sorted by the number of attacks from a host. The attacking systems seem well distributed around the world, though the extent to which that's a result of open proxies is unclear. The data is aged out of the display (but not the database, just use select options to pick the data) after a period of time. We have much more data than we display on these pages, but this is enough for network operators to see if they've got habitually misbehaving hosts on their networks or their downstreams. Attacks we track include Nimda, Slapper and Formmail. Our servers are not vulnerable to the attacks, but the attacks generate enough traffic to result in a Denial of Service when they come in. We have considered a number of measures for blackholing traffic from these sites, but have not yet employed any of them. Building filter lists based on the dataset is impractical. We age the data in expectation of using it in a blackhole mechanism. We'd only want to block a host for a limited number of days after the last attack registered, so that hosts that have been secured will age off the list on their own. We'd be interested in comments and feedback on this mechanism, and hope some folks find it useful. ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com