At 10:29 PM 11/5/2002, Rajesh Talpade wrote:
> Interesting data.
> Do you filter or identify spoofed IP addresses?
We block packets with source addresses which are obviously bogus (see recent IANA RFC for the list). Past that, note that these data are all derived from analysis of HTTP GET requests, which means the TCP 3-way handshake has completed and data has flowed before we detect the nature of the request/attack.
> Also, any data collected on more direct DoS attacks?
We do collect a variety of data on other attacks, but this particular system was set up to catalog (and eventually blackhole) DoS attacks affecting our web servers. The Slapper attack, for example, goes after OpenSSL and chews a significant amount of CPU time on the servers.
> Thanks. Rajesh.
--- begin message from Daniel Senie ---
We have had enough regular attacks on our web farm to put together tools that catalogue the attacks, report them to a central database, and post them to a website. The data is extracted hourly for the website to cut down on server / database loading.
You can find our display of this data at:
http://www.shame.denialinfo.com/
You have the option of viewing the data by IP address, Date of attack or sorted by the number of attacks from a host. The attacking systems seem well distributed around the world, though the extent to which that's a result of open proxies is unclear.
The data is aged out of the display (but not the database, just use select options to pick the data) after a period of time. We have much more data than we display on these pages, but this is enough for network operators to see if they've got habitually misbehaving hosts on their networks or their downstreams.
Attacks we track include Nimda, Slapper and Formmail. Our servers are not vulnerable to the attacks, but the attacks generate enough traffic to result in a Denial of Service when they come in. We have considered a number of measures for blackholing traffic from these sites, but have not yet employed any of them. Building filter lists based on the dataset is impractical. We age the data in expectation of using it in a blackhole mechanism. We'd only want to block a host for a limited number of days after the last attack registered, so that hosts that have been secured will age off the list on their own.
We'd be interested in comments and feedback on this mechanism, and hope some folks find it useful.
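The cataloguing and aging described in the message above, together with the bogus-source filtering mentioned in the reply, as an added example that is not Daniel Senie's tool and not code from the thread. It parses constructed Apache-style access-log lines, matches request paths against illustrative Nimda and Formmail signatures (Slapper attacks the SSL handshake, so it never shows up as a request line and is not matched), skips sources in well-known non-routable ranges (the assumption is that the "recent IANA RFC" refers to the special-use address list), records per-host counts and last-seen times, and lists only hosts whose last attack is within a configurable number of days, so secured hosts age off the blackhole candidates on their own.

```python
"""Catalog attack probes from web-server logs and age out offenders.

Added example for the thread above, not the tool described in it. The
log lines are constructed; the signature patterns are illustrative.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Source ranges that cannot legitimately originate Internet traffic.
# Assumption: the "recent IANA RFC" in the thread is the special-use
# address list; only the well-known non-routable ranges are listed here.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Request-path signatures for two of the attacks named in the thread.
# Nimda probes for root.exe/cmd.exe; Formmail abuse targets the formmail
# CGI. Slapper works at the SSL handshake, so it never appears as a
# request line and is not matched here.
SIGNATURES = {
    "Nimda": re.compile(r"/(root|cmd)\.exe", re.I),
    "Formmail": re.compile(r"formmail", re.I),
}

# Apache combined-format prefix: ip ident user [timestamp] "METHOD path ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


def is_bogon(ip):
    """True when the source address falls in a non-routable range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def classify(path):
    """Name of the attack whose signature matches the request path, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(path):
            return name
    return None


def catalog(lines):
    """Build {ip: {"count", "last", "attacks"}} from access-log lines.

    Bogon sources are skipped (a border filter would already have dropped
    them); requests matching no signature are ignored.
    """
    db = defaultdict(lambda: {"count": 0, "last": None, "attacks": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or is_bogon(m["ip"]):
            continue
        kind = classify(m["path"])
        if kind is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = db[m["ip"]]
        rec["count"] += 1
        rec["attacks"].add(kind)
        if rec["last"] is None or ts > rec["last"]:
            rec["last"] = ts
    return dict(db)


def active_offenders(db, now, max_age_days=7):
    """Hosts still eligible for blackholing: last attack within max_age_days.

    Hosts whose last attack is older drop off on their own, which is the
    aging behaviour the thread describes.
    """
    cutoff = now - timedelta(days=max_age_days)
    return sorted(ip for ip, rec in db.items() if rec["last"] >= cutoff)


# Constructed sample log; source addresses are from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Nov/2002:03:12:44 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [01/Nov/2002:03:12:45 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '203.0.113.9 - - [04/Nov/2002:18:40:01 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 404 190',
    '192.168.1.5 - - [05/Nov/2002:09:00:00 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.33 - - [05/Nov/2002:09:05:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    db = catalog(SAMPLE_LOG)
    now = datetime(2002, 11, 6, tzinfo=timezone.utc)
    for ip in active_offenders(db, now, max_age_days=7):
        rec = db[ip]
        print(ip, rec["count"], sorted(rec["attacks"]), rec["last"].date())
```

Run against a real access log, the catalog would be fed from the log tail hourly and the offender list regenerated from the database, as the message describes; the age window is the single knob that decides how long a host stays blackholed after its last recorded attack.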