RE: How many backbones here are filtering the makelovenotspam screensaver site?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Aaron Glenn [mailto:aaron.glenn@gmail.com]
Sent: Thursday, December 02, 2004 2:52 PM
To: Chad Skidmore
Cc: nanog@merit.edu
Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?
On Thu, 2 Dec 2004 12:55:02 -0800, Chad Skidmore <cskidmore@go180.net> wrote:
> To your other point, how do you know that other botnets are not being identified and taken down every day by network operators? I know for a fact that they are, they just are not nearly as public as this one so those activities go largely unacknowledged.
I find that very hard to believe. After getting nailed (900Mbps/4000 unique hosts from the 1 second network capture we could get) by a relatively(?) small botnet, and doing all the hard work for them, not one of the 20 networks we contacted (9 being very very large) gave a flying piece of excrement as to what was going on.
It wasn't the first and probably won't be the last. Is that too small a fish to fry? Do ops only care when it's 2Gbps of sustained traffic choking their border routers, because I'm halfway there...
</rant>
Regards, Aaron
Sorry your experience has been different, this is definitely one of those YMMV kinds of deals. That is a significant attack by most anyone's standards. Getting to the right security team usually ends up being the challenge. Once there, however, we have found many providers do a great job of dealing with attacks quickly. Use of BGP triggered blackholes can be a great help, and going to the NOC/Abuse team with lots of good information from the start helps you get to the people that can pull the attack off quickly. You have to remember that, like all of us, larger service providers have their share of low clue factor customers. The quicker you can help them realize that you have a fairly high clue factor, the quicker you'll get to folks on their side with a high clue factor. During times of outages, attacks, etc. it is easy to get agitated quickly and that oftentimes doesn't help you get through the first couple of barrier NOC techs. Anyway, just my $.02 worth and as we can see YMMV.

Chad

- ----------------------------
Chad E Skidmore
One Eighty Networks, Inc.
http://www.go180.net
509-688-8180

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQa+fTk2RUJ5udBnvEQIMeACeOEuV1XA64yujh+hKEypGPedyL4kAoN0I
tjq/VueRQrb0gjJ2aHxHy4KY
=yFzW
-----END PGP SIGNATURE-----
Okay, making this an operational issue. Say you are attacked. Say it isn't even a botnet. Say a new worm is out and you are getting traffic from 19 different class A's. Who do you call? What do you block? How can a NOC team here help? "Please block any outgoing connections from your network to ours on port 25? Please?" I tried this once... it doesn't help. I ended up blackholing an entire country just to mitigate it a bit, for a few hours. Any practical suggestions?

Gadi.
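Chad's advice (reach the NOC/abuse desk with good information from the start, then let them drop the traffic, e.g. via BGP-triggered blackholes) and Gadi's question (what do you block when the sources span 19 class A's) both start from the same chore: turning a raw list of attacking hosts from a capture into aggregated prefixes with byte counts, so the ticket you open contains something a remote operator can act on. The script below is an added example, not code from this thread or from either poster. It assumes a constructed capture format of "src_ip dst_ip dst_port bytes" per line; the sample addresses are drawn from private and documentation ranges and are constructed for illustration. It groups sources into networks of a chosen prefix length (/24 by default, /8 for the "class A" view Gadi describes), ranks them by traffic share, and renders a plain-text summary for the abuse contact.

```python
"""Aggregate attack sources from a capture into prefixes for a NOC/abuse report.

Added example, not code from the NANOG thread. The input format and the
sample lines are constructed for illustration only.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample capture: "src_ip dst_ip dst_port bytes", one record per line.
# The last line is deliberately malformed to show that bad records are skipped.
SAMPLE_CAPTURE = """\
10.1.2.3 192.0.2.10 25 1500
10.1.2.7 192.0.2.10 25 1500
10.1.9.200 192.0.2.10 25 1500
10.44.0.5 192.0.2.10 80 60
172.16.5.5 192.0.2.10 25 1500
172.16.5.6 192.0.2.10 25 1500
172.16.8.9 192.0.2.10 25 1500
198.51.100.77 192.0.2.10 25 1500
bad line here
"""


def parse_capture(text):
    """Yield (src_ip, dst_port, bytes) tuples; skip malformed lines instead of aborting."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield ipaddress.ip_address(parts[0]), int(parts[2]), int(parts[3])
        except ValueError:
            continue


def aggregate_by_prefix(records, prefix_len=24):
    """Group IPv4 sources into /prefix_len networks.

    Returns {network: {"hosts": set of source addresses,
                       "bytes": total bytes seen,
                       "ports": Counter of bytes per destination port}}.
    """
    table = defaultdict(lambda: {"hosts": set(), "bytes": 0, "ports": Counter()})
    for src, port, nbytes in records:
        if src.version != 4:
            continue
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        entry = table[net]
        entry["hosts"].add(src)
        entry["bytes"] += nbytes
        entry["ports"][port] += nbytes
    return table


def rank_prefixes(table, share_threshold=0.10):
    """Return (network, bytes, host_count, share) tuples sorted by bytes, descending,
    keeping only prefixes that carry at least share_threshold of the total."""
    total = sum(e["bytes"] for e in table.values()) or 1
    ranked = sorted(table.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(net, e["bytes"], len(e["hosts"]), e["bytes"] / total)
            for net, e in ranked if e["bytes"] / total >= share_threshold]


def render_report(ranked):
    """Plain-text table suitable for pasting into an abuse or NOC ticket."""
    lines = ["prefix            bytes  hosts  share"]
    for net, nbytes, hosts, share in ranked:
        lines.append(f"{str(net):17} {nbytes:6d} {hosts:6d} {share:6.1%}")
    return "\n".join(lines)


if __name__ == "__main__":
    # /24 view: which networks to hand to their operators
    table = aggregate_by_prefix(parse_capture(SAMPLE_CAPTURE))
    print(render_report(rank_prefixes(table)))
    # /8 view: the "how many class A's" picture
    print(render_report(rank_prefixes(aggregate_by_prefix(parse_capture(SAMPLE_CAPTURE), prefix_len=8))))
```

The share threshold is there for the blackhole decision: a prefix contributing a fraction of a percent of the flood is not worth a blackhole route and the collateral damage that comes with it, whereas the top few prefixes account for most of the traffic and are the ones to name in the ticket. Re-run with a larger capture window before acting on the numbers; a one-second sample, as Aaron notes, undercounts.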