RE: Compromised Hosts?
We're a regional broadband (cable/dsl) provider with 100K+ subs and we do act on any notification regarding any one of our IP's participating in a DDOS. The most useful into is to state it is a DDOS, it is affecting service for you, the time/date and the IP of the source. Traffic details always help. Our downfall is that due to the number of "notifications", our abuse team sometimes gets behind; sometimes issues are not acted on until after the DDOS has ceased. Regardless, they are contacted, warned, their account is noted, and if the behavior occurs again, they are disconnected until they are cleaned. I think it's difficult for the national guys to do this mainly because of the number of complaints that are received; most e-mails are automated, most from innocent probes or misconfigured firewalls - very few contain useful info or are DDOS's. --Dan -- Daniel Ellis, CTO - PenTeleData (610)826-9293 "The only way to predict the future is to invent it." --Alan Kay -----Original Message----- From: Deepak Jain [mailto:deepak@ai.net] Sent: Sunday, March 21, 2004 7:26 PM To: nanog@merit.edu Subject: Compromised Hosts? Nanogers - Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it? Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective? If even 5% of these were acted upon, it might make a difference. The question is... would even 1% be? Thanks for your opinions, DJ
We get a lot of automated complaints. A human reads all of them, and act on some of them. I'm particularly fond of the dozen-a-week "Source quench" attack emails we get, where Joe Guy's IDS identifies the single source quench packet from a DSL Cpe as malicious. Perhaps next time we should give our ICMP control messages friendlier names. :) -Ejay
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Dan Ellis Sent: Sunday, March 21, 2004 6:51 PM To: nanog@merit.edu Subject: RE: Compromised Hosts?
We're a regional broadband (cable/dsl) provider with 100K+
subs and we do act on any notification regarding any one of our IP's participating in a DDOS. The most useful into is to state it is a DDOS, it is affecting service for you, the time/date and the IP of the source. Traffic details always help. Our downfall is that due to the number of "notifications", our abuse team sometimes gets behind; sometimes issues are not acted on until after the DDOS has
ceased. Regardless, they are contacted, warned, their account is noted, and if the behavior occurs again, they are disconnected until they are cleaned.
I think it's difficult for the national guys to do this mainly because of the number of complaints that are received; most e-mails are automated, most from innocent probes or misconfigured firewalls - very few contain useful info or are DDOS's.
--Dan
-- Daniel Ellis, CTO - PenTeleData (610)826-9293
"The only way to predict the future is to invent it." --Alan Kay
-----Original Message----- From: Deepak Jain [mailto:deepak@ai.net] Sent: Sunday, March 21, 2004 7:26 PM To: nanog@merit.edu Subject: Compromised Hosts?
Nanogers -
Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it?
Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?
If even 5% of these were acted upon, it might make a
difference. The question is... would even 1% be?
Thanks for your opinions,
DJ
On Mon, Mar 22, 2004 at 10:53:29AM -0600, Ejay Hire wrote:
We get a lot of automated complaints. A human reads all of them, and act on some of them. I'm particularly fond of the dozen-a-week "Source quench" attack emails we get, where Joe Guy's IDS identifies the single source quench packet from a DSL Cpe as malicious. Perhaps next time we should give our ICMP control messages friendlier names. :)
If anyone had imagined a million windows twits with blackice and enough free time to e-mail every alias they could find sending in complaints (along with threats to report you to the FBI, CIA, and DHS, as well as sue you, your router vendor, and your dog) every time your evil webserver hacked them by responding to their port 80 connection when the ICMP spec was written, they would have named them ICMP NOT ECHO AN REPLY ATTACK etc. Perhaps if more people were RFC3514 compliant... :) Bottom line, it is remarkably difficult to take action based on random internet complaints. If there is a well known authoritive source for DoS tracking who wants to publish a list to ISP's fine, but don't expect the same reaction to random joe blow complainer. -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
participants (3)
-
Dan Ellis
-
Ejay Hire
-
Richard A Steenbergen