Would anyone be interested in receiving a text or BGP feed of IPs of hosts known/suspected to be compromised and used as parts of DDOS attacks? Would anyone be interested in contributing their BGP views? We have (and I'm sure we're not isolated) been seeing attacks from several thousand/tens of thousands of unique hosts generated >2Gb/s, >1Mpps attacks.
I am not necessarily suggesting that providers use this list to blackhole at their edge, but it's certainly a good candidate for that. It could alternatively be used by access providers to notify their customers or filter on their customers. I am sure it would also be a good list to use to deny traffic to SMTP servers from/to. I'm not really an activist, so if there is real interest, I will be glad to set it up and contribute our own significant list of sources. If this is already done and I don't have a good set of skills with Google, please let me know.
Thanks in advance,
Deepak Jain
AiNET
Hi Deepak,
Check http://www.cymru.com/BGP/bogon-rs.html
They are doing a good job in this issue.
Regards,
Daniel

On Sunday 22 February 2004 17:12, Deepak Jain wrote:
Would anyone be interested in receiving a text or BGP feed of IPs of hosts known/suspected to be compromised and used as parts of DDOS attacks? Would anyone be interested in contributing their BGP views?
We have (and I'm sure we're not isolated) been seeing attacks from several thousand/tens of thousands of unique hosts generated >2Gb/s, >1Mpps attacks.
I am not necessarily suggesting that providers use this list to blackhole at their edge, but it's certainly a good candidate for that. It could alternatively be used by access providers to notify their customers or filter on their customers. I am sure it would also be a good list to use to deny traffic to SMTP servers from/to.
I'm not really an activist, so if there is real interest, I will be glad to set it up and contribute our own significant list of sources.
If this is already done and I don't have a good set of skills with Google, please let me know.
Thanks in advance,
Deepak Jain AiNET
On 2004-02-22 19:20 +0100 Daniel Concepcion typed:
DC> Hi Deepak,
DC> Check http://www.cymru.com/BGP/bogon-rs.html
DC> They are doing a good job in this issue.

Not quite - that is a list of BOGON networks (such as non-allocated, private (RFC1918), ...). You're probably thinking of a non-public service run by the same people; you may want to ask them off-list about that.

DC> Regards,
DC> Daniel
DC> > If this is already done and I don't have a good set of skills with
DC> > Google, please let me know.

Non-public stuff shouldn't be on Google ...

-- Rafi

DC> > Thanks in advance,
DC> > Deepak Jain
DC> > AiNET
At 11:12 AM 2/22/2004, Deepak Jain wrote:
Would anyone be interested in receiving a text or BGP feed of IPs of hosts known/suspected to be compromised and used as parts of DDOS attacks? Would anyone be interested in contributing their BGP views?
We have (and I'm sure we're not isolated) been seeing attacks from several thousand/tens of thousands of unique hosts generated >2Gb/s, >1Mpps attacks.
I am not necessarily suggesting that providers use this list to blackhole at their edge, but it's certainly a good candidate for that. It could alternatively be used by access providers to notify their customers or filter on their customers. I am sure it would also be a good list to use to deny traffic to SMTP servers from/to.
I'm not really an activist, so if there is real interest, I will be glad to set it up and contribute our own significant list of sources.
If this is already done and I don't have a good set of skills with Google, please let me know.
We're doing this internally, watching for various types of attack probes (SQL Slammer, Mydoom, dictionary attacks over SMTP, Nimda, etc.) and locking out source addresses via BGP blackholing for those who are persistent. All blocks age out over time so that systems that get fixed are removed by virtue of the attacks stopping. At any given time we have blocks against 800 to 2000 systems. At present we don't make this available to anyone outside, though it wouldn't be that hard to do.
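The mechanism Daniel Senie describes above (block only persistent probe sources, refresh the block while probes continue, let it age out once they stop) is small enough to show end to end. The following is an added example written for this thread, not Daniel's or AiNET's code: it replays a constructed log of probe sightings (the line format, the IPs, the signature names and the threshold/TTL values are all assumptions made here) through an aging block list and emits the /32 set a BGP blackhole feed would carry at a given moment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed sample sightings (hypothetical format, not real data):
# "<ISO timestamp> <source IP> <probe signature>", in time order.
# 192.0.2.10 probes three times in 7 minutes, then goes quiet (gets fixed);
# 198.51.100.7 is seen once and never crosses the threshold;
# 203.0.113.5 crosses the threshold and keeps probing the next day.
SAMPLE_EVENTS = """\
2004-02-22T10:00:00 192.0.2.10 slammer
2004-02-22T10:05:00 192.0.2.10 slammer
2004-02-22T10:07:00 192.0.2.10 slammer
2004-02-22T10:10:00 198.51.100.7 smtp-dict
2004-02-22T10:12:00 203.0.113.5 nimda
2004-02-22T10:15:00 203.0.113.5 nimda
2004-02-22T10:20:00 203.0.113.5 mydoom
2004-02-23T09:30:00 203.0.113.5 mydoom
"""


class AgingBlackhole:
    """Block a source once it is persistent; every later sighting refreshes
    the block's expiry, and a source that stops probing ages out on its own."""

    def __init__(self, threshold: int = 3,
                 window: timedelta = timedelta(hours=1),
                 ttl: timedelta = timedelta(hours=24)) -> None:
        self.threshold = threshold      # sightings inside `window` to count as persistent
        self.window = window
        self.ttl = ttl                  # how long a block lives after the last sighting
        self._recent: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._sigs: Dict[str, Set[str]] = defaultdict(set)
        self._expires: Dict[str, datetime] = {}

    def observe(self, ts: datetime, ip: str, sig: str) -> bool:
        """Record one sighting; return True if the source is (now) blocked."""
        hits = self._recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:   # drop sightings outside the window
            hits.popleft()
        self._sigs[ip].add(sig)
        if ip in self._expires or len(hits) >= self.threshold:
            self._expires[ip] = ts + self.ttl         # start or refresh the block
            return True
        return False

    def expire(self, now: datetime) -> List[str]:
        """Remove blocks whose TTL has lapsed; return the released sources."""
        stale = [ip for ip, exp in self._expires.items() if exp <= now]
        for ip in stale:
            del self._expires[ip]
            self._recent.pop(ip, None)
            self._sigs.pop(ip, None)
        return stale

    def blocked(self, now: datetime) -> Set[str]:
        self.expire(now)
        return set(self._expires)

    def blackhole_routes(self, now: datetime) -> List[str]:
        """Host routes a blackhole feed would carry at `now`."""
        return sorted(f"{ip}/32" for ip in self.blocked(now))

    def signatures(self, ip: str) -> List[str]:
        """Probe types seen from a blocked source, e.g. for notifying its provider."""
        return sorted(self._sigs.get(ip, ()))


def parse_events(text: str):
    for line in text.splitlines():
        ts, ip, sig = line.split()
        yield datetime.fromisoformat(ts), ip, sig


def replay(text: str, at_iso: str) -> List[str]:
    """Feed all sightings up to `at_iso` into a fresh block list and return its routes."""
    at = datetime.fromisoformat(at_iso)
    bh = AgingBlackhole()
    for ts, ip, sig in parse_events(text):
        if ts > at:
            break
        bh.observe(ts, ip, sig)
    return bh.blackhole_routes(at)


if __name__ == "__main__":
    for when in ("2004-02-22T11:00:00", "2004-02-23T12:00:00", "2004-02-24T12:00:00"):
        print(when, replay(SAMPLE_EVENTS, when))
```

At 11:00 on the 22nd both persistent sources are in the feed; by noon on the 23rd 192.0.2.10 has aged out because it stopped probing, while 203.0.113.5 is still listed because its morning sighting refreshed the block; a day later the feed is empty. The single-sighting host never appears, which is the property that keeps such a list from turning into a blanket block on dynamic address space.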
On Sun, Feb 22, 2004 at 11:12:38AM -0500, Deepak Jain wrote:
Would anyone be interested in receiving a text or BGP feed of IPs of hosts known/suspected to be compromised and used as parts of DDOS attacks? Would anyone be interested in contributing their BGP views?
Hey Deepak,
It's not a BGP feed, but take a look at: http://www.spamhaus.org/xbl/index.lasso
"Avleen" == Avleen Vig <lists-nanog@silverwraith.com> writes:
Would anyone be interested in receiving a text or BGP feed of IPs of hosts known/suspected to be compromised and used as parts of DDOS attacks? Would anyone be interested in contributing their BGP views?
Avleen> Hey Deepak,
Avleen> It's not a BGP feed, but take a look at:
Avleen> http://www.spamhaus.org/xbl/index.lasso

It also has nothing to do with DDoS attacks; its intended use is only for blocking email traffic. The XBL incorporates the CBL, and the CBL team does not support the use of its data for purposes other than blocking incoming SMTP traffic. The reason for this is that the CBL lists a very large number of dynamic IPs, and has a very long expiration time (months). Accordingly, using it to block general traffic will have a high false-positive rate.

-- Andrew, Supernews
http://www.supernews.com
participants (6)
- Andrew - Supernews
- Avleen Vig
- Daniel Concepcion
- Daniel Senie
- Deepak Jain
- Rafi Sadowsky