Nanogers -

Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it?

Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?

If even 5% of these were acted upon, it might make a difference. The question is... would even 1% be?

Thanks for your opinions,

DJ
On Sun, 21 Mar 2004, Deepak Jain wrote:
Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it?
Most of them don't even do anything when you send them registered postal mail. Why would they do anything about automated email? They ignore regular manual emails; I imagine they would doubly ignore automated ones.

-Dan
deepak@ai.net (Deepak Jain) writes:
Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it?
while not a broadband provider, i would be interested in that information.
Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?
i'd like a dynamic update of a blackhole-style zone, please. while it would not be my personal one (as shown in the following example), it would be just like it. naturally i would only share the update key with people whose judgement i had confidence in -- deepak being an example of same. probably the zone would only be accessible using a tsig query key that would also be known only to a set of judgement-trusted people (maybe the same set, maybe not).

i run the script below as part of my maillog-watcher (when postfix signals that a worm was rejected), and my http sham server (when it detects an attempt to do something bad), and my smtp sham server (likewise). checking just now i see 895028 entries auto-added to the list since inception (7 weeks ago). imagine what we could accomplish with more judgement-trusted contributors. any interest?

(this would probably show up as part of http://oarc.isc.org/ but before i propose it there i'm interested in field survey results.)

--------
#!/bin/sh
# usage: <script> <ipv4-address> [reason ...]
# reverse the octets (192.0.2.45 -> 45.2.0.192) so the address can be a
# node name under the zone, then drop it so $@ holds only the reason
node=`echo $1 | awk -F. '{print $4 "." $3 "." $2 "." $1}'`; shift
zone="example.vix.com"
server="justanexample.vix.com"
ttl="1800"
nsupdate="/usr/local/bin/nsupdate"
keyfile="/var/named/rejectall/Kupdate-rejectall.+157+43810.key"
# build an nsupdate batch on stdin and sign it with the TSIG update key;
# the nxdomain prerequisite makes the batch a no-op if the node already exists
(
echo server $server
echo zone $zone
echo prereq nxdomain $node.$zone
echo update add $node.$zone $ttl A 0.0.0.0
echo update add $node.$zone $ttl TXT created `date +%Y%m%d%H%M%S`
if [ $# -gt 0 ]; then
	echo update add $node.$zone $ttl TXT reason $@
fi
echo send
) | $nsupdate -k $keyfile /dev/stdin
exit $?
--------
-- 
Paul Vixie
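An added example, not Paul's script and not part of the thread: the same reversed-octet naming and nsupdate batch written in Python, plus a minimal in-memory model of how a server applies the batch so the `prereq nxdomain` behaviour and the consumer-side lookup can be exercised without a name server. ZONE and SERVER are the post's placeholder names, assumed here; `submit()` is the only part that needs a real nsupdate binary and TSIG key file.

```python
"""Generate an nsupdate batch for a reversed-octet blackhole zone and model
its application.  Added example; ZONE/SERVER are assumed placeholders."""
import ipaddress
import subprocess
from datetime import datetime, timezone

ZONE = "example.vix.com"          # assumption: placeholder, as in the post
SERVER = "justanexample.vix.com"  # assumption: placeholder, as in the post
TTL = 1800


def reversed_name(ip, zone=ZONE):
    """192.0.2.45 -> '45.2.0.192.example.vix.com' (what the post's awk does),
    after checking that the input really is an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 is handled, as in the original script")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def txt_string(text):
    """Quote one TXT <character-string>.  The post's unquoted $@ hands nsupdate
    a multi-word reason as several strings; quoting keeps it as one string
    and survives embedded spaces, backslashes and double quotes."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def nsupdate_script(ip, reason=None, when=None, zone=ZONE, server=SERVER, ttl=TTL):
    """Return the text fed to `nsupdate -k keyfile` on stdin."""
    node = reversed_name(ip, zone)
    stamp = (when or datetime.now(timezone.utc)).strftime("%Y%m%d%H%M%S")
    lines = [
        f"server {server}",
        f"zone {zone}",
        f"prereq nxdomain {node}",  # add only if no record exists yet
        f"update add {node} {ttl} A 0.0.0.0",
        f"update add {node} {ttl} TXT {txt_string('created ' + stamp)}",
    ]
    if reason:
        lines.append(f"update add {node} {ttl} TXT {txt_string('reason ' + reason)}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def submit(ip, keyfile, reason=None, nsupdate="/usr/local/bin/nsupdate"):
    """Send the batch signed with a TSIG key file (needs a real nsupdate/server)."""
    subprocess.run([nsupdate, "-k", keyfile], input=nsupdate_script(ip, reason),
                   text=True, check=True)


def apply_update(script, zone_db):
    """Minimal model of a server applying one batch: honours `prereq nxdomain`
    and `update add`.  Returns True if applied, False if a prerequisite
    failed, in which case nothing in the batch is applied (RFC 2136 semantics)."""
    adds = []
    for line in script.splitlines():
        parts = line.split(None, 5)
        if parts[:2] == ["prereq", "nxdomain"] and parts[2] in zone_db:
            return False
        if parts[:2] == ["update", "add"]:
            name, rtype, rdata = parts[2], parts[4], parts[5]
            adds.append((name, rtype, rdata))
    for name, rtype, rdata in adds:
        zone_db.setdefault(name, []).append((rtype, rdata))
    return True


def is_listed(ip, zone_db, zone=ZONE):
    """Consumer side, DNSBL style: listed iff the reversed name has an A record."""
    return any(rtype == "A" for rtype, _ in zone_db.get(reversed_name(ip, zone), []))
```

Two things the model makes visible: a second report of the same host is rejected outright by the prerequisite rather than piling up duplicate TXT records, and a consumer only needs to know the zone and the reversed-octet convention to check an address, which is what makes sharing the query key (rather than the update key) enough for read-only contributors.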
At 07:26 PM 21/03/2004, Deepak Jain wrote:
Nanogers -
Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it?
From my experiences, some are much better than others. The main thing, I think, is to make it as clear and as easy as possible for the provider to act on the issue. So include things like source IP, port, dest IP, port, and time stamps in GMT. Note that the time is actually accurate, i.e. your clocks are NTP sync'd, and make that clear in the report.
Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?
No. ---Mike
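An added example, not from the thread: a report generator that does what Mike asks for, one report per attacking host with source and destination address and port, timestamps rendered unambiguously in UTC, and an explicit statement of whether the collector's clock was NTP-synchronised. The flow records are constructed for the example (RFC 5737 documentation addresses), and the report layout is an assumption, not a format any provider in the thread specifies.

```python
"""Per-host abuse reports from attack-flow records.  Added example; the
sample flows are constructed and the report format is assumed."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample, not real data: (epoch seconds, src, sport, dst, dport, proto)
SAMPLE_FLOWS = [
    (1079913600, "192.0.2.45", 1034, "198.51.100.7", 80, "tcp"),
    (1079913605, "192.0.2.45", 1035, "198.51.100.7", 80, "tcp"),
    (1079913609, "192.0.2.45", 1036, "198.51.100.8", 80, "tcp"),
    (1079913612, "192.0.2.200", 53412, "198.51.100.7", 80, "tcp"),
    (1079917200, "192.0.2.45", 1040, "198.51.100.7", 443, "tcp"),
]


def utc(ts):
    """Epoch seconds -> 'YYYY-MM-DD HH:MM:SS UTC', so the zone is never ambiguous."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def summarize(flows):
    """Group flows by attacking host (each host's provider gets its own report),
    sorted by time, with first/last seen and the distinct targets."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    out = {}
    for src, fl in by_src.items():
        fl.sort()
        out[src] = {
            "first": fl[0][0], "last": fl[-1][0], "count": len(fl),
            "targets": sorted({(f[3], f[4]) for f in fl}), "flows": fl,
        }
    return out


def render_report(src, info, ntp_synced=True, max_lines=50):
    """Plain-text report for one attacking host; bounded so a large flood
    does not turn the report itself into an unreadable dump."""
    head = [
        f"Abuse report for {src}",
        f"First seen: {utc(info['first'])}   Last seen: {utc(info['last'])}",
        f"Flows observed: {info['count']}   Distinct targets: {len(info['targets'])}",
        "Clock: " + ("UTC, collector NTP-synchronised" if ntp_synced
                     else "UTC, collector NOT verified against NTP"),
        "",
        "timestamp (UTC)          proto  source            -> destination",
    ]
    body = [f"{utc(ts)}  {proto:<5}  {s}:{sp:<5} -> {d}:{dp}"
            for ts, s, sp, d, dp, proto in info["flows"][:max_lines]]
    if info["count"] > max_lines:
        body.append(f"... {info['count'] - max_lines} more flows available on request")
    return "\n".join(head + body) + "\n"


def reports(flows, ntp_synced=True):
    """Map attacking host -> report text, ready to send to that host's provider."""
    return {src: render_report(src, info, ntp_synced)
            for src, info in summarize(flows).items()}
```

Grouping by source first matters because the thing a provider can act on is one of its own hosts, not the attack as a whole; sending each provider only the flows from its address keeps the evidence verifiable against its own logs.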
On 22 Mar 2004 00:26 UTC Deepak Jain <deepak@ai.net> asked:
Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it?
We are a broadband provider and I am responsible for the abuse desk. If we have reason to believe that a host on our IP range is compromised it comes offline unless we are able to contact the customer immediately and satisfy ourselves that the compromise will be taken care of right away. We believe that is the only policy that can meet the established expectation that ISPs will behave as "Responsible Neighbours".
Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?
Not here, anyway. We accept email, IRC, SMS, telephone, snailmail or fax: all we require to see is some verifiable evidence of the report. The problem with any fully-automated reports is that systems used to generate those reports have, generically, reputations for reporting false alarms. We feel we have to accept and discard false alarms in order to be sure not to miss the genuine reports.

However, the issue of blackholing x.x.x.x/32 might be ineffective since quite a few broadband providers are using DHCP for their IP assignments (presumably so they can charge more for static IPs). Users, on finding a loss of connectivity, would almost always reboot, and/or restart their cablemodem or xDSL router until a new IP was assigned ... which would defeat the objective of the blackholing. For that the only effective remedy would be the inclusion of the entire DHCP range in any blacklist. Such a policy might attract some controversy in several quarters ...
If even 5% of these were acted upon, it might make a difference.
Sadly, any difference it did make would probably not be particularly noticeable, as a strict mathematical analysis reveals. -- Richard
participants (5)
- Dan Hollis
- Deepak Jain
- Mike Tancsa
- Paul Vixie
- Richard Cox