Re: Attacker Data / Wall of Shame
At 10:56 PM 11/5/2002, Christopher L. Morrow wrote:
On Tue, 5 Nov 2002, Daniel Senie wrote:
We have had enough regular attacks on our web farm to put together tools that catalogue the attacks, report them to a central database, and post them to a website. The data is extracted hourly for the website to cut down on server / database loading.
You can find our display of this data at:
http://www.shame.denialinfo.com/
You have the option of viewing the data by IP address, Date of attack or sorted by the number of attacks from a host. The attacking systems seem well distributed around the world, though the extent to which that's a result of open proxies is unclear.
This is neat, BUT what exactly is a DoS attack in this definition? Is this:
web proxy probes
No.
web formmail submission attempts
yes.
slapper/nimda/cr/crII probes
Yes.
Just curious really.
Our servers are not vulnerable to the actual attacks, but the volume of the probe traffic, whether formmail, slapper or nimda and friends, constitue a denial of service in that they tie up our servers for a period of time and keep us from serving customer websites to legitimate users. That we pay for bandwidth does not help matters. We have to rate limit incoming traffic to keep bandwidth within our targets and our customers' targets. The attack traffic overwhelms the legitimate traffic, though even if we didn't rate limit we'd still wind up with overwhelmed servers.
participants (1)
-
Daniel Senie