I tend to agree here. I have noticed so many attacks etc coming from APNIC as of recent that on our corp network we have an ACL to block a number of APNIC blocks. If there was a dynamic method to add null0 routes to identified zombies, I think that would help. IE. security company A provides a feed (BGP etc) to null route zombies that it has identified. But that opens a whole other can of worms..... J -----Original Message----- From: Petri Helenius [mailto:pete@he.iki.fi] Sent: Thursday, July 31, 2003 9:24 AM To: variable@ednet.co.uk; Rob Thomas Cc: NANOG Subject: Re: WANTED: ISPs with DDoS defense solutions I would say that because backdoored hosts are easily available in large quantities, spoofing does not make sense and usually alarms various systems more quickly than packets from legitimate addresses. Pete ----- Original Message ----- From: <variable@ednet.co.uk> To: "Rob Thomas" <robt@cymru.com> Cc: "NANOG" <nanog@merit.edu> Sent: Thursday, July 31, 2003 4:17 PM Subject: Re: WANTED: ISPs with DDoS defense solutions

On Wed, 30 Jul 2003, Rob Thomas wrote:

...

I've tracked 1787 DDoS attacks since 01 JAN 2003. Of that number, only 32 used spoofed sources. I rarely see spoofed attacks now.

Do you have any ideas as to why that is? Is it due to more providers doing source filtering? It wouldn't make sense for attackers to become less sophisticated unless they became more difficult to catch for other reasons (e.g. botnets getting bigger).

Rich