Attacker Data / Wall of Shame

Daniel Senie dts at senie.com
Tue Nov 5 23:51:04 UTC 2002


We have had enough regular attacks on our web farm to put together tools 
that catalogue the attacks, report them to a central database, and post 
them to a website. The data is extracted hourly for the website to cut down 
on server / database loading.

You can find our display of this data at:

   http://www.shame.denialinfo.com/

You have the option of viewing the data by IP address, Date of attack or 
sorted by the number of attacks from a host. The attacking systems seem 
well distributed around the world, though the extent to which that's a 
result of open proxies is unclear.

The data is aged out of the display (but not the database, just use select 
options to pick the data) after a period of time. We have much more data 
than we display on these pages, but this is enough for network operators to 
see if they've got habitually misbehaving hosts on their networks or their 
downstreams.

Attacks we track include Nimda, Slapper and Formmail. Our servers are not 
vulnerable to the attacks, but the attacks generate enough traffic to 
result in a Denial of Service when they come in. We have considered a 
number of measures for blackholing traffic from these sites, but have not 
yet employed any of them. Building filter lists based on the dataset is 
impractical. We age the data in expectation of using it in a blackhole 
mechanism. We'd only want to block a host for a limited number of days 
after the last attack registered, so that hosts that have been secured will 
age off the list on their own.

We'd be interested in comments and feedback on this mechanism, and hope 
some folks find it useful.

-----------------------------------------------------------------
Daniel Senie                                        dts at senie.com
Amaranth Networks Inc.                    http://www.amaranth.com
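As an added illustration of the cataloguing and aging scheme described in the post (this is not Daniel's tool or the denialinfo.com code), the script below scans constructed Apache-style access log lines for Nimda and Formmail probe signatures, counts hits per source address, and keeps a host on the report only while its last attack falls inside an aging window; the request-path patterns, the log format and the sample addresses are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2002:10:12:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
203.0.113.5 - - [05/Nov/2002:10:12:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [01/Oct/2002:08:00:00 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 210 "-" "-"
192.0.2.9 - - [05/Nov/2002:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

# Illustrative request-path signatures (assumed, not a complete ruleset).
SIGNATURES = {
    "Nimda": re.compile(r"/(?:root\.exe|cmd\.exe)", re.IGNORECASE),
    "Formmail": re.compile(r"/formmail\.pl", re.IGNORECASE),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_ts(text):
    return datetime.strptime(text, TS_FMT)

def parse_line(line):
    """Return (ip, timestamp, attack_name) for a matching probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path = m.groups()
    for name, pat in SIGNATURES.items():
        if pat.search(path):
            return ip, parse_ts(ts), name
    return None

def catalogue(log_text):
    """Per-IP record: number of attacks, last attack seen, attack types."""
    records = {}
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        ip, when, name = hit
        rec = records.setdefault(ip, {"count": 0, "last": when, "types": set()})
        rec["count"] += 1
        rec["last"] = max(rec["last"], when)
        rec["types"].add(name)
    return records

def report(log_text, now_text, max_age_days):
    """Hosts whose last attack is within the window, most active first."""
    cutoff = parse_ts(now_text) - timedelta(days=max_age_days)
    live = [(ip, r) for ip, r in catalogue(log_text).items() if r["last"] >= cutoff]
    live.sort(key=lambda kv: (-kv[1]["count"], kv[0]))
    return [(ip, r["count"], sorted(r["types"])) for ip, r in live]
```

With a 30-day window only the host probing on 5 November remains listed; widening the window to 60 days brings the October Formmail probe back, which is the aging behaviour the post describes for a future blackhole list.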
