Arbor Networks DoS defense product
Dan Hollis
goemon at anime.net
Thu May 16 05:49:18 UTC 2002
On 15 May 2002, Johannes B. Ullrich wrote:
> > What about scans done
> > from different networks other than that which the supposed attacker is
> > originating from.
> Well, then these networks are marked as "attackers", which is ok. The
> can clean up their systems and enjoy full access again.
Yes. Part of such blackholing would be hoped to have a "behaviour
modification" effect the same way that RBL does.
Many NOCs/admins are too apathetic/lazy/incompetent/toothless to do
anything about shutting down compromised boxes/script kiddies. Blackholing
them from the net would provide motivation. And some protection against
those attackers.
When management can no longer download their pr0n you can damn well bet
they will "want it fixed NOW" and will give whatever authorization
required to do it.
Well, you get the point. :P
It's not intended to be perfect.
It's intended to make life more difficult for attackers, and to reduce
impact of attacks at least a little bit. And motivate lazy networks to fix
their broken shit.
-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
More information about the NANOG
mailing list