Attacker Data / Wall of Shame

Rajesh Talpade rrt at
Wed Nov 6 03:29:12 UTC 2002

Interesting data.

Do you filter or identify spoofed IP addresses?

Also, any data collected on more direct DoS attacks? 


"--- begin message from Daniel Senie ---"
> We have had enough regular attacks on our web farm to put together tools 
> that catalogue the attacks, report them to a central database, and post 
> them to a website. The data is extracted hourly for the website to cut down 
> on server / database loading.
> You can find our display of this data at:
> You have the option of viewing the data by IP address, Date of attack or 
> sorted by the number of attacks from a host. The attacking systems seem 
> well distributed around the world, though the extent to which that's a 
> result of open proxies is unclear.
> The data is aged out of the display (but not the database, just use select 
> options to pick the data) after a period of time. We have much more data 
> than we display on these pages, but this is enough for network operators to 
> see if they've got habitually misbehaving hosts on their networks or their 
> downstreams.
> Attacks we track include Nimda, Slapper and Formmail. Our servers are not 
> vulnerable to the attacks, but the attacks generate enough traffic to 
> result in a Denial of Service when they come in. We have considered a 
> number of measures for blackholing traffic from these sites, but have not 
> yet employed any of them. Building filter lists based on the dataset is 
> impractical. We age the data in expectation of using it in a blackhole 
> mechanism. We'd only want to block a host for a limited number of days 
> after the last attack registered, so that hosts that have been secured will 
> age off the list on their own.
> We'd be interested in comments and feedback on this mechanism, and hope 
> some folks find it useful.

More information about the NANOG mailing list