Attacker Data / Wall of Shame

Daniel Senie dts at
Wed Nov 6 04:00:59 UTC 2002

At 10:29 PM 11/5/2002, Rajesh Talpade wrote:
>Interesting data.
>Do you filter or identify spoofed IP addresses?

We block packets with source addresses which are obviously bogus (see 
recent IANA RFC for the list). Past that, note that these data are all 
derived from analysis of HTTP GET requests, which means the TCP 3-way 
handshake has completed and data has flowed before we detect the nature of 
the request/attack.

>Also, any data collected on more direct DoS attacks?

We do collect a variety of data on other attacks, but this particular 
system was set up to catalog (and eventually blackhole) DoS attacks 
affecting our web servers. The Slapper attack, for example, goes after 
OpenSSL and chews a significant amount of CPU time on the servers.

>"--- begin message from Daniel Senie ---"
> >
> >
> > We have had enough regular attacks on our web farm to put together tools
> > that catalogue the attacks, report them to a central database, and post
> > them to a website. The data is extracted hourly for the website to cut 
> down
> > on server / database loading.
> >
> > You can find our display of this data at:
> >
> >
> >
> > You have the option of viewing the data by IP address, Date of attack or
> > sorted by the number of attacks from a host. The attacking systems seem
> > well distributed around the world, though the extent to which that's a
> > result of open proxies is unclear.
> >
> > The data is aged out of the display (but not the database, just use select
> > options to pick the data) after a period of time. We have much more data
> > than we display on these pages, but this is enough for network 
> operators to
> > see if they've got habitually misbehaving hosts on their networks or their
> > downstreams.
> >
> > Attacks we track include Nimda, Slapper and Formmail. Our servers are not
> > vulnerable to the attacks, but the attacks generate enough traffic to
> > result in a Denial of Service when they come in. We have considered a
> > number of measures for blackholing traffic from these sites, but have not
> > yet employed any of them. Building filter lists based on the dataset is
> > impractical. We age the data in expectation of using it in a blackhole
> > mechanism. We'd only want to block a host for a limited number of days
> > after the last attack registered, so that hosts that have been secured 
> will
> > age off the list on their own.
> >
> > We'd be interested in comments and feedback on this mechanism, and hope
> > some folks find it useful.

More information about the NANOG mailing list