Attacker Data / Wall of Shame

Daniel Senie dts at senie.com
Wed Nov 6 04:10:47 UTC 2002


At 10:56 PM 11/5/2002, Christopher L. Morrow wrote:

>On Tue, 5 Nov 2002, Daniel Senie wrote:
>
> >
> > We have had enough regular attacks on our web farm to put together tools
> > that catalogue the attacks, report them to a central database, and post
> > them to a website. The data is extracted hourly for the website to cut down
> > on server / database loading.
> >
> > You can find our display of this data at:
> >
> >    http://www.shame.denialinfo.com/
> >
> > You have the option of viewing the data by IP address, Date of attack or
> > sorted by the number of attacks from a host. The attacking systems seem
> > well distributed around the world, though the extent to which that's a
> > result of open proxies is unclear.
>
>This is neat, BUT what exactly is a DoS attack in this definition? Is
>this:
>
>web proxy probes

No.

>web formmail submission attempts

Yes.

>slapper/nimda/cr/crII probes

Yes.


>Just curious really.

Our servers are not vulnerable to the actual attacks, but the volume of the 
probe traffic, whether formmail, slapper or nimda and friends, constitute a 
denial of service in that they tie up our servers for a period of time and 
keep us from serving customer websites to legitimate users.

That we pay for bandwidth does not help matters. We have to rate limit 
incoming traffic to keep bandwidth within our targets and our customers' 
targets. The attack traffic overwhelms the legitimate traffic, though even 
if we didn't rate limit we'd still wind up with overwhelmed servers.
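
An added example, not part of the original post and not the poster's tooling: a sketch of the kind of cataloguing the thread describes, tallying probe requests from an Apache-style access log by source IP, by date and by kind. The signatures, log lines and addresses are constructed assumptions; proxy probes are left uncounted, as in the answer above, and slapper is omitted because it has no simple request-path signature.

```python
import re
from collections import Counter

# Request-path signatures (assumed for illustration): well-known probe
# patterns for the worm and formmail traffic named in the thread.
SIGNATURES = [
    ("nimda", re.compile(r"/(cmd|root)\.exe", re.I)),
    ("codered", re.compile(r"/default\.ida\?", re.I)),
    ("formmail", re.compile(r"/formmail\b", re.I)),
]

# Common Log Format: client IP, date, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample input (documentation address ranges, invented requests).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Nov/2002:22:01:10 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [05/Nov/2002:22:01:11 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [05/Nov/2002:22:03:40 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 215
203.0.113.5 - - [05/Nov/2002:22:05:02 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205
203.0.113.9 - - [05/Nov/2002:22:06:30 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 0
198.51.100.20 - - [05/Nov/2002:22:07:00 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [06/Nov/2002:01:15:44 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
""".splitlines()

def classify(target):
    """Return the probe kind for a request target, or None if not counted."""
    for kind, pattern in SIGNATURES:
        if pattern.search(target):
            return kind
    return None

def catalogue(lines):
    """Tally counted probes by source IP, by day and by kind."""
    by_ip, by_day, by_kind = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify(m["target"]) if m else None
        if kind is None:
            continue  # unparseable line, proxy probe or ordinary request
        by_ip[m["ip"]] += 1
        by_day[m["day"]] += 1
        by_kind[kind] += 1
    return by_ip, by_day, by_kind

if __name__ == "__main__":
    by_ip, by_day, by_kind = catalogue(SAMPLE_LOG)
    for ip, count in by_ip.most_common():  # the "sorted by number of attacks" view
        print(ip, count)
```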



