Compromised Hosts?
Dan Ellis
ellis at corp.ptd.net
Mon Mar 22 00:50:41 UTC 2004
We're a regional broadband (cable/dsl) provider with 100K+ subs and we do act on any notification regarding any one of our IP's participating in a DDOS. The most useful into is to state it is a DDOS, it is affecting service for you, the time/date and the IP of the source. Traffic details always help. Our downfall is that due to the number of "notifications", our abuse team sometimes gets behind; sometimes issues are not acted on until after the DDOS has ceased. Regardless, they are contacted, warned, their account is noted, and if the behavior occurs again, they are disconnected until they are cleaned.
I think it's difficult for the national guys to do this mainly because of the number of complaints that are received; most e-mails are automated, most from innocent probes or misconfigured firewalls - very few contain useful info or are DDOS's.
--Dan
--
Daniel Ellis, CTO - PenTeleData
(610)826-9293
"The only way to predict the future is to invent it."
--Alan Kay
-----Original Message-----
From: Deepak Jain [mailto:deepak at ai.net]
Sent: Sunday, March 21, 2004 7:26 PM
To: nanog at merit.edu
Subject: Compromised Hosts?
Nanogers -
Would any broadband providers that received automated, detailed
(time/date stamp, IP information) with hosts that are being used to
attack (say as part of a DDOS attack) actually do anything about it?
Would the letter have to include information like "x.x.x.x/32 has been
blackholed until further notice or contact with you" to be effective?
If even 5% of these were acted upon, it might make a difference. The
question is... would even 1% be?
Thanks for your opinions,
DJ
More information about the NANOG
mailing list