Compromised Hosts?

Richard A Steenbergen ras at e-gerbil.net
Mon Mar 22 18:19:30 UTC 2004


On Mon, Mar 22, 2004 at 10:53:29AM -0600, Ejay Hire wrote:
> 
> We get a lot of automated complaints.  A human reads all of
> them, and acts on some of them.  I'm particularly fond of the
> dozen-a-week "Source quench" attack emails we get, where Joe
> Guy's IDS identifies the single source quench packet from a
> DSL CPE as malicious.  Perhaps next time we should give our
> ICMP control messages friendlier names.  :)

If anyone had imagined a million Windows twits with
BlackICE and enough free time to e-mail every alias
they could find sending in complaints (along with
threats to report you to the FBI, CIA, and DHS, as
well as sue you, your router vendor, and your dog)  
every time your evil webserver hacked them by
responding to their port 80 connection when the ICMP
spec was written, they would have named them ICMP NOT
ECHO AN REPLY ATTACK etc. Perhaps if more people were 
RFC3514 compliant... :)

Bottom line, it is remarkably difficult to take action 
based on random internet complaints. If there is a 
well known authoritative source for DoS tracking who 
wants to publish a list to ISPs, fine, but don't 
expect the same reaction to random joe blow 
complainer.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


