BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)
don at calis.blacksun.org
Thu Oct 26 15:38:10 UTC 2006
> Put another way, anti-spoofing does three things: it makes reflector
> attacks harder, it makes it easier to use ACLs to block sources, and it
> helps people track down the bot and notify the admin. Are people actually
> successfully doing either of the latter two?
I think it's a time constraint- looking up, sorting and notifying admins
about 10,000 attack sources isn't practical. I'd love to do it- but I
don't have time. That said- if someone notifies me of a compromised host I
immediately investigate- and I suspect so would everyone else on this
Has anyone put together a centralized system where you can send in
a list of attacking bots, let it automatically sort by allocation, and
then let it notify the appropriate admin with a list of [potentially]
Then again: Considering how many admins don't care, how many end users
don't care/know, and how quickly many of these systems would get
re-infected, maybe it's all a bit pointless.
> I'd be surprised if there were much of either. That leaves reflector
> attacks. Are those that large a portion of the attacks people are
Everything I have seen of late has been legitimate traffic originating
from across the globe. With tens of thousands of compromised hosts that's
all it takes.