BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)

Don don at calis.blacksun.org
Thu Oct 26 15:38:10 UTC 2006

> Put another way, anti-spoofing does three things: it makes reflector
> attacks harder, it makes it easier to use ACLs to block sources, and it
> helps people track down the bot and notify the admin. Are people actually
> successfully doing either of the latter two?
I think it's a time constraint- looking up, sorting and notifying admins 
about 10,000 attack sources isn't practical. I'd love to do it- but I 
don't have time. That said- if someone notifies me of a compromised host I 
immediately investigate- and I suspect so would everyone else on this 

Has anyone put together a centralized system where you can send in 
a list of attacking bots, let it automatically sort by allocation, and 
then let it notify the appropriate admin with a list of [potentially] 
compromised hosts?

Then again: Considering how many admins don't care, how many end users 
don't care/know, and how quickly many of these systems would get 
re-infected, maybe it's all a bit pointless.

> I'd be surprised if there were much of either.  That leaves reflector 
> attacks.  Are those that large a portion of the attacks people are 
> seeing?
Everything I have seen of late has been legitimate traffic originating 
from across the globe. With tens of thousands of compromised hosts that's 
all it takes.
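
The "sort by allocation, then notify" workflow asked about in the message above, as an added example that is not part of the original post or any existing service. The allocation table, contacts, and source list are constructed; a real service would take allocations from registry data, and the grouping is only meaningful when source addresses are not spoofed.

```python
import ipaddress
from collections import defaultdict

# Constructed table: documentation prefixes, hypothetical abuse contacts.
ALLOCATIONS = [
    ("192.0.2.0/24", "abuse@isp-a.example"),
    ("198.51.100.0/24", "abuse@isp-b.example"),
    ("198.51.100.128/25", "abuse@customer-of-b.example"),  # more specific
    ("2001:db8::/32", "abuse@isp-c.example"),
]
# Constructed submission: one duplicate, one unallocated source, one bad line.
SAMPLE_SOURCES = ["192.0.2.10", "198.51.100.200", "198.51.100.7",
                  "192.0.2.10", "203.0.113.5", "2001:db8::1", "not-an-ip"]

def build_table(allocations):
    """Parse prefixes and order them longest-first for most-specific match."""
    table = [(ipaddress.ip_network(p), c) for p, c in allocations]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)

def lookup(table, addr):
    for net, contact in table:
        if net.version == addr.version and addr in net:
            return net, contact
    return None

def sort_by_allocation(sources, allocations=ALLOCATIONS):
    """Group deduplicated sources as contact -> network -> {addresses}."""
    table = build_table(allocations)
    reports = defaultdict(lambda: defaultdict(set))
    unmatched, rejected = set(), []
    for raw in sources:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append(raw)  # keep bad input visible, never guess
            continue
        hit = lookup(table, addr)
        if hit is None:
            unmatched.add(addr)
        else:
            reports[hit[1]][hit[0]].add(addr)
    return reports, unmatched, rejected

def render(contact, by_net):
    lines = [f"To: {contact}", "Subject: [potentially] compromised hosts", ""]
    for net in sorted(by_net, key=str):
        lines.append(f"{net}:")
        lines += [f"  {a}" for a in sorted(by_net[net])]
    return "\n".join(lines)
```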

