Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Compromised Hosts?

  • From: Richard Cox
  • Date: Mon Mar 22 04:53:13 2004

On 22 Mar 2004 00:26 UTC Deepak Jain <deepak@ai.net> asked:

> Would any broadband providers that received automated, detailed
> (time/date stamp, IP information) with hosts that are being used to
> attack (say as part of a DDOS attack) actually do anything about it?

We are a broadband provider and I am responsible for the abuse desk.

If we have reason to believe that a host on our IP range is compromised
it comes offline unless we are able to contact the customer immediately
and satisfy ourselves that the compromise will be taken care of right
away.  We believe that is the only policy that can meet the established
expectation that ISPs will behave as "Responsible Neighbours".

> Would the letter have to include information like "x.x.x.x/32 has been
> blackholed until further notice or contact with you" to be effective?

Not here, anyway.  We accept email, IRC, SMS, telephone, snailmail or
fax: all we require to see is some verifiable evidence of the report.
The problem with any fully-automated reports is that systems used to
generate those reports have, generically, reputations for reporting
false alarms.  We feel we have to accept and discard false alarms in
order to be sure not to miss the genuine reports.

However the issue of blackholing x.x.x.x/32 might be ineffective since
quite a few broadband providers are using DHCP for their IP assignments,
(presumably so they can charge more for static IPs).  Users, on finding
a loss of connectivity, would almost always reboot, and/or restart their
cablemodem or xDSL router until a new IP was assigned ... which would
defeat the objective of the blackholing.  For that the only effective
remedy would be the inclusion of the entire DHCP range in any blacklist.
Such a policy might attract some controversy in several quarters ...

> If even 5% of these were acted upon, it might make a difference.

Sadly, any difference it did make would probably not be particularly
noticeable, as a strict mathematical analysis reveals.

-- 
Richard




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.