Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


RE: Compromised Hosts?

  • From: Ejay Hire
  • Date: Mon Mar 22 11:59:29 2004

We get a lot of automated complaints.  A human reads all of
them, and acts on some of them.  I'm particularly fond of the
dozen-a-week "Source quench" attack emails we get, where Joe
Guy's IDS identifies the single source quench packet from a
DSL CPE as malicious.  Perhaps next time we should give our
ICMP control messages friendlier names.  :)


> -----Original Message-----
> From: []
> Behalf Of Dan Ellis
> Sent: Sunday, March 21, 2004 6:51 PM
> To:
> Subject: RE: Compromised Hosts?
> We're a regional broadband (cable/dsl) provider with 100K+
> subs and we do act on any notification regarding any one
> our IP's participating in a DDOS.  The most useful info is
> state it is a DDOS, it is affecting service for you, the 
> time/date and the IP of the source.  Traffic details
> help.  Our downfall is that due to the number of 
> "notifications", our abuse team sometimes gets behind; 
> sometimes issues are not acted on until after the DDOS has
> ceased.  Regardless, they are contacted, warned, their
> account is noted, and if the behavior occurs again, they
> disconnected until they are cleaned.
> I think it's difficult for the national guys to do this 
> mainly because of the number of complaints that are
> most e-mails are automated, most from innocent probes or 
> misconfigured firewalls - very few contain useful info or
> are DDOS's.
> --Dan
> --
> Daniel Ellis, CTO - PenTeleData
> (610)826-9293
>    "The only way to predict the future is to invent it."
>                                       --Alan Kay
> -----Original Message-----
> From: Deepak Jain []
> Sent: Sunday, March 21, 2004 7:26 PM
> To:
> Subject: Compromised Hosts?
> Nanogers -
> 	Would any broadband providers that received automated, detailed
> (time/date stamp, IP information) with hosts that are being used to
> attack (say as part of a DDOS attack) actually do anything about it?
> 	Would the letter have to include information like 
> "x.x.x.x/32 has been 
> blackholed until further notice or contact with you" to be
> 	If even 5% of these were acted upon, it might make a
> difference. The
> question is... would even 1% be?
> Thanks for your opinions,
> DJ
