Compromised Hosts?

Nanogers -

  Would any broadband providers that received automated, detailed (time/date stamp, IP information) reports about hosts that are being used to attack (say as part of a DDoS attack) actually do anything about it?

  Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?

  If even 5% of these were acted upon, it might make a difference. The question is... would even 1% be?

Thanks for your opinions,

DJ

Most of them don't even do anything when you send them registered postal
mail. Why would they do anything about automated email? They ignore
regular manual emails; I imagine they would doubly ignore automated ones.

-Dan

deepak@ai.net (Deepak Jain) writes:

  Would any broadband providers that received automated, detailed
(time/date stamp, IP information) reports about hosts that are being used to
attack (say as part of a DDoS attack) actually do anything about it?

while not a broadband provider, i would be interested in that information.

  Would the letter have to include information like "x.x.x.x/32 has
been blackholed until further notice or contact with you" to be
effective?

i'd like a dynamic update of a blackhole-style zone, please. while it
would not be my personal one (as shown in the following example), it would
be just like it.

naturally i would only share the update key with people whose judgement i
had confidence in -- deepak being an example of same. probably the zone
would only be accessible using a tsig query key that would also be known
only to a set of judgement-trusted people (maybe the same set, maybe not).

i run the script below as part of my maillog-watcher (when postfix signals
that a worm was rejected), and my http sham server (when it detects an
attempt to do something bad), and my smtp sham server (likewise). checking
just now i see 895028 entries auto-added to the list since inception (7 weeks
ago). imagine what we could accomplish with more judgement-trusted
contributors.

any interest? (this would probably show up as part of http://oarc.isc.org/
but before i propose it there i'm interested in field survey results.)
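The auto-add the poster describes (a maillog watcher feeding a blackhole-style zone through dynamic update), as an added example written for this page; it is not the poster's script, which is not reproduced above. It scans constructed Postfix log lines for worm rejections, turns each client address into a DNSBL owner name under a list zone, and emits an nsupdate(8) batch that adds the entry only when it is not already present. The zone name bl.example, the server address 192.0.2.53 and the 127.0.0.2 listing value are assumptions, as are the log lines themselves.

```python
import re
import ipaddress

# Constructed Postfix log lines for this example (hosts, addresses and queue
# IDs are made up; the "worm rejected" lines model what the post describes).
SAMPLE_MAILLOG = """\
Mar 22 00:31:07 mx postfix/cleanup[1234]: 5A3B1: reject: header Subject: hi from unknown[192.0.2.17]; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<pc>: 5.7.1 worm rejected
Mar 22 00:31:09 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 4.7.1 Client host rejected: cannot find your hostname; from=<x@example.com> to=<y@example.org> proto=SMTP helo=<foo>
Mar 22 00:31:11 mx postfix/smtpd[1236]: connect from mail.example.com[203.0.113.5]
Mar 22 00:31:12 mx postfix/cleanup[1237]: 7C9D2: reject: body worm signature from unknown[192.0.2.17]; from=<c@example.net> to=<d@example.org> proto=ESMTP helo=<pc>: 5.7.1 worm rejected
Mar 22 00:31:15 mx postfix/cleanup[1238]: 9E1F0: reject: header Subject: hi from unknown[198.51.100.77]; from=<e@example.net> to=<f@example.org> proto=ESMTP helo=<pc>: 5.7.1 worm rejected
"""

# Client address of a Postfix "reject:" entry: "... from host[1.2.3.4] ..."
REJECT_RE = re.compile(r"reject: .*?\bfrom \S*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def worm_rejects(log_text):
    """Sorted, de-duplicated client IPs of rejections whose log line mentions
    a worm. Non-worm rejections, connects and unparseable lines are skipped."""
    seen = set()
    for line in log_text.splitlines():
        if "worm" not in line:
            continue
        m = REJECT_RE.search(line)
        if not m:
            continue
        try:
            seen.add(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue
    return [str(ip) for ip in sorted(seen)]


def dnsbl_name(ip, zone):
    """DNSBL owner name: octets reversed under the list zone,
    e.g. 192.0.2.17 in bl.example -> 17.2.0.192.bl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def build_nsupdate(ips, zone, server, reason, ttl=3600, answer="127.0.0.2"):
    """Build an nsupdate(8) batch: one prereq/update/send group per address,
    so an address that is already listed fails only its own group (YXRRSET)
    instead of aborting the whole run. server/zone are restated per group."""
    lines = []
    for ip in ips:
        name = dnsbl_name(ip, zone)
        lines += [
            "server %s" % server,
            "zone %s" % zone,
            "prereq nxrrset %s A" % name,          # only add if not listed yet
            "update add %s %d A %s" % (name, ttl, answer),
            'update add %s %d TXT "%s"' % (name, ttl, reason),
            "send",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical zone and server; the batch is meant for nsupdate -k <tsig key>.
    print(build_nsupdate(worm_rejects(SAMPLE_MAILLOG), "bl.example.",
                         "192.0.2.53", "worm rejected by mx"), end="")
```

The batch is fed to `nsupdate -k <keyfile>` so every update is TSIG-signed with the key shared only with trusted contributors; the same key name appears in the zone's `allow-update` or `update-policy` in named.conf, and limiting who can even query the zone to holders of a second key is `allow-query { key "name"; };`. Nothing about the log format beyond the `reject: ... from host[ip]` shape is assumed, so the same parser serves a honeypot that logs in the same style.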

Nanogers -

        Would any broadband providers that received automated, detailed (time/date stamp, IP information) reports about hosts that are being used to attack (say as part of a DDoS attack) actually do anything about it?

The thing is to make it as clear and as easy as possible for the provider to act on the issue. So include things like source IP, port, dest IP, port, and time stamps in GMT. Note that the time is actually accurate (i.e. your clocks are NTP-synced) and make that clear in the report.

        Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?

No.

         ---Mike
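The report layout Mike asks for, as an added example written for this page (not code from the post): constructed flow records with local timestamps are converted to UTC, each address and port is validated so that a malformed field cannot turn the report into one of the false alarms the next post complains about, the events are grouped per attacking host, and one plain-text report per host is rendered with the source/destination IP and port, the UTC timestamp, and an explicit statement of whether the sensor clock is NTP-synchronised. The UTC-5 sensor zone, the flow records and the abuse@example.org contact are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# The sensor's local zone: assumed here to be a fixed UTC-5 offset.
SENSOR_TZ = timezone(timedelta(hours=-5))

# Constructed sample flows (local timestamp, src, sport, dst, dport, proto);
# addresses come from documentation ranges and the events are made up.
SAMPLE_FLOWS = [
    ("2004-03-21 19:26:03", "192.0.2.17", 3241, "203.0.113.80", 80, "tcp"),
    ("2004-03-21 19:26:03", "192.0.2.17", 3242, "203.0.113.80", 80, "tcp"),
    ("2004-03-21 19:26:05", "198.51.100.77", 1044, "203.0.113.80", 80, "tcp"),
    ("2004-03-21 19:26:06", "not-an-ip", 1, "203.0.113.80", 80, "tcp"),       # dropped
    ("2004-03-21 19:26:07", "192.0.2.17", 70000, "203.0.113.80", 80, "tcp"),  # dropped
]


def to_utc(local_ts, tz=SENSOR_TZ):
    """Turn a naive local timestamp into an explicit UTC string."""
    dt = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def validate(flow, tz=SENSOR_TZ):
    """Return a normalised event, or None if any field is unusable."""
    ts, src, sport, dst, dport, proto = flow
    try:
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        utc = to_utc(ts, tz)
    except ValueError:
        return None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return (utc, str(src), sport, str(dst), dport, proto.lower())


def group_by_source(flows, tz=SENSOR_TZ):
    """Valid events keyed by attacking source address, in time order."""
    groups = {}
    for flow in flows:
        ev = validate(flow, tz)
        if ev is not None:
            groups.setdefault(ev[1], []).append(ev)
    for evs in groups.values():
        evs.sort()
    return groups


def render_report(src, events, ntp_synced, contact="abuse@example.org"):
    """One plain-text report per source host carrying every field listed
    in the post; the clock statement is only made when it is actually true."""
    clock = ("NTP-synchronised" if ntp_synced
             else "NOT verified; treat times as approximate")
    fmt = "%-23s %-21s %-21s %s"
    lines = [
        "Subject: host %s participating in a DDoS against our network" % src,
        "From: %s" % contact,
        "",
        "The host below, in your address space, sent the following attack traffic.",
        "All timestamps are in UTC. Sensor clock: %s." % clock,
        "",
        fmt % ("timestamp (UTC)", "src ip:port", "dst ip:port", "proto"),
    ]
    for utc, s, sp, d, dp, proto in events:
        lines.append(fmt % (utc, "%s:%d" % (s, sp), "%s:%d" % (d, dp), proto))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for src, events in sorted(group_by_source(SAMPLE_FLOWS).items()):
        print(render_report(src, events, ntp_synced=True))
```

Whether the clock really is NTP-synchronised cannot be decided from the flow data, so the flag is passed in by the caller (from `ntpq -p` or the sensor's own monitoring) rather than asserted unconditionally; a report that claims accurate time it does not have is worse than one that says so.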

On 22 Mar 2004 00:26 UTC Deepak Jain <deepak@ai.net> asked:

Would any broadband providers that received automated, detailed
(time/date stamp, IP information) reports about hosts that are being used to
attack (say as part of a DDoS attack) actually do anything about it?

We are a broadband provider and I am responsible for the abuse desk.

If we have reason to believe that a host on our IP range is compromised
it comes offline unless we are able to contact the customer immediately
and satisfy ourselves that the compromise will be taken care of right
away. We believe that is the only policy that can meet the established
expectation that ISPs will behave as "Responsible Neighbours".

Would the letter have to include information like "x.x.x.x/32 has been
blackholed until further notice or contact with you" to be effective?

Not here, anyway. We accept email, IRC, SMS, telephone, snailmail or
fax: all we require to see is some verifiable evidence of the report.
The problem with any fully-automated reports is that systems used to
generate those reports have, generically, reputations for reporting
false alarms. We feel we have to accept and discard false alarms in
order to be sure not to miss the genuine reports.

However the issue of blackholing x.x.x.x/32 might be ineffective since
quite a few broadband providers are using DHCP for their IP assignments,
(presumably so they can charge more for static IPs). Users, on finding
a loss of connectivity, would almost always reboot, and/or restart their
cablemodem or xDSL router until a new IP was assigned ... which would
defeat the objective of the blackholing. For that the only effective
remedy would be the inclusion of the entire DHCP range in any blacklist.
Such a policy might attract some controversy in several quarters ...

If even 5% of these were acted upon, it might make a difference.

Sadly, any difference it did make would probably not be particularly
noticeable, as a strict mathematical analysis reveals.