RE: Compromised Hosts?

We're a regional broadband (cable/dsl) provider with 100K+ subs and we do act on any notification regarding any one of our IP's participating in a DDOS. The most useful info is to state it is a DDOS, it is affecting service for you, the time/date and the IP of the source. Traffic details always help. Our downfall is that due to the number of "notifications", our abuse team sometimes gets behind; sometimes issues are not acted on until after the DDOS has ceased. Regardless, they are contacted, warned, their account is noted, and if the behavior occurs again, they are disconnected until they are cleaned.

I think it's difficult for the national guys to do this mainly because of the number of complaints that are received; most e-mails are automated, most from innocent probes or misconfigured firewalls - very few contain useful info or are DDOS's.

--Dan

We get a lot of automated complaints. A human reads all of
them, and acts on some of them. I'm particularly fond of the
dozen-a-week "Source quench" attack emails we get, where Joe
Guy's IDS identifies the single source quench packet from a
DSL CPE as malicious. Perhaps next time we should give our
ICMP control messages friendlier names. :)

-Ejay

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Dan Ellis
Sent: Sunday, March 21, 2004 6:51 PM
To: nanog@merit.edu
Subject: RE: Compromised Hosts?


--
Daniel Ellis, CTO - PenTeleData
(610)826-9293

   "The only way to predict the future is to invent it."
                                      --Alan Kay

From: Deepak Jain [mailto:deepak@ai.net]
Sent: Sunday, March 21, 2004 7:26 PM
To: nanog@merit.edu
Subject: Compromised Hosts?

Nanogers -

  Would any broadband providers that received automated, detailed (time/date stamp, IP information) with hosts that are being used to attack (say as part of a DDOS attack) actually do anything about it?

  Would the letter have to include information like "x.x.x.x/32 has been blackholed until further notice or contact with you" to be effective?

If anyone had imagined a million windows twits with
blackice and enough free time to e-mail every alias
they could find sending in complaints (along with
threats to report you to the FBI, CIA, and DHS, as
well as sue you, your router vendor, and your dog)
every time your evil webserver hacked them by
responding to their port 80 connection when the ICMP
spec was written, they would have named them ICMP NOT
ECHO AN REPLY ATTACK etc. Perhaps if more people were
RFC3514 compliant... :)

Bottom line, it is remarkably difficult to take action
based on random internet complaints. If there is a
well known authoritative source for DoS tracking who
wants to publish a list to ISPs fine, but don't
expect the same reaction to random joe blow
complainer.