RE: How many backbones here are filtering the makelovenotspam screensaver site?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

From: Aaron Glenn [mailto:aaron.glenn@gmail.com]
Sent: Thursday, December 02, 2004 2:52 PM
To: Chad Skidmore
Cc: nanog@merit.edu
Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?

> To your other point, how do you know that other botnets are not being
> identified and taken down every day by network operators? I know for a
> fact that they are, they just are not nearly as public as this one so
> those activities go largely unacknowledged.

I find that very hard to believe. After getting nailed
(900Mbps/4000 unique hosts from the 1 second network capture
we could get) by a
relatively(?) small botnet, and doing all the hard work for
them, not one of the 20 networks we contacted (9 being very
very large) gave a flying piece of excrement as to what was going
on.

It wasn't the first and probably won't be the last. Is that
too small a fish to fry? Do ops only care when it's 2Gbps of
sustained traffic choking their border routers, because I'm
halfway there...

</rant>

Regards,
Aaron

Sorry your experience has been different, this is definitely one of
those YMMV kinds of deals. That is a significant attack by most
anyone's standards. Getting to the right security team usually ends
up being the challenge. Once there however we have found many
providers do a great job of dealing with attacks quickly. Use of BGP
triggered blackholes can be a great help and going to the NOC/Abuse
team with lots of good information from the start helps you get to
the people that can pull the attack off quickly. You have to remember
that, like all of us, larger service providers have their share of
low clue factor customers. The quicker you can help them realize
that you have a fairly high clue factor the quicker you'll get to
folks on their side with a high clue factor. During times of
outages, attacks, etc. it is easy to get agitated quickly and that
often times doesn't help you get through the first couple of barrier
noc techs.

Anyway, just my $.02 worth and as we can see YMMV.

Chad

----------------------------
Chad E Skidmore
One Eighty Networks, Inc.
http://www.go180.net
509-688-8180

Okay, making this an operational issue. Say you are attacked. Say it isn't even a botnet. Say a new worm is out and you are getting traffic from 19 different class A's.

Who do you call? What do you block?

How can a noc team here help?

"Please block any outgoing connections from your network to ours on port 25? Please?" I tried this once... it doesn't help. I ended up blackholing an entire country just to mitigate it a bit, for a few hours.

Any practical suggestions?

  Gadi.
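Chad's advice to approach the NOC/abuse team "with lots of good information from the start" and Gadi's "What do you block?" both come down to the same first step: turning a short capture into numbers per source network rather than per country. The script below is an added example, not code from anyone in this thread. It assumes you already have flow records of the form (source IP, destination port, bytes) from a capture window; the records embedded here are constructed from RFC 5737 documentation ranges and are not from any real attack.

```python
"""Turn a one-second attack capture into an abuse-desk report.

Added example, not code from the NANOG thread. The flow tuples below are
constructed; replace them with records from your own capture or flow export.
"""
from collections import defaultdict
import ipaddress

# Constructed sample flows: (src_ip, dst_port, bytes) seen in a 1-second window.
SAMPLE_FLOWS = [
    ("198.51.100.7", 80, 1_500_000),
    ("198.51.100.9", 80, 1_400_000),
    ("198.51.100.23", 80, 1_600_000),
    ("203.0.113.4", 80, 900_000),
    ("203.0.113.77", 80, 1_000_000),
    ("192.0.2.200", 25, 100_000),
    ("192.0.2.201", 25, 50_000),
]


def summarize(flows, window_seconds=1.0):
    """Aggregate flows by /24 source prefix and by destination port.

    Returns the aggregate rate in Mbps, the number of unique sources, and the
    prefixes ranked by bytes, so the report leads with the networks whose
    abuse desks should be contacted first.
    """
    total_bytes = 0
    sources = set()
    by_prefix = defaultdict(lambda: {"bytes": 0, "hosts": set()})
    by_port = defaultdict(int)
    for src, port, nbytes in flows:
        addr = ipaddress.ip_address(src)
        # Collapse each host into its covering /24 (strict=False keeps host bits).
        prefix = ipaddress.ip_network(f"{addr}/24", strict=False)
        total_bytes += nbytes
        sources.add(addr)
        by_prefix[prefix]["bytes"] += nbytes
        by_prefix[prefix]["hosts"].add(addr)
        by_port[port] += nbytes
    ranked = sorted(
        ((str(p), d["bytes"], len(d["hosts"])) for p, d in by_prefix.items()),
        key=lambda t: t[1], reverse=True)
    return {
        "mbps": total_bytes * 8 / window_seconds / 1_000_000,
        "unique_sources": len(sources),
        "prefixes": ranked,
        "ports": sorted(by_port.items(), key=lambda t: t[1], reverse=True),
    }


def candidate_blackholes(flows, share=0.10):
    """Return the /24 prefixes that each carry at least `share` of attack bytes.

    Blackholing these (for example via a BGP-triggered blackhole route) removes
    most of the volume with far less collateral damage than dropping a whole
    country or /8.
    """
    report = summarize(flows)
    total = sum(b for _, b, _ in report["prefixes"])
    return [p for p, b, _ in report["prefixes"] if total and b / total >= share]


def format_report(flows, window_seconds=1.0):
    """Render the summary as plain text suitable for pasting into an abuse ticket."""
    r = summarize(flows, window_seconds)
    lines = [f"Aggregate: {r['mbps']:.1f} Mbps from {r['unique_sources']} unique "
             f"sources over a {window_seconds:g}s window"]
    for prefix, nbytes, hosts in r["prefixes"]:
        rate = nbytes * 8 / window_seconds / 1_000_000
        lines.append(f"  {prefix:<20} {rate:7.1f} Mbps  {hosts} hosts")
    lines.append("Destination ports by bytes: "
                 + ", ".join(f"{p}:{b}" for p, b in r["ports"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_FLOWS))
    print("Candidate /24 blackholes:", candidate_blackholes(SAMPLE_FLOWS))
```

The report lists each /24 with its share of the traffic and host count, which is what an upstream's security team needs to confirm the attack on their side, and `candidate_blackholes` gives a short, specific list of prefixes to drop instead of an entire country's address space.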