North American Network Operators Group
Re: Compromised Hosts?
On Mon, Mar 22, 2004 at 10:53:29AM -0600, Ejay Hire wrote:
>
> We get a lot of automated complaints. A human reads all of
> them, and acts on some of them. I'm particularly fond of the
> dozen-a-week "Source quench" attack emails we get, where Joe
> Guy's IDS identifies the single source quench packet from a
> DSL CPE as malicious. Perhaps next time we should give our
> ICMP control messages friendlier names. :)

If anyone had imagined a million Windows twits with blackice and enough free time to e-mail every alias they could find sending in complaints (along with threats to report you to the FBI, CIA, and DHS, as well as sue you, your router vendor, and your dog) every time your evil webserver hacked them by responding to their port 80 connection when the ICMP spec was written, they would have named them ICMP NOT ECHO AN REPLY ATTACK etc.

Perhaps if more people were RFC3514 compliant... :)

Bottom line, it is remarkably difficult to take action based on random internet complaints. If there is a well known authoritative source for DoS tracking who wants to publish a list to ISPs fine, but don't expect the same reaction to random joe blow complainer.

--
Richard A Steenbergen <email@example.com> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)