nanog mailing list archives

Re: BCP38 thread 93,871,738,435 (was Re: register.com down sev0?)


From: Don <don () calis blacksun org>
Date: Thu, 26 Oct 2006 11:38:10 -0400 (EDT)


> Put another way, anti-spoofing does three things: it makes reflector
> attacks harder, it makes it easier to use ACLs to block sources, and it
> helps people track down the bot and notify the admin. Are people actually
> successfully doing either of the latter two?

I think it's a time constraint- looking up, sorting and notifying admins about 10,000 attack sources isn't practical. I'd love to do it- but I don't have time. That said- if someone notifies me of a compromised host I immediately investigate- and I suspect so would everyone else on this list.

Has anyone put together a centralized system where you can send in a list of attacking bots, let it automatically sort by allocation, and then let it notify the appropriate admin with a list of [potentially] compromised hosts?

Then again: Considering how many admins don't care, how many end users don't care/know, and how quickly many of these systems would get re-infected, maybe it's all a bit pointless.

> I'd be surprised if there were much of either. That leaves reflector attacks. Are those that large a portion of the attacks people are seeing?

Everything I have seen of late has been legitimate traffic originating from across the globe. With tens of thousands of compromised hosts that's all it takes.

-Don
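
The "sort by allocation" step asked about in the message above, as an added example that is not part of the original post or of any existing service: it groups reported source addresses under the most specific covering prefix and builds one notice per contact. The allocation table, contact addresses, sample submission and function names are all constructed for illustration; a real system would take the prefixes and contacts from registry (whois/RDAP) data.

```python
import ipaddress
from collections import defaultdict

# Constructed allocation table: documentation prefixes, hypothetical contacts.
ALLOCATIONS = [
    ("192.0.2.0/24", "abuse@isp-a.example"),
    ("198.51.100.0/24", "abuse@isp-b.example"),
    ("198.51.100.128/25", "noc@customer-of-b.example"),  # more-specific reassignment
    ("2001:db8::/32", "abuse@isp-c.example"),
]
# Constructed submission: duplicates, an uncovered source and a junk line.
SAMPLE = ["192.0.2.10", "192.0.2.10", "198.51.100.200", "198.51.100.7",
          "2001:db8::1", "203.0.113.5", "not-an-ip"]

def build_table(allocations):
    """Parse prefixes, most specific first, so the first hit is the longest match."""
    table = [(ipaddress.ip_network(p), c) for p, c in allocations]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)

def sort_by_allocation(lines, table):
    """Return (reports, unmatched, rejected); reports maps contact -> {prefix: [addr]}."""
    reports, unmatched, rejected = defaultdict(lambda: defaultdict(set)), set(), []
    for text in filter(None, map(str.strip, lines)):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            rejected.append(text)  # never forward unparseable input to an admin
            continue
        for net, contact in table:
            if addr.version == net.version and addr in net:
                reports[contact][str(net)].add(addr)  # set() drops duplicates
                break
        else:
            unmatched.add(addr)  # no covering allocation known
    order = lambda a: (a.version, int(a))  # IPv4 and IPv6 do not compare directly
    grouped = {c: {p: [str(a) for a in sorted(s, key=order)] for p, s in nets.items()}
               for c, nets in reports.items()}
    return grouped, [str(a) for a in sorted(unmatched, key=order)], rejected

def render_notice(contact, nets):
    """Build one notification body per contact listing its reported sources."""
    lines = [f"To: {contact}", "Potentially compromised hosts seen as attack sources:"]
    for prefix in sorted(nets):
        lines.append(f"  {prefix}: {', '.join(nets[prefix])}")
    return "\n".join(lines)

if __name__ == "__main__":
    reports, _, _ = sort_by_allocation(SAMPLE, build_table(ALLOCATIONS))
    print("\n\n".join(render_notice(c, n) for c, n in sorted(reports.items())))
```

Because the traffic described above is unspoofed, the source addresses in such a list are meaningful; with spoofed sources the same grouping would notify the wrong networks.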

