We're a regional broadband (cable/dsl) provider with 100K+ subs and we do act on any
notification regarding any one of our IP's participating in a DDOS. The most useful
into is to state it is a DDOS, it is affecting service for you, the time/date and the
IP of the source. Traffic details always help. Our downfall is that due to the
number of "notifications", our abuse team sometimes gets behind; sometimes issues are
not acted on until after the DDOS has ceased. Regardless, they are contacted, warned,
their account is noted, and if the behavior occurs again, they are disconnected until
they are cleaned.
I think it's difficult for the national guys to do this mainly because of the number
of complaints that are received; most e-mails are automated, most from innocent probes
or misconfigured firewalls - very few contain useful info or are DDOS's.
--Dan
--
Daniel Ellis, CTO - PenTeleData
(610)826-9293
"The only way to predict the future is to invent it."
--Alan Kay
-----Original Message-----
From: Deepak Jain [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 21, 2004 7:26 PM
To: [EMAIL PROTECTED]
Subject: Compromised Hosts?
Nanogers -
Would any broadband providers that received automated, detailed
(time/date stamp, IP information) with hosts that are being used to
attack (say as part of a DDOS attack) actually do anything about it?
Would the letter have to include information like "x.x.x.x/32 has been
blackholed until further notice or contact with you" to be effective?
If even 5% of these were acted upon, it might make a difference. The
question is... would even 1% be?
Thanks for your opinions,
DJ
