[nsp-sec] How to get a global K-line?

John Kristoff jtk at ultradns.net
Mon Mar 24 23:17:41 EDT 2008


On Mon, 24 Mar 2008 20:04:51 +0000
John Fraizer <john at op-sec.us> wrote:

> With that said, I can trace nearly 100% (7 9's) of our inbound DDoS
> activity to IRC flows just prior to the launch of the attacks.

If you can trace it after the attack, can you identify it before the
attack and generate real-time alerts on it or is the time interval
between IRC comms and DDoS too small?

> How would I go about nicely asking the *responsible* IRC operators to
> globally K-line our address space?  Even just K-lines on the *legit*
> IRC nets would have a significant impact for me lately and I don't
> have to take the heat of having null'd a host. :)

Letting IRCD ops filter your clients for you doesn't seem like the
appropriate response to me.  What you want is network nanny service
from someone who can take the blame when they filter something that
a higher up finds innocuous?  :-)

> Any ideas?

Detecting and alerting on anomalous IRC traffic might be a short-term
hack.

John
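
An added example, not part of the original message: one way to alert on new IRC flows from local clients and to measure how much warning each alert would have given before an inbound attack on the same host. The prefix, port list, one-hour window, record layout and all flow and attack records are constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Assumptions, not from the thread: prefix, port list, window, record layout.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
IRC_PORTS = set(range(6660, 6670)) | {7000}
WINDOW = 3600  # only count IRC alerts this many seconds before an attack

# Constructed flow records: time, src, dst, proto, dst port
FLOWS = """\
2008-03-24T19:00:05 192.0.2.10 198.51.100.7 tcp 6667
2008-03-24T19:01:00 192.0.2.44 203.0.113.9 tcp 80
2008-03-24T19:02:30 192.0.2.44 198.51.100.99 tcp 6667
2008-03-24T19:03:10 192.0.2.10 198.51.100.7 tcp 6667
2008-03-24T19:20:00 192.0.2.77 198.51.100.50 udp 6667
"""
# Constructed: onset of inbound floods toward local hosts, and known IRC pairs
ATTACKS = [("2008-03-24T19:06:30", "192.0.2.44"), ("2008-03-24T19:30:00", "192.0.2.77")]
BASELINE = {("192.0.2.10", "198.51.100.7")}

def parse(text):
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, proto, int(dport)

def irc_alerts(flows, baseline):
    """Alert once per (local client, IRC server) pair absent from the baseline."""
    seen, alerts = set(baseline), []
    for ts, src, dst, proto, dport in flows:
        if proto != "tcp" or dport not in IRC_PORTS:
            continue
        if ipaddress.ip_address(src) not in LOCAL_NET or (src, dst) in seen:
            continue
        seen.add((src, dst))
        alerts.append((ts, src, dst))
    return alerts

def lead_times(alerts, attacks):
    """Seconds from a host's latest prior IRC alert to its attack onset, or None."""
    out = {}
    for when, victim in attacks:
        t = datetime.fromisoformat(when)
        gaps = [(t - ts).total_seconds() for ts, src, _ in alerts if src == victim]
        gaps = [g for g in gaps if 0 <= g <= WINDOW]
        out[victim] = min(gaps) if gaps else None
    return out

if __name__ == "__main__":
    print(lead_times(irc_alerts(parse(FLOWS), BASELINE), ATTACKS))
```

A `None` lead time means the attack on that host had no preceding IRC alert in the window, so this check alone would not have warned about it.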


