[nsp-sec] search by asn
Gabriel Iovino
giovino at ren-isac.net
Mon Apr 1 20:56:54 EDT 2013
On 4/1/2013 6:23 PM, James A. T. Rice wrote:
> On Mon, 1 Apr 2013, John Kristoff wrote:
>
>> If I'm missing something else you'd really like to see, let me know.
>
> Perhaps the information for real prioritisation is best based upon the
> volume of traffic received from any given amplifier (the type of
> amplifier is certainly nice to know).
>
> We have a bunch of gaming server customers who regularly get DoSsed via
> DNS Amplification, I could contribute the traffic stats / netflow data /
> pcap data from the attacks if that's at all useful. Maybe others could
> do some of the above too? The badness of a given host could be
> normalised and used to give an aggregate score.
>
> ...
>
> Thoughts?
It's funny you mention this as I was just having a side conversation
with jtk on this very topic.
We obtained one day's worth of data in the recent Spamhaus attack that
identified 37 open resolvers in .edu. We sent one notification saying
"these open resolvers were seen participating in a DDoS..." As of today,
17 of them, or 45%, are no longer open resolvers.
I believe there is a big difference when reporting on an open resolver
that *may* be used in an attack vs. reporting on an open resolver that
*was* used in an attack.
If one or more of you have consistent visibility into DDoS attacks
leveraging open resolvers and if we can get consistent reports of those,
I am sure the REN-ISAC can make a big dent in open resolvers in .edu. I
would like to think other CERTs (e.g. cert-fi) would have similar success.
Gabe
--
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
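The prioritisation James sketches above (volume per amplifier, normalised per contributor, summed into an aggregate score, then grouped by ASN so a notifier can report per network) as an added example; this is not code from the list or from REN-ISAC, and the flow records are constructed sample data with documentation IPs and private ASNs.

```python
from collections import defaultdict

# Constructed sample records (not real data): one aggregated flow per
# amplifier seen sending to a victim, as a contributing network might
# export it. Fields: contributor, amplifier_ip, amplifier_asn, bytes sent.
SAMPLE_FLOWS = [
    ("netA", "192.0.2.10", 64496, 8_000_000),
    ("netA", "192.0.2.11", 64496, 2_000_000),
    ("netA", "198.51.100.5", 64497, 500_000),
    ("netB", "192.0.2.10", 64496, 300_000),
    ("netB", "203.0.113.7", 64498, 900_000),
]


def score_amplifiers(flows):
    """Normalise each contributor's per-amplifier volume to its share of
    that contributor's total observed attack traffic (0..1), then sum the
    shares across contributors. Normalising per contributor keeps one
    large network's raw byte counts from swamping everyone else's."""
    per_contrib = defaultdict(lambda: defaultdict(int))
    asn_of = {}
    for contributor, ip, asn, nbytes in flows:
        per_contrib[contributor][ip] += nbytes
        asn_of[ip] = asn
    scores = defaultdict(float)
    for volumes in per_contrib.values():
        total = sum(volumes.values())
        for ip, nbytes in volumes.items():
            scores[ip] += nbytes / total
    return {ip: (asn_of[ip], round(s, 4)) for ip, s in scores.items()}


def prioritised_by_asn(flows):
    """Group scored amplifiers by ASN, highest score first within each
    group, so one notification per network lists its worst hosts first.
    Every host here was actually observed in an attack, which is the
    'was used' case rather than the 'may be used' case."""
    by_asn = defaultdict(list)
    for ip, (asn, score) in score_amplifiers(flows).items():
        by_asn[asn].append((score, ip))
    return {asn: sorted(hosts, reverse=True) for asn, hosts in by_asn.items()}


if __name__ == "__main__":
    for asn, hosts in sorted(prioritised_by_asn(SAMPLE_FLOWS).items()):
        print(f"AS{asn}: {hosts}")
```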