Interesting data. Do you filter or identify spoofed IP addresses?
Also, any data collected on more direct DoS attacks?

Thanks.
Rajesh.

--- begin message from Daniel Senie ---

> We have had enough regular attacks on our web farm to put together tools
> that catalogue the attacks, report them to a central database, and post
> them to a website. The data is extracted hourly for the website to cut down
> on server / database loading.
>
> You can find our display of this data at:
>
> http://www.shame.denialinfo.com/
>
> You have the option of viewing the data by IP address, date of attack or
> sorted by the number of attacks from a host. The attacking systems seem
> well distributed around the world, though the extent to which that's a
> result of open proxies is unclear.
>
> The data is aged out of the display (but not the database, just use select
> options to pick the data) after a period of time. We have much more data
> than we display on these pages, but this is enough for network operators to
> see if they've got habitually misbehaving hosts on their networks or their
> downstreams.
>
> Attacks we track include Nimda, Slapper and Formmail. Our servers are not
> vulnerable to the attacks, but the attacks generate enough traffic to
> result in a Denial of Service when they come in. We have considered a
> number of measures for blackholing traffic from these sites, but have not
> yet employed any of them. Building filter lists based on the dataset is
> impractical. We age the data in expectation of using it in a blackhole
> mechanism. We'd only want to block a host for a limited number of days
> after the last attack registered, so that hosts that have been secured will
> age off the list on their own.
>
> We'd be interested in comments and feedback on this mechanism, and hope
> some folks find it useful.
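The age-off blackhole mechanism Daniel describes (block a host only for a limited number of days after its last registered attack, so secured hosts drop off on their own), as an added example that is not code from either poster or from denialinfo.com; it assumes a constructed attack log of (ip, timestamp, attack type) records and a hypothetical block window:

```python
from datetime import datetime, timedelta

# Constructed sample records of the kind such tools would log:
# (source ip, timestamp, attack type). Not real data.
ATTACK_LOG = [
    ("192.0.2.10", "2002-10-01 03:15", "Nimda"),
    ("192.0.2.10", "2002-10-02 11:40", "Nimda"),
    ("198.51.100.7", "2002-09-01 08:00", "Slapper"),
    ("203.0.113.5", "2002-10-10 22:05", "Formmail"),
    ("203.0.113.5", "2002-10-11 01:30", "Formmail"),
    ("203.0.113.5", "2002-10-12 09:12", "Nimda"),
]


def summarize(log):
    """Per-host attack count, most recent attack time and attack types seen."""
    summary = {}
    for ip, ts, kind in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        entry = summary.setdefault(ip, {"count": 0, "last": when, "kinds": set()})
        entry["count"] += 1
        entry["kinds"].add(kind)
        if when > entry["last"]:
            entry["last"] = when
    return summary


def blackhole_set(log, now, max_age_days, min_attacks=1):
    """Hosts currently eligible for blackholing: at least min_attacks
    registered and the last one within max_age_days of `now`.  A host whose
    last attack is older than the window ages off automatically, so a host
    that has since been cleaned up stops being blocked without manual work."""
    cutoff = now - timedelta(days=max_age_days)
    return {
        ip
        for ip, e in summarize(log).items()
        if e["count"] >= min_attacks and e["last"] >= cutoff
    }


def sorted_by_attacks(log):
    """Hosts ordered by attack count, most active first (the 'sorted by the
    number of attacks from a host' view)."""
    s = summarize(log)
    return sorted(s, key=lambda ip: (-s[ip]["count"], ip))


if __name__ == "__main__":
    now = datetime(2002, 10, 14)  # hypothetical evaluation time
    print(blackhole_set(ATTACK_LOG, now, max_age_days=7))
```

Re-running `blackhole_set` with a later `now` shows a host dropping off once its last attack falls outside the window.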