> There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets, > and I'd like to start blocking routing to those irresponsible AS's > that haven't blocked their miscreant customers.
Its too early for such harsh measures. Unless you can live without most major consumer ISPs. I don't have the AS data handy. but here a quick list of the top 20 domains with number of Sapphire infected hosts: 948 uu.net ( 943 of which are 'da.uu.net' ) 796 attbi.com ( 501 are client.attbi.com. 295 client2.attbi.com. ) 490 qwest.net ( 488 are da.qwest.net ) 445 att.net ( 438 are dial-access.att.net) 416 rr.com 408 btopenworld.com 395 rasserver.net 376 comcast.net 333 ipt.aol.com 304 com.br 279 pacbell.net 272 tpnet.pl 267 dsl-verizon.net 259 net.au 253 ttd.es 243 cable.rogers.com 224 mindspring.com (152 are dialup.mindspring.com) 220 dyn.optonline.net 217 net.br 205 ne.jp > > http://isc.sans.org/port_details.html?port=1434 > -- > William Allen Simpson > Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32 > -- -------------------------------------------------------------------- [EMAIL PROTECTED] Collaborative Intrusion Detection join http://www.dshield.org