> There are still 10K-20K hosts spewing M$SQL slammer/sapphire packets, 
> and I'd like to start blocking routing to those irresponsible AS's 
> that haven't blocked their miscreant customers.

It's too early for such harsh measures. Unless you can live without 
most major consumer ISPs.

I don't have the AS data handy, but here is a quick list of the top 20
domains with number of Sapphire infected hosts:


    948 uu.net   ( 943 of which are 'da.uu.net' )
    796 attbi.com   ( 501 are client.attbi.com. 295 client2.attbi.com. )
    490 qwest.net   ( 488 are da.qwest.net )
    445 att.net     ( 438 are dial-access.att.net)
    416 rr.com
    408 btopenworld.com
    395 rasserver.net
    376 comcast.net
    333 ipt.aol.com
    304 com.br
    279 pacbell.net
    272 tpnet.pl
    267 dsl-verizon.net
    259 net.au
    253 ttd.es
    243 cable.rogers.com
    224 mindspring.com  (152 are dialup.mindspring.com)
    220 dyn.optonline.net
    217 net.br
    205 ne.jp


> 
> http://isc.sans.org/port_details.html?port=1434
> -- 
> William Allen Simpson
>     Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
> 


-- 
--------------------------------------------------------------------
[EMAIL PROTECTED]             Collaborative Intrusion Detection
                                         join http://www.dshield.org
