
[ Quoting Petra Zeidler <zeidler@xlink.net> ]:
there seems to have been quite a wash of stealth portscans and/or pepsi attacks lately (stealth portscan: you portscan with 99% of the sender
Even worse (at least here): There's a modified version of Pepsi5 around letting the attacker control his bot via ICMP, which allows control even when the net is nearly down due to the UDP attacks.
cybercity.dk must have been seeing some of these attacks pass, first glance judging from http://stat.cybercity.dk/ripe/ and the fallout in de.xlink (where I positively know the addresses not to be routed) and de.zz (where most of the address space is handled by RIPE nowadays).
Same goes for de.IPF, where these types of attacks caused quite a bit of work and manpower to be wasted. The last few weeks I've been working full-time just on these problems.
I'd like to have a chance to catch the perpetrators. This would need to be a multi-provider cooperation in the majority of cases. Do we have an appropriate forum to discuss this at the next RIPE meeting?
I'd vote for a WG focussing on these things. IIRC there have been plans on a RIPE-Security WG around RIPE-29 or 30. If there's a bigger interest in these topics, what about a Security-BOF next RIPE? In general, net-abuse has become one of the major problems these days, including but not limited to attacks, scans, mailbombs, a.s.o.

regards,
Jonas Luster
--
Gigabell AG / Frankfurt        Signed / encrypted mail welcome
Chief Security Engineer        Key to be found on the known places
j.luster@cert.gigabell.net     Securing the net of the future