[cm2187]

Out of curiosity, what are the follow ups of an attack like that? The perpetrators are probably using their own servers or compromised clients or servers. Would DNS Simple follow up on this with the abuse/complaint dept of the ISP of the attackers? Are ISP typically responsive to abuse and complaints? If they are not is there any way to black list blocks of IPs assigned to ISP who do not care about being the source of DDoS attacks?

Investing in anti DDoS devices is important but even more important is for the perpetrators to face the consequences of their acts (or anyone who lets his machine being used by pirates - terminating or suspending their contract would be a fair response).

[iancarroll]

I was looking at http://map.ipviking.com earlier and it was apparent it was a botnet, most likely innocent home users with a virus.

[brownbat]

It'd be nice if IPs involved in botnet DDoS's could go into a public registry, then get a banner from Google saying, "Hey, you might have a virus, someone reported you to this list."

Abuse would be tricky, you might be able to limit it by letting only a few DDoS mitigation providers populate the list.

[llasram]

This is actually one of the main uses for the ISP/telco product appliance sold by my employer, Damballa. The appliance reports client IPs which appear to be infected with malware to the ISP, who then reports this their affected customers by whatever mechanism the ISP prefers.

This particular DDoS I actually believe is _not_ due to a botnet, or at least believe there is insufficient evidence either way. The attack appears to be using a technique/infrastructure I’ve been passively tracking for nearly a year, wherein the attack DNS requests are spoofed to appear from seemingly-random clients and sent to open recursive DNS servers across the Internet. This makes the attack look like a botnet to superficial analysis on the target side, but this isn’t necessarily the case. In the small amount of time I’ve so-far invested in trying to track down the origin, I have yet to observe generation of the initial query packets.

[thaumaturgy]

> banner from Google saying, "Hey, you might have a virus, someone reported you to this list."

Unfortunately this is already in use with some malicious ads as well as phone scams to get people to give remote access to overseas tech centers that then scam them into paying good money for nothing.

To date the only tech line about this is, "nobody legitimate will ever contact you to tell you you're infected with a virus."

So I don't know how you could develop trust in that environment.

[Xylakant]

A lot of ISPs for example in Germany reuse IP addresses and force a reconnect every 24 hours. I don't think showing me banners because the previous "owner" of the IP had a virus is going to improve the situation.

Other people share a network behind a NATed IP which is also a problem. They'd all receive a banner, check their computer and a test would come up negative.

[cm2187]

Google wouldn't know but the ISP would know who was behind a particular IP at a specific time. They are the ones who should police their network when there are abuses.

[Xylakant]

The original proposal was that google delivers the ads. So google would have to contact my ISP who would then have to return whether or not I was using any of the given "spammy" IPs at the time that they were spammy - or my ISP would have to deliver the banner.

No thanks.

[coldpie]

Remember to keep any machine under your control up to date! I'm looking at you, XP die-hards. If you're able to, monitor your network traffic periodically as well.

[bobbykjack]

It's easy to toss out statements like "monitor your network traffic"; do you have any good suggestions for how an average developer with relatively little understanding of networking can go about doing so?

[coldpie]

Well, my router with dd-wrt just gives me a traffic diagram. I don't check it super often, admittedly. I wonder if it could be modified to signal a warning somehow?

[jamespo]

Glasswire for Windows or Little Snitch for Mac?