- * Our security team remains functional. Ignoring incidents creates bad habits in the security team.
- * It creates memory of how we are attacked. We need to know how we are attacked, so our defenses are anchored in reality.
- * It greatly reduces the amount of attack. The number of attacks drop off sharply a couple weeks after we begin religiously reporting attacking IPs. We have tested this effect several times. When we stop reporting, it ramps up. When we start, it drops to about 1/10th it's prior levels.
- * It notifies the owner/ISP of the remote computer that they are attacking. Usually they are also innocent victims.
- * In the last few years, the percentage of remote resolutions has been climbing. Currently, about 1/2 of the reported non-Chinese incidents appear to result in remote resolution.
We utilize some automation to handle the load. We have a few honey-pots. We also monitor our dark IPs. We learned to distinguish DoS backscatter, and the various types of frequently spoofed attacks. We thought that an enterprising hacker would attempt to spoof an important Internet resource and cause us to auto-immune ourselves to death. So we whitelisted a bunch of critical external IPs and looked for critical spoofing. In the last 10 years the amount of spoofed attack has dropped drastically. We recently found an incident where an attacker spoofed a critical Google resource and tried to get us to block it. That is the only time we have detected that kind of spoofed attack.
We have found that most attackers (even governments) don't like to have their attack methods documented and publicized. We have found that some ISPs turn evil and knowingly host attack, but they are quickly and easily blocked until they go broke or come to their senses.
We have found many institutional scans. The best of these groups provide timely assistance to those who are making mistakes. In our view, the best groups include the ShadowServer Foundation, EFF, and the Chaos Computer Club. The worst of these groups are simply feeding on the mistakes of others. The worst groups provide no assistance to others. The worst groups actually have motivation to preserve or enhance the problems of others.
More info is available here: