On Mon, Aug 14, 2017 at 8:41 AM, Derek Atkins <derek@xxxxxxxxx> wrote:
>> After analyzing the attack pattern, I've added a new long-term measure
> When you have time, could you elaborate on what long-term countermeasure
> you put into place? Enquiring minds want to know.

Good morning everyone (adjusted for your local timezone as appropriate)...

I've had several requests of this type this morning.

The attack against Mailman was sophisticated. It spoke not only to a good understanding of Mailman, but also, possibly, to a good understanding of what we have done to block attacks in the past. It was automated, yes, and widely distributed... but it was well adapted to the current state of Mailman today.

The attack pattern suggests to me that the primary goal was not so much flooding a few (obviously fake) target addresses with email, but, rather, forcing email providers to block the IETF (and any other impacted users) to prevent the flood of mail we were generating as a result of the attack.

Although to my great disappointment I don't have the luxury of participating in the IETF as a contributor, I do take the IETF's mission very seriously. I've learned in my years of associating with many of you that the IETF faces strong opposition from individuals, groups and governments who do *not* want global communications and connectivity to work... and that the IETF takes its ability to reach out to - and include - individuals around the world who want to participate - very seriously.

As a result, I personally consider this attack to be both directed, and serious.

I know that everyone is interested in what I found and what I did, and I get that... I would be too! On the other hand, *I* (and my small team) are the ones who get woken up at 3 in the morning local time (inevitably!) to deal with these types of things. And I have no illusions that the botnet authors and users are going to just "go away" - as with the spammers, it's a constant battle of "us vs them"... and I really don't feel like enabling their childishness anymore.

So, needless to say, I am hesitant to just openly describe attack countermeasures on a public list. :-) I'm sorry for that - I truly am - because as I said *I* would want to know, too. Although in this case it's not a big deal, just a tweak or two, but adjustments that, were they published, would be much easier for the bot authors to "adjust for".

For all of these reasons, I'm not comfortable just unilaterally exposing the IETF's defenses here... and I hope that you will all understand this.

I am preparing a summary report to the TMC outlining what was done, and I need to leave it to them to determine if - and how best - to present the information to interested persons.

Thanks for your support as we deal with the ongoing threats to the IETF.

Glen

--
Glen Barney
IT Director
AMS (IETF Secretariat)