North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: Monumentous task of making a list of all DDoS Zombies.
- From: Suresh Ramasubramanian
- Date: Sat Feb 07 23:57:18 2004
Wayne Gustavus (nanog) wrote:
http://cbl.abuseat.org
Interesting approach. It would be conceivable that if this resource was
Widely used, miscreants could use this service to DDoS there victims without
an army of zombies :-) I still submit that it is more advisable to address
the root of the problem by finding the true host that generated attack
traffic. Automating this process of matching dynamic IP to customer acct
with a timestamp and remediation is the goal.
Timestamps are, of course, a solution - they definitely help in quickly
identifying compromised hosts.
Another thing that helps with easier identification is a practice some
ISPs have of inserting the MAC address of the host into the reverse DNS
record, with a short TTL. When a new host gets that IP, the MAC address
changes too. I have seen at least one ISP do this - and it makes it a
whole lot easier for the ISP to quickly identify the host, rather than
having to trawl through RADIUS logs or whatever else.
Then, there's the little matter of ISPs implementing ingress filtering
as per BCP38 / RFC 2827. These DDoS zombies seem to also be used as a
ready source of spoofed source addresses for attacks.
srs
|
