North American Network Operators Group
Re: Monumentous task of making a list of all DDoS Zombies.
- From: Suresh Ramasubramanian
- Date: Sun Feb 08 02:29:54 2004
Sean Donelan wrote:
I'm aware of these - but surely there's something about the user which
you can stick into rDNS (hashed / encrypted if you like) that'll
identify the user?
In practice MAC address tracking only works for a few very specific ISP
architectures, such as when the ISP supplies the hardware used to connect
to the network.
The problem with trojans etc. is that there are so damn many of them, so the
less time spent actually tracking down the user who was on IP X at time
Y, the better it is for the ISP's staffers who handle complaints about
Of course, prevention is better than cure, so another recourse the ISP
has is to be proactive - setting up a scanner to sweep the host that
comes up on an IP the moment the DHCP server assigns it. If not a full-blown
portscan or anything, then at least a quick once-over that looks
for signs of the current "big problem" trojans / zombies.
I have heard from someone who hosts one of the mirrors for a site that
is a DDoS magnet. I recall his saying that a non-trivial number of
attacks coming at this mirror were from spoofed source addresses.
There are several ISPs which implement ingress filtering per
BCP38/RFC2827. None of them have seen a change in the number of DDoS
attacks. The people who track this kind of stuff say that most
attacks do not use spoofed addresses.
No, I don't claim that BCP38 is a magic bullet either. But I do put it
to you that the way to at least mitigate this menace includes a
combination of several steps -
1. Easy identification of hosts, at least to the ISP (to avoid privacy
2. Sensible filtering practices
3. Proactive network sweeps
4. Quick and immediate isolation of infected hosts - nullroute them, or
maybe VLAN them into their own corner of the 'net, where the only thing
they can access over http is an ISP support page saying "please un-root
your computer, or contact us at 1-800-[foo] for help and more details"
5. Cooperation with law enforcement if necessary, to track down and
punish the DDoSer.
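Steps 3 and 4 of the list above (sweep a host the moment its lease is ACKed, then nullroute or walled-garden it if it shows signs of a known zombie) as an added example; this is not code from the thread or from any ISP's tooling. It assumes ISC dhcpd syslog lines (the sample log is constructed), an illustrative watchlist of three backdoor ports current in early 2004, an assumed support-page server at 192.0.2.10, and it returns the Linux `ip route` / `iptables` commands an operator would push rather than executing them.

```python
import re
import socket

# Constructed sample of ISC dhcpd syslog output. The line format is dhcpd's real
# one; the hosts, MACs and timestamps are made up for this example.
SAMPLE_DHCP_LOG = """\
Feb  8 02:29:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
Feb  8 02:29:01 dhcp1 dhcpd: DHCPOFFER on 10.0.0.5 to 00:11:22:33:44:55 via eth1
Feb  8 02:29:02 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 via eth1
Feb  8 02:30:10 dhcp1 dhcpd: DHCPACK on 10.0.0.9 to 00:aa:bb:cc:dd:ee (laptop) via eth1
"""

# Only a DHCPACK means the address was actually handed out, so only ACKs trigger
# a sweep. OFFERs and DISCOVERs are ignored.
DHCPACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Illustrative watchlist of TCP listeners opened by backdoors that were current
# in early 2004. A production sweep would keep its own, regularly updated list.
WATCHLIST = {
    3127: "MyDoom.A backdoor",
    12345: "NetBus",
    27374: "SubSeven",
}

# Assumed address of the walled-garden web server that serves the
# "please un-root your computer" support page.
SUPPORT_PAGE = "192.0.2.10"


def parse_dhcpacks(log_text):
    """Return (ip, mac) for every DHCPACK in the log, in log order."""
    leases = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases.append((m.group("ip"), m.group("mac").lower()))
    return leases


def tcp_probe(ip, port, timeout=0.5):
    """True if a TCP connect to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def quick_sweep(ip, probe=tcp_probe, watchlist=WATCHLIST):
    """The 'quick once-over': check only the watchlist ports, not a full portscan."""
    return {port: name for port, name in watchlist.items() if probe(ip, port)}


def quarantine_commands(ip, mode="walled-garden", support=SUPPORT_PAGE):
    """Commands an operator would push to isolate the host (returned, not run)."""
    if mode == "nullroute":
        # Linux blackhole route: everything to/from the host is simply dropped.
        return [f"ip route add blackhole {ip}/32"]
    if mode == "walled-garden":
        # Let the host resolve names, send all of its HTTP to the support page,
        # and drop everything else it originates.
        return [
            f"iptables -t nat -A PREROUTING -s {ip} -p tcp --dport 80 "
            f"-j DNAT --to-destination {support}:80",
            f"iptables -A FORWARD -s {ip} -p udp --dport 53 -j ACCEPT",
            f"iptables -A FORWARD -s {ip} -d {support} -p tcp --dport 80 -j ACCEPT",
            f"iptables -A FORWARD -s {ip} -j DROP",
        ]
    raise ValueError(f"unknown quarantine mode {mode!r}")


def handle_leases(log_text, probe=tcp_probe, mode="walled-garden"):
    """Sweep each newly ACKed lease and return a report keyed by IP. The MAC is
    kept alongside so the abuse desk can tie IP X at time Y to a subscriber
    without a second lookup later."""
    report = {}
    for ip, mac in parse_dhcpacks(log_text):
        findings = quick_sweep(ip, probe)
        report[ip] = {
            "mac": mac,
            "findings": findings,
            "actions": quarantine_commands(ip, mode) if findings else [],
        }
    return report


if __name__ == "__main__":
    # Probing the sample's 10.0.0.0/8 addresses for real would hit whatever is on
    # the local network, so a fake probe stands in here to show the flow offline.
    fake = lambda ip, port: ip == "10.0.0.5" and port == 3127
    for ip, entry in handle_leases(SAMPLE_DHCP_LOG, probe=fake).items():
        print(ip, entry["mac"], entry["findings"], *entry["actions"], sep="\n  ")
```

`quick_sweep` deliberately takes the probe as a parameter: the same code runs against live hosts with `tcp_probe` and against canned results in a test. The walled-garden rule set leaves DNS open so the subscriber's browser can still resolve a name before the DNAT sends its HTTP to the support page; on a real deployment that is the place to think about what else (DNS tunnelling, non-HTTP C&C) the quarantined host can still reach.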