North American Network Operators Group
Re: Monumentous task of making a list of all DDoS Zombies.
- From: Iljitsch van Beijnum
- Date: Sun Feb 08 12:15:19 2004
On 8-feb-04, at 10:05, Suresh Ramasubramanian wrote:

>> Coming up with new types of probes all the time to check for this
>> would be a huge amount of work.

> Would that be any less work than clearing up the mess left by an
> infestation of DDoS zombies? :)

Apples and oranges. You need to clean up the zombies regardless of
whether they succeeded in attacking the victim or they were stopped.

>> I favor an approach where people no longer get to send data at high
>> speed without the recipient's approval. Just sending data in the
>> blind or any type of scanning could then trigger a severe rate limit
>> or raise an alarm.

> It is fairly easy to work around rate limits by just scaling
> laterally, and compromising a few million more boxes. If the next
> virus grabs 4M, or 20M boxes instead of just a measly 2M boxes, you
> can rate limit all you like, but it really won't help.

Help against what? You're right that if a million boxes send one 125
byte packet per second to the same place, that's still a gigabit worth
of traffic, that particular place is going to receive a gigabit worth
of traffic. But how are you going to infect a million boxes if you can
only scan one address per second?

And let's not be so blase as to assume that all DoS attacks are done with a
million zombies at a time.
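
Added example, not part of the original message: a sketch of the "no high-speed sending without the recipient's approval" policy discussed above, as a per-source token bucket charged only for packets to peers that have not yet sent anything back. The class name, the rate and burst values, and the trace are assumptions constructed for illustration.

```python
from collections import defaultdict

RATE = 1.0   # assumed: unapproved packets per second a source may sustain
BURST = 5    # assumed: unapproved packets tolerated in a short burst


class ApprovalThrottle:
    """Packets to a peer that has already sent us traffic are free;
    everything else spends a token from the sender's bucket."""

    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}          # last unapproved send time per source
        self.approved = set()        # (sender, receiver) pairs with approval
        self.forwarded = defaultdict(int)
        self.dropped = defaultdict(int)   # each drop is also an alarm signal

    def observe(self, ts, src, dst):
        """Return True if the packet is forwarded, False if throttled."""
        if (src, dst) not in self.approved:
            elapsed = ts - self.last_seen.get(src, ts)
            self.last_seen[src] = ts
            self.tokens[src] = min(self.burst,
                                   self.tokens[src] + elapsed * self.rate)
            if self.tokens[src] < 1.0:
                self.dropped[src] += 1
                return False
            self.tokens[src] -= 1.0
        # By sending to dst, src approves whatever dst sends back.
        self.approved.add((dst, src))
        self.forwarded[src] += 1
        return True


def constructed_trace():
    """Constructed sample: one normal client/server flow, one scanner."""
    client, server, scanner = "10.0.0.5", "192.0.2.10", "10.0.0.66"
    trace = [(0.0, client, server), (0.01, server, client)]
    trace += [(0.02 + i / 1000, client, server) for i in range(100)]
    trace += [(k / 50, scanner, f"198.51.100.{k + 1}") for k in range(50)]
    return sorted(trace)


def run(trace):
    throttle = ApprovalThrottle()
    for ts, src, dst in trace:
        throttle.observe(ts, src, dst)
    return throttle
```

The client pays one token for its first packet and then sends freely once the server has answered, while the scanner exhausts its burst allowance within the first second and has the rest of its probes dropped.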