North American Network Operators Group
Re: Monumentous task of making a list of all DDoS Zombies.
- From: Suresh Ramasubramanian
- Date: Tue Feb 10 04:59:34 2004
Steve Birnbaum wrote:
> So you want a major ISP to simply automatically disable accounts of its
> users based only on automated detection of an IP address and timestamp in
> something that APPEARS to be a complaint to an automated script?
Hi
You have two things confused from my previous mail.
1. Set up router / IDS acls that look for outbound / inbound traffic
that is characteristic of worms (or whatever), and have the accounts
deactivated based on that.
2. Set up your NOC to use a sensible ticket system optimized for
incident handling (RTIR + RT3, and Abacus seem to be the only contenders
so far according to a recent discussion I had with admins on another
list).
A lot of the NOCs use ticketing systems that are either designed for
customer service apps (like Kana), or sometimes - I kid you not - use
IMAP accounts, excel (or at least csv) worksheets and a maze of shell
and perl hacks that are somewhat, but not quite like, a ticketing system.
This system I described must have wired into it easy ways to grab user
information from radius etc, append IPs to block into a text file that
can be grabbed by a cronjob and synced into router ACLs after sanity
checking etc.
And of course if the NOC guy is smart enough, he knows enough to weed
out obviously bogus complaints [including the GWF / Goober With Firewall
ones, as one of my friends once put it - the complaints generated by
those fancy "software firewall" programs] before deactivating accounts.
> There is a reason why there are humans (overworked, unfortunately) handling
> abuse complaints. Make it easy, sure...but make it easy for the human to be
Yes. I'm one such person as it happens. And all I ask is that it be
made easy.
srs
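The block-file-to-ACL step described in the reply above (abuse desk appends IPs to a text file, a cron job picks it up, sanity-checks it, and syncs it into router ACLs) as an added example; this is not code from the original post or from NANOG. It assumes a one-entry-per-line file with `#` comments, a hypothetical never-block list of the operator's own prefixes, a /16 floor on prefix size, and Cisco-style named extended ACL syntax; the sample file contents are constructed.

```python
"""Sanity-check an abuse-desk block file before it is synced into router ACLs.

Added example, not from the original post. Everything below (file format,
never-block list, prefix floor, ACL syntax) is an assumption for illustration.
"""
import ipaddress

# Constructed sample of what a cron job might read from the block file.
SAMPLE_BLOCK_FILE = """\
# appended by abuse desk, one IP or CIDR per line
203.0.113.45
198.51.100.0/24
10.0.0.7            # RFC1918 - operator typo, must never reach the router
192.0.2.1           # our own management net (see NEVER_BLOCK)
0.0.0.0/0           # catastrophic typo: would blackhole everything
not-an-ip
203.0.113.45        # duplicate of line 2
"""

# Hypothetical never-block list: router loopbacks / NOC management net.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]

# Prefixes that should never appear in an edge ACL sourced from complaints.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in
                ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                 "172.16.0.0/12", "192.168.0.0/16")]

MIN_PREFIXLEN = 16  # refuse anything broader than a /16 (assumed policy)


def parse_block_file(text):
    """Return (accepted, rejected).

    accepted: sorted, de-duplicated list of IPv4Network objects safe to push.
    rejected: list of (entry, reason) for the NOC human to look at.
    """
    accepted = {}   # dict keeps first-seen order and drops duplicates
    rejected = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not a valid IP or CIDR"))
            continue
        if net.version != 4:
            rejected.append((entry, "only IPv4 handled in this example"))
            continue
        if net.prefixlen < MIN_PREFIXLEN:
            rejected.append((entry, f"prefix broader than /{MIN_PREFIXLEN}"))
            continue
        if any(net.overlaps(p) for p in NON_ROUTABLE):
            rejected.append((entry, "non-routable/private address"))
            continue
        if any(net.overlaps(p) for p in NEVER_BLOCK):
            rejected.append((entry, "overlaps never-block list"))
            continue
        accepted[net] = None
    return sorted(accepted), rejected


def to_acl_lines(nets, acl_name="ABUSE-BLOCK"):
    """Render Cisco-style named extended ACL lines (syntax assumed; adapt per platform)."""
    lines = [f"ip access-list extended {acl_name}"]
    for net in nets:
        # Cisco ACLs take a wildcard (inverted) mask, which ipaddress calls hostmask.
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return lines


def main():
    accepted, rejected = parse_block_file(SAMPLE_BLOCK_FILE)
    for entry, reason in rejected:
        print(f"REJECTED {entry!r}: {reason}")
    print("\n".join(to_acl_lines(accepted)))


if __name__ == "__main__":
    main()
```

The rejected list is the part worth surfacing in the ticket system rather than just logging: a /0 or an RFC1918 entry in the block file is exactly the kind of mistake the reply's "sanity checking" is meant to catch before the cron job pushes it to the router.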