Monumentous task of making a list of all DDoS Zombies.

Wayne Gustavus (nanog) nanog at wgustavus.com
Sun Feb 8 04:44:38 UTC 2004


> -----Original Message-----
> From: Suresh Ramasubramanian [mailto:suresh at outblaze.com] 
> Sent: Saturday, February 07, 2004 9:58 PM
> To: Wayne Gustavus (nanog)
> Cc: 'Drew Weaver'; nanog at merit.edu
> Subject: Re: Monumentous task of making a list of all DDoS Zombies.
> 
<snip>
> 
> 1. It is arguable whether dynamic IPs are to be treated as legitimate 
> mailhosts.  Your colleagues in VOL mailops might tell you something 
> similar too.

No argument there.  However, the thread was originally addressing a list of
DDoS Zombies, not illegitimate SMTP mailhosts.  Arguably zombies used to
launch DDoS attacks are treated differently than such hosts.  We address
both types.

> 
> 2. An expiring list, where entries inserted are quickly expired, and 
> stats used to add to other lists (such as MAPS DUL / SORBS DUHL) is a 
> good idea, and moreover, it's already been done. 
> http://cbl.abuseat.org

Interesting approach.  It would be conceivable that if this resource was
widely used, miscreants could use this service to DDoS their victims without
an army of zombies :-)  I still submit that it is more advisable to address
the root of the problem by finding the true host that generated attack
traffic.  Automating this process of matching dynamic IP to customer acct
with a timestamp and remediation is the goal.



__________________________________________________________ 
Wayne Gustavus, CCIE #7426                        
Operations Engineering                    
Verizon Internet Services                       
___________________________________________________________ 
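
The matching step described in the message above, as an added example that is not part of the original post and not any ISP's actual tooling: it maps a reported (IP, timestamp) pair to the account that held a dynamic address at that moment. The session records, account IDs, the 60-second clock-skew tolerance and the function names are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def ts(text):
    """Parse a UTC timestamp such as '2004-02-08 04:44:38'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed sample accounting sessions: (ip, account, start, stop).
# stop=None means the session is still open. Addresses are from 192.0.2.0/24.
SESSIONS = [
    ("192.0.2.10", "acct-1001", ts("2004-02-07 18:00:00"), ts("2004-02-07 23:10:00")),
    ("192.0.2.10", "acct-2002", ts("2004-02-07 23:10:30"), ts("2004-02-08 03:00:00")),
    ("192.0.2.10", "acct-3003", ts("2004-02-08 03:05:00"), None),
    ("192.0.2.77", "acct-4004", ts("2004-02-07 12:00:00"), ts("2004-02-07 13:00:00")),
]

def build_index(sessions):
    """Group sessions by IP address, sorted by start time."""
    index = defaultdict(list)
    for ip, account, start, stop in sessions:
        index[ip].append((start, stop, account))
    for rows in index.values():
        rows.sort(key=lambda row: row[0])
    return index

def attribute(index, ip, seen_at, skew=timedelta(seconds=60)):
    """Map (ip, seen_at) to the account(s) holding the address at that time.

    Returns ('match', [account]), ('ambiguous', [accounts...]) or ('none', []).
    The skew window allows for clock drift between the reporter and the logs.
    """
    lo, hi = seen_at - skew, seen_at + skew
    accounts = []
    for start, stop, account in index.get(ip, []):
        overlaps = start <= hi and (stop is None or stop >= lo)
        if overlaps and account not in accounts:
            accounts.append(account)
    if not accounts:
        return "none", []
    return ("match" if len(accounts) == 1 else "ambiguous"), accounts

INDEX = build_index(SESSIONS)

if __name__ == "__main__":
    for ip, when in [("192.0.2.10", "2004-02-07 21:00:00"),
                     ("192.0.2.10", "2004-02-07 23:10:15"),
                     ("192.0.2.77", "2004-02-07 15:00:00")]:
        print(ip, when, attribute(INDEX, ip, ts(when)))
```

An "ambiguous" result means the report falls within the skew window of a reassignment, so two customers are plausible and the case is better sent to manual review than to automatic remediation.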



