Monumentous task of making a list of all DDoS Zombies.
Wayne Gustavus (nanog)
nanog at wgustavus.com
Sun Feb 8 04:44:38 UTC 2004
> -----Original Message-----
> From: Suresh Ramasubramanian [mailto:suresh at outblaze.com]
> Sent: Saturday, February 07, 2004 9:58 PM
> To: Wayne Gustavus (nanog)
> Cc: 'Drew Weaver'; nanog at merit.edu
> Subject: Re: Monumentous task of making a list of all DDoS Zombies.
>
<snip>
>
> 1. It is arguable whether dynamic IPs are to be treated as legitimate
> mailhosts. Your colleagues in VOL mailops might tell you something
> similar too.
No argument there. However, the thread was originally addressing a list of
DDoS Zombies, not illegitimate SMTP mailhosts. Arguably zombies used to
launch
DDoS attacks are treated differently than such hosts. We address both
types.
>
> 2. An expiring list, where entries inserted are quickly expired, and
> stats used to add to other lists (such as MAPS DUL / SORBS DUHL) is a
> good idea, and moreover, it's already been done.
http://cbl.abuseat.org
Interesting approach. It would be conceivable that if this resource was
Widely used, miscreants could use this service to DDoS there victims without
an army of zombies :-) I still submit that it is more advisable to address
the root of the problem by finding the true host that generated attack
traffic. Automating this process of matching dynamic IP to customer acct
with a timestamp and remediation is the goal.
__________________________________________________________
Wayne Gustavus, CCIE #7426
Operations Engineering
Verizon Internet Services
___________________________________________________________
More information about the NANOG
mailing list