Monumentous task of making a list of all DDoS Zombies.
Suresh Ramasubramanian
suresh at outblaze.com
Sun Feb 8 07:27:49 UTC 2004
Sean Donelan wrote:
> In practice MAC address tracking only works for a few very specific ISP
> architectures, such as when the ISP supplies the hardware used to connect
> to the network.
I'm aware of these - but surely there's something about the user which
you can stick into rDNS (hashed / encrypted if you like) that'll
identify the user?
The problem with trojans etc. is that there are so damn many of them, so the
less time spent actually tracking down the user who was on IP X at time
Y, the better it is for the ISP's staffers who handle complaints about
these.
Of course, prevention is better than cure, so another recourse the ISP
has is to be proactive - setting up a scanner to sweep the host that
comes up on an IP the moment the DHCP server assigns it. If not a full-blown
portscan or anything, then at least a quick once-over that looks
for signs of the current "big problem" trojans / zombies.
> There are several ISPs which implement ingress filtering per
> BCP38/RFC2827. None of them have seen a change in the number of DDOS
> attacks. The people who track this kind of stuff say that most
> attacks do not use spoofed addresses.
I have heard from someone who hosts one of the mirrors for a site that
is a DDoS magnet. I recall his saying that a non-trivial number of
attacks coming at this mirror were from spoofed source addresses.
No, I don't claim that BCP38 is a magic bullet either. But I do put it
to you that the way to at least mitigate this menace includes a
combination of several steps -
1. Easy identification of hosts, at least to the ISP (to avoid privacy
concerns)
2. Sensible filtering practices
3. Proactive network sweeps
4. Quick and immediate isolation of infected hosts - nullroute them, or
maybe VLAN them into their own corner of the 'net, where the only thing
they can access over http is an ISP support page saying "please un-root
your computer, or contact us at 1-800-[foo] for help and more details"
5. Cooperation with law enforcement if necessary, to track down and
punish the DDoSer.
srs
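The "who was on IP X at time Y" lookup and the hashed rDNS label suggested above, as an added example that is not part of the original post. It assumes a constructed, simplified one-lease-per-line log (not dhcpd's real leases file format) and a hypothetical ISP-only HMAC key; lease windows are treated as half-open so a renewal at the exact expiry time is not double-counted, and overlapping records for the same IP are reported as ambiguous rather than silently picked.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample lease log, one lease per line, times in UTC.
# This is an illustrative layout, not the format written by any real DHCP server.
SAMPLE_LEASES = """\
lease 10.0.5.17 start 2004-02-07 22:00:00 end 2004-02-08 02:00:00 mac 00:11:22:33:44:55 account sub-4417
lease 10.0.5.17 start 2004-02-08 02:00:00 end 2004-02-08 06:00:00 mac 00:11:22:33:44:55 account sub-4417
lease 10.0.5.17 start 2004-02-08 06:30:00 end 2004-02-08 10:30:00 mac 00:aa:bb:cc:dd:ee account sub-9021
lease 10.0.5.18 start 2004-02-08 06:00:00 end 2004-02-08 10:00:00 mac 00:de:ad:be:ef:00 account sub-1234
"""

# Hypothetical key held only by the ISP; the real one would come from a secrets store.
ISP_LABEL_KEY = b"example-isp-rdns-key"


def parse_leases(text):
    """Parse the constructed lease log into dicts with aware UTC datetimes."""
    leases = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 12 or f[0] != "lease":
            continue  # skip blank or malformed lines
        start = datetime.fromisoformat(f"{f[3]} {f[4]}").replace(tzinfo=timezone.utc)
        end = datetime.fromisoformat(f"{f[6]} {f[7]}").replace(tzinfo=timezone.utc)
        leases.append({"ip": f[1], "start": start, "end": end, "mac": f[9], "account": f[11]})
    return leases


def who_had(leases, ip, when):
    """Return the account that held `ip` at `when`, or None if no lease covers it.
    Windows are half-open [start, end), so back-to-back renewals do not overlap."""
    hits = {l["account"] for l in leases if l["ip"] == ip and l["start"] <= when < l["end"]}
    if len(hits) > 1:
        raise ValueError(f"ambiguous lease records for {ip} at {when}: {sorted(hits)}")
    return hits.pop() if hits else None


def rdns_label(account, key=ISP_LABEL_KEY):
    """Opaque per-subscriber label for a rDNS name such as <label>.dyn.example.net.
    Keyed hash: the ISP can map it back via its own table, outsiders cannot."""
    return hmac.new(key, account.encode(), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    when = datetime(2004, 2, 8, 1, 30, tzinfo=timezone.utc)
    acct = who_had(parse_leases(SAMPLE_LEASES), "10.0.5.17", when)
    print(acct, rdns_label(acct))
```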