Monumentous task of making a list of all DDoS Zombies.
Iljitsch van Beijnum
iljitsch at muada.com
Sun Feb 8 08:56:39 UTC 2004
On 8-feb-04, at 8:27, Suresh Ramasubramanian wrote:
> Of course, prevention is better than cure, so another recourse the ISP
> has is to be proactive - setting up a scanner to sweep the host that
> comes up on an IP the moment the dhcp server assigns it. If not a
> full blown portscan or anything, then at least a quick once-over that
> looks for signs of the current "big problem" trojans / zombies.
Coming up with new types of probes all the time to check for this would
be a huge amount of work.
I favor an approach where people no longer get to send data at high
speed without the recipient's approval. Just sending data in the blind
or any type of scanning could then trigger a severe rate limit or raise
an alarm.
>> There are several ISPs which implement ingress filtering per
>> BCP38/RFC2827. None of them have seen a change in the number of DDOS
>> attacks. The people who track this kind of stuff say that most
>> attacks do not use spoofed addresses.
> I have heard from someone who hosts one of the mirrors for a site that
> is a DDoS magnet. I recall his saying that a non-trivial number of
> attacks coming at this mirror were from spoofed source addresses.
People need to make sure only packets with legitimate source addresses
escape from their network. Period.
Unfortunately, this type of action must be performed at the source and
some networks just can't be bothered.
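The source-address check the message asks for, as an added illustration that is not part of the thread: a simulated BCP38-style egress filter that forwards only packets whose source falls inside the network's own prefixes, drops the rest, and raises an alarm for any ingress port that emits repeated spoofed packets. The prefixes, ports, threshold and packets are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed example: the prefixes this network legitimately originates from.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]


def is_legitimate_source(src, prefixes=OUR_PREFIXES):
    """True if src lies inside one of the network's own prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in prefixes)


def egress_filter(packets, prefixes=OUR_PREFIXES, alarm_threshold=3):
    """Apply a BCP38-style egress filter to (ingress_port, src, dst) tuples.

    Returns (forwarded, dropped, alarms): packets passed through, packets
    dropped because their source is not ours, and the ingress ports that
    sent at least alarm_threshold spoofed packets (the hosts behind them
    are the ones worth investigating, since a spoofed source says nothing
    about who actually sent the packet).
    """
    forwarded, dropped = [], []
    spoofed_per_port = Counter()
    for port, src, dst in packets:
        if is_legitimate_source(src, prefixes):
            forwarded.append((port, src, dst))
        else:
            dropped.append((port, src, dst))
            spoofed_per_port[port] += 1
    alarms = sorted(p for p, n in spoofed_per_port.items() if n >= alarm_threshold)
    return forwarded, dropped, alarms


# Constructed outbound packets as seen at the network edge.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "203.0.113.5"),       # ours: forwarded
    ("eth1", "198.51.100.7", "203.0.113.5"),     # ours: forwarded
    ("eth2", "10.0.0.1", "203.0.113.5"),         # RFC1918 source: dropped
    ("eth2", "203.0.113.9", "203.0.113.5"),      # someone else's space: dropped
    ("eth2", "8.8.8.8", "203.0.113.5"),          # someone else's space: dropped
    ("eth3", "198.51.100.200", "203.0.113.5"),   # outside our /25: dropped
]

if __name__ == "__main__":
    fwd, drop, alarms = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)} alarm_ports={alarms}")
```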