Monumentous task of making a list of all DDoS Zombies.

Iljitsch van Beijnum iljitsch at muada.com
Sun Feb 8 08:56:39 UTC 2004


On 8-feb-04, at 8:27, Suresh Ramasubramanian wrote:

> Of course, prevention is better than cure, so another recourse the ISP 
> has is to be proactive - setting up a scanner to sweep the host that 
> comes up on an IP the moment the dhcp server assigns it.  If not a 
> full blown portscan or anything, then at least a quick once-over that 
> looks for signs of the current "big problem" trojans / zombies.

Coming up with new types of probes all the time to check for this would 
be a huge amount of work.

I favor an approach where people no longer get to send data at high 
speed without the recipient's approval. Just sending data in the blind 
or any type of scanning could then trigger a severe rate limit or raise 
an alarm.

>> There are several ISPs which implement ingress filtering per
>> BCP38/RFC2827.  None of them have seen a change in the number of DDOS
>> attacks.  The people who track this kind of stuff say that most
>> attacks do not use spoofed addresses.

> I have heard from someone who hosts one of the mirrors for a site that 
> is a DDoS magnet. I recall his saying that a non trivial number of 
> attacks coming at this mirror were from spoofed source addresses.

People need to make sure only packets with legitimate source addresses 
escape from their network. Period.

Unfortunately, this type of action must be performed at the source and 
some networks just can't be bothered.
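As an added illustration (not code from the thread or its authors) of the two controls discussed above, the BCP38/RFC2827 source-address check on outbound packets and the "alarm on sending in the blind" idea, here is a small simulation of an edge filter. The assigned prefixes, packets and reply set are constructed sample data; the fan-out threshold is an assumed policy value.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: prefixes this network is allowed to originate traffic from.
ASSIGNED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/25")]

# Constructed outbound packets: (source, destination, bytes).
OUT_PACKETS = [
    ("192.0.2.10", "203.0.113.5", 1500), ("192.0.2.10", "203.0.113.6", 1500),
    ("192.0.2.10", "203.0.113.7", 40), ("192.0.2.10", "203.0.113.8", 40),
    ("192.0.2.10", "203.0.113.9", 40), ("192.0.2.10", "203.0.113.10", 40),
    ("198.51.100.20", "203.0.113.5", 500),
    ("10.9.8.7", "203.0.113.5", 1500),        # private source: spoofed
    ("203.0.113.99", "203.0.113.5", 1500),    # someone else's address: spoofed
    ("198.51.100.200", "203.0.113.5", 1500),  # outside the /25: spoofed
]
# Constructed set of (internal host, peer) pairs for which the peer ever replied.
REPLIES = {("192.0.2.10", "203.0.113.5"), ("198.51.100.20", "203.0.113.5")}

def source_is_legitimate(src, prefixes=ASSIGNED_PREFIXES):
    """BCP38/RFC2827: a packet may only leave with a source address from one
    of the prefixes assigned to this network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)

def filter_egress(packets, prefixes=ASSIGNED_PREFIXES):
    """Split outbound packets into those allowed out and those dropped as spoofed."""
    allowed, dropped = [], []
    for pkt in packets:
        (allowed if source_is_legitimate(pkt[0], prefixes) else dropped).append(pkt)
    return allowed, dropped

def blind_senders(packets, replies, fanout_limit=5):
    """Return {host: unanswered_destinations} for internal hosts that pushed
    data to at least `fanout_limit` distinct peers that never replied. This is
    the 'raise an alarm / rate limit' signal rather than a per-trojan probe."""
    targets = defaultdict(set)
    for src, dst, _ in packets:
        targets[src].add(dst)
    flagged = {}
    for src, dsts in targets.items():
        unanswered = sum(1 for d in dsts if (src, d) not in replies)
        if unanswered >= fanout_limit:
            flagged[src] = unanswered
    return flagged

if __name__ == "__main__":
    ok, spoofed = filter_egress(OUT_PACKETS)
    print(f"allowed={len(ok)} dropped_as_spoofed={len(spoofed)}")
    print("hosts sending in the blind:", blind_senders(ok, REPLIES))
```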

More information about the NANOG mailing list