Monumentous task of making a list of all DDoS Zombies.

Iljitsch van Beijnum iljitsch at muada.com
Sun Feb 8 17:12:46 UTC 2004


On 8-feb-04, at 10:05, Suresh Ramasubramanian wrote:

>> Coming up with new types of probes all the time to check for this 
>> would be a huge amount of work.

> Would that be any less work than clearing up the mess left by an 
> infestation of DDoS zombies? :)

Apples and oranges. You need to clean up the zombies regardless of 
whether they succeeded in attacking the victim or they were stopped.

>> I favor an approach where people no longer get to send data at high 
>> speed without the recipient's approval. Just sending data in the 
>> blind or any type of scanning could then trigger a severe rate limit 
>> or raise an alarm.

> It is fairly easy to work around rate limits by just scaling 
> laterally, and compromising a few million more boxes.  If the next 
> virus grabs 4M, or 20M boxes instead of just a measly 2M boxes, you 
> can rate limit all you like, but it really won't help.

Help against what? You're right that if a million boxes send one 125 
byte packet per second to the same place, that's still a gigabit worth 
of traffic, so that particular place is going to receive a gigabit worth 
of traffic. But how are you going to infect a million boxes if you can 
only scan one address per second?

And let's not be so blasé as to assume that all DoS attacks are done with a 
million zombies at a time.
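The "severe rate limit on sending in the blind" idea from the message above, sketched as a defender-side detector. This is an added example and not code from the NANOG thread or its authors. It assumes a per-source token bucket (capacity 5, refill 1 per second, both chosen for the demonstration) that is charged only when a host contacts an address it has never talked to before, so a workstation chatting with its usual servers is never touched while a host sweeping addresses runs dry after a few probes. The flow records are constructed inline.

```python
"""Per-source "new destination" rate limiter (added example, constructed data).

Each source host gets a token bucket. A token is spent only when the host
starts talking to a destination it has not contacted before; repeat traffic
to known destinations is free. When the bucket is empty the contact is
classified as "limited" and an alarm record is kept for the operator.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class HostState:
    """Bucket state for one source address."""
    tokens: float                                 # tokens currently available
    last_ts: float                                # time of last update, seconds
    known: set[str] = field(default_factory=set)  # destinations seen before


class NewDestinationLimiter:
    """Limit how fast a source may open contact with previously unseen hosts.

    capacity       : burst of new destinations allowed from a full bucket
    refill_per_sec : sustained rate of new destinations per second
    (both values are assumptions chosen for this demonstration)
    """

    def __init__(self, capacity: float = 5.0, refill_per_sec: float = 1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.hosts: dict[str, HostState] = {}
        self.alarms: list[tuple[float, str, str]] = []

    def observe(self, ts: float, src: str, dst: str) -> str:
        """Classify one flow start as 'known', 'allowed' or 'limited'."""
        h = self.hosts.get(src)
        if h is None:
            h = HostState(tokens=self.capacity, last_ts=ts)
            self.hosts[src] = h
        # Refill in proportion to elapsed time, never beyond the bucket size.
        elapsed = max(0.0, ts - h.last_ts)
        h.tokens = min(self.capacity, h.tokens + elapsed * self.refill_per_sec)
        h.last_ts = ts
        if dst in h.known:
            return "known"            # repeat traffic is never charged
        if h.tokens >= 1.0:
            h.tokens -= 1.0
            h.known.add(dst)
            return "allowed"
        # Bucket empty: the contact would be throttled and is logged for review.
        self.alarms.append((ts, src, dst))
        return "limited"


def constructed_flows() -> list[tuple[float, str, str]]:
    """Constructed flow starts (timestamp, src, dst) for two hosts."""
    flows = []
    # Workstation 10.0.0.5 talks to three servers in rotation for ten seconds.
    servers = ["10.0.2.10", "10.0.2.11", "10.0.2.12"]
    for i in range(30):
        flows.append((i / 3.0, "10.0.0.5", servers[i % 3]))
    # Host 10.0.0.9 sweeps 10.0.1.1 - 10.0.1.50 at ten new addresses per second.
    for i in range(50):
        flows.append((i * 0.1, "10.0.0.9", f"10.0.1.{i + 1}"))
    flows.sort(key=lambda f: f[0])
    return flows


def summarize(flows, capacity: float = 5.0, refill_per_sec: float = 1.0):
    """Run the limiter over the flows; return per-source verdict counts and alarms."""
    limiter = NewDestinationLimiter(capacity, refill_per_sec)
    counts: dict[str, dict[str, int]] = {}
    for ts, src, dst in flows:
        verdict = limiter.observe(ts, src, dst)
        per_src = counts.setdefault(src, {"known": 0, "allowed": 0, "limited": 0})
        per_src[verdict] += 1
    return counts, limiter.alarms


if __name__ == "__main__":
    counts, alarms = summarize(constructed_flows())
    for src, c in sorted(counts.items()):
        print(f"{src}: {c}")
    print(f"{len(alarms)} contacts would have been rate-limited")
```

With these parameters the workstation's thirty flows produce three "allowed" and twenty-seven "known" verdicts and no alarms, while the sweeping host gets only nine of its fifty probes through (five from the initial burst, then one per second), which is the effect the message argues for: the zombie still exists, but its ability to find the next victim is bounded by the refill rate rather than by its link speed.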
