Monumentous task of making a list of all DDoS Zombies.
Suresh Ramasubramanian
suresh at outblaze.com
Mon Feb 9 02:52:41 UTC 2004
Sean Donelan wrote:
> But I still don't understand why an ISP unwilling to spend the money
> to trace users with RADIUS or other existing methods; is going to want
> to spend money on interfacing their systems with Dynamic DNS servers and
All I'm saying, Sean, is that there should be a quick way (or even an
automated way) for the NOC to track down and deactivate trojaned hosts /
zombies etc on their network.
Put the MAC address in, or a hashed version of the guy's userid in, or
anything else you want [cf: EB Dreger's post].
Or query RADIUS or other methods if you like. As long as it can be
automated, and there's a way to immediately parse out the guy's userid
and deactivate it ... I don't particularly care. I just suggested one
method. Sure, there are several others.
> Digital rights management, password guessing, IRC bans, mail blocks, etc
> could work much more effectively if ISPs provided a unique identifier for
> subscribers. If software and hardware vendors included a hard-coded
I never said that unique identifier had to be intelligible to anybody
other than the ISP. The 1984-esque scenario is interesting, but not
really what I was suggesting.
> As you point out, there are a lot of them. But the goal should be to
> NOT have the ISP's staffers handle individual complaints. Any "solution"
Your staff will still get a ton of complaints. If these can be parsed by
a script that looks for virus / trojan strings in the complaint, extracts
the IP (or has your NOC dude just click the IP in his ticketing system,
like in RT + IRTT) and the account just goes away - then fine.
As long as the user is still active and still able to log in to your
network, you have a DDoS zombie in there.
> I assume you are aware that one of the fastest growing trojan segments
> includes trojans which can not be detected by port scanners.
Yes. There are stealth trojans. But just looking for sudden peaks of
traffic, or other wormsign, might help in such a case.
> You are correct that prevention is better than the cure. Unfortunately
> you've misidentified the point of prevention. The software vendor is
> in the best position to prevent systems being compromised. A change at
You know, I would love it if I had a userbase that was all Mac / *nix.
Or at least a userbase running Windows that would take the time and
trouble to at least patch their systems and update their AV definitions
once in a while, and which would use something safer than IE + Outlook
to surf the web & read their email, like say Firebird + Thunderbird.
If you only have such model users on your network, let me know if you
are hiring and I'll immediately send you my CV :) But for want of that ...
> The number of spoofed packets received has very little to do with the
> number of sources of spoofed packets. But again, it points out the
> lack of hard data. Yesterday, a red car cut me off, so obviously the
> problem is red cars and we should prohibit all red cars.
Analogies do suck, don't they? Try that one with "street illegal souped
up muscle car" instead of "red car" and see if it holds. All I said was
that the guy running the mirror told me that he got a non-trivial number
of DoS attempts from sources that used spoofed packets. And as far as I
know, there is no reason _not_ to filter spoofed source packets.
>>1. Easy identifying of hosts, at least to the ISP (to avoid privacy
>>concerns)
>
> By whom? Should anyone be able to identify any host any time, or is it
> only necessary for inter-connected providers to identify the next provider
Jesus. The ISP who is providing that IP should have some way to
immediately / automatically identify its users who have trojaned PCs and
lock them out, something tied to their ticketing system, or to an IDS
even, if they are into automated detection of trojans.
>>3. Proactive network sweeps
> Sweeps for what?
open proxies, open relays, those trojans that can be detected by
portscans .... but I guess that question was rhetorical.
> Of course you meant to say contact the person who sold you your computer
> for help fixing your computer. The police write tickets, they don't
> fix cars.
You got it. But then you need to call your ISP to get your IP
un-VLANed, or your account reactivated, surely?
>>5. Cooperation with law enforcement if necessary, to track down and
>>punish the DDoSer.
>
> Of course, the original issue was PTR records for spam, not DDOS. But
PTR records for just about everything. The topic seems to have drifted
this way (which is good, at least in the nanog context where discussions
about spam are apparently streng verboten).
> Which ISPs are not cooperating with law enforcement?
>
> In the US, if you receive harassing or threatening phone calls, you have
> to file a police report. The telephone company only provides the
> information about the source of the calls to the police for followup.
Look, I do know the drill about handling subpoenas. But that's a bit
different from an ISP going after and suing a kiddie who targets their
network. Microsoft / SCO offering a bounty to go after the MyDoom
author sounds like a joke, but yeah, we just might need more such jokes.
> How many people file police reports for spam, ddos, etc.
You would (or maybe wouldn't) be surprised.
srs
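The automation Suresh describes above (a script that spots virus / trojan strings in a complaint, pulls out the IP, ties it back to the subscriber and kills the account) can be sketched in a few dozen lines. The following is an added example, not code from this thread or from any NANOG participant. It assumes a RADIUS-style accounting table (Acct-Start / Acct-Stop records) as the source of truth for "who had this dynamic IP at that time"; the indicator strings, the `192.0.2.0/24` prefix, the `ACCOUNTING` records and the complaint text are all constructed for illustration.

```python
"""Added example, not code from the NANOG thread. Abuse-desk automation:
parse a complaint for trojan/worm indicators, pull out the offending IP,
map it to a subscriber via RADIUS-style accounting records, and emit
the action the ticketing system should take. Every name, prefix, indicator
and record here is constructed for illustration."""
import re
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed indicator strings; a real desk would maintain its own list.
TROJAN_INDICATORS = ("mydoom", "trojan", "backdoor", "irc bot", "open proxy", "open relay")

# Constructed: the address space this ISP actually announces. Anything
# outside it is not our subscriber and must not be "deactivated".
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})")


@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    stop: Optional[datetime]   # None: still logged in


def utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed RADIUS-style accounting (Acct-Start/Acct-Stop). Note the dynamic
# pool: 192.0.2.10 was alice's earlier in the evening and is bob's now.
ACCOUNTING = [
    Session("alice", "192.0.2.10", utc("2004-02-08T20:00:00"), utc("2004-02-08T23:30:00")),
    Session("bob",   "192.0.2.10", utc("2004-02-09T00:05:00"), None),
    Session("carol", "192.0.2.77", utc("2004-02-08T18:00:00"), None),
]


def is_ours(ip: str) -> bool:
    """True only for addresses inside the prefixes this ISP announces."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in OUR_PREFIXES)


def extract_incident(complaint: str):
    """Return (indicators, ip, timestamp) or None when the complaint isn't about malware."""
    text = complaint.lower()
    found = [i for i in TROJAN_INDICATORS if i in text]
    if not found:
        return None
    # Complaints usually also carry the victim's address; keep only ours.
    ours = [ip for ip in IPV4_RE.findall(complaint) if is_ours(ip)]
    m = TS_RE.search(complaint)
    ts = utc(f"{m.group(1)}T{m.group(2)}") if m else None
    return found, (ours[0] if ours else None), ts


def resolve_subscriber(ip: str, at: datetime) -> Optional[str]:
    """Map a dynamic IP to the account that held it at the complaint time."""
    for s in ACCOUNTING:
        if s.ip == ip and s.start <= at and (s.stop is None or at <= s.stop):
            return s.user
    return None


def handle_complaint(complaint: str) -> dict:
    """Decide what the ticketing system should do with one complaint."""
    incident = extract_incident(complaint)
    if incident is None:
        return {"action": "ignore", "reason": "no malware indicators"}
    indicators, ip, ts = incident
    if ip is None:
        return {"action": "manual_review", "reason": "no address in our prefixes"}
    if ts is None:
        # Without a timestamp a dynamic IP is ambiguous; never guess the user.
        return {"action": "manual_review", "reason": "no timestamp", "ip": ip}
    user = resolve_subscriber(ip, ts)
    if user is None:
        return {"action": "manual_review", "reason": "no session for ip at that time", "ip": ip}
    return {"action": "deactivate", "user": user, "ip": ip, "indicators": indicators}


if __name__ == "__main__":
    # Constructed complaint, as it might arrive at abuse@.
    print(handle_complaint("2004-02-09 01:15:00 UTC: 192.0.2.10 tried to deliver MyDoom to 198.51.100.5"))
```

The two checks worth keeping even in a quick-and-dirty version are the prefix filter (a complaint names the victim as often as the source, and you only ever act on your own space) and the timestamp requirement: on a dynamic pool the same IP belongs to different subscribers an hour apart, so a complaint without a time is a ticket for a human, not an automatic deactivation.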