Monumentous task of making a list of all DDoS Zombies.

Suresh Ramasubramanian suresh at outblaze.com
Mon Feb 9 02:52:41 UTC 2004


Sean Donelan wrote:
> But I still don't understand why an ISP unwilling to spend the money
> to trace uses with RADIUS or other existing methods; is going to want
> to spend money on interfacing their systems with Dynamic DNS servers and

All I'm saying, Sean, is that there should be a quick way (or even an 
automated way) for the NOC to track down and deactivate trojaned hosts / 
zombies etc on their network.

Put the MAC address in, or a hashed version of the guy's userid in, or 
anything else you want [cf: EB Dreger's post].

Or query RADIUS or other methods if you like.  As long as it can be 
automated, and there's a way to immediately parse out the guy's userid 
and deactivate it ... I don't particularly care.  I just suggested one 
method.  Sure, there are several others.

> Digital rights management, password guessing, IRC bans, mail blocks, etc
> could work much more effectively if ISPs provided a unique identifier for
> subscribers.  If software and hardware vendors included a hard-coded

I never said that unique identifier had to be intelligible to anybody 
other than the ISP.  The 1984-esque scenario is interesting, but not 
really what I was suggesting.

> As you point out, there are a lot of them.  But the goal should be to
> NOT have the ISP's staffers handle individual complaints.  Any "solution"

Your staff will still get a ton of complaints. If these can be parsed by 
a script that looks for virus / trojan strings in the complaint, extracts 
the IP (or has your NOC dude just click the IP in his ticketing system, 
like in RT + IRTT) and the account just goes away - then fine.

As long as the user is still active and still able to login to your 
network, you have a ddos zombie in there.

> I assume you are aware that one of the fastest growing trojan segments
> includes trojans which can not be detected by port scanners.

Yes. There are stealth trojans. But just looking for sudden peaks of 
traffic, or other wormsign, might help in such a case.

> You are correct that prevention is better than the cure.  Unfortunately
> you've misidentified the point of prevention.  The software vendor is
> in the best position to prevent systems being compromised.  A change at

You know, I would love it if I had a userbase that was all mac / *nix. 
Or at least a userbase running windows that would take the time and 
trouble to at least patch their systems and update their AV definitions 
once in a while, and which would use something safer than IE + Outlook 
to surf the web & read their email, like say Firebird + Thunderbird.

If you only have such model users on your network, let me know if you 
are hiring and I'll immediately send you my CV :)  But for want of that ...

> The number of spoofed packets received has very little to do with the
> number of sources of spoofed packets.  But again, it points out the
> lack of hard data.  Yesterday, a red car cut me off, so obviously the
> problem is red cars and we should prohibit all red cars.

Analogies do suck, don't they?  Try that one with "street illegal souped 
up muscle car" instead of "red car" and see if it holds.  All I said was 
that the guy running the mirror told me that he got a non trivial number 
of DoS attempts from sources that used spoofed packets.  And as far as I 
know, there is no reason _not_ to filter spoofed source packets.

>>1. Easy identifying of hosts, at least to the ISP (to avoid privacy
>>concerns)
> 
> By whom?  Should anyone be able to identify any host any time, or is it
> only necessary for inter-connected providers to identify the next provider

Jesus.  The ISP who is providing that IP should have some way to 
immediately / automatically identify its users who have trojaned PCs and 
lock them out, something tied to their ticketing system, or to an IDS 
even, if they are into automated detection of trojans.

>>3. Proactive network sweeps
> Sweeps for what?

open proxies, open relays, those trojans that can be detected by 
portscans .... but I guess that question was rhetorical.

> Of course you meant to say contact the person who sold you your computer
> for help fixing your computer.  The police write tickets, they don't
> fix cars.

You got it.  But then you need to call your ISP to get your IP 
un-VLANed, or your account reactivated, surely?

>>5. Cooperation with law enforcement if necessary, to track down and
>>punish the DDoSer.
> 
> Of course, the original issue was PTR records for spam, not DDOS.  But

PTR records for just about everything.  The topic seems to have drifted 
this way (which is good, at least in the nanog context where discussions 
about spam are apparently to be streng verboten).

> Which ISPs are not cooperating with law enforcement?
> 
> In the US, if you receive harassing or threatening phone calls, you have
> to file a police report.  The telephone company only provides the
> information about the source of the calls to the police for followup.

Look, I do know the drill about handling subpoenas.  But that's a bit 
different from an ISP going after and suing a kiddie who targets their 
network.  Microsoft / SCO offering a bounty to go after the mydoom 
author sounds like a joke, but yeah, we just might need more such jokes.

> How many people file police reports for spam, ddos, etc.

You would (or maybe wouldn't) be surprised.

	srs
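The automated pipeline Suresh sketches above (script finds wormsign strings in the complaint, pulls out the IP, maps it to a subscriber via RADIUS, account gets deactivated) as an added example that is not part of the original thread or any NANOG member's code. It assumes a constructed RADIUS accounting table `SESSIONS` and constructed complaint text; the `triage()` result is what a ticketing-system hook would act on. The one caveat a practitioner needs is built in: with dial-up or DHCP pools the same IP is handed to different subscribers over time, so a complaint without a timestamp is routed to a human rather than guessed at.

```python
"""Added example: turning an abuse complaint about a trojaned host into a
subscriber account to deactivate.

Steps: spot wormsign keywords, extract the IP and event time, then map
(IP, time) to a userid through RADIUS accounting records. SESSIONS and all
complaint text below are constructed sample data, not real records.
"""
import ipaddress
import re
from datetime import datetime

# Complaint keywords that point at a compromised host rather than a policy
# dispute. Constructed list; tune it to the complaints your abuse desk sees.
WORMSIGN = ("trojan", "worm", "mydoom", "open proxy", "ddos", "zombie", "bot")

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# ISO-8601 timestamps with Z or +hh:mm offset. The time matters because a
# dynamic pool reassigns the same IP to different subscribers.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})")

# Constructed RADIUS accounting data: (userid, Framed-IP-Address, start, stop).
# stop=None means the session is still up. A real ISP would query the
# accounting database or parse the detail file instead.
SESSIONS = [
    ("alice", "203.0.113.10", "2004-02-08T20:00:00+00:00", "2004-02-08T23:30:00+00:00"),
    ("bob",   "203.0.113.10", "2004-02-09T00:05:00+00:00", "2004-02-09T03:00:00+00:00"),
    ("carol", "203.0.113.77", "2004-02-08T18:00:00+00:00", None),
]


def parse_complaint(text):
    """Return (ips, event_time, matched_keywords) for one complaint."""
    lower = text.lower()
    keywords = [k for k in WORMSIGN if k in lower]
    ips = []
    for candidate in IP_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 matched the regex
            continue
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            continue
        if ip not in ips:
            ips.append(ip)
    match = TS_RE.search(text)
    event_time = None
    if match:
        event_time = datetime.fromisoformat(match.group(0).replace("Z", "+00:00"))
    return ips, event_time, keywords


def lookup_user(ip, at, sessions=SESSIONS):
    """Map (ip, time) to the userid whose session held that IP at that time.
    Returns None when no session matches; naming whoever has the IP *now*
    would hit the wrong subscriber."""
    ip = ipaddress.ip_address(ip)
    for user, framed_ip, start, stop in sessions:
        if ipaddress.ip_address(framed_ip) != ip:
            continue
        t0 = datetime.fromisoformat(start)
        t1 = datetime.fromisoformat(stop) if stop else None
        if t0 <= at and (t1 is None or at <= t1):
            return user
    return None


def triage(complaint, sessions=SESSIONS):
    """Decide what the NOC script does with a complaint.
    Returns a dict whose "action" is "deactivate", "manual" or "ignore"."""
    ips, at, keywords = parse_complaint(complaint)
    if not keywords:
        return {"action": "ignore", "reason": "no wormsign keywords"}
    if not ips:
        return {"action": "manual", "reason": "no IP address in complaint"}
    if at is None:
        return {"action": "manual",
                "reason": "no timestamp; dynamic IP cannot be attributed"}
    hits = {}
    for ip in ips:
        user = lookup_user(ip, at, sessions)
        if user:
            hits[str(ip)] = user
    if not hits:
        return {"action": "manual", "reason": "no RADIUS session matched"}
    # Hook point: call the ticketing / provisioning API to disable each account.
    return {"action": "deactivate", "users": hits, "keywords": keywords}


if __name__ == "__main__":
    for text in (
        "Your host 203.0.113.10 hit our mirror at 2004-02-09T01:15:00Z with mydoom trojan traffic.",
        "ddos zombie at 203.0.113.10 seen 2004-02-08T23:45:00Z",
        "open proxy on 203.0.113.77 abused for spam",
        "Please remove us from your mailing list.",
    ):
        print(triage(text))
```

The second sample complaint falls in the gap between alice's logout and bob's login, so the script refuses to deactivate anyone and hands it to the NOC; that is the behaviour you want from anything that disables accounts automatically.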


