Monumentous task of making a list of all DDoS Zombies.

Suresh Ramasubramanian suresh at outblaze.com
Mon Feb 9 02:57:14 UTC 2004


Guðbjörn Hreinsson wrote:

> ip ranges is sending worms and automatically disables those users... I see
> no gain from adding anything in DNS, like reverse records.

well, rDNS is just one way.  If you have some relatively automated (and 
automatic, easy to trigger from your mailserver logs, your router / ids 
logs etc) system to disable users, without having your NOC guys manually 
paste stuff into a form / fire up your db and execute queries manually, 
then cool.

> We perform this today, the problem is, what are the signs for "big problem"
> trojans and zombies? If there was a tool out there that could perform
> scanning

Well, sticking an IDS on outbound traffic might not scale - especially 
across a large dialup pool.  But there are other things to do, such as 
filtering the commonly used methods of worm propagation (windows shares, 
port 25 outbound from your dynamic IPs ..)

> purchase such a tool. Other than scanning for the open ports, I think these
> zombies are regular open proxies... but that may (will?) change in the

They are proxies on a random high port - but sometimes they do phone 
home to a particular source etc.  Lots of people perform trojan 
analysis, and I assume a regular update of these, fed into a cut down 
version of an IDS, might help.

	srs
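The two ideas in the reply above (automated disabling triggered from router/IDS logs, and watching the usual worm vectors such as Windows shares and outbound port 25 from dynamic pools) can be combined into a small log-driven detector. The following is an added example, not code from the post or from anyone on the thread: it parses iptables-LOG-style lines (an assumed format, with constructed sample lines), flags dynamic-pool sources that talk to many distinct hosts on those ports, and emits the null-route lines an automated disable step could feed to the router. The pool ranges, threshold and the blackhole-route action are all assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed dynamic/dial-up pool for the example; substitute your own ranges.
DYNAMIC_POOLS = [ipaddress.ip_network("10.20.0.0/16")]

# Ports a dial-up user rarely needs to reach directly: SMTP (mail should go
# via the ISP relay) and Windows file/RPC sharing, the common worm vectors.
WATCH_PORTS = {25, 135, 137, 138, 139, 445}

# Fields we need from an iptables LOG line (assumed format).
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ SPT=\d+ DPT=(?P<dport>\d+)"
)


def _log(src, dst, dport):
    """Build one constructed sample log line (not a real capture)."""
    return (f"Feb  9 02:57:14 gw kernel: OUT=eth1 SRC={src} DST={dst} "
            f"PROTO=TCP SPT=3452 DPT={dport}")


# Constructed sample log: one SMTP spreader, one SMB spreader, one normal
# user, one non-dynamic host (the mail relay) and one unrelated syslog line.
SAMPLE_LOG = "\n".join(
    [_log("10.20.3.44", f"203.0.113.{i}", 25) for i in range(1, 7)]
    + [_log("10.20.9.10", f"198.51.100.{i}", 445) for i in range(1, 6)]
    + [_log("10.20.1.2", "192.0.2.5", 25)] * 2
    + [_log("10.20.1.2", "203.0.113.9", 80)]
    + [_log("192.0.2.5", f"203.0.113.{i}", 25) for i in range(11, 17)]
    + ["Feb  9 02:57:15 gw sshd[123]: Accepted publickey for ops"]
)


def parse_line(line):
    """Return (src, dst, dport) for a log line we understand, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]),
            int(m["dport"]))


def is_dynamic(ip):
    return any(ip in net for net in DYNAMIC_POOLS)


def find_suspects(log_text, threshold=5):
    """Map src -> {port: distinct destination count} for dynamic-pool sources
    that reached at least `threshold` distinct hosts on some watched port.
    Counting distinct destinations (not packets) is what separates a scanner
    from a user who simply talks to one mail server a lot."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport not in WATCH_PORTS or not is_dynamic(src):
            continue
        targets[src][dport].add(dst)

    suspects = {}
    for src, by_port in targets.items():
        hits = {port: len(dsts) for port, dsts in by_port.items()
                if len(dsts) >= threshold}
        if hits:
            suspects[str(src)] = hits
    return suspects


def disable_actions(suspects):
    """Lines an automated disable step could hand to the router (assumed
    action: a /32 blackhole route; a RADIUS disconnect would work as well)."""
    return [f"ip route add blackhole {ip}/32  # ports: {sorted(hits)}"
            for ip, hits in sorted(suspects.items())]


if __name__ == "__main__":
    found = find_suspects(SAMPLE_LOG)
    for action in disable_actions(found):
        print(action)
```

Run on the constructed log it reports 10.20.3.44 (six distinct SMTP targets) and 10.20.9.10 (five distinct SMB targets); the normal user and the relay at 192.0.2.5 are left alone because the first never fans out and the second is outside the dynamic pool. Keyed on distinct destinations rather than packet counts, the same logic can run over Netflow or IDS output once the parser is swapped.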
