Monumentous task of making a list of all DDoS Zombies.
Suresh Ramasubramanian
suresh at outblaze.com
Tue Feb 10 09:56:57 UTC 2004
Steve Birnbaum wrote:
>
> So you want a major ISP to simply automatically disable accounts of its
> users based only on automated detection of an IP address and timestamp in
> something that APPEARS to be a complaint to an automated script?
>
Hi
You have two things confused from my previous mail.
1. Set up router / IDS acls that look for outbound / inbound traffic
that is characteristic of worms (or whatever), and have the accounts
deactivated based on that.
2. Set up your NOC to use a sensible ticket system optimized for
incident handling (RTIR + RT3, and Abacus seem to be the only contenders
so far according to a recent discussion I had with admins on another
list).
A lot of the NOCs use ticketing systems that are either designed for
customer service apps (like Kana), or sometimes - I kid you not - use
IMAP accounts, excel (or at least csv) worksheets and a maze of shell
and perl hacks that are somewhat, but not quite like, a ticketing system.
This system I described must have wired into it easy ways to grab user
information from radius etc, append IPs to block into a text file that
can be grabbed by a cronjob and synced into router ACLs after sanity
checking etc.
And of course if the NOC guy is smart enough, he knows enough to weed
out obviously bogus complaints [including the GWF / Goober With Firewall
ones, as one of my friends once put it - the complaints generated by
those fancy "software firewall" programs] before deactivating accounts.
> There is a reason why there are humans (overworked, unfortunately) handling
> abuse complaints. Make it easy, sure...but make it easy for the human to be
Yes. I'm one such person as it happens. And all I ask is that it be
made easy.
srs
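The "append IPs to a text file, cronjob syncs it into router ACLs after sanity checking" step from the post, as an added example; this is not code from the post, from the author, or from any NOC's tooling, and it is a Python stand-in for the shell and perl hacks the post mentions. It assumes a hypothetical one-IP-per-line block file with `#` comments, a hypothetical list of the ISP's own infrastructure prefixes that must never be blocked (the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges stand in for them), Cisco IOS-style extended ACL syntax for the output, and a constructed sample file. The sanity check is the part that matters: it refuses whole prefixes, the ISP's own servers, and private or special-use space, so a bogus or "GWF" complaint that names your DNS server or a customer pool cannot be turned into a blackhole by the cronjob.

```python
"""Sanity-check an abuse-desk block list and render it as router ACL lines.

Added example, not code from the original post or from any NOC. It assumes a
hypothetical one-IP-per-line text file with '#' comments, a hypothetical set
of 'never block' prefixes for the ISP's own infrastructure, and Cisco
IOS-style extended ACL syntax for the output.
"""
import ipaddress

# Hypothetical: networks the ISP must never block (its own DNS, mail, NOC).
# Documentation ranges are used here as constructed stand-ins.
PROTECTED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),     # constructed: ISP DNS/mail servers
    ipaddress.ip_network("198.51.100.0/24"),  # constructed: NOC management net
]

# Private and special-use space that a bogus complaint (or a NAT'd
# complainant's own log) might name; blocking it on a border router is noise.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def check_entry(line):
    """Validate one block-file line.

    Returns (ip_string, "ok") for an acceptable single IPv4 host, otherwise
    (None, reason). Only single host addresses are accepted: a prefix in the
    file is treated as a mistake, never expanded into a mass block.
    """
    text = line.split("#", 1)[0].strip()   # drop trailing comment
    if not text:
        return None, "blank"
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None, "not an IP address: %r" % text
    if net.version != 4:
        return None, "not IPv4: %s" % net
    if net.num_addresses != 1:
        return None, "refusing to block a prefix: %s" % net
    ip = net.network_address
    for protected in PROTECTED_NETS:
        if ip in protected:
            return None, "protected infrastructure: %s" % ip
    for bogon in BOGON_NETS:
        if ip in bogon:
            return None, "bogon/special-use: %s" % ip
    return str(ip), "ok"


def build_acl(lines, acl_number=120):
    """Turn block-file lines into ACL statements.

    Returns (acl_lines, rejected). Duplicates are collapsed silently; every
    other rejected line is reported with its reason so the NOC can see what
    the cronjob declined to push. The ACL ends with an explicit permit so a
    partially-written file cannot leave the router with an implicit deny-all.
    """
    acl, rejected, seen = [], [], set()
    for line in lines:
        ip, reason = check_entry(line)
        if ip is None:
            if reason != "blank":
                rejected.append((line.strip(), reason))
            continue
        if ip in seen:
            continue
        seen.add(ip)
        acl.append("access-list %d deny ip host %s any" % (acl_number, ip))
    acl.append("access-list %d permit ip any any" % acl_number)
    return acl, rejected


# Constructed sample block file, as the ticket system might append to it.
SAMPLE_BLOCK_FILE = """\
203.0.113.7        # ticket 1234 - worm traffic on tcp/135
203.0.113.7        # duplicate from a second complaint
203.0.113.0/24     # someone tried to block the whole customer pool
192.0.2.53         # GWF complaint naming our own DNS server
10.1.2.3           # private address from a NAT'd complainant's log
not-an-ip
203.0.113.250      # ticket 1240
"""

if __name__ == "__main__":
    acl_lines, rejected_entries = build_acl(SAMPLE_BLOCK_FILE.splitlines())
    print("\n".join(acl_lines))
    for entry, why in rejected_entries:
        print("# REJECTED %s: %s" % (entry, why))
```

Run as a cronjob, the printed ACL is what gets pushed to the router and the rejected lines are what gets bounced back to the ticket; the two hosts from real tickets survive, while the /24, the ISP's own DNS server, the RFC 1918 address and the garbage line are all refused.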