Compromised Hosts?
Paul Vixie
vixie at vix.com
Mon Mar 22 02:34:23 UTC 2004
deepak at ai.net (Deepak Jain) writes:
> Would any broadband providers that received automated, detailed
> (time/date stamp, IP information) with hosts that are being used to
> attack (say as part of a DDOS attack) actually do anything about it?
while not a broadband provider, i would be interested in that information.
> Would the letter have to include information like "x.x.x.x/32 has
> been blackholed until further notice or contact with you" to be
> effective?
i'd like a dynamic update of a blackhole-style zone, please. while it
would not be my personal one (as shown in the following example), it would
be just like it.
naturally i would only share the update key with people whose judgement i
had confidence in -- deepak being an example of same. probably the zone
would only be accessible using a tsig query key that would also be known
only to a set of judgement-trusted people (maybe the same set, maybe not).
i run the script below as part of my maillog-watcher (when postfix signals
that a worm was rejected), and my http sham server (when it detects an
attempt to do something bad), and my smtp sham server (likewise). checking
just now i see 895028 entries auto-added to the list since inception (7 weeks
ago). imagine what we could accomplish with more judgement-trusted
contributors.
any interest? (this would probably show up as part of http://oarc.isc.org/
but before i propose it there i'm interested in field survey results.)
--------
#!/bin/sh
# usage: addreject <ipv4-address> [reason ...]
# adds <reversed-ip>.<zone> to the blackhole zone via a TSIG-signed dynamic update
if [ $# -lt 1 ]; then echo "usage: $0 ipv4-address [reason ...]" >&2; exit 2; fi
# reverse the octets, in-addr.arpa style: 10.1.2.3 -> 3.2.1.10
node=$(echo "$1" | awk -F. 'NF == 4 {print $4 "." $3 "." $2 "." $1}'); shift
if [ -z "$node" ]; then echo "$0: not a dotted-quad IPv4 address" >&2; exit 2; fi
zone="example.vix.com"
server="justanexample.vix.com"
ttl="1800"
nsupdate="/usr/local/bin/nsupdate"
keyfile="/var/named/rejectall/Kupdate-rejectall.+157+43810.key"
# feed one nsupdate transaction on stdin; the prereq makes the whole update
# fail (and nsupdate exit non-zero) if the address is already listed
( echo "server $server"
  echo "zone $zone"
  echo "prereq nxdomain $node.$zone"
  echo "update add $node.$zone $ttl A 0.0.0.0"
  echo "update add $node.$zone $ttl TXT \"created $(date +%Y%m%d%H%M%S)\""
  if [ $# -gt 0 ]; then echo "update add $node.$zone $ttl TXT \"reason $*\""; fi
  echo "send" ) | "$nsupdate" -k "$keyfile"
exit $?
--------
--
Paul Vixie
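Added example, not part of Paul Vixie's post: a BIND 9 named.conf fragment implementing the access model described above, where one TSIG key (the one the nsupdate script loads with -k) is shared with the judgement-trusted contributors who may add entries, and a separate TSIG key is required to query the zone at all. The key names, the zone file path and the secrets are placeholders, not values from the post; algorithm number 157 in the example key filename is HMAC-MD5, which is why that algorithm appears here.

```conf
// Added example (not from the original post): BIND 9 named.conf fragment.
// Key names, zone file path and secrets are assumptions/placeholders.

// Key held by the contributors who run the nsupdate script (dnssec-keygen
// algorithm 157 = HMAC-MD5, matching the K*.+157+*.key filename above).
key "update-rejectall" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET==";
};

// Separate key for the (possibly different) set of people allowed to query.
key "query-rejectall" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-ANOTHER-BASE64-SECRET==";
};

zone "example.vix.com" {
    type master;
    file "rejectall/example.vix.com.zone";

    // only holders of the update key may add or delete records
    allow-update { key "update-rejectall"; };

    // unsigned queries are REFUSED; the list is visible only to key holders
    allow-query { key "query-rejectall"; };

    // nobody gets the whole list via zone transfer
    allow-transfer { none; };
};
```

With allow-query restricted to a key, lookups must be signed as well, e.g. dig -y hmac-md5:query-rejectall:SECRET @justanexample.vix.com 3.2.1.10.example.vix.com A for the address 10.1.2.3. Two caveats a practitioner would want: TSIG secrets are symmetric, so anyone who can read the K*.key or named.conf can both read and (with the update key) write the list, and HMAC-MD5 is only used here because the 2004 key filename implies it; a current deployment would generate hmac-sha256 keys instead.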