<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2800.1400" name=GENERATOR>
<STYLE>@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in 1.25in; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.EmailStyle17 {
COLOR: windowtext; FONT-FAMILY: Arial
}
DIV.Section1 {
page: Section1
}
</STYLE>
</HEAD>
<BODY lang=EN-US vLink=purple link=blue>
<DIV><SPAN class=364484816-07022004><FONT face="Lucida Console" color=#0000ff
size=2>This would essentially be impossible and not a good idea. Large
volumes of hosts/zombies involved in such attacks originate from residential
cable/DSL subscribers. This user base primarily uses dynamically
assigned IP space. Hence, the IP of tonight's attacker could be the IP of
tomorrow's legitimate user. </FONT></SPAN></DIV>
<DIV><SPAN class=364484816-07022004><FONT face="Lucida Console" color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=364484816-07022004><FONT face="Lucida Console" color=#0000ff
size=2>This is the same reason that it is imperative that any complaints sent to
ISPs providing such services MUST have a time stamp (with timezone) along with
other information relative to the attack/abuse. This is the only way the
ISPs can relate the IP with the actual end user in order to contact them for
remediation.</FONT></SPAN></DIV>
<DIV><SPAN class=364484816-07022004><FONT face="Lucida Console" color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV> </DIV><!-- Converted from text/plain format -->
<P><FONT
size=2>___________________________________________________________<BR>Wayne
Gustavus, CCIE
#7426 <BR>Operations
Engineering <BR>Verizon
Internet
Services <BR>___________________________________________________________
</FONT></P>
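<P><FONT size=2>Added example, not part of the original message: a sketch of the IP-to-subscriber lookup described above, showing why a complaint timestamp needs its timezone and why the same dynamic address maps to different users over time. The lease table, subscriber labels and function names are hypothetical and constructed for illustration; the addresses come from the 192.0.2.0/24 documentation range.</FONT></P>
<PRE>
```python
from datetime import datetime, timezone

# Constructed DHCP lease log (not real data): ip, subscriber, lease start, lease end.
# 192.0.2.10 changes hands at 06:00 UTC, as dynamically assigned space does.
LEASES = [
    ("192.0.2.10", "subscriber-A", "2004-02-06T18:00:00+00:00", "2004-02-07T06:00:00+00:00"),
    ("192.0.2.10", "subscriber-B", "2004-02-07T06:00:00+00:00", "2004-02-07T18:00:00+00:00"),
    ("192.0.2.77", "subscriber-C", "2004-02-06T00:00:00+00:00", "2004-02-08T00:00:00+00:00"),
]


def parse_complaint_time(stamp):
    """Parse an ISO 8601 timestamp, insist on a UTC offset, normalise to UTC."""
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        raise ValueError("timestamp has no timezone; cannot be matched to a lease")
    return ts.astimezone(timezone.utc)


def subscriber_for(ip, stamp, leases=LEASES):
    """Return the subscriber holding `ip` at the complaint time, or None."""
    when = parse_complaint_time(stamp)
    for lease_ip, subscriber, start, end in leases:
        if lease_ip != ip:
            continue
        # Lease start is inclusive, lease end is exclusive.
        if when >= parse_complaint_time(start) and parse_complaint_time(end) > when:
            return subscriber
    return None


def candidates_without_timezone(ip, naive_stamp, offsets=("-08:00", "-05:00", "+00:00")):
    """Resolve one wall-clock time under several plausible offsets to show the ambiguity."""
    return {off: subscriber_for(ip, naive_stamp + off) for off in offsets}


if __name__ == "__main__":
    # Complaint with a timezone: resolves to exactly one lease holder.
    print(subscriber_for("192.0.2.10", "2004-02-06T23:30:00-05:00"))
    # Same address the next day: a different, uninvolved subscriber.
    print(subscriber_for("192.0.2.10", "2004-02-07T12:00:00+00:00"))
    # Same wall-clock time without a timezone: the answer depends on the guess.
    print(candidates_without_timezone("192.0.2.10", "2004-02-06T23:30:00"))
```
</PRE>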
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] <B>On Behalf Of </B>Drew
Weaver<BR><B>Sent:</B> Friday, February 06, 2004 4:15 PM<BR><B>To:</B>
nanog@merit.edu<BR><B>Subject:</B> Monumentous task of making a list of all
DDoS Zombies.<BR><BR></FONT></DIV>
<DIV class=Section1>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">
Is there a list maintained anywhere of all hosts that have been identified as
a DDoS zombie? Or attack box? We got hit with an attack from more than 60 IPs
last night and I'd like to add them to any list that anyone has
started.</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Thanks,</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">-Drew</SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN></FONT> </P></DIV></BLOCKQUOTE></BODY></HTML>