North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Monumentous task of making a list of all DDoS Zombies.

  • From: Wayne Gustavus (nanog)
  • Date: Sat Feb 07 23:49:40 2004

> -----Original Message-----
> From: Suresh Ramasubramanian [mailto:[email protected]] 
> Sent: Saturday, February 07, 2004 9:58 PM
> To: Wayne Gustavus (nanog)
> Cc: 'Drew Weaver'; [email protected]
> Subject: Re: Monumentous task of making a list of all DDoS Zombies.
> 1. It is arguable whether dynamic IPs are to be treated as legitimate 
> mailhosts.  Your colleagues in VOL mailops might tell you something 
> similar too.

No argument there.  However, the thread was originally addressing a list of
DDoS Zombies, not illegitimate SMTP mailhosts.  Arguably zombies used to
DDoS attacks are treated differently than such hosts.  We address both

> 2. An expiring list, where entries inserted are quickly expired, and 
> stats used to add to other lists (such as MAPS DUL / SORBS DUHL) is a 
> good idea, and moreover, it's already been done.

Interesting approach.  It would be conceivable that if this resource was
Widely used, miscreants could use this service to DDoS there victims without
an army of zombies :-)  I still submit that it is more advisable to address
the root of the problem by finding the true host that generated attack
traffic.  Automating this process of matching dynamic IP to customer acct 
with a timestamp and remediation is the goal.  

Wayne Gustavus, CCIE #7426                        
Operations Engineering                    
Verizon Internet Services