North American Network Operators Group


Re: Monumentous task of making a list of all DDoS Zombies.

  • From: Sean Donelan
  • Date: Sun Feb 08 02:05:27 2004

On Sun, 8 Feb 2004, Suresh Ramasubramanian wrote:
> Another thing that helps with easier identification is a practice some
> ISPs have of inserting the MAC address of the host into the reverse DNS
> record, with a short TTL.  When a new host gets that IP, the MAC address
> changes too.  I have seen at least one ISP do this - and it makes it a
> whole lot easier for the ISP to quickly identify the host, rather than
> having to trawl through RADIUS logs or whatever else.

I've made proposals like this in the past, and have investigated some of
the issues.  I don't know if the world is ready to go that far yet.

In practice MAC address tracking only works for a few very specific ISP
architectures, such as when the ISP supplies the hardware used to connect
to the network.

Tracking MAC addresses ends up requiring having to trawl through RADIUS
logs because users don't like having to tell the ISP every time they change
ethernet cards or computers.  Most end-user home routers now include
options to "clone" any MAC address to get around the MAC address
requirement of a former (bankrupt) cable ISP.

So you need to search which subscriber account was signed on with that
MAC address during the suspect time period. Vendors aren't always that
careful about assigning unique MAC addresses, and complaints aren't
always that careful about reporting the correct MAC addresses.  You
still need the time information to verify the subscriber was actually
online. For dialup users, which don't have ethernet MACs, do you
put the user's home phone number in the reverse DNS records?

How much privacy should users have or expect? One of the most common
requests from law enforcement is how can they get an "unlisted" IP
address.  The same way they get an unlisted credit card number.

Look at the hysteria over browser cookie "tracking" on the web.  The
"anti-Spyware" programs like to list lots of "spy" cookies which
anonymously track visitors to web sites. Instead of Doubleclick tracking
users with Cookies, they would be able to track the unique computers
from the MAC address in the reverse DNS record over time.

Or would this backfire, because then the hackers could find the vulnerable
computers again and again even if the IP address changes?  The hackers
could scan the ranges looking for known vulnerable MAC
addresses.  Look, someone with a MAC address assigned to equipment known
to be vulnerable.

The problems are similar if the ISP assigns some other "unique" identifier
to the subscriber and dynamically updates the reverse DNS record.

> Then, there's the little matter of ISPs implementing ingress filtering
> as per BCP38 / RFC 2827.  These DDoS zombies seem to also be used as a
> ready source of spoofed source addresses for attacks.

There are several ISPs which implement ingress filtering per
BCP38/RFC2827.  None of them have seen a change in the number of DDoS
attacks.  The people who track this kind of stuff say that most
attacks do not use spoofed addresses.

Unfortunately, the data is lacking about the effectiveness of any of
these solutions.  In the USA, the FDA requires drug producers to show
new drugs are safe and effective before being sold to the public.  There
is no such requirement for people selling security solutions.

   - Block access from IP addresses without rDNS

   - Insert MAC address into rDNS (negating previous block)

   - Implement BCP 38
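The lookup Sean describes (which subscriber was signed on with a reported MAC during the suspect time window, and whether the MAC alone is enough to name one subscriber) as an added example; this is not code from the post or from any ISP, and the RADIUS-style accounting records, account names and MAC addresses are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of RADIUS-style accounting sessions (not real data).
# Each line: account, MAC as reported, session start, session stop (UTC).
SAMPLE_SESSIONS = """\
alice,00:11:22:33:44:55,2004-02-07T20:00:00,2004-02-07T23:30:00
bob,00:11:22:33:44:55,2004-02-08T00:10:00,2004-02-08T03:00:00
carol,aa:bb:cc:dd:ee:ff,2004-02-08T01:00:00,2004-02-08T02:00:00
dave,00-11-22-33-44-55,2004-02-08T02:30:00,2004-02-08T04:00:00
"""

@dataclass
class Session:
    account: str
    mac: str
    start: datetime
    stop: datetime

def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form; abuse reports spell MACs many ways."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_sessions(text: str) -> list:
    """Parse the comma-separated accounting export into Session objects."""
    sessions = []
    for line in text.splitlines():
        if line.strip():
            account, mac, start, stop = line.split(",")
            sessions.append(Session(account, normalize_mac(mac),
                                    datetime.fromisoformat(start),
                                    datetime.fromisoformat(stop)))
    return sessions

def subscribers_for_mac(sessions, mac, window_start, window_end):
    """Accounts whose session with this MAC overlaps the suspect window.
    The time check matters: the same MAC was on other accounts earlier.
    More than one result means the MAC plus window still does not pin down
    one subscriber (cloned or vendor-duplicated MACs), so the report needs
    more evidence before anyone is contacted."""
    wanted = normalize_mac(mac)
    w_start, w_end = map(datetime.fromisoformat, (window_start, window_end))
    return sorted({s.account for s in sessions
                   if s.mac == wanted and s.start < w_end and s.stop > w_start})

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    print(subscribers_for_mac(sessions, "0011.2233.4455",
                              "2004-02-08T01:00:00", "2004-02-08T02:45:00"))
```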