North American Network Operators Group
Re: Monumentous task of making a list of all DDoS Zombies.
On Sun, 8 Feb 2004, Suresh Ramasubramanian wrote:

> Another thing that helps with easier identification is a practice some
> ISPs have of inserting the MAC address of the host into the reverse DNS
> record, with a short TTL. When a new host gets that IP, the MAC address
> changes too. I have seen at least one ISP do this - and it makes it a
> whole lot easier for the ISP to quickly identify the host, rather than
> having to trawl through RADIUS logs or whatever else.

I've made proposals like this in the past, and have investigated some of the issues. I don't know if the world is ready to go that far yet.

In practice MAC address tracking only works for a few very specific ISP architectures, such as when the ISP supplies the hardware used to connect to the network. Tracking MAC addresses ends up requiring having to trawl through RADIUS logs because users don't like having to tell the ISP every time they change ethernet cards or computers. Most end-user home routers now include options to "clone" any MAC address to get around the MAC address requirement of a former (bankrupt) cable ISP. So you need to search which subscriber account was signed on with that MAC address during the suspect time period. Vendors aren't always that careful about assigning unique MAC addresses, and complainants aren't always that careful about reporting the correct MAC addresses. You still need the time information to verify the subscriber was actually online.

For dialup users, who don't have ethernet MACs, do you put the user's home phone number in the reverse DNS records?

How much privacy should users have or expect? One of the most common requests from law enforcement is how they can get an "unlisted" IP address. The same way they get an unlisted credit card number. Look at the hysteria over browser cookie "tracking" on the web. The "anti-Spyware" programs like to list lots of "spy" cookies which anonymously track visitors to web sites. Instead of Doubleclick tracking users with cookies, they would be able to track the unique computers from the MAC address in the reverse DNS record over time.

Or would this backfire, because then the hackers could find the vulnerable computers again and again even if the IP address changes? The hackers could scan the in-addr.arpa ranges looking for known vulnerable MAC addresses. Look, someone with a MAC address assigned to equipment known to be vulnerable. The problems are similar if the ISP assigns some other "unique" identifier to the subscriber and dynamically updates the reverse DNS record.

> Then, there's the little matter of ISPs implementing ingress filtering
> as per BCP38 / RFC 2827. These DDoS zombies seem to also be used as a
> ready source of spoofed source addresses for attacks.

There are several ISPs which implement ingress filtering per BCP38/RFC2827. None of them have seen a change in the number of DDOS attacks. The people who track this kind of stuff say that most attacks do not use spoofed addresses.

Unfortunately, the data is lacking about the effectiveness of any of these solutions. In the USA, the FDA requires drug producers to show new drugs are safe and effective before being sold to the public. There is no such requirement for people selling security solutions.

- Block access from IP addresses without rDNS: Data?
- Insert MAC address into rDNS (negating the previous block): Data?
- Implement BCP 38: Data?
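The in-addr.arpa scan the reply warns about, written out as an added example that is not part of the original post or of the NANOG thread. It walks a reverse zone, pulls the MAC out of each PTR target, buckets hosts whose vendor prefix (OUI) is on a watch list, and shows how the same MAC reappearing on a new IP lets anyone re-find a box after its lease changes. The PTR naming scheme, the 192.0.2.0/24 sample addresses, the MACs and the "vulnerable" OUI table are all constructed for illustration; no real vendor prefix is implied, and the function names are this example's own.

```python
import ipaddress
import re
import socket
from collections import defaultdict

# Constructed sample reverse zone standing in for an ISP that writes the
# subscriber's MAC into the PTR record. The hostname layout (several
# separator styles, since no standard exists), the IPs (RFC 5737 range) and
# the MACs are all made up for this example.
SAMPLE_PTR = {
    "192.0.2.10": "00-11-22-aa-bb-cc.dyn.example.net.",
    "192.0.2.11": "0011.22aa.bbcd.dyn.example.net.",
    "192.0.2.12": "static-host.example.net.",
    "192.0.2.13": "00-de-ad-00-00-01.dyn.example.net.",
    "192.0.2.14": None,  # no PTR at all
    "192.0.2.15": "00-11-22-aa-bb-cc.dyn.example.net.",  # same box as .10 after a new lease
}

# Constructed OUI watch list. An attacker would fill this from a public OUI
# registry plus whatever advisories name a vendor's equipment; the prefix
# and description here are hypothetical.
VULNERABLE_OUIS = {
    "00:11:22": "ExampleCo cable modem with a published remote hole (constructed)",
}

# 12 hex digits with an optional '-', ':' or '.' between octet pairs, not glued
# to other hex characters. This is a heuristic: an unrelated hex-looking label
# in a hostname would match as well.
_MAC_RE = re.compile(r"(?i)(?<![0-9a-f])((?:[0-9a-f]{2}[-:.]?){5}[0-9a-f]{2})(?![0-9a-f])")


def extract_mac(ptr_name):
    """Return the MAC embedded in a PTR target as 'aa:bb:cc:dd:ee:ff', or None."""
    if not ptr_name:
        return None
    m = _MAC_RE.search(ptr_name)
    if not m:
        return None
    digits = re.sub(r"[-:.]", "", m.group(1)).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """First three octets: the vendor-assigned part of a universal MAC."""
    return mac[:8]


def ptr_via_system_resolver(ip):
    """Live PTR lookup through the OS resolver. Not used by the offline sample
    data; it is here to show the scan needs nothing beyond ordinary PTR queries."""
    try:
        return socket.gethostbyaddr(ip)[0] + "."
    except (socket.herror, socket.gaierror):
        return None


def scan_for_vulnerable(ptr_table, vulnerable_ouis):
    """Walk a reverse zone and bucket hosts whose MAC prefix is on the watch list."""
    hits = defaultdict(list)
    for ip in sorted(ptr_table, key=ipaddress.ip_address):
        mac = extract_mac(ptr_table[ip])
        if mac and oui(mac) in vulnerable_ouis:
            hits[oui(mac)].append((ip, mac))
    return dict(hits)


def track_hosts(ptr_table):
    """Map each embedded MAC to every IP it has appeared on: the persistent
    identifier that survives an address change."""
    seen = defaultdict(list)
    for ip in sorted(ptr_table, key=ipaddress.ip_address):
        mac = extract_mac(ptr_table[ip])
        if mac:
            seen[mac].append(ip)
    return dict(seen)


if __name__ == "__main__":
    for prefix, hosts in scan_for_vulnerable(SAMPLE_PTR, VULNERABLE_OUIS).items():
        print(f"{prefix} ({VULNERABLE_OUIS[prefix]}):")
        for ip, mac in hosts:
            print(f"  {ip}  {mac}")
    for mac, ips in track_hosts(SAMPLE_PTR).items():
        if len(ips) > 1:
            print(f"{mac} seen on {', '.join(ips)}")
```

Against the sample zone the scan flags 192.0.2.10, .11 and .15 as ExampleCo boxes, and the tracker shows 00:11:22:aa:bb:cc on both .10 and .15, which is the "find the vulnerable computer again even if the IP address changes" case. The short TTL on the PTR record does nothing to stop this; it only means the attacker re-queries more often. Any other scheme that puts a stable per-subscriber token in the PTR target, phone number or account hash included, gives the same result once the token format is known.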