North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Monumentous task of making a list of all DDoS Zombies.

  • From: Suresh Ramasubramanian
  • Date: Sun Feb 08 02:29:54 2004

Sean Donelan wrote:
In practice MAC address tracking only works for a few very specific ISP
architectures, such as when the ISP supplies the hardware used to connect
to the network.
I'm aware of these - but surely there's something about the user which you can stick into rDNS (hashed / encrypted if you like) that'll identify the user?

The problem with trojans etc is that there so damn many of them, so the less time spent actually tracking down the user who was on IP X at time Y, the better it is for the ISP's staffers who handle complaints about these.

Of course, prevention is better than cure, so another recourse the ISP has is to be proactive - setting up a scanner to sweep the host that comes up on an IP the moment the dhcp server assigns it. If not a full blown portscan or anything, then at least a quick once-over that looks for signs of the current "big problem" trojans / zombies.

There are several ISPs which implement ingress filtering per
BCP38/RFC2827.  None of them have seen a change in the number of DDOS
attacks.  The people who track this kind of stuff say that most
attacks do not use spoofed addresses.
I have heard from someone who hosts one of the mirrors for a site that is a DDoS magnet. I recall his saying that a non trivial number of attacks coming at this mirror were from spoofed source addresses.

No, I don't claim that BCP38 is a magic bullet either. But I do put it to you that the way to at least mitigate this menace include a combination of several steps -

1. Easy identifying of hosts, at least to the ISP (to avoid privacy concerns)

2. Sensible filtering practices

3. Proactive network sweeps

4. Quick and immediate isolation of infected hosts - nullroute them, or maybe VLAN them into their own corner of the 'net, where the only thing they can access over http is an ISP support page saying "please un-root your computer, or contact us at 1-800-[foo] for help and more details"

5. Cooperation with law enforcement if necessary, to track down and punish the DDoSer.