North American Network Operators Group
Re: Monumentous task of making a list of all DDoS Zombies.
Sean Donelan wrote:
>> I'm aware of these - but surely there's something about the user which you can stick into rDNS (hashed / encrypted if you like) that'll identify the user?
> In practice MAC address tracking only works for a few very specific ISP architectures, such as when the ISP supplies the hardware used to connect to the network.
The problem with trojans etc. is that there are so damn many of them, so the less time spent actually tracking down the user who was on IP X at time Y, the better it is for the ISP's staffers who handle complaints about these.
Of course, prevention is better than cure, so another recourse the ISP has is to be proactive - setting up a scanner to sweep the host that comes up on an IP the moment the dhcp server assigns it. If not a full-blown portscan or anything, then at least a quick once-over that looks for signs of the current "big problem" trojans / zombies.
>> I have heard from someone who hosts one of the mirrors for a site that is a DDoS magnet. I recall his saying that a non trivial number of attacks coming at this mirror were from spoofed source addresses.
> There are several ISPs which implement ingress filtering per BCP38/RFC2827. None of them have seen a change in the number of DDOS attacks. The people who track this kind of stuff say that most attacks do not use spoofed addresses.
No, I don't claim that BCP38 is a magic bullet either. But I do put it to you that the way to at least mitigate this menace includes a combination of several steps -
1. Easy identification of hosts, at least to the ISP (to avoid privacy concerns)
2. Sensible filtering practices
3. Proactive network sweeps
4. Quick and immediate isolation of infected hosts - nullroute them, or maybe VLAN them into their own corner of the 'net, where the only thing they can access over http is an ISP support page saying "please un-root your computer, or contact us at 1-800-[foo] for help and more details"
5. Cooperation with law enforcement if necessary, to track down and punish the DDoSer.