North American Network Operators Group


Re: Monumentous task of making a list of all DDoS Zombies.

  • From: Iljitsch van Beijnum
  • Date: Sun Feb 08 03:59:11 2004

On 8-feb-04, at 8:27, Suresh Ramasubramanian wrote:

Of course, prevention is better than cure, so another recourse the ISP has is to be proactive - setting up a scanner to sweep the host that comes up on an IP the moment the dhcp server assigns it. If not a full blown portscan or anything, then at least a quick once-over that looks for signs of the current "big problem" trojans / zombies.
Coming up with new types of probes all the time to check for this would be a huge amount of work.

I favor an approach where people no longer get to send data at high speed without the recipient's approval. Just sending data in the blind or any type of scanning could then trigger a severe rate limit or raise an alarm.

There are several ISPs which implement ingress filtering per BCP38/RFC2827. None of them have seen a change in the number of DDOS attacks. The people who track this kind of stuff say that most attacks do not use spoofed addresses.

I have heard from someone who hosts one of the mirrors for a site that is a DDoS magnet. I recall his saying that a non-trivial number of attacks coming at this mirror were from spoofed source addresses.
People need to make sure only packets with legitimate source addresses escape from their network. Period.

Unfortunately, this type of action must be performed at the source and some networks just can't be bothered.
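As an added illustration of the BCP38/RFC2827 ingress filtering discussed in this thread, the following is example code, not part of the original post: it models an ISP edge that only lets packets out whose source address belongs to a prefix assigned to that customer-facing interface, and records anything else for alerting. The prefixes and sample packets are constructed.

```python
# Added example: a BCP38/RFC2827-style source-address filter at the customer edge.
# Not from the NANOG post; the prefixes and packets below are constructed.
import ipaddress
from typing import Iterable

# Constructed: prefixes assigned to customers behind this edge interface.
# Only these may appear as source addresses on packets leaving the network.
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_legitimate_source(src: str, prefixes=ASSIGNED_PREFIXES) -> bool:
    """True if src parses as an IP address inside an assigned prefix."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is never legitimate
    return any(addr in p for p in prefixes)


def filter_egress(packets: Iterable[dict]) -> dict:
    """Apply the BCP38 rule to outbound packets.

    Returns forward/drop counts plus the list of rejected source addresses,
    which is what an operator would feed into an alarm or rate limit.
    """
    stats = {"forwarded": 0, "dropped": 0, "spoofed_sources": []}
    for pkt in packets:
        if is_legitimate_source(pkt["src"]):
            stats["forwarded"] += 1
        else:
            stats["dropped"] += 1
            stats["spoofed_sources"].append(pkt["src"])
    return stats


# Constructed sample traffic seen leaving the customer edge.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5"},      # legitimate customer host
    {"src": "198.51.100.200", "dst": "203.0.113.5"},  # outside the assigned /25: spoofed
    {"src": "203.0.113.77", "dst": "203.0.113.5"},    # claims the target's own prefix: spoofed
    {"src": "2001:db8:1::42", "dst": "2001:db8:9::1"},  # legitimate IPv6 customer host
]

if __name__ == "__main__":
    print(filter_egress(SAMPLE_PACKETS))
```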