North American Network Operators Group
Re: Monumentous task of making a list of all DDoS Zombies.
> I'm aware of these - but surely there's something about the user which
> you can stick into rDNS (hashed / encrypted if you like) that'll
> identify the user?
>
> The problem with trojans etc. is that there are so damn many of them, so the
> less time spent actually tracking down the user who was on IP X at time
> Y, the better it is for the ISP's staffers who handle complaints about
> these.

It's not that hard. I assume we are talking about dial-up, cable and xDSL users? We already log all major RADIUS events in a database and it's very easy to look up users in that db; we have a web page for CSRs (customer service representatives). Additionally, the mail server detects which of our IP ranges are sending worms and automatically disables those users... I see no gain from adding anything in DNS, like reverse records.

> Of course, prevention is better than cure, so another recourse the ISP
> has is to be proactive - setting up a scanner to sweep the host that
> comes up on an IP the moment the dhcp server assigns it. If not a full
> blown portscan or anything, then at least a quick once-over that looks
> for signs of the current "big problem" trojans / zombies.

We perform this today; the problem is, what are the signs for "big problem" trojans and zombies? If there was a tool out there that could perform scanning of computers AND knew what to look for (does this malware operate on fixed ports?) AND could be automatically updated for new malware, I would purchase such a tool. Other than scanning for the open ports, I think these zombies are regular open proxies... but that may (will?) change in the future.

> 4. Quick and immediate isolation of infected hosts - nullroute them, or
> maybe VLAN them into their own corner of the 'net, where the only thing
> they can access over http is an ISP support page saying "please un-root
> your computer, or contact us at 1-800-[foo] for help and more details"

We simply modify their passwords and log them off today. There is also an entry created in the incident tracking system. But we have it as a future goal to let them access some pages, like HouseCall etc.

Rgds,
-GSH
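The lookup the reply describes, "which user was on IP X at time Y" answered from a database of RADIUS accounting events, as an added example that is not part of the original post or of the poster's systems. The accounting log layout, the user names and the addresses below are constructed for the example; real accounting exports differ in layout but carry the same attributes (Acct-Status-Type, User-Name, Framed-IP-Address, Acct-Session-Id). The example also covers the two cases that trip up a naive "last user seen on that IP" query: an address re-assigned to a second subscriber shortly after the first disconnects, and a session that is still open with no Acct-Stop yet.

```python
"""Resolve "which subscriber held IP X at time Y" from RADIUS accounting
records. Added example; the log format and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample accounting events (not a real log). 10.1.2.3 is reused
# by "bob" about one minute after "alice" disconnects, so a lookup must
# respect session boundaries rather than pick the last user seen on the IP.
SAMPLE_ACCT_LOG = """\
2004-02-15T10:00:05Z Acct-Status-Type=Start User-Name=alice Framed-IP-Address=10.1.2.3 Acct-Session-Id=0001
2004-02-15T10:02:00Z Acct-Status-Type=Start User-Name=carol Framed-IP-Address=10.1.2.9 Acct-Session-Id=0002
2004-02-15T11:30:00Z Acct-Status-Type=Stop User-Name=alice Framed-IP-Address=10.1.2.3 Acct-Session-Id=0001
2004-02-15T11:31:10Z Acct-Status-Type=Start User-Name=bob Framed-IP-Address=10.1.2.3 Acct-Session-Id=0003
"""


@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    stop: Optional[datetime] = None  # None: still online, no Acct-Stop seen yet


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp. The abuse report and the accounting
    log must be on the same clock; keeping everything in UTC avoids the
    DST ambiguity that otherwise produces a wrong subscriber at lookup time."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sessions(log_text: str) -> List[Session]:
    """Pair Start/Stop events by Acct-Session-Id into Session objects."""
    open_by_id: Dict[str, Session] = {}
    sessions: List[Session] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, *kvs = line.split()
        attrs = dict(kv.split("=", 1) for kv in kvs)
        sid = attrs["Acct-Session-Id"]
        if attrs["Acct-Status-Type"] == "Start":
            s = Session(attrs["User-Name"], attrs["Framed-IP-Address"], parse_ts(ts_text))
            open_by_id[sid] = s
            sessions.append(s)
        elif attrs["Acct-Status-Type"] == "Stop":
            s = open_by_id.pop(sid, None)
            if s is not None:
                s.stop = parse_ts(ts_text)
            # A Stop without a matching Start (lost packet, log rotation) is ignored.
    return sessions


def who_had_ip(sessions: List[Session], ip: str, at: datetime) -> Optional[str]:
    """Return the user whose session covered `ip` at instant `at`, or None
    if the address was unassigned then (e.g. between two sessions)."""
    for s in sessions:
        if s.ip != ip:
            continue
        if s.start <= at and (s.stop is None or at < s.stop):
            return s.user
    return None


def lookup(log_text: str, ip: str, at_text: str) -> Optional[str]:
    """Convenience wrapper: the CSR-facing query, all arguments as strings."""
    return who_had_ip(build_sessions(log_text), ip, parse_ts(at_text))


if __name__ == "__main__":
    for ip, when in [("10.1.2.3", "2004-02-15T11:00:00Z"),
                     ("10.1.2.3", "2004-02-15T11:31:00Z"),
                     ("10.1.2.3", "2004-02-15T12:00:00Z")]:
        print(ip, when, "->", lookup(SAMPLE_ACCT_LOG, ip, when))
```

The half-open interval `start <= at < stop` matters: a complaint timestamped exactly at a disconnect should resolve to the session that was ending, not the one about to begin on the same address, and a session with no Stop record is treated as still active rather than dropped.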