North American Network Operators Group


Re: Monumentous task of making a list of all DDoS Zombies.

  • From: Guðbjörn Hreinsson
  • Date: Sun Feb 08 12:22:34 2004

> I'm aware of these - but surely there's something about the user which
> you can stick into rDNS (hashed / encrypted if you like) that'll
> identify the user?
> The problem with trojans etc is that there are so damn many of them, so the
> less time spent actually tracking down the user who was on IP X at time
> Y, the better it is for the ISP's staffers who handle complaints about
> these.

It's not that hard. I assume we are talking about dial-up, cable and xDSL
users? We already log all major RADIUS events in a database and it's very
easy to look up users in that DB; we have a web page for CSRs (customer
service representatives). Additionally, the mail server detects which of our
IP ranges is sending worms and automatically disables those users... I see
no gain from adding anything in DNS, like reverse records.

> Of course, prevention is better than cure, so another recourse the ISP
> has is to be proactive - setting up a scanner to sweep the host that
> comes up on an IP the moment the dhcp server assigns it.  If not a full
> blown portscan or anything, then at least a quick once-over that looks
> for signs of the current "big problem" trojans / zombies.

We perform this today; the problem is, what are the signs for "big problem"
trojans and zombies? If there was a tool out there that could perform
of computers AND knew what to look for (does this malware operate
on fixed ports) AND could be automatically updated for new malware, I would
purchase such a tool. Other than scanning for the open ports, I think these
zombies are regular open proxies... but that may (will?) change in the

> 4. Quick and immediate isolation of infected hosts - nullroute them, or
> maybe VLAN them into their own corner of the 'net, where the only thing
> they can access over http is an ISP support page saying "please un-root
> your computer, or contact us at 1-800-[foo] for help and more details"

We simply modify their passwords and log them off today. There is also
an entry created in the incident tracking system. But we have it as a
future goal to let them access some pages, like HouseCall etc.
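The lookup the reply describes (which user held IP X at time Y, answered from logged RADIUS accounting events rather than from rDNS), as an added example that is not part of the post or of any ISP's system; the accounting rows are constructed and the helper names are hypothetical:

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed RADIUS accounting events (not from the post): the kind of rows an
# ISP keeps in its accounting database. Attribute names are the standard RADIUS
# accounting attributes; timestamps are UTC. Note the same IP is reused by a
# second subscriber once the first session ends, which is why the time matters.
ACCT_EVENTS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "a1", "User-Name": "alice",
     "Framed-IP-Address": "10.1.2.3", "Timestamp": "2004-02-08 10:00:00"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "a1", "User-Name": "alice",
     "Framed-IP-Address": "10.1.2.3", "Timestamp": "2004-02-08 11:30:00"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "b7", "User-Name": "bob",
     "Framed-IP-Address": "10.1.2.3", "Timestamp": "2004-02-08 11:31:00"},
    # bob's session is still open: no Stop record has arrived yet.
]


def _ts(s: str) -> datetime:
    # Complaint timestamps arrive in assorted zones; normalise everything to UTC.
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def build_sessions(events):
    """Pair Start/Stop records by Acct-Session-Id into session dicts.
    A session with no Stop record is still active and keeps end=None;
    a stray Stop with no matching Start is dropped."""
    sessions = {}
    for ev in events:
        s = sessions.setdefault(ev["Acct-Session-Id"], {
            "user": ev["User-Name"], "ip": ev["Framed-IP-Address"],
            "start": None, "end": None})
        if ev["Acct-Status-Type"] == "Start":
            s["start"] = _ts(ev["Timestamp"])
        elif ev["Acct-Status-Type"] == "Stop":
            s["end"] = _ts(ev["Timestamp"])
    return [s for s in sessions.values() if s["start"] is not None]


def who_had_ip(sessions, ip: str, when: str) -> Optional[str]:
    """Answer 'which user was on IP X at time Y'. Returns the user name, or
    None when no session covered that address at that instant (e.g. the gap
    between one subscriber's Stop and the next subscriber's Start)."""
    t = _ts(when)
    for s in sessions:
        if s["ip"] != ip or t < s["start"]:
            continue
        if s["end"] is None or t <= s["end"]:
            return s["user"]
    return None
```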