North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Monumentous task of making a list of all DDoS Zombies.
On Sun, 8 Feb 2004, Suresh Ramasubramanian wrote: > > In practice MAC address tracking only works for a few very specific ISP > > architectures, such as when the ISP supplies the hardware used to connect > > to the network. > > I'm aware of these - but surely there's something about the user which > you can stick into rDNS (hashed / encrypted if you like) that'll > identify the user? But I still don't understand why an ISP unwilling to spend the money to trace uses with RADIUS or other existing methods; is going to want to spend money on interfacing their systems with Dynamic DNS servers and new systems to generate DNS cookies. It increases their cost, and doesn't provide any additional information which they have in their existing systems. On the other hand, if we don't care too much for the privacy implications it would benefit 3rd parties wanting to keep track of individual computers. It would help ISPs, because 3rd parties could take more effective action on their own to ignore traffic from particular computers. Digital rightes management, password guessing, IRC bans, mail blocks, etc could work much more effectively if ISPs provided a unique identifier for subscribers. If software and hardware vendors included a hard-coded unique identifier in every computer, it would be even more effective. Intel has proposed this in the past. Microsoft has a GUID concept for its software. But is the world really ready for this level of identification and tracking? > The problem with trojans etc is that there so damn many of them, so the > less time spent actually tracking down the user who was on IP X at time > Y, the better it is for the ISP's staffers who handle complaints about > these. As you point out, there are a lot of them. But the goal should be to NOT have the ISP's staffers handle individual complaints. Any "solution" which requires staff to assess and respond individually is not an improvement. That's why I proposed the ICMP Go Away message. > Of course, prevention is better than cure, so another recourse the ISP > has is to be proactive - setting up a scanner to sweep the host that > comes up on an IP the moment the dhcp server assigns it. If not a full > blown portscan or anything, then at least a quick once-over that looks > for signs of the current "big problem" trojans / zombies. I assume you are aware that one of the fastest growing trojan segments includes trojans which can not be detected by port scanners. You are correct that prevention is better than the cure. Unfortunately you've misidentified the point of prevention. The software vendor is in the best position to prevent systems being compromised. A change at Microsoft can prevent 60-70 million computers a year from being vulnerable. As an ISP, even AOL can't fix that many computers. > I have heard from someone who hosts one of the mirrors for a site that > is a DDoS magnet. I recall his saying that a non trivial number of > attacks coming at this mirror were from spoofed source addresses. The number of spoofed packets received has very little to do with the number of sources of spoofed packets. But again, it points out the lack of hard data. Yesterday, a red car cut me off, so obviously the problem is red cars and we should prohibit all red cars. Is there any difference in the number of attacks between networks which have deployed BCP38 and networks which haven't? Or perhaps the problem is with the computers connected to the networks, not the networks. > No, I don't claim that BCP38 is a magic bullet either. But I do put it > to you that the way to at least mitigate this menace include a > combination of several steps - > > 1. Easy identifying of hosts, at least to the ISP (to avoid privacy > concerns) By whom? Should anyone be able to identify any host any time, or is it only necessary for inter-connected providers to identify the next provider in the chain? Should end-users be complaining to their own provider (i.e. the ISP they are paying money) or calling 3rd party ISPs which have no method to identify who is making the complaint? > 2. Sensible filtering practices Filter for what? What is considered sensible? > 3. Proactive network sweeps Sweeps for what? > 4. Quick and immediate isolation of infected hosts - nullroute them, or > maybe VLAN them into their own corner of the 'net, where the only thing > they can access over http is an ISP support page saying "please un-root > your computer, or contact us at 1-800-[foo] for help and more details" Of course you meant to say contact the person who sold you your computer for help fixing your computer. The police write tickets, they don't fix cars. > 5. Cooperation with law enforcement if necessary, to track down and > punish the DDoSer. Of course, the original issue was PTR records for spam, not DDOS. But this isn't the first time people have changed in the middle of a thread. Which ISPs are not cooperating with law enforcement? In the US, if you receive harrassing or threatening phone calls, you have to file a police report. The telephone company only provides the information about the source of the calls to the police for followup. How many people file police reports for spam, ddos, etc.