North American Network Operators Group


Re: Monumentous task of making a list of all DDoS Zombies.

  • From: Sean Donelan
  • Date: Sun Feb 08 17:23:55 2004

On Sun, 8 Feb 2004, Suresh Ramasubramanian wrote:
> > In practice MAC address tracking only works for a few very specific ISP
> > architectures, such as when the ISP supplies the hardware used to connect
> > to the network.
>
> I'm aware of these - but surely there's something about the user which
> you can stick into rDNS (hashed / encrypted if you like) that'll
> identify the user?

But I still don't understand why an ISP unwilling to spend the money
to trace users with RADIUS or other existing methods is going to want
to spend money on interfacing their systems with Dynamic DNS servers and
new systems to generate DNS cookies.  It increases their cost, and
doesn't provide any additional information which they have in their
existing systems.

On the other hand, if we don't care too much for the privacy implications
it would benefit 3rd parties wanting to keep track of individual
computers.  It would help ISPs, because 3rd parties could take more
effective action on their own to ignore traffic from particular computers.

Digital rights management, password guessing, IRC bans, mail blocks, etc.
could work much more effectively if ISPs provided a unique identifier for
subscribers.  If software and hardware vendors included a hard-coded
unique identifier in every computer, it would be even more effective.
Intel has proposed this in the past.  Microsoft has a GUID concept for
its software.

But is the world really ready for this level of identification and
tracking?

> The problem with trojans etc is that there so damn many of them, so the
> less time spent actually tracking down the user who was on IP X at time
> Y, the better it is for the ISP's staffers who handle complaints about
> these.

As you point out, there are a lot of them.  But the goal should be to
NOT have the ISP's staffers handle individual complaints.  Any "solution"
which requires staff to assess and respond individually is not an
improvement.

That's why I proposed the ICMP Go Away message.


> Of course, prevention is better than cure, so another recourse the ISP
> has is to be proactive - setting up a scanner to sweep the host that
> comes up on an IP the moment the dhcp server assigns it.  If not a full
> blown portscan or anything, then at least a quick once-over that looks
> for signs of the current "big problem" trojans / zombies.

I assume you are aware that one of the fastest growing trojan segments
includes trojans which cannot be detected by port scanners.

You are correct that prevention is better than the cure.  Unfortunately
you've misidentified the point of prevention.  The software vendor is
in the best position to prevent systems being compromised.  A change at
Microsoft can prevent 60-70 million computers a year from being
vulnerable.  As an ISP, even AOL can't fix that many computers.


> I have heard from someone who hosts one of the mirrors for a site that
> is a DDoS magnet. I recall his saying that a non trivial number of
> attacks coming at this mirror were from spoofed source addresses.

The number of spoofed packets received has very little to do with the
number of sources of spoofed packets.  But again, it points out the
lack of hard data.  Yesterday, a red car cut me off, so obviously the
problem is red cars and we should prohibit all red cars.

Is there any difference in the number of attacks between networks which
have deployed BCP38 and networks which haven't?  Or perhaps the problem
is with the computers connected to the networks, not the networks.


> No, I don't claim that BCP38 is a magic bullet either.  But I do put it
> to you that the way to at least mitigate this menace include a
> combination of several steps -
>
> 1. Easy identifying of hosts, at least to the ISP (to avoid privacy
> concerns)

By whom?  Should anyone be able to identify any host any time, or is it
only necessary for inter-connected providers to identify the next provider
in the chain?  Should end-users be complaining to their own provider (i.e.
the ISP they are paying money) or calling 3rd party ISPs which have no
method to identify who is making the complaint?


> 2. Sensible filtering practices

Filter for what?  What is considered sensible?


> 3. Proactive network sweeps

Sweeps for what?


> 4. Quick and immediate isolation of infected hosts - nullroute them, or
> maybe VLAN them into their own corner of the 'net, where the only thing
> they can access over http is an ISP support page saying "please un-root
> your computer, or contact us at 1-800-[foo] for help and more details"

Of course you meant to say contact the person who sold you your computer
for help fixing your computer.  The police write tickets, they don't
fix cars.

> 5. Cooperation with law enforcement if necessary, to track down and
> punish the DDoSer.

Of course, the original issue was PTR records for spam, not DDoS.  But
this isn't the first time people have changed in the middle of a thread.

Which ISPs are not cooperating with law enforcement?

In the US, if you receive harassing or threatening phone calls, you have
to file a police report.  The telephone company only provides the
information about the source of the calls to the police for followup.

How many people file police reports for spam, DDoS, etc.?
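The "hashed / encrypted" subscriber identifier in rDNS that the quoted reply suggests, and the tracking consequence Sean raises against it, can both be made concrete. The following is an added illustration written for this page, not code from either poster or from any ISP; the account IDs, addresses, zone name and secret key are all constructed for the example. It builds a PTR target from a keyed, truncated HMAC of the account ID, shows that a bare hash of a small ID space is no protection against a third party enumerating it, and shows that even the keyed token is a stable identifier that follows the subscriber from one dynamic address to the next, which is exactly what lets third parties track individual computers.

```python
import hmac
import hashlib
import ipaddress

# Constructed sample data (hypothetical): subscriber account IDs and the
# dynamic addresses they were handed over time.
SECRET_KEY = b"example-isp-secret-rotate-me"  # hypothetical ISP-held key
LEASES = [
    ("acct-10042", "192.0.2.17"),
    ("acct-10042", "192.0.2.88"),  # same subscriber, a later lease
    ("acct-20077", "192.0.2.17"),  # a different subscriber reusing the address
]


def subscriber_token(account_id, key=SECRET_KEY, length=12):
    """Keyed, truncated HMAC-SHA256 of the account ID.

    Keyed rather than a bare hash so that a third party without the key
    cannot recover the account ID by hashing the (small) space of plausible
    IDs; truncated to a short hex label so it fits in a DNS name.
    """
    mac = hmac.new(key, account_id.encode(), hashlib.sha256).hexdigest()
    return mac[:length]


def ptr_record(ip, account_id, zone="dyn.example.net"):
    """Return (owner name, PTR target) for the reverse zone entry."""
    owner = ipaddress.ip_address(ip).reverse_pointer  # 17.2.0.192.in-addr.arpa
    target = "%s.%s." % (subscriber_token(account_id), zone)
    return owner, target


def bare_hash_token(account_id, length=12):
    """The weak variant: an unkeyed hash of the account ID."""
    return hashlib.sha256(account_id.encode()).hexdigest()[:length]


def enumerate_unkeyed(token, candidates):
    """Recover the account ID behind an unkeyed token by trying candidates.

    Anyone who can guess the ID format can do this, so an unkeyed hash
    hides nothing from a determined third party.
    """
    for candidate in candidates:
        if bare_hash_token(candidate) == token:
            return candidate
    return None


def trackable_across_leases(leases):
    """Group leases by PTR token: one token mapping to several addresses means
    the token, not the address, identifies the subscriber to outsiders."""
    seen = {}
    for account_id, ip in leases:
        seen.setdefault(subscriber_token(account_id), []).append(ip)
    return seen


if __name__ == "__main__":
    for account_id, ip in LEASES:
        print("%s PTR %s" % ptr_record(ip, account_id))
    print(trackable_across_leases(LEASES))
```

The keyed token is only as private as the key and the ISP's willingness to rotate it; rotating it changes every PTR target, which defeats the third-party blocklists the thread describes as the main beneficiary. That tension is the trade-off the post is pointing at.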