North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Monumentous task of making a list of all DDoS Zombies.

  • From: Suresh Ramasubramanian
  • Date: Sun Feb 08 22:00:07 2004

Guðbjörn Hreinsson wrote:

ip ranges is sending worms and automatically disables those users... I see
no gain from adding anything in DNS, like reverse records.
well, rDNS is just one way. If you have some relatively automated (and automatic, easy to trigger from your mailserver logs, your router / ids logs etc) system to disable users, without having your NOC guys manually paste stuff into a form / fire up your db and execute queries manually, then cool.

We perform this today, the problem is, what are the signs for "big problem"
trojans and zombies? If there was a tool out there that could perform
Well, sticking an IDS on outbound traffic might not scale - especially across a large dialup pool. But there are other things to do, such as filtering the commonly used methods of worm propogation (windows shares, port 25 outbound from your dynamic IPs ..)

purchase such a tool. Other than scanning for the open ports, I think these
zombies are regular open proxies... but that may (will?) change in the
They are proxies on a random high port - but sometimes they do phone home to a particular source etc. Lots of people perform trojan analysis, and I assume a regular update of these, fed into a cut down version of an IDS, might help.