North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Monumentous task of making a list of all DDoS Zombies.
Guðbjörn Hreinsson wrote:
well, rDNS is just one way. If you have some relatively automated (and automatic, easy to trigger from your mailserver logs, your router / ids logs etc) system to disable users, without having your NOC guys manually paste stuff into a form / fire up your db and execute queries manually, then cool.ip ranges is sending worms and automatically disables those users... I see no gain from adding anything in DNS, like reverse records.
Well, sticking an IDS on outbound traffic might not scale - especially across a large dialup pool. But there are other things to do, such as filtering the commonly used methods of worm propogation (windows shares, port 25 outbound from your dynamic IPs ..)We perform this today, the problem is, what are the signs for "big problem" trojans and zombies? If there was a tool out there that could perform scanning
They are proxies on a random high port - but sometimes they do phone home to a particular source etc. Lots of people perform trojan analysis, and I assume a regular update of these, fed into a cut down version of an IDS, might help.purchase such a tool. Other than scanning for the open ports, I think these zombies are regular open proxies... but that may (will?) change in the