North American Network Operators Group


RE: Monumentous task of making a list of all DDoS Zombies.

  • From: Steve Birnbaum
  • Date: Tue Feb 10 04:50:54 2004

 
> Your staff will still get a ton of complaints. If these can
> be parsed by a script that looks for virus / trojan strings in the
> complaint, extracts the IP (or has your NOC dude just click the IP in his
> ticketing system, like in RT + IRTT) and the account just goes away - then
> fine.

So you want a major ISP to simply automatically disable accounts of its
users based only on automated detection of an IP address and timestamp in
something that APPEARS to be a complaint to an automated script?

Do you want to start a pool to see how long it will take before the
dictionary complaints start rolling in once such a system becomes publicly
known?

There is a reason why there are humans (overworked, unfortunately) handling
abuse complaints.  Make it easy, sure...but make it easy for the human to be
able to properly inspect the complaint to see if it's legitimate BEFORE
doing anything.

But to the original issue of accountability.  If an ISP can't write a simple
tool to take an IP address & timestamp and spit out a username from radius
logs, how do you expect them to implement a hash-based rdns tagging system?

Steve

----
Steve Birnbaum		SkyVision Global Networks
Phone: +44 20 83871750	Email: [email protected]
Note that it is never the fall that kills, it's the landing.
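
The lookup the message describes (IP address and timestamp in, username out), as an added example that is not part of the original post. It assumes FreeRADIUS-style `detail` accounting records and that the complaint and the logs use the same time zone; the sample records, usernames and function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample in FreeRADIUS-style "detail" layout (assumed format).
SAMPLE = """\
Tue Feb 10 03:10:00 2004
\tUser-Name = "alice"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "A1"
\tFramed-IP-Address = 192.0.2.10

Tue Feb 10 04:00:00 2004
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "A1"
\tFramed-IP-Address = 192.0.2.10

Tue Feb 10 04:05:00 2004
\tUser-Name = "bob"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "B7"
\tFramed-IP-Address = 192.0.2.10
"""
FMT = "%a %b %d %H:%M:%S %Y"

def parse_sessions(text):
    """Pair Start/Stop records into (user, ip, start, stop-or-None) tuples."""
    open_sessions, done = {}, []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        when = datetime.strptime(lines[0].strip(), FMT)
        rec = dict(l.strip().split(" = ", 1) for l in lines[1:])
        rec = {k: v.strip('"') for k, v in rec.items()}
        key = (rec["Acct-Session-Id"], rec["Framed-IP-Address"])
        if rec["Acct-Status-Type"] == "Start":
            open_sessions[key] = (rec["User-Name"], when)
        elif rec["Acct-Status-Type"] == "Stop" and key in open_sessions:
            user, start = open_sessions.pop(key)
            done.append((user, key[1], start, when))
    # Sessions with no Stop record are still open (or the Stop was lost).
    done += [(u, k[1], s, None) for k, (u, s) in open_sessions.items()]
    return done

def who_had(text, ip, when):
    """Return the one username holding `ip` at `when`, else None."""
    hits = {u for u, sip, start, stop in parse_sessions(text)
            if sip == ip and start <= when and (stop is None or when <= stop)}
    # No match or more than one match: leave it for a human to review.
    return hits.pop() if len(hits) == 1 else None
```

The same address maps to different users 90 minutes apart, and a timestamp that falls between leases or matches two open sessions returns `None` rather than a guess.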