North American Network Operators Group


Re: Monumentous task of making a list of all DDoS Zombies.

  • From: Suresh Ramasubramanian
  • Date: Tue Feb 10 04:59:34 2004

Steve Birnbaum wrote:

> So you want a major ISP to simply automatically disable accounts of its
> users based only on automated detection of an IP address and timestamp in
> something that APPEARS to be a complaint to an automated script?

You have two things confused from my previous mail.

1. Set up router / IDS acls that look for outbound / inbound traffic that is characteristic of worms (or whatever), and have the accounts deactivated based on that.

2. Set up your NOC to use a sensible ticket system optimized for incident handling (RTIR + RT3, and Abacus seem to be the only contenders so far according to a recent discussion I had with admins on another list).

A lot of the NOCs use ticketing systems that are either designed for customer service apps (like Kana), or sometimes - I kid you not - use IMAP accounts, excel (or at least csv) worksheets and a maze of shell and perl hacks that are somewhat, but not quite like, a ticketing system.

This system I described must have wired into it easy ways to grab user information from radius etc, append IPs to block into a text file that can be grabbed by a cronjob and synced into router ACLs after sanity checking etc.

And of course if the NOC guy is smart enough, he knows enough to weed out obviously bogus complaints [including the GWF / Goober With Firewall ones, as one of my friends once put it - the complaints generated by those fancy "software firewall" programs] before deactivating accounts.

> There is a reason why there are humans (overworked, unfortunately) handling
> abuse complaints.  Make it easy, sure...but make it easy for the human to be

Yes. I'm one such person as it happens. And all I ask is that it be made easy.
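The "sanity checking" step mentioned above, where a text file of IPs appended by the abuse desk is picked up by a cron job and turned into router ACL entries, is the part that keeps a fat-fingered line from black-holing half the Internet. The script below is an added example and is not code from this thread or from any NOC's tooling. It assumes a plain text file with one IP or CIDR per line and `#` comments, a hypothetical never-block list of the ISP's own ranges, a minimum prefix length of /24 (v4) and /48 (v6), and Cisco-style ACL output; the sample blocklist is constructed and uses RFC 5737 documentation addresses as stand-ins for real customer IPs (which is why it checks an explicit reserved list rather than `ipaddress`'s `is_private`, which also flags those documentation ranges).

```python
"""Sanity-check an abuse-desk blocklist before it is rendered into router ACLs.

Added example, not the thread's own code. Every range, threshold and the ACL
syntax are assumptions stated in the lead-in.
"""
import ipaddress

# Constructed sample of what an abuse desk might append over a shift.
SAMPLE_BLOCKLIST = """\
# abuse-desk blocklist, one entry per line (constructed sample)
198.51.100.23      # ticket 1234
203.0.113.0/24     # ticket 1235
198.51.100.23      # same host pasted twice
10.0.0.5           # RFC 1918 space, should never reach the edge ACL
192.0.2.0/8        # fat-fingered mask, would black-hole far too much
0.0.0.0/0
not-an-ip
198.51.100.200     # inside the never-block range
"""

# Address space that must never be pushed to an edge ACL (RFC 1918, loopback,
# link-local, multicast, class E, "this" network). Assumed list.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]

# Hypothetical: the ISP's own infrastructure / monitoring ranges (constructed).
NEVER_BLOCK = [ipaddress.ip_network("198.51.100.128/25")]

# Refuse anything coarser than these prefixes (assumption: a /23 is a typo,
# not a deliberate block).
MIN_PREFIX = {4: 24, 6: 48}


def parse_entries(text):
    """Yield (line_number, token) for non-empty, non-comment lines."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        token = raw.split("#", 1)[0].strip()
        if token:
            out.append((lineno, token))
    return out


def sanity_check(text, never_block=NEVER_BLOCK, reserved=RESERVED, min_prefix=MIN_PREFIX):
    """Return (accepted_networks, rejections).

    rejections is a list of (line_number, token, reason) so the NOC human can
    see exactly which line was dropped and why, instead of silently losing it.
    """
    accepted, rejects, seen = [], [], set()
    for lineno, token in parse_entries(text):
        try:
            # strict=False lets "203.0.113.5/24" through as 203.0.113.0/24
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejects.append((lineno, token, "not a valid IP or CIDR"))
            continue
        if net.prefixlen < min_prefix[net.version]:
            rejects.append((lineno, token,
                            f"prefix /{net.prefixlen} is coarser than /{min_prefix[net.version]}"))
            continue
        if any(r.version == net.version and net.overlaps(r) for r in reserved):
            rejects.append((lineno, token, "overlaps reserved / non-routable space"))
            continue
        if any(s.version == net.version and net.overlaps(s) for s in never_block):
            rejects.append((lineno, token, "overlaps a never-block range"))
            continue
        if net in seen:
            rejects.append((lineno, token, "duplicate entry"))
            continue
        seen.add(net)
        accepted.append(net)
    return accepted, rejects


def render_acl(networks):
    """Render accepted networks as Cisco-style ACL lines (syntax is an assumption).

    IPv4 uses the wildcard (host) mask; IPv6 uses prefix notation. The trailing
    permit keeps the ACL from turning into a deny-all once it is applied.
    """
    lines = []
    for net in networks:
        if net.version == 4:
            lines.append(f"deny ip {net.network_address} {net.hostmask} any")
        else:
            lines.append(f"deny ipv6 {net} any")
    lines.append("permit ip any any")
    return lines


if __name__ == "__main__":
    ok, bad = sanity_check(SAMPLE_BLOCKLIST)
    for lineno, token, reason in bad:
        print(f"REJECT line {lineno}: {token!r}: {reason}")
    print("\n".join(render_acl(ok)))
```

In a cron job the rejects would go to the ticket queue rather than stdout, and the rendered ACL would be diffed against the currently applied one before any push, so a human still signs off on what reaches the routers.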