North American Network Operators Group
Re: Monumentous task of making a list of all DDoS Zombies.
Steve Birnbaum wrote:

> Hi
>
> So you want a major ISP to simply automatically disable accounts of its users based only on automated detection of an IP address and timestamp in something that APPEARS to be a complaint to an automated script?

You have two things confused from my previous mail.

1. Set up router / IDS acls that look for outbound / inbound traffic that is characteristic of worms (or whatever), and have the accounts deactivated based on that.

2. Set up your NOC to use a sensible ticket system optimized for incident handling (RTIR + RT3, and Abacus seem to be the only contenders so far according to a recent discussion I had with admins on another list). A lot of the NOCs use ticketing systems that are either designed for customer service apps (like Kana), or sometimes - I kid you not - use IMAP accounts, excel (or at least csv) worksheets and a maze of shell and perl hacks that are somewhat, but not quite like, a ticketing system.

This system I described must have wired into it easy ways to grab user information from radius etc, append IPs to block into a text file that can be grabbed by a cronjob and synced into router ACLs after sanity checking etc. And of course if the NOC guy is smart enough, he knows enough to weed out obviously bogus complaints [including the GWF / Goober With Firewall ones, as one of my friends once put it - the complaints generated by those fancy "software firewall" programs] before deactivating accounts.

Yes. I'm one such person as it happens. And all I ask is that it be made easy.

There is a reason why there are humans (overworked, unfortunately) handling abuse complaints. Make it easy, sure...but make it easy for the human to be

srs
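The "text file grabbed by a cronjob and synced into router ACLs after sanity checking" step above, as an added example that is not from the list post or any NOC's real tooling: the blocklist contents, the infrastructure allowlist, the /24 size limit and the Cisco IOS ACL output format are all constructed assumptions; entries that fail a check are handed back to a human rather than silently dropped.

```python
import ipaddress
# Constructed sample of the "IPs to block" file a NOC ticket workflow appends to (with "# ticket" notes).
SAMPLE_BLOCKLIST = """\
203.0.113.45        # RT#1234 outbound SYN flood
198.51.100.0/24     # RT#1235 scanning from the whole /24
10.0.0.7            # GWF complaint about RFC1918 space: never reachable from outside
192.0.2.1           # constructed: our own router loopback, must never be blocked
not-an-ip           # typo in the ticket
203.0.113.45        # duplicate of RT#1234
0.0.0.0/0           # fat-fingered default route
"""
# Constructed allowlist of the provider's own infrastructure prefixes (IPv4 only here).
INFRA_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/28")]
# Address space that can never be a real remote zombie; blocking it is noise at best.
BOGONS = [ipaddress.ip_network(p) for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
          "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
MAX_PREFIX_SIZE = 256  # anything wider than a /24 needs a human, not a cron job


def _overlaps(net, nets):
    return any(net.version == n.version and (net.subnet_of(n) or n.subnet_of(net)) for n in nets)


def sanity_check(lines, allowlist=INFRA_ALLOWLIST):
    """Return (accepted, rejected): accepted is sorted ip_network objects, rejected is (entry, reason) pairs."""
    accepted, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # drop the ticket comment
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "unparseable address"))
            continue
        if net.num_addresses > MAX_PREFIX_SIZE:
            rejected.append((entry, "prefix too wide for automatic blocking"))
        elif _overlaps(net, BOGONS):
            rejected.append((entry, "bogon / non-routable space"))
        elif _overlaps(net, allowlist):
            rejected.append((entry, "overlaps own infrastructure"))
        elif net in accepted:
            rejected.append((entry, "duplicate"))
        else:
            accepted.append(net)
    return sorted(accepted, key=lambda n: (n.version, n)), rejected


def to_cisco_acl(nets, acl_name="DDOS-ZOMBIES"):
    """Render accepted IPv4 networks as Cisco IOS extended-ACL deny lines, then permit the rest."""
    out = [f"ip access-list extended {acl_name}"]
    out += [f" deny ip {n.network_address} {n.hostmask} any" for n in nets if n.version == 4]
    return "\n".join(out + [" permit ip any any"])
```

Run from cron, the rejected list is what goes back into the ticket queue; only the accepted list is pushed to the routers.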