[67301] in North American Network Operators' Group
RE: Monumentous task of making a list of all DDoS Zombies.
daemon@ATHENA.MIT.EDU (Wayne Gustavus (nanog))
Sat Feb 7 11:57:47 2004
From: "Wayne Gustavus (nanog)" <nanog@wgustavus.com>
To: "'Drew Weaver'" <drew.weaver@thenap.com>, <nanog@merit.edu>
Date: Sat, 7 Feb 2004 11:56:28 -0500
In-Reply-To: <75634F04BFCFD511BF69009027DC8649ACC912@mailman.thenap.com>
Errors-To: owner-nanog-outgoing@merit.edu
This is a multi-part message in MIME format.
------=_NextPart_000_0013_01C3ED71.6BB112C0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
This would essentially be impossible and not a good idea. Large volumes =
of
hosts/zombies involved in such attacks originate from residential =
cable/dsl
subscribers. This user base primarily uses dynamically assigned IP =
space.
Hence, the IP of tonight's attacker could be the IP of tomorrow's =
legitimate
user.=20
=20
This is the same reason that it is imperative that any complaints sent =
to
ISPs providing such services MUST have a time stamp (with timezone) =
along
with other information relative to the attack/abuse. This is the only =
way
the ISPs can relate the IP with the actual enduser in order to contact =
them
for remediation.
=20
=20
=20
=20
___________________________________________________________
Wayne Gustavus, CCIE #7426 =20
Operations Engineering =20
Verizon Internet Services =20
___________________________________________________________=20
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of =
Drew
Weaver
Sent: Friday, February 06, 2004 4:15 PM
To: nanog@merit.edu
Subject: Monumentous task of making a list of all DDoS Zombies.
Is there a list maintained anywhere of all hosts that have =
been
identified as a DDoS zombie? Or attack box? We got hit with an attack =
from
more than 60 IPs last night and I'd like to add them to any list that =
anyone
has started.
=20
Thanks,
-Drew
=20
------=_NextPart_000_0013_01C3ED71.6BB112C0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<TITLE>Message</TITLE>
<META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR>
<STYLE>@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in =
1.25in; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.EmailStyle17 {
COLOR: windowtext; FONT-FAMILY: Arial
}
DIV.Section1 {
page: Section1
}
</STYLE>
</HEAD>
<BODY lang=3DEN-US vLink=3Dpurple link=3Dblue>
<DIV><SPAN class=3D364484816-07022004><FONT face=3D"Lucida Console" =
color=3D#0000ff=20
size=3D2>This would essentially be impossible and not a good idea. =
Large=20
volumes of hosts/zombies involved in such attacks originate from =
residential=20
cable/dsl subscribers. This user base primarily uses =
dynamically=20
assigned IP space. Hence, the IP of tonight's attacker could be =
the IP of=20
tomorrow's legitimate user. </FONT></SPAN></DIV>
<DIV><SPAN class=3D364484816-07022004><FONT face=3D"Lucida Console" =
color=3D#0000ff=20
size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D364484816-07022004><FONT face=3D"Lucida Console" =
color=3D#0000ff=20
size=3D2>This is the same reason that it is imperative that any =
complaints sent to=20
ISPs providing such services MUST have a time stamp (with timezone) =
along with=20
other information relative to the attack/abuse. This is the only =
way the=20
ISPs can relate the IP with the actual enduser in order to contact them =
for=20
remediation.</FONT></SPAN></DIV>
<DIV><SPAN class=3D364484816-07022004><FONT face=3D"Lucida Console" =
color=3D#0000ff=20
size=3D2></FONT></SPAN> </DIV>
<DIV><SPAN class=3D364484816-07022004></SPAN> </DIV>
<DIV> </DIV>
<DIV> </DIV><!-- Converted from text/plain format -->
<P><FONT=20
size=3D2>___________________________________________________________<BR>W=
ayne=20
Gustavus, CCIE=20
#7426 &n=
bsp; <BR=
>Operations=20
Engineering &n=
bsp; <BR>Verizon=20
Internet=20
Services  =
; <BR>__=
_________________________________________________________=20
</FONT></P>
<BLOCKQUOTE dir=3Dltr=20
style=3D"PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px =
solid; MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr =
align=3Dleft><FONT=20
face=3DTahoma size=3D2>-----Original Message-----<BR><B>From:</B>=20
owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] <B>On Behalf Of =
</B>Drew=20
Weaver<BR><B>Sent:</B> Friday, February 06, 2004 4:15 PM<BR><B>To:</B> =
nanog@merit.edu<BR><B>Subject:</B> Monumentous task of making a list =
of all=20
DDoS Zombies.<BR><BR></FONT></DIV>
<DIV class=3DSection1>
<P class=3DMsoNormal><FONT face=3DArial size=3D2><SPAN=20
style=3D"FONT-SIZE: 10pt; FONT-FAMILY: =
Arial"> =
=20
Is there a list maintained anywhere of all hosts that have been =
identified as=20
a DDoS zombie? Or attack box? We got hit with an attack from more than =
60 IPs=20
last night and I'd like to add them to any list that anyone has=20
started.</SPAN></FONT></P>
<P class=3DMsoNormal><FONT face=3DArial size=3D2><SPAN=20
style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN></FONT> </P>
<P class=3DMsoNormal><FONT face=3DArial size=3D2><SPAN=20
style=3D"FONT-SIZE: 10pt; FONT-FAMILY: =
Arial">Thanks,</SPAN></FONT></P>
<P class=3DMsoNormal><FONT face=3DArial size=3D2><SPAN=20
style=3D"FONT-SIZE: 10pt; FONT-FAMILY: Arial">-Drew</SPAN></FONT></P>
<P class=3DMsoNormal><FONT face=3DArial size=3D2><SPAN=20
style=3D"FONT-SIZE: 10pt; FONT-FAMILY: =
Arial"></SPAN></FONT> </P></DIV></BLOCKQUOTE></BODY></HTML>
------=_NextPart_000_0013_01C3ED71.6BB112C0--
