[67317] in North American Network Operators' Group


Re: Monumentous task of making a list of all DDoS Zombies.

daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Sat Feb 7 21:59:25 2004

Date: Sun, 08 Feb 2004 08:28:25 +0530
From: Suresh Ramasubramanian <suresh@outblaze.com>
To: "Wayne Gustavus (nanog)" <nanog@wgustavus.com>
Cc: "'Drew Weaver'" <drew.weaver@thenap.com>, nanog@merit.edu
In-Reply-To: <001201c3ed9b$54871ac0$6400000a@wglaptop>
Errors-To: owner-nanog-outgoing@merit.edu


Wayne Gustavus (nanog) wrote:
> This would essentially be impossible and not a good idea.  Large volumes 
> of hosts/zombies involved in such attacks originate from residential 
> cable/dsl subscribers.  This user base primarily uses dynamically 
> assigned IP space.  Hence, the IP of tonight's attacker could be the IP 
> of tomorrow's legitimate user.

1. It is arguable whether dynamic IPs are to be treated as legitimate 
mailhosts.  Your colleagues in VOL mailops might tell you something 
similar too.

2. An expiring list, where entries inserted are quickly expired, and 
stats used to add to other lists (such as MAPS DUL / SORBS DUHL) is a 
good idea, and moreover, it's already been done. http://cbl.abuseat.org

	srs
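
The expiring list from point 2, sketched as an added example that is not part of the original message and is not the implementation of CBL or any other list named above. The class name, the TTL, the /24 aggregation and the `min_hosts` threshold are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

class ExpiringBlocklist:
    """Short-lived per-IP listings plus longer-lived per-network statistics."""

    def __init__(self, ttl=86400, prefix_len=24):
        self.ttl = ttl                # assumed: listing lifetime in seconds
        self.prefix_len = prefix_len  # assumed: aggregation size for the stats
        self.expires = {}             # ip -> expiry timestamp
        self.seen = defaultdict(set)  # network -> distinct IPs ever reported

    def _network(self, ip):
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def report(self, ip, now):
        """List (or refresh) an IP observed attacking at time `now`."""
        ip = ipaddress.ip_address(ip)
        self.expires[ip] = now + self.ttl
        self.seen[self._network(ip)].add(ip)

    def is_listed(self, ip, now):
        """True only while the latest report is younger than the TTL, so a
        dynamic address handed to a new user drops off on its own."""
        ip = ipaddress.ip_address(ip)
        expiry = self.expires.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self.expires[ip]      # lazy expiry on lookup
            return False
        return True

    def purge(self, now):
        """Remove every expired entry and return how many were dropped."""
        dead = [ip for ip, exp in self.expires.items() if exp <= now]
        for ip in dead:
            del self.expires[ip]
        return len(dead)

    def range_candidates(self, min_hosts=3):
        """Networks with many distinct reported hosts: candidates to review
        for a dynamic-range list, not automatic additions."""
        return sorted(str(n) for n, ips in self.seen.items()
                      if len(ips) >= min_hosts)
```

Per-IP entries age out after `ttl` seconds, while the per-network counts outlive them and are what would be handed to a range-based list for review.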
