[67318] in North American Network Operators' Group
RE: Monumentous task of making a list of all DDoS Zombies.
daemon@ATHENA.MIT.EDU (Wayne Gustavus (nanog))
Sat Feb 7 23:46:45 2004
From: "Wayne Gustavus (nanog)" <nanog@wgustavus.com>
To: "'Suresh Ramasubramanian'" <suresh@outblaze.com>
Cc: "'Drew Weaver'" <drew.weaver@thenap.com>, <nanog@merit.edu>
Date: Sat, 7 Feb 2004 23:44:38 -0500
In-Reply-To: <4025A5D1.3090404@outblaze.com>
Errors-To: owner-nanog-outgoing@merit.edu
> -----Original Message-----
> From: Suresh Ramasubramanian [mailto:suresh@outblaze.com]
> Sent: Saturday, February 07, 2004 9:58 PM
> To: Wayne Gustavus (nanog)
> Cc: 'Drew Weaver'; nanog@merit.edu
> Subject: Re: Monumentous task of making a list of all DDoS Zombies.
>
<snip>
>
> 1. It is arguable whether dynamic IPs are to be treated as legitimate
> mailhosts. Your colleagues in VOL mailops might tell you something
> similar too.
No argument there. However, the thread was originally addressing a list of
DDoS Zombies, not illegitimate SMTP mailhosts. Arguably zombies used to launch
DDoS attacks are treated differently than such hosts. We address both types.
>
> 2. An expiring list, where entries inserted are quickly expired, and
> stats used to add to other lists (such as MAPS DUL / SORBS DUHL) is a
> good idea, and moreover, it's already been done.
http://cbl.abuseat.org
Interesting approach. It would be conceivable that if this resource was
widely used, miscreants could use this service to DDoS their victims without
an army of zombies :-) I still submit that it is more advisable to address
the root of the problem by finding the true host that generated attack
traffic. Automating this process of matching dynamic IP to customer acct
with a timestamp and remediation is the goal.
__________________________________________________________
Wayne Gustavus, CCIE #7426
Operations Engineering
Verizon Internet Services
___________________________________________________________
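The two mechanisms debated above, as an added example that is not from the thread, from CBL, or from Verizon: an expiring attack-source list that requires corroborating reports before it lists an address (one way to blunt the concern that a single forged report could get a victim listed), and the lookup that maps a dynamic IP plus attack timestamp back to the customer account that held the lease. All lease records, reporter names and addresses are constructed.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address


def at(day, hour, minute=0):
    """Shorthand for a UTC timestamp on 2004-02-<day> (constructed data)."""
    return datetime(2004, 2, day, hour, minute, tzinfo=timezone.utc)


# Constructed lease records (account, ip, start, end) standing in for a
# RADIUS/DHCP accounting log. Two accounts held 192.0.2.10 back to back.
LEASES = [
    ("acct-1001", "192.0.2.10", at(7, 20), at(7, 22, 30)),
    ("acct-2042", "192.0.2.10", at(7, 22, 30), at(8, 3)),
    ("acct-3377", "192.0.2.77", at(7, 18), at(8, 6)),
]


def resolve_account(ip, seen_at, leases=LEASES):
    """Return the account holding `ip` at `seen_at` (half-open lease), or None.

    The timestamp must be when the attack traffic was seen, not when the
    report arrived: after a lease rollover the same IP belongs to someone else.
    """
    for acct, lease_ip, start, end in leases:
        if lease_ip == ip and start <= seen_at < end:
            return acct
    return None


class ExpiringZombieList:
    """Attack-source list whose entries lapse after `ttl` unless re-reported.

    An address is listed only once `min_reporters` distinct reporters have
    fresh reports for it, so one spoofed report cannot list an arbitrary IP.
    """

    def __init__(self, ttl=timedelta(hours=6), min_reporters=2):
        self.ttl, self.min_reporters = ttl, min_reporters
        self._seen = {}  # ip -> {reporter: last_seen}

    def report(self, ip, reporter, seen_at):
        ip = str(ip_address(ip))  # reject malformed input before storing it
        self._seen.setdefault(ip, {})[reporter] = seen_at

    def listed(self, now):
        """Addresses with enough unexpired, independent reports as of `now`."""
        out = set()
        for ip, reporters in self._seen.items():
            fresh = [t for t in reporters.values() if now - t < self.ttl]
            if len(fresh) >= self.min_reporters:
                out.add(ip)
        return out
```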