[67323] in North American Network Operators' Group
Re: Monumentous task of making a list of all DDoS Zombies.
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Sun Feb 8 04:06:06 2004
Date: Sun, 08 Feb 2004 14:35:30 +0530
From: Suresh Ramasubramanian <suresh@outblaze.com>
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: nanog@merit.edu
In-Reply-To: <B58ECC80-5A14-11D8-9F25-000A95CD987A@muada.com>
Errors-To: owner-nanog-outgoing@merit.edu
Iljitsch van Beijnum wrote:
> Coming up with new types of probes all the time to check for this would
> be a huge amount of work.
Would that be any less work than clearing up the mess left by an
infestation of DDoS zombies? :)
> I favor an approach where people no longer get to send data at high
> speed without the recipient's approval. Just sending data in the blind
> or any type of scanning could then trigger a severe rate limit or raise
> an alarm.
It is fairly easy to work around rate limits by just scaling laterally,
and compromising a few million more boxes. If the next virus grabs 4M,
or 20M boxes instead of just a measly 2M boxes, you can rate limit all
you like, but it really won't help.
> Unfortunately, this type of action must be performed at the source and
> some networks just can't be bothered.
Yup.
srs