Your staff will still get a ton of complaints. If these can
be parsed by a script that looks for virus / trojan strings in the
complaint, extracts the IP (or has your NOC dude just click the IP in his
ticketing system, like in RT + IRTT) and the account just goes away - then
fine.
So you
Steve Birnbaum wrote:
So you want a major ISP to simply automatically disable accounts of its
users based only on automated detection of an IP address and timestamp in
something that APPEARS to be a complaint to an automated script?
Hi
You have two things confused from my previous mail.
1. Set
On Sun, 8 Feb 2004 18:12:46 +0100, Iljitsch van Beijnum [EMAIL PROTECTED] writes:
But how are you going to infect a million boxes if you can
only scan one address per second?
With a random scanning worm, the expected time could be as low as
about a day.
Assuming the random scanning model
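The "about a day" figure in the reply above, worked through as an added example (this is not code from the thread). It uses the standard random-constant-spread (logistic) model of a random-scanning worm: each infected host probes scan_rate random IPv4 addresses per second, and a probe finds a fresh victim with probability (N - I)/2^32. The one-million-host vulnerable population and the scan rates are assumptions; one address per second is the cap Iljitsch van Beijnum asks about.

```python
"""Random-scanning worm under a per-host scan-rate cap (added example).

Logistic / random-constant-spread model: with I infected hosts out of N
vulnerable ones, each probing `scan_rate` random IPv4 addresses per second,
    dI/dt = scan_rate * I * (N - I) / 2**32
The population size and the scan rates used below are assumptions.
"""
import math

IPV4_SPACE = 2 ** 32  # addresses a random scanner draws from


def growth_rate(n_vuln, scan_rate, space=IPV4_SPACE):
    """Per-second constant r in dI/dt = r * I * (1 - I/N)."""
    return scan_rate * n_vuln / space


def time_to_fraction(n_vuln, scan_rate, frac, i0=1, space=IPV4_SPACE):
    """Seconds until `frac` of the N vulnerable hosts are infected, starting
    from i0 seeds. Closed form: I(t) = N / (1 + (N/i0 - 1) * exp(-r t))."""
    if not 0 < frac < 1:
        raise ValueError("frac must be strictly between 0 and 1")
    r = growth_rate(n_vuln, scan_rate, space)
    return math.log((n_vuln / i0 - 1) * frac / (1 - frac)) / r


def simulate(n_vuln, scan_rate, seconds, i0=1, step=60, space=IPV4_SPACE):
    """Discrete-time cross-check of the closed form: expected new infections
    per `step` seconds are the probes sent times the chance each one hits a
    not-yet-infected vulnerable host. Returns the infected count after `seconds`."""
    infected = float(i0)
    for _ in range(0, seconds, step):
        probes = infected * scan_rate * step
        infected = min(float(n_vuln), infected + probes * (n_vuln - infected) / space)
    return int(infected)


def hours(seconds):
    return seconds / 3600.0


if __name__ == "__main__":
    n = 1_000_000  # assumed vulnerable population
    for rate in (1.0, 10.0, 100.0):
        t50 = time_to_fraction(n, rate, 0.50)
        t99 = time_to_fraction(n, rate, 0.99)
        print(f"{rate:5.0f} scans/s: 50% infected after {hours(t50):6.2f} h, "
              f"99% after {hours(t99):6.2f} h")
    print("Euler cross-check, 24 h at 1 scan/s:", simulate(n, 1.0, 24 * 3600), "infected")
```

With a million vulnerable hosts and one probe per second per host, half the population is infected after roughly 16.5 hours and 99% in just under a day; at 100 probes per second the half-way point arrives in about ten minutes. A scan-rate cap therefore buys the operator time to react but does not by itself prevent the outbreak, which is the point the reply makes. The model only covers scan-and-infect spread; a pre-planted trojan that phones home, as suggested later in the thread, needs no scanning at all.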
On Sun, 8 Feb 2004, Suresh Ramasubramanian wrote:
Another thing that helps with easier identification is a practice some
ISPs have of inserting the MAC address of the host into the reverse DNS
record, with a short TTL. When a new host gets that IP, the MAC address
changes too. I have seen
Sean Donelan wrote:
In practice MAC address tracking only works for a few very specific ISP
architectures, such as when the ISP supplies the hardware used to connect
to the network.
I'm aware of these - but surely there's something about the user which
you can stick into rDNS (hashed / encrypted
Iljitsch van Beijnum wrote:
Coming up with new types of probes all the time to check for this would
be a huge amount of work.
Would that be any less work than clearing up the mess left by an
infestation of DDoS zombies? :)
I favor an approach where people no longer get to send data at high
On 8-feb-04, at 10:05, Suresh Ramasubramanian wrote:
Coming up with new types of probes all the time to check for this
would be a huge amount of work.
Would that be any less work than clearing up the mess left by an
infestation of DDoS zombies? :)
Apples and oranges. You need to clean up the
I'm aware of these - but surely there's something about the user which
you can stick into rDNS (hashed / encrypted if you like) that'll
identify the user?
The problem with trojans etc. is that there are so damn many of them, so the
less time spent actually tracking down the user who was on IP X
SD Date: Sun, 8 Feb 2004 02:01:29 -0500 (EST)
SD From: Sean Donelan
SD Instead of Doubleclick tracking users with Cookies, they
SD would be able to track the unique computers from the MAC
SD address in the reverse DNS record over time.
A MAC address is six octets. Append time past Epoch when
On Sun, 8 Feb 2004, Suresh Ramasubramanian wrote:
In practice MAC address tracking only works for a few very specific ISP
architectures, such as when the ISP supplies the hardware used to connect
to the network.
I'm aware of these - but surely there's something about the user which
you
On Sun, 8 Feb 2004, E.B. Dreger wrote:
SD Instead of Doubleclick tracking users with Cookies, they
SD would be able to track the unique computers from the MAC
SD address in the reverse DNS record over time.
A MAC address is six octets. Append time past Epoch when IP was
assigned; that's
SD Date: Sun, 8 Feb 2004 17:43:34 -0500 (EST)
SD From: Sean Donelan
SD Again, why does an ISP need to spend the money and as you
SD point out the extra hassle, to do this? ISPs already have
SD all the information they need to trace a subscriber from the
SD IP address and timestamp.
I'm not
Iljitsch van Beijnum wrote:
traffic. But how are you going to infect a million boxes if you can only
scan one address per second?
Maybe just infect a million windows boxes on your network with a trojan,
and then have the trojan phone home (say to an irc channel or a central
controlling server)
Sean Donelan wrote:
But I still don't understand why an ISP unwilling to spend the money
to trace users with RADIUS or other existing methods is going to want
to spend money on interfacing their systems with Dynamic DNS servers and
All I'm saying, Sean, is that there should be a quick way (or even
Guðbjörn Hreinsson wrote:
ip ranges is sending worms and automatically disables those users... I see
no gain from adding anything in DNS, like reverse records.
well, rDNS is just one way. If you have some relatively automated (and
automatic, easy to trigger from your mailserver logs, your
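Two strands of the discussion above, worked through together as one added example (this is not code from the NANOG thread): Sean Donelan's point that an IP address plus a timestamp already identifies the subscriber from RADIUS accounting the ISP keeps anyway, and Suresh Ramasubramanian's suggestion of a hashed or encrypted per-user marker in the reverse DNS name. The accounting records, the HMAC key, the dyn.example.net zone and the complaint text are all constructed; the keyed-token design is this editor's illustration of the idea, not something the thread specifies.

```python
"""Complaint triage against RADIUS accounting, plus a per-lease rDNS token.

Added example, not code from the thread. Accounting records, key and the
complaint text are constructed for illustration.
"""
import base64
import hashlib
import hmac
import re
from datetime import datetime

ISP_KEY = b"constructed-rdns-hmac-key"  # assumed to live with the RADIUS/DHCP backend

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M %z")

# Constructed Acct-Start/Acct-Stop pairs. The same address is handed to two
# different subscribers on the same day (the dynamic-pool case raised later
# in the thread), so a bare IP without a time is ambiguous.
SESSIONS = [
    {"user": "acct-1001", "ip": "10.20.30.40",
     "start": _t("2004-02-07 18:00 +0000"), "stop": _t("2004-02-08 06:00 +0000")},
    {"user": "acct-1002", "ip": "10.20.30.40",
     "start": _t("2004-02-08 06:00 +0000"), "stop": _t("2004-02-08 23:59 +0000")},
    {"user": "acct-1001", "ip": "10.20.30.77",
     "start": _t("2004-02-08 06:05 +0000"), "stop": _t("2004-02-08 23:59 +0000")},
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Only timestamps carrying an explicit UTC offset are accepted; a local time
# with no zone cannot be matched safely against a dynamic pool.
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}(?::\d{2})?)\s?([+-]\d{4})")

def parse_complaint(text):
    """(ip, aware datetime or None) for every complaint line naming an IP."""
    events = []
    for line in text.splitlines():
        ip = IP_RE.search(line)
        if not ip:
            continue
        ts = TS_RE.search(line)
        when = None
        if ts:
            fmt = "%Y-%m-%d %H:%M:%S %z" if len(ts.group(2)) == 8 else "%Y-%m-%d %H:%M %z"
            when = datetime.strptime(" ".join(ts.groups()), fmt)
        events.append((ip.group(), when))
    return events

def session_at(ip, when, sessions=SESSIONS):
    """Accounting record that held `ip` at `when` (start inclusive, stop exclusive)."""
    for s in sessions:
        if s["ip"] == ip and s["start"] <= when < s["stop"]:
            return s
    return None

def triage(text, sessions=SESSIONS):
    """One ticket per event: a subscriber to notify, or a manual-review item.
    Never an automatic disable; the complaint text is attacker-controlled."""
    tickets = []
    for ip, when in parse_complaint(text):
        s = session_at(ip, when, sessions) if when else None
        tickets.append({"ip": ip, "when": when.isoformat() if when else None,
                        "user": s["user"] if s else None,
                        "action": "notify-subscriber" if s else "manual-review"})
    return tickets

def lease_token(user, start, key=ISP_KEY):
    """Keyed label for the PTR record: opaque without the key and different for
    every lease, so unlike a raw MAC it gives outsiders nothing stable to track.
    80 bits of HMAC-SHA256, base32: a 16-character DNS label, no padding."""
    msg = f"{user}|{int(start.timestamp())}".encode()
    return base64.b32encode(hmac.new(key, msg, hashlib.sha256).digest()[:10]).decode().lower()

def resolve_token(token, sessions=SESSIONS, key=ISP_KEY):
    """ISP side: recompute over the accounting records already kept, no new database."""
    for s in sessions:
        if hmac.compare_digest(lease_token(s["user"], s["start"], key), token):
            return s
    return None

COMPLAINT = (  # constructed abuse report, one event per line
    "10.20.30.40 scanned tcp/135 on 2004-02-08 03:15:42 +0000\n"
    "10.20.30.40 scanned tcp/135 on 2004-02-08T09:30 +0000\n"
    "10.20.30.40 scanned tcp/135 on 02/08/04 around 2pm our time\n"
)

if __name__ == "__main__":
    for ticket in triage(COMPLAINT):
        print(ticket)
    for s in SESSIONS:
        tok = lease_token(s["user"], s["start"])
        print(f"{s['ip']} PTR {tok}.dyn.example.net -> {resolve_token(tok)['user']}")
```

Run as-is, triage() yields a notify ticket for each timestamped event (the same address resolves to two different accounts a few hours apart) and a manual-review ticket for the line that gives only a local time; nothing is disabled automatically, which is the objection Steve Birnbaum raises earlier in the thread. The token changes with every lease and cannot be computed or correlated by anyone without the key, so it does not create the Doubleclick-style tracking handle Sean Donelan warns about, while the ISP resolves it against accounting data it already holds.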
This would essentially be impossible and not a good idea. Large
volumes of hosts/zombies involved in such attacks originate from residential
cable/dsl subscribers. This user base primarily uses dynamically
assigned IP space. Hence, the IP of tonight's attacker could be the IP
It need be neither momentous nor monumental -
Just say it's 0.0.0.0 / 0 with some occasional exceptions.
Regards
Marshall Eubanks
On Sat, 7 Feb 2004 11:56:28 -0500
Wayne Gustavus (nanog) [EMAIL PROTECTED] wrote:
This would essentially be impossible and not a good idea. Large volumes of
-Original Message-
From: Suresh Ramasubramanian [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 07, 2004 9:58 PM
To: Wayne Gustavus (nanog)
Cc: 'Drew Weaver'; [EMAIL PROTECTED]
Subject: Re: Monumentous task of making a list of all DDoS Zombies.
snip
1. It is arguable
Wayne Gustavus (nanog) wrote:
http://cbl.abuseat.org
Interesting approach. It would be conceivable that if this resource was
widely used, miscreants could use this service to DDoS their victims without
an army of zombies :-) I still submit that it is more advisable to address
the root of the
You probably want to make a list of vulnerable
hosts that fall to exploits like this: http://server-ip-here/scripts/../../winnt/system32/ping.exe
Most DDoS zombies will use spoofed IP packets
to attack their victim, so filtering the source will not relieve your
pain.
Rubens
- Original
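The traversal URL Rubens quotes, turned into a log check as an added example (this is not code from the thread): a scanner over web-server access logs that flags requests climbing above the virtual root or reaching an executable under system32. It normalizes paths the way a permissive server of that era might, decoding percent-encoding twice, accepting overlong two-byte UTF-8 such as %c0%af for "/", and folding backslashes to slashes. The log lines, client addresses and the exact regexes are constructed for the example.

```python
"""Spotting the traversal probe quoted above in web-server logs (added example).

Not code from the thread. Log lines are constructed, in Common Log Format.
"""
import re
from urllib.parse import unquote_to_bytes

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
SYSTEM_EXE = re.compile(r"(?:^|/)(?:winnt|windows)/system32/[^/]+\.(?:exe|com|bat|cmd)$", re.I)


def lenient_utf8(raw):
    """Decode bytes to text, mapping overlong 2-byte sequences (0xC0/0xC1 lead
    byte) to the ASCII character they encode instead of rejecting them; any
    other non-ASCII byte becomes U+FFFD, which is enough for path matching."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out)


def normalize_path(path, passes=2):
    """Canonical form of a request path plus whether it escaped the root.
    Decoding runs up to `passes` times to catch double encoding like %255c."""
    path = path.split("?", 1)[0]
    for _ in range(passes):
        decoded = lenient_utf8(unquote_to_bytes(path))
        if decoded == path:
            break
        path = decoded
    stack, escaped = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True  # more '..' than directories: above the web root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped


def is_traversal_probe(path):
    canon, escaped = normalize_path(path)
    return escaped or SYSTEM_EXE.search(canon) is not None


def scan_log(lines):
    """(client, raw path, canonical path) for every flagged request."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        if is_traversal_probe(path):
            hits.append((client, path, normalize_path(path)[0]))
    return hits


LOG = [  # constructed access-log lines
    '10.20.30.40 - - [08/Feb/2004:03:15:42 +0000] "GET /scripts/../../winnt/system32/ping.exe HTTP/1.0" 200 1234',
    '10.20.30.40 - - [08/Feb/2004:03:15:43 +0000] "GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 5678',
    '192.0.2.7 - - [08/Feb/2004:03:16:00 +0000] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe HTTP/1.0" 404 0',
    '192.0.2.9 - - [08/Feb/2004:03:17:00 +0000] "GET /images/../index.html HTTP/1.0" 200 99',
]

if __name__ == "__main__":
    for client, raw, canon in scan_log(LOG):
        print(f"{client:12} {raw} -> {canon}")
```

The first three constructed lines are flagged (plain, overlong-UTF-8 and double-encoded forms all canonicalize to /winnt/system32/...), the fourth is not, since its single ".." stays inside the root. A 200 on such a request is the interesting case; a 404 still tells you which addresses are probing. Source addresses in web logs are not spoofed, unlike the flood packets Rubens describes, so this kind of list is one that can actually be acted on.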