Re: DDOS Bot Blacklist

[Kevin <kkadow () gmail com>]

I think such a blacklist could work, if operated by a trusted party,
but offhand I can't think of any organization I would trust to run
such a powerful blacklist.

On Mon, 15 Nov 2004 00:36:34 -0500, Rob Shein <shoten () starpower net> wrote:
> The further question that comes to my mind is who would enforce blocking
> based on this list?

A BGP feed, similar to the original "RBL" feeds, would make such a
blacklist most useful to ISPs.  The list would need to be managed and
updated by a very trusted source before ISPs would be willing to
subscribe to such a BGP feed.

>  It seems to me that if the subscribers to the list were
> anything other than ISPs, there would be little point to it.  By the time
> you're blocking at your firewall, the DDoS traffic has already consumed what bandwidth it was meant to consume. 

For the smallest of sites, pure bandwidth exhaustion is still a common
mode of attack -- these would also be more likely to be "stateless"
attacks, with easily spoofed source IPs.  However for higher-profile
target sites, I would venture that successful attacks are more
sophisticated resource exhaustion, not relying on simply raw bandwidth
to take down a site.

> And this is, of course, in addition to
> your concerns about DHCP addressing and spoofed source addresses.

DHCP and dynamic addresses would require that any blacklist of Bots
used to source DDoS would need to be dynamically populated and updated
frequently.

Kevin

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------