IDS mailing list archives
Re: DDOS Bot Blacklist
From: Kevin <kkadow () gmail com>
Date: Tue, 16 Nov 2004 01:55:41 -0600
I think such a blacklist could work, if operated by a trusted party, but offhand I can't think of any organization I would trust to run such a powerful blacklist. On Mon, 15 Nov 2004 00:36:34 -0500, Rob Shein <shoten () starpower net> wrote:
The further question that comes to my mind is who would enforce blocking based on this list?
A BGP feed, similar to the original "RBL" feeds, would make such a blacklist most useful to ISPs. The list would need to be managed and updated by a very trusted source before ISPs would be willing to subscribe to such a BGP feed.
It seems to me that if the subscribers to the list were anything other than ISPs, there would be little point to it. By the time you're blocking at your firewall, the DDoS traffic has already consumed what bandwidth it was meant to consume.
For the smallest of sites, pure bandwidth exhaustion is still a common mode of attack -- these would also be more likely to be "stateless" attacks, with easily spoofed source IPs. However for higher-profile target sites, I would venture that successful attacks are more sophisticated resource exhaustion, not relying on simply raw bandwidth to take down a site.
And this is, of course, in addition to your concerns about DHCP addressing and spoofed source addresses.
DHCP and dynamic addresses would require that any blacklist of Bots used to source DDoS would need to be dynamically populated and updated frequently. Kevin -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- DDOS Bot Blacklist Andy Cuff (Nov 14)
- RE: DDOS Bot Blacklist Rob Shein (Nov 15)
- Re: DDOS Bot Blacklist Kevin (Nov 16)
- RE: DDOS Bot Blacklist Andy Cuff (Nov 17)
- RE: DDOS Bot Blacklist Rob Shein (Nov 15)