nanog mailing list archives

Re: Monumentous task of making a list of all DDoS Zombies.


From: Guðbjörn Hreinsson <gsh () centrum is>
Date: Sun, 8 Feb 2004 17:18:53 -0000


> I'm aware of these - but surely there's something about the user which
> you can stick into rDNS (hashed / encrypted if you like) that'll
> identify the user?

> The problem with trojans etc is that there are so damn many of them, so the
> less time spent actually tracking down the user who was on IP X at time
> Y, the better it is for the ISP's staffers who handle complaints about
> these.

It's not that hard, I assume we are talking about dial-up, cable and xDSL
users? We already log all major RADIUS events in a database and it's very
easy to look up users in that db, we have a web page for CSRs (customer
service representatives), additionally the mail server detects which of our
IP ranges is sending worms and automatically disables those users... I see
no gain from adding anything in DNS, like reverse records.

> Of course, prevention is better than cure, so another recourse the ISP
> has is to be proactive - setting up a scanner to sweep the host that
> comes up on an IP the moment the DHCP server assigns it.  If not a full
> blown portscan or anything, then at least a quick once-over that looks
> for signs of the current "big problem" trojans / zombies.

We perform this today, the problem is, what are the signs for "big problem"
trojans and zombies? If there was a tool out there that could perform scanning
of computers AND knew about what to look for (does this malware operate
on fixed ports) AND could be automatically updated for new malware I would
purchase such a tool. Other than scanning for the open ports, I think these
zombies are regular open proxies... but that may (will?) change in the
future.

> 4. Quick and immediate isolation of infected hosts - nullroute them, or
> maybe VLAN them into their own corner of the 'net, where the only thing
> they can access over http is an ISP support page saying "please un-root
> your computer, or contact us at 1-800-[foo] for help and more details"

We simply modify their passwords and log them off today. There is also
an entry created in the incident tracking system. But, we have it as a
future goal to let them access some pages, like HouseCall etc.



Rgds,
-GSH
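The "who was on IP X at time Y" lookup against a RADIUS accounting database that the post describes, as an added example (not code from the poster or from any ISP system). The table layout loosely follows FreeRADIUS's radacct columns and the rows are constructed sample data; an open session with no Acct-Stop record and a gap between two sessions are the cases a complaint handler most often trips over.

```python
import sqlite3

# Constructed sample accounting rows: (username, framed IP, start, stop).
# Column names loosely follow FreeRADIUS's radacct table (an assumption);
# a NULL stop time means the session was still open when the log was read.
SAMPLE_SESSIONS = [
    ("alice", "10.1.2.3", "2004-02-08 09:00:00", "2004-02-08 11:30:00"),
    ("bob",   "10.1.2.3", "2004-02-08 11:31:00", "2004-02-08 15:00:00"),
    ("carol", "10.1.2.3", "2004-02-08 15:02:00", None),  # still online
    ("dave",  "10.1.2.4", "2004-02-08 10:00:00", "2004-02-08 12:00:00"),
]


def build_db(rows=SAMPLE_SESSIONS):
    """Load the constructed rows into an in-memory SQLite 'radacct' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (username TEXT, framedipaddress TEXT, "
        "acctstarttime TEXT, acctstoptime TEXT)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def who_had_ip(conn, ip, at):
    """Return the usernames whose session held `ip` at timestamp `at`.

    `at` is a 'YYYY-MM-DD HH:MM:SS' string in the same clock and timezone
    as the accounting log; a complaint quoting another zone must be
    converted first, or the abuse ticket lands on the wrong subscriber.
    ISO-format strings compare correctly as plain text, so no parsing needed.
    """
    cur = conn.execute(
        "SELECT username FROM radacct "
        "WHERE framedipaddress = ? "
        "  AND acctstarttime <= ? "
        "  AND (acctstoptime IS NULL OR acctstoptime >= ?)",
        (ip, at, at),
    )
    # More than one row means overlapping or duplicate accounting records
    # (for example a missed Stop); the caller should treat that as ambiguous.
    return sorted(row[0] for row in cur.fetchall())


if __name__ == "__main__":
    db = build_db()
    print(who_had_ip(db, "10.1.2.3", "2004-02-08 10:15:00"))  # ['alice']
    print(who_had_ip(db, "10.1.2.3", "2004-02-08 16:00:00"))  # ['carol']
```

An empty result for a time that falls between two sessions is the honest answer, not an error; it usually means the complaint timestamp or the NAS clock is off.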