RE: Monumentous task of making a list of all DDoS Zombies.

["Wayne Gustavus (nanog)" <nanog () wgustavus com>]

This would essentially be impossible and not a good idea.  Large volumes of
hosts/zombies involved in such attacks originate from residential cable/dsl
subscribers.  This user base primarily uses dynamically assigned IP space.
Hence, the IP of tonight's attacker could be the IP of tomorrow's legitimate
user. 
 
This is the same reason that it is imperative that any complaints sent to
ISPs providing such services MUST have a time stamp (with timezone) along
with other information relative to the attack/abuse.  This is the only way
the ISPs can relate the IP with the actual enduser in order to contact them
for remediation.
 
 
 
 

___________________________________________________________
Wayne Gustavus, CCIE #7426                       
Operations Engineering                   
Verizon Internet Services                      
___________________________________________________________ 

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Drew
Weaver
Sent: Friday, February 06, 2004 4:15 PM
To: nanog () merit edu
Subject: Monumentous task of making a list of all DDoS Zombies.



            Is there a list maintained anywhere of all hosts that have been
identified as a DDoS zombie? Or attack box? We got hit with an attack from
more than 60 IPs last night and I'd like to add them to any list that anyone
has started.

 

Thanks,

-Drew