nanog mailing list archives
Re: Monumentous task of making a list of all DDoS Zombies.
From: Suresh Ramasubramanian <suresh () outblaze com>
Date: Mon, 09 Feb 2004 08:27:14 +0530
Guðbjörn Hreinsson wrote:
> ip ranges is sending worms and automatically disables those users... I see no gain from adding anything in DNS, like reverse records.
Well, rDNS is just one way. If you have some relatively automated (and automatic, easy to trigger from your mailserver logs, your router / IDS logs etc) system to disable users, without having your NOC guys manually paste stuff into a form / fire up your db and execute queries manually, then cool.
> We perform this today, the problem is, what are the signs for "big problem" trojans and zombies? If there was a tool out there that could perform scanning
Well, sticking an IDS on outbound traffic might not scale - especially across a large dialup pool. But there are other things to do, such as filtering the commonly used methods of worm propagation (Windows shares, port 25 outbound from your dynamic IPs ..)
> purchase such a tool. Other than scanning for the open ports, I think these zombies are regular open proxies... but that may (will?) change in the
They are proxies on a random high port - but sometimes they do phone home to a particular source etc. Lots of people perform trojan analysis, and I assume a regular update of these, fed into a cut down version of an IDS, might help.
srs
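
An added illustration, not part of the original post: one way the automated trigger discussed above could work from router flow logs, flagging dynamic-pool addresses that reach many distinct hosts on port 25 or the Windows share ports. The log format, address ranges, relay address, port labels and threshold are all assumptions, and the flow records are constructed.

```python
import ipaddress
from collections import defaultdict

# Every value below is an assumption for illustration, not taken from the post.
DYNAMIC_POOLS = [ipaddress.ip_network("192.0.2.0/24")]  # dynamic/dial-up range
SMARTHOSTS = {ipaddress.ip_address("198.51.100.25")}     # ISP's own mail relay
WATCHED_PORTS = {25: "smtp-direct", 139: "windows-share", 445: "windows-share"}
MIN_DISTINCT_DSTS = 3  # distinct destinations before a source is flagged

# Constructed flow records: "<epoch> <src_ip> <dst_ip> <dst_port>"
SAMPLE_FLOWS = """\
1076295000 192.0.2.10 198.51.100.25 25
1076295001 192.0.2.44 203.0.113.5 25
1076295002 192.0.2.44 203.0.113.9 25
1076295003 192.0.2.44 203.0.113.77 25
1076295004 192.0.2.61 203.0.113.5 445
1076295005 192.0.2.61 203.0.113.6 445
1076295006 192.0.2.61 203.0.113.7 139
1076295007 192.0.2.80 203.0.113.5 25
1076295008 truncated-record
"""

def parse_flow(line):
    """Return (src, dst, port), or None for a malformed record."""
    try:
        _, src, dst, port = line.split()
        return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    except ValueError:
        return None

def flag_sources(text, threshold=MIN_DISTINCT_DSTS):
    """Map flagged source IP -> {label: distinct destination count}."""
    seen = defaultdict(lambda: defaultdict(set))
    for flow in filter(None, map(parse_flow, text.splitlines())):
        src, dst, port = flow
        if port not in WATCHED_PORTS or dst in SMARTHOSTS:
            continue  # not a watched port, or mail handed to the ISP relay
        if any(src in net for net in DYNAMIC_POOLS):
            seen[str(src)][WATCHED_PORTS[port]].add(dst)
    flagged = {}
    for src, by_label in seen.items():
        hits = {lbl: len(d) for lbl, d in by_label.items() if len(d) >= threshold}
        if hits:
            flagged[src] = hits
    return flagged

if __name__ == "__main__":
    print(flag_sources(SAMPLE_FLOWS))
```

The returned mapping is the list a NOC script would hand to whatever disables or quarantines the account; mail sent through the relay and sources below the threshold are left alone.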