Re: Monumentous task of making a list of all DDoS Zombies.

[Suresh Ramasubramanian <suresh () outblaze com>]

Guðbjörn Hreinsson wrote:

> ip ranges is sending worms and automatically disables those users... I see
> no gain from adding anything in DNS, like reverse records.

well, rDNS is just one way.  If you have some relatively automated (and 
automatic, easy to trigger from your mailserver logs, your router / ids 
logs etc) system to disable users, without having your NOC guys manually 
paste stuff into a form / fire up your db and execute queries manually, 
then cool.

> We perform this today, the problem is, what are the signs for "big problem"
> trojans and zombies? If there was a tool out there that could perform
> scanning

Well, sticking an IDS on outbound traffic might not scale - especially 
across a large dialup pool.  But there are other things to do, such as 
filtering the commonly used methods of worm propogation (windows shares, 
port 25 outbound from your dynamic IPs ..)

> purchase such a tool. Other than scanning for the open ports, I think these
> zombies are regular open proxies... but that may (will?) change in the

They are proxies on a random high port - but sometimes they do phone 
home to a particular source etc.  Lots of people perform trojan 
analysis, and I assume a regular update of these, fed into a cut down 
version of an IDS, might help.

        srs