nanog mailing list archives

Re: Monumentous task of making a list of all DDoS Zombies.


From: Suresh Ramasubramanian <suresh () outblaze com>
Date: Tue, 10 Feb 2004 15:26:57 +0530


Steve Birnbaum wrote:

> So you want a major ISP to simply automatically disable accounts of its
> users based only on automated detection of an IP address and timestamp in
> something that APPEARS to be a complaint to an automated script?


Hi

You have two things confused from my previous mail.

1. Set up router / IDS acls that look for outbound / inbound traffic that is characteristic of worms (or whatever), and have the accounts deactivated based on that.

2. Set up your NOC to use a sensible ticket system optimized for incident handling (RTIR + RT3, and Abacus seem to be the only contenders so far according to a recent discussion I had with admins on another list).

A lot of the NOCs use ticketing systems that are either designed for customer service apps (like Kana), or sometimes - I kid you not - use IMAP accounts, excel (or at least csv) worksheets and a maze of shell and perl hacks that are somewhat, but not quite like, a ticketing system.

This system I described must have wired into it easy ways to grab user information from radius etc, append IPs to block into a text file that can be grabbed by a cronjob and synced into router ACLs after sanity checking etc.

And of course if the NOC guy is smart enough, he knows enough to weed out obviously bogus complaints [including the GWF / Goober With Firewall ones, as one of my friends once put it - the complaints generated by those fancy "software firewall" programs] before deactivating accounts.

> There is a reason why there are humans (overworked, unfortunately) handling
> abuse complaints.  Make it easy, sure...but make it easy for the human to be

Yes. I'm one such person as it happens. And all I ask is that it be made easy.

        srs

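An added example, not code from this thread or from any NOC mentioned in it, of the cron-side step the mail describes: the ticket system appends one IP per line to a text file, and a scheduled job turns that file into router ACL entries only after sanity-checking each entry. The customer pools, the protected infrastructure range and the maximum block width are assumptions for the example (RFC 5737 documentation space stands in for an ISP's real pools), and the output is Cisco IOS extended numbered ACL syntax; the sample blocklist is constructed.

```python
#!/usr/bin/env python3
"""Sanity-check a NOC blocklist file and render it as a router ACL.

Added illustration for the thread, not the original poster's code.  It models
the flow described in the mail: ticket system appends IPs to a text file, a
cron job syncs the file into router ACLs after checking each entry.  All
address ranges below are assumptions (RFC 5737 documentation space).
"""
import ipaddress
from typing import List, Tuple

# Assumed customer address pools: this path only blocks our own subscribers
# (we are deactivating accounts, not black-holing the rest of the internet).
CUSTOMER_POOLS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed infrastructure inside those pools (resolvers, NOC hosts) that a
# bogus or mis-typed complaint must never be able to knock offline.
PROTECTED = [
    ipaddress.ip_network("198.51.100.0/28"),
]

# Broadest prefix one entry may cover (prefixlen must be >= this).  Anything
# wider is a fat-fingered prefix or a whole pool and needs a human, not cron.
MIN_IPV4_PREFIXLEN = 29
MIN_IPV6_PREFIXLEN = 64

# Constructed sample of the file the ticket system appends to.
SAMPLE_BLOCKLIST = """\
# one entry per line, '#' starts a comment
192.0.2.45          # outbound tcp/135 scanning
192.0.2.200/32
198.51.100.77
198.51.100.3        # typo: that is our resolver
10.0.0.0/8          # fat-fingered prefix
203.0.113.5         # complaint about someone else's customer
192.0.2.0/24        # whole pool, needs a human
not-an-ip
192.0.2.45          # duplicate
"""


def check_entry(net) -> str:
    """Return "" if the prefix is safe to push, else the reason to reject it."""
    min_len = MIN_IPV4_PREFIXLEN if net.version == 4 else MIN_IPV6_PREFIXLEN
    if net.prefixlen < min_len:
        return "prefix too broad"
    pools = [p for p in CUSTOMER_POOLS if p.version == net.version]
    if not any(net.subnet_of(pool) for pool in pools):
        return "not in customer pool"
    if any(net.overlaps(p) for p in PROTECTED if p.version == net.version):
        return "overlaps protected infrastructure"
    return ""


def sanity_check(blocklist_text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a blocklist file into (accepted prefixes, [(entry, reason)] rejects)."""
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    seen = set()
    for raw in blocklist_text.splitlines():
        body = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not body:
            continue
        try:
            net = ipaddress.ip_network(body, strict=False)  # bare IP -> /32 or /128
        except ValueError:
            rejected.append((body, "unparseable"))
            continue
        reason = check_entry(net)
        if reason:
            rejected.append((body, reason))
            continue
        key = net.with_prefixlen
        if key not in seen:          # duplicates are harmless, just skip them
            seen.add(key)
            accepted.append(key)
    return accepted, rejected


def render_ios_acl(prefixes: List[str], acl_number: int = 100) -> List[str]:
    """Render accepted IPv4 prefixes as Cisco IOS extended numbered ACL lines."""
    lines = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if net.version != 4:
            continue   # assumption for the example: the edge ACL is IPv4-only
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_number} deny ip host {net.network_address} any")
        else:  # IOS wildcard mask is the inverted netmask, i.e. the hostmask
            lines.append(f"access-list {acl_number} deny ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    ok, bad = sanity_check(SAMPLE_BLOCKLIST)
    for entry, why in bad:
        print(f"REJECTED {entry}: {why}")
    print("\n".join(render_ios_acl(ok)))
```

Rejected entries are reported rather than silently dropped so the on-duty NOC person sees what the cron job refused to push; the job should fail closed (push nothing) if the file cannot be read at all, which is a deployment detail outside this example.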
