It need be neither momentous nor monumental - Just say it's 0.0.0.0 / 0 with some occasional exceptions. Regards Marshall Eubanks On Sat, 7 Feb 2004 11:56:28 -0500 "Wayne Gustavus (nanog)" <nanog@wgustavus.com> wrote:
This would essentially be impossible and not a good idea. Large volumes of hosts/zombies involved in such attacks originate from residential cable/dsl subscribers. This user base primarily uses dynamically assigned IP space. Hence, the IP of tonight's attacker could be the IP of tomorrow's legitimate user.
This is the same reason that it is imperative that any complaints sent to ISPs providing such services MUST have a time stamp (with timezone) along with other information relative to the attack/abuse. This is the only way the ISPs can relate the IP with the actual enduser in order to contact them for remediation.
___________________________________________________________ Wayne Gustavus, CCIE #7426 Operations Engineering Verizon Internet Services ___________________________________________________________
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Drew Weaver Sent: Friday, February 06, 2004 4:15 PM To: nanog@merit.edu Subject: Monumentous task of making a list of all DDoS Zombies.
Is there a list maintained anywhere of all hosts that have been identified as a DDoS zombie? Or attack box? We got hit with an attack from more than 60 IPs last night and I'd like to add them to any list that anyone has started.
Thanks,
-Drew