-----Original Message----- From: Suresh Ramasubramanian [mailto:suresh@outblaze.com] Sent: Saturday, February 07, 2004 9:58 PM To: Wayne Gustavus (nanog) Cc: 'Drew Weaver'; nanog@merit.edu Subject: Re: Monumentous task of making a list of all DDoS Zombies.
<snip>
1. It is arguable whether dynamic IPs are to be treated as legitimate mailhosts. Your colleagues in VOL mailops might tell you something similar too.
No argument there. However, the thread was originally addressing a list of DDoS Zombies, not illegitimate SMTP mailhosts. Arguably zombies used to launch DDoS attacks are treated differently than such hosts. We address both types.
2. An expiring list, where entries inserted are quickly expired, and stats used to add to other lists (such as MAPS DUL / SORBS DUHL) is a good idea, and moreover, it's already been done.
http://cbl.abuseat.org Interesting approach. It would be conceivable that if this resource was Widely used, miscreants could use this service to DDoS there victims without an army of zombies :-) I still submit that it is more advisable to address the root of the problem by finding the true host that generated attack traffic. Automating this process of matching dynamic IP to customer acct with a timestamp and remediation is the goal. __________________________________________________________ Wayne Gustavus, CCIE #7426 Operations Engineering Verizon Internet Services ___________________________________________________________