Re: DDOS Bot Blacklist

From: Kevin (kkadow_at_gmail.com)
Date: 11/16/04

  • Next message: Lily: "need your help about IPS and IDS,thanks" 
    Date: Tue, 16 Nov 2004 01:55:41 -0600
To: Rob Shein <shoten@starpower.net>

    I think such a blacklist could work, if operated by a trusted party,
    but offhand I can't think of any organization I would trust to run
    such a powerful blacklist.

    On Mon, 15 Nov 2004 00:36:34 -0500, Rob Shein <shoten@starpower.net> wrote:
    > The further question that comes to my mind is who would enforce blocking
    > based on this list?

    A BGP feed, similar to the original "RBL" feeds, would make such a
    blacklist most useful to ISPs. The list would need to be managed and
    updated by a very trusted source before ISPs would be willing to
    subscribe to such a BGP feed.

    > It seems to me that if the subscribers to the list were
    > anything other than ISPs, there would be little point to it. By the time
    > you're blocking at your firewall, the DDoS traffic has already consumed what bandwidth it was meant to consume.

    For the smallest of sites, pure bandwidth exhaustion is still a common
    mode of attack -- these would also be more likely to be "stateless"
    attacks, with easily spoofed source IPs. However for higher-profile
    target sites, I would venture that successful attacks are more
    sophisticated resource exhaustion, not relying on simply raw bandwidth
    to take down a site.

    > And this is, of course, in addition to
    > your concerns about DHCP addressing and spoofed source addresses.

    DHCP and dynamic addresses would require that any blacklist of Bots
    used to source DDoS would need to be dynamically populated and updated
    frequently.

    Kevin

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------

  • Next message: Lily: "need your help about IPS and IDS,thanks"