> I use proxycheck to manually check hosts for open proxies
> (http://www.corpit.ru/mjt/proxycheck.html)… you could script this (or
> a similar tool) and run scans of your entire network.

That's what I would suggest. You could also reactively test your customers
when they make a connection to your webserver or mailserver.

that won't catch the case where a proxy is open and is being abused but
the resulting traffic is directed outside of the local isp, which is going
to be the common case since parasites don't like to endanger their hosts.

every network owner should routinely scan/probe every address they are
responsible for, looking for everything from ntpd vulnerabilities to
sendmail or bind vulnerabilities to open proxies to open relays to etc.
by "routinely" i mean every day. if something's found, block it 'til it's
fixed. this will save you huge money in abuse@ staffing costs, as well
as giving you "n'ya n'ya" rights when you meet uunet at the nanog bar :-).
this is as important as having abuse@ and noc@ mailboxes, or doing uRPF
on customer edges. if you're an ISP and your customer agreement doesn't
explicitly demand the ability to do this testing, then have it updated.

i now think that http://www.icann.org/committees/security/sac004.htm was
not nearly draconian enough, even though it claims...

3 - DDoS Vector

3.1. The typical vector for DDoS launches is a personal computer (PC)
running operating system and application software that purposely trades
off security for convenience. These computers are usually poorly
managed, such that there are weak passwords or no passwords, known
security "holes" that are never patched or closed, and services offered
to the global Internet that the owner has no knowledge and no use for.

3.2. From the point of view of almost any single purveyor -- or consumer
-- of operating system and application software, convenience will almost
always have more perceived value than security. It is only when viewed
in the aggregate that the value of security becomes obviously higher
than the value of convenience.

3.3. With the advent of high speed "always on" connections, these PCs
add up to either an enormous global threat, or a bonanza of freely
retargetable resources, depending upon one's point of view.

3.4. Bad actors, in teams or acting alone, exert constant background
effort to locate these hosts, probe them for known weaknesses, and
subvert them in any way possible. There are software "kits" available
that make all of this trivially easy, so no actual technical skill is
needed to locate, subvert, and direct an army of thousands of high
...to be aware of this problem.
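The daily "scan your own address space, block what's open until it's fixed" routine the post recommends, as an added example that is not part of the thread and is not proxycheck's code: a minimal open-HTTP-proxy check that flags a host only if it accepts a CONNECT for a third-party destination. The probe destination, the host list and the block() hook are placeholders to be replaced with the ISP's own values; fake_server is a constructed local stand-in for a customer host so the scan can be exercised offline.

```python
import socket
import threading

# Assumption: a destination the ISP controls (e.g. its own MX). A truly
# open proxy would relay the connection there; placeholder value.
PROBE_DESTINATION = "mx.example.net:25"


def probe_connect(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send one CONNECT request to host:port and return the start of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"CONNECT {PROBE_DESTINATION} HTTP/1.0\r\n\r\n".encode())
        return s.recv(256)


def is_open_proxy_reply(first_bytes: bytes) -> bool:
    """An open proxy answers CONNECT with a 2xx status line; a 4xx/5xx
    refusal, garbage or an empty reply all count as 'not open'."""
    status = first_bytes.split(b"\r\n", 1)[0].split(b" ")
    return (len(status) >= 2 and status[0].startswith(b"HTTP/")
            and status[1].startswith(b"2"))


def scan(hosts, block):
    """Probe each (host, port); call block(host, port) for every open proxy.
    Returns the list of (host, port) pairs that were flagged."""
    found = []
    for host, port in hosts:
        try:
            reply = probe_connect(host, port)
        except OSError:          # refused, filtered or timed out: not open
            continue
        if is_open_proxy_reply(reply):
            found.append((host, port))
            block(host, port)    # e.g. add a filter at the customer edge
    return found


def fake_server(reply: bytes) -> int:
    """Constructed stand-in for a customer host: answers one connection
    with `reply` and exits. Returns the local port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.sendall(reply)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A real run would iterate over every address the network owner is responsible for and feed the flagged pairs to whatever mechanism blocks the customer until the proxy is closed.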