North American Network Operators Group

Re: compromized host list available

  • From: Chris Kuethe
  • Date: Thu Jul 21 12:29:36 2005

On 7/21/05, Joseph S D Yao <[email protected]> wrote:
> 
> On Wed, Jul 20, 2005 at 04:32:09PM -0700, Rick Wesson wrote:
> > Folks,
> >
> > I've developed a tool to pull together a bunch of information from
> > DNSRBLs and mix it with a BGP feed, the result is that upon request I
> > can generate a report of all the compromised hosts on your network as
> > seen by various DNSRBLs.
...
> Unless you have personally verified each entry, you would do well to add
> a disclaimer that DNSRBLs are not 100% reliable, eh?

Well there is that, but that should be implicit in pretty much every
report you get that $this or $that host is compromised. This is just a
convenient offering to say "someone out there thinks one of your
machines is holed. You might want to check that out." I'm good friends
with some fully-automated blackholing mechanisms, and even I'm not
crazy enough to just blackhole my own machines on someone else's
say-so.

CK


-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?