North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Destructive botnet originating from California (was Japan)

  • From: Barrett G. Lyon
  • Date: Sun Dec 25 18:49:52 2005

I would have sent out a clean list sorted via AS and IP, except I have been working from vacation on GPRS via my 1 bar of service on my cell phone. Cleaning up lists is rather painful for me in that situation. I'm pretty sure Rob Thomas cleaned up the list and added it to Team Cymru's stuff.

As a side note, I did apply to nsp-sec a while back and I was told to do something like download SNORT or join a snort discussion list. I though that was pretty telling, I run into a lot of information daily and this was messy enough for me to post to NANOG about it. I was just trying to the the right thing.

If the right thing is to post this information to a more private list, then I would do so. However, I think it has been benificial to get this information out to the public where they can actually do something about it. I've been getting emails from a lot of people thanking for the posts because they were able to identify a lot of messy traffic on their network and put an end to it. Posting information like this to a private list may not have accomplished much. I think the data should most certainly go on the Team Cymru list, but why not to a large public form putting in the faces of the people that are responsible?

This should be another thread completely, but I am wondering about the liability of the individual's who have owned machines that are attacking me/my clients. I'm not a lawyer but I would assume that tort liability law could apply and find someone liable for allowing their machine to DDoS people. There is no precedence for this, but maybe a few law suits could set one? I'm not saying I (Prolexic) would do this, but if someone sued the owners of the machines in civil court and won, maybe that would put a hell of a lot more pressure on people that run a dirty network or machine. It may place responsibility on some of these people that say, "we don't care what our users do". Have bots? Go to court... I'm really interested on comments on this, has anyone tried?


On Dec 25, 2005, at 2:36 PM, Jon Lewis wrote:

On Sun, 25 Dec 2005, Rubens Kuhl Jr. wrote:

The first rule of nsp-sec is, you do not talk about nsp-sec
The second rule of nsp-sec is, you DO NOT talk about nsp-sec

There's nothing secret about the existence or purpose of the list.

I don't know enough about Barrett to guess as to whether or not he'd qualify.

Also, I was considering emailing Barrett privately, but since there seems to be so much misinformation going around, others will probably benefit from this. If you want to send out list of IPs suspected of being bots or really any other class of insecure/0wn3d systems, to make it easier for those who care to find their IPs in your list, run it through the Team Cymru whois server first.

Then sort the list numerically by ASN. That way, people can scroll through it, or search by ASN, and quickly determine if there's any further action worth taking.

It's also a really good idea to include timestamps, ideally exact ones in GMT per IP. In this case (unix bots) it's not as likely, but typical windows bots frequently show up on end-user systems with dynamic IPs. Telling me one of my dial pool IPs was a bot "recently" is not as useful as telling me it was a bot 2005-12-25 02:30:45 GMT.

Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ for PGP public key_________