North American Network Operators Group
Re: DNS Hijacking by Cox
>> doing it[1]. If you're interested in finding people that Undernet detects
>> as being open proxies or such like, put an IDS rule looking for
>> ":[^ ]* 465 [^ ]* :AUTO ".
>
> Rather than use IDS to snoop for our "user banned" messages, let IRC

I'd love to see this. Undernet tried doing something similar a few years ago
and it didn't really seem to pan out the way we'd hoped. Having this hosted by
some independent third party would be great. Are there any trusted security
organisations that are interested in running this? It's fairly easy to parse
Undernet's logs into some kind of sane format that can be submitted.

One of the problems here is that responsible networks are happy to report and
deal with these drones. The kiddies learn this pretty quickly and just set up
an IRC server on a hacked box somewhere and use that. These are the bot
networks that are used by kiddies that have graduated from annoying to
dangerous.

> The ISP would then be able to use the database as a geiger counter and
> verify the "user is a bot" claim, and maybe take some abuse response if
> the user is actually infected with a spambot or floodbot.

People are busy keeping these up to date all the time, as you point out.

> And unfortunately also relies on someone maintaining a database, that
> could be costly, and would all be a waste if no ISP was able to utilize
> it to actually isolate bot-infected computers, or if no IRC network
> actually reported to the DB.

IRC networks in general are extremely keen to do anything they can to get rid
of these bots. The interesting question is if ISPs would sign on to such a
service.

>> them harder to find and ban.[2] Also the constant reconnects themselves
>> can almost overwhelm a server. I almost want to submit patches to the
>> botnet codebases to implement exponential back off, or in fact /any/ kind
>> of reasonable delay between connection attempts.
>
> Yeah, some already do this. That and just rate-limit SYNs (if you ban 10k
> clients off your network, they all try and reconnect immediately, usually
> to the first server in their list...)

Yeah, many servers run a script that counts the number of incoming SYNs, and
if they exceed a certain threshold, firewall the source IP.

> Firewall rules are just impossible to implement across all servers on most
> IRC

Yeah, but automated "if you see too many SYNs from a certain source IP, just
firewall it" systems give a fairly reasonable approximation to this.
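An added example, not code from the thread, from Undernet or from any of the posters, showing the two heuristics discussed above in working form: the ":[^ ]* 465 [^ ]* :AUTO " IDS pattern applied to server-to-client IRC lines and turned into the kind of per-host report the Undernet poster says is easy to produce, and the "too many SYNs from one source IP, firewall it" counter that the replies describe. The sample traffic, the SYN log, the wording of the ban text and the threshold of 10 attempts in 60 seconds are all constructed for the example; the only protocol fact relied on is that IRC numeric 465 is ERR_YOUREBANNEDCREEP ("You are banned from this server", RFC 1459).

```python
"""Two heuristics from the NANOG thread, run over constructed sample data.

1. The IDS rule ":[^ ]* 465 [^ ]* :AUTO " matched against server->client IRC
   payloads: each hit tells you which client address the network auto-banned.
2. The "count SYNs per source, firewall it over a threshold" script that the
   replies say many IRC servers run, as a sliding-window counter.
"""
import re
from collections import defaultdict, deque

# The regex quoted in the thread. 465 is ERR_YOUREBANNEDCREEP (RFC 1459); the
# poster says Undernet's automated bans carry the text "AUTO" after the colon.
AUTO_BAN_RE = re.compile(r":[^ ]* 465 [^ ]* :AUTO ")

# Finer parse of the same message (prefix, numeric, target nick, trailing text)
# so the hit can be reported with more than "something matched".
BAN_FIELDS_RE = re.compile(r"^:(?P<server>[^ ]+) 465 (?P<nick>[^ ]+) :AUTO (?P<reason>.*)$")

# Constructed sample: (destination IP of the packet, IRC payload line). In an
# IDS the destination of a server->client 465 is the client that was banned.
# The ban-reason wording is invented for the example.
SAMPLE_TRAFFIC = [
    ("198.51.100.23", ":irc.example.net 465 fred :AUTO You are banned (open proxy)"),
    ("198.51.100.23", ":irc.example.net NOTICE fred :Closing link"),
    ("203.0.113.9",   ":irc.example.net 465 wilma :AUTO You are banned (floodbot)"),
    ("203.0.113.77",  ":irc.example.net 465 barney :G-lined by oper (abuse)"),   # manual ban, no AUTO
    ("203.0.113.78",  ":irc.example.net 372 betty :- AUTO reconnect notice"),     # 372 is MOTD, not 465
]


def find_auto_bans(traffic):
    """Return {client_ip: (nick, reason)} for every line the IDS rule would flag."""
    hits = {}
    for dst_ip, payload in traffic:
        if not AUTO_BAN_RE.search(payload):
            continue
        m = BAN_FIELDS_RE.match(payload)
        nick, reason = (m["nick"], m["reason"]) if m else ("?", payload)
        hits[dst_ip] = (nick, reason)
    return hits


def to_report_lines(hits):
    """Flatten hits into a simple submittable format: ip<TAB>nick<TAB>reason."""
    return [f"{ip}\t{nick}\t{reason}" for ip, (nick, reason) in sorted(hits.items())]


class SynRateLimiter:
    """Sliding-window count of connection attempts per source IP.

    observe() returns True the first time a source reaches `threshold`
    attempts within `window` seconds; a real deployment would insert a
    firewall rule at that point. Threshold and window are example values.
    """

    def __init__(self, threshold=10, window=60.0):
        self.threshold = threshold
        self.window = window
        self._attempts = defaultdict(deque)
        self.blocked = set()

    def observe(self, src_ip, ts):
        if src_ip in self.blocked:
            return False  # already firewalled; nothing new to report
        q = self._attempts[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= self.threshold:
            self.blocked.add(src_ip)
            return True
        return False


def build_reconnect_storm():
    """Constructed SYN log (ts, src_ip): two bots reconnecting every 0.5s with
    no back-off after a mass ban, and one human retrying a few times slowly."""
    log = []
    for i in range(20):
        log.append((0.5 * i, "192.0.2.10"))
        log.append((0.5 * i + 0.1, "192.0.2.11"))
    log += [(0.0, "192.0.2.200"), (25.0, "192.0.2.200"), (55.0, "192.0.2.200")]
    return sorted(log)


def firewall_candidates(syn_log, threshold=10, window=60.0):
    """Replay a SYN log through the limiter; return the source IPs it would firewall."""
    limiter = SynRateLimiter(threshold, window)
    return {ip for ts, ip in syn_log if limiter.observe(ip, ts)}


if __name__ == "__main__":
    for line in to_report_lines(find_auto_bans(SAMPLE_TRAFFIC)):
        print(line)
    print("firewall:", sorted(firewall_candidates(build_reconnect_storm())))
```

The 465 matcher keys on the destination address of the packet rather than anything inside the message, because the ban text does not necessarily name the client's host; the SYN counter deliberately reports a source only once, since after the firewall rule is in place its further attempts never reach the IRC daemon.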