Re: McColo: Are the 'Lights On" at Telia?

• From: Matthew Moyle-Croft
• Date: Sun Nov 16 00:15:41 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

Matthew Moyle-Croft wrote:


The difficulty is that local blocking is only useful to block C&C
communications from infected machine in _your_ netblock. It doesn't at
all stop inbound port 25 connections from infected machines elsewhere.

In some limited cases, you might see a benefit to blocking DNS queries
from their netblocks. Some "spam-by-compromised-machine" mechanisms
have the C&C doing the MX lookups for the victims. Mostly because the
"compromised machine" is merely a proxy, and _can't_ do the MXes. I
doubt these BOTnet C&Cs do. More efficient to have the BOTs themselves
doing it.

--
Matthew Moyle-Croft - Internode/Agile - Networks
Level 4, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: [email protected]  Web: http://www.on.net
Direct: +61-8-8228-2909		    Mobile: +61-419-900-366
Reception: +61-8-8228-2999          Fax: +61-8-8235-6909

• References:
  • McColo: Are the 'Lights On" at Telia? Paul Ferguson
  • Re: McColo: Are the 'Lights On" at Telia? Paul Ferguson
  • Re: McColo: Are the 'Lights On" at Telia? Matthew Moyle-Croft
  • Re: McColo: Are the 'Lights On" at Telia? Chris Lewis

• Prev by Date: Re: McColo: Are the 'Lights On" at Telia?
• Next by Date: Re: McColo: Are the 'Lights On" at Telia?
• Date Index
• Thread Index
• Author Index
• Historical