How's the mitigation going? We can argue semantics at Dallas NANOG.



 -----Original Message-----
From:   Jon Lewis [mailto:jlewis@lewis.org]
Sent:   Sun Dec 25 22:23:19 2005
To:     Barrett G. Lyon
Cc:     NANOG
Subject:        Re: Destructive botnet originating from California (was Japan)


On Sun, 25 Dec 2005, Barrett G. Lyon wrote:

> I would have sent out a clean list sorted via AS and IP, except I have been
> working from vacation on GPRS via my 1 bar of service on my cell phone.

What's vacation?

I gather Prolexic isn't a one man shop.  Nobody else had a better internet
connection and a few minutes to tidy up the data and make the post?

> If the right thing is to post this information to a more private list, then I
> would do so.  However, I think it has been beneficial to get this information
> out to the public where they can actually do something about it.  I've been

I didn't say nanog wasn't a good place to post the info...or that there
aren't better places.  Just that if you want people to take action based
on the data, present it in a more reader-friendly and meaningful format.
Also, mixing IPs and PTRs in such a report is not a great idea.  I
actually did scan through the message looking for any of my prefixes and
$work's primary domain name.  If there was a PTR for some customer of ours
in their own domain, I didn't see it, but I also didn't look for it.
Posting data by ASN/IP totally avoids that issue and makes looking for
your ASN(s) trivial.

> getting emails from a lot of people thanking for the posts because they were
> able to identify a lot of messy traffic on their network and put an end to
> it.  Posting information like this to a private list may not have
> accomplished much.

I don't see a problem with posting it to both or as many appropriate lists
as you can find.  Nanog is kind of geo-specific though.  Other lists might
have much broader representation from the entire internet.

> This should be another thread completely, but I am wondering about the
> liability of the individuals who have owned machines that are attacking
> me/my clients.  I'm not a lawyer but I would assume that tort liability law
> could apply and find someone liable for allowing their machine to DDoS
> people.

IANAL either, but if I steal your car and run someone over with it, are
you liable?  Should you be?  Computers are "stolen" or at least
commandeered on the internet at an alarming rate because those who do it
know that odds are, they won't get caught.  And if they are caught, odds
are, nothing will happen.  And there's apparently considerable profit in
the sale of commandeered systems or services provided by them.  I doubt
you'll get anywhere trying to make an example of someone whose system was
hacked or even just "used improperly".  I really don't think this problem
can be solved by scaring sysadmins or corporations.  There will always be
security holes.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
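Jon's point about presentation, as an added example that is not part of the thread: take a mixed dump of IPs and PTR names, keep the literal addresses, map each to an origin ASN by longest-prefix match, and emit the list sorted by AS and then IP so an operator can find their own ASN at a glance. The report contents and the prefix-to-ASN table are constructed (RFC 5737 documentation ranges, private-use ASNs); in practice the table would come from a routing-table or whois lookup.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: an unsorted mix of IPs and PTR names, the shape of
# report being objected to above. Documentation addresses only.
RAW_REPORT = """
198.51.100.77
host-203-0-113-5.example.net
203.0.113.9
192.0.2.200
10.9.8.7
198.51.100.3
192.0.2.14
"""

# Constructed prefix -> origin ASN table standing in for a real route lookup.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.64/26": 64498,   # more-specific; must win over the /24
    "203.0.113.0/24": 64499,
}

def split_report(text):
    """Separate literal IP addresses from PTR/host names in a mixed report."""
    ips, names = [], []
    for token in text.split():
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:
            names.append(token)
    return ips, names

def lookup_asn(ip, table):
    """Longest-prefix match of ip against table; None if no prefix covers it."""
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def group_by_asn(text, table=PREFIX_TO_ASN):
    """Return {asn: [ip, ...]} with ASNs ascending and unrouted (None) last."""
    ips, _names = split_report(text)          # PTR names are dropped on purpose
    groups = defaultdict(list)
    for ip in ips:
        groups[lookup_asn(ip, table)].append(ip)
    ordered = sorted(groups.items(), key=lambda kv: (kv[0] is None, kv[0] or 0))
    return {asn: [str(a) for a in sorted(addrs)] for asn, addrs in ordered}
```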