Re: botnet reporting by AS - what about you?
I was on it and unsubscribed. They wouldn't disclose the collection or validation process at that time. This made it useless for the most part as its hard to act on someones word without some idea of how they are getting their data and avoiding collateral damage. I'm not saying there aren't valid zombies on it, but my criteria for a list that identifies rogues includes trust. I have lists I felt were more trustworthy than DA. Things may have changed. Martin -----Original Message----- From: Christopher L. Morrow [mailto:christopher.morrow@mci.com] Sent: Fri Aug 12 23:56:53 2005 To: Fergie (Paul Ferguson) Cc: nanog@merit.edu Subject: Re: botnet reporting by AS - what about you? On Sat, 13 Aug 2005, Fergie (Paul Ferguson) wrote:
Chris,
I can assure you that the Drone Army project is not run that way, and is quite useful, effective, etc.
The folks behind the DA Project are certainly professionals... ...and the infromation is quite useable, parse-able, and genuine.
cool, among the 800k+ complaints we see a month (yes, 800k) there are quite a few completely useless ones :( Anything sent in as a complaint has to have complete and useful information, else it's hard/impossible to action properly. It'd help if the format it was sent in was also machine parseable :) With 800k+ complaints/month I'm not sure people want to spend time figuring each one out, a script/machine should be doing as much as possible.
- ferg
-- "Christopher L. Morrow" <christopher.morrow@mci.com> wrote:
perhaps we could back up and ask:
1) why are you not using the arin/ripe/apnic/japnic/krnic/lacnic poc's for these asn's? certainly some are not up to date, but there are a large number that are... 2) what is this for again? 3) are you planning on sending something to these poc's? 4) what are you planning on sending to them? 5) how often should they expect to see something, and from 'whom'? 6) looked at the INCH working group in IETF, thought about using some of these evolving standards for your alerts/messags/missives? 7) please don't send in bmp files of traceroutes (make the info you send in complete and usable... 'I saw a bot on ip 12' is not useable, as an fyi)
-Chris
-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg@netzero.net or fergdawg@sbcglobal.net ferg's tech blog: http://fergdawg.blogspot.com/
On Sat, 13 Aug 2005, Hannigan, Martin wrote:
I was on it and unsubscribed. They wouldn't disclose the collection or validation process at that time. This made it useless for the most part as its hard to act on someones word without some idea of how they are getting their data and avoiding collateral damage.
this was part of my point ;( It's hard to call up a customer and say: "someone told me that you were bad, could you stop please?" normally they hangup after saying something uncooth and about 'you are crazy'... :( I may be crazy, but most of the abuse folks aren't. there has to be complete info in the complaint: 1) logs 2) timestamps 3) timezones they should be in some structured (see inch-wg/rid for some almost-standards-based examples) text-based format that is easily parsable by machines.
participants (2)
-
Christopher L. Morrow
-
Hannigan, Martin