-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of J. Oquendo
Sent: Thursday, October 07, 2004 1:11 AM
To: nanog@merit.edu
Subject: short Botnet list and Cashing in on DoS
I've been slowly compiling a list of known botnets should anyone care to filter, or check them in your netblocks if someone in your range is passing off garbage, etc. Information has been passed from other admins having to deal with these pests. Care to pass on a host that you're seeing? I'll post it for others to see as well. Perhaps when I have spare time, I may or may not throw up something where admins can check and add hosts they're seeing. Don't know if I want my connection getting toasted for doing so, but it could be something informative, a la spamhaus. Bothaus anyone?
The problem with that is the list rapidly updates and must be maintained with some level of frequency and there's a level of trust involved in it as well. Going after the bots is lesser effort. The controllers are a priority.

-M<

--
Martin Hannigan                      (c) 617-388-2663
VeriSign, Inc.                       (w) 703-948-7018
Network Engineer IV
Operations & Infrastructure
hannigan@verisign.com
On Thu, 7 Oct 2004, Hannigan, Martin wrote:
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of J. Oquendo
> Sent: Thursday, October 07, 2004 1:11 AM
> To: nanog@merit.edu
> Subject: short Botnet list and Cashing in on DoS
>
> I've been slowly compiling a list of known botnets should anyone care to filter, or check them in your netblocks if someone in your range is passing off garbage, etc. Information has been passed from other admins having to deal with these pests. Care to pass on a host that you're seeing? I'll post it for others to see as well. Perhaps when I have spare time, I may or may not throw up something where admins can check and add hosts they're seeing. Don't know if I want my connection getting toasted for doing so, but it could be something informative, a la spamhaus. Bothaus anyone?
>
> The problem with that is the list rapidly updates and must be maintained with some level of frequency and there's a level of trust involved in it as well.
>
> Going after the bots is lesser effort. The controllers are a priority.
And it's in this arena that honeypots become most valuable, although if I personally were going to do something like this, I'd be logged in from a login from a login over a netzero dialup over a previously-discovered open proxy. The beauty is that script-kiddies aren't that intelligent.

-Dan
> -M<
>
> --
> Martin Hannigan                      (c) 617-388-2663
> VeriSign, Inc.                       (w) 703-948-7018
> Network Engineer IV
> Operations & Infrastructure
> hannigan@verisign.com
--
"It doesn't matter where I live, because I live in dataspace. That's my hometown." -Steve Roberts, Builder of BEHEMOTH

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144  AIM: LarpGM
Site: http://www.gushi.org
---------------------------
> Going after the bots is lesser effort. The controllers are a priority.
That's not happening. AV companies are mostly interested in hyping the latest worm or semi-worm. Drone armies, hundreds of thousands large (no exaggeration), are just too much of an effort with 1000+ new Trojan horses coming out every month. Also, there are virtually no resources directed at this problem except for a _few_ numbered concerned individuals from various corporate security teams and a few people who use IRC networks, world-wide. As long as so many computers are out there for the taking, it is almost an impossible war.

Maybe it would be possible to check if any users from a location you are in charge of are connecting to these IPs and send them an automated email about their security plus a deal on an AV product (whatever it is worth for this)? I doubt many here have the time to even consider such an effort, even with the deal. There are easier ways, such as seeing who in said network connects out with recognized signatures... again, I doubt many would bother.

Spam, viruses, it all revolves around the same problem. The users en masse are a serious risk on the macro level.

Besides, with so many drones around and infected machines - who needs a proxy to be anonymous?

Gadi Evron.
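The check Gadi describes above (seeing which hosts in netblocks you are responsible for connect out to listed controller addresses) as an added example that is not part of the thread or of any poster's tooling: a small Python script that parses a constructed controller list in the spirit of the "Bothaus" idea and a handful of constructed firewall connection records, then reports the internal hosts that contacted a listed controller. The list format, the log format, the 10.0.0.0/8 internal prefix and every address (all RFC 5737 TEST-NET space) are assumptions made for illustration, not a real feed or real infrastructure.

```python
"""Correlate outbound connections against a list of known botnet controllers.

Added example, not code from the NANOG thread. Everything below
(list format, log format, prefixes, addresses) is constructed for
illustration only.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed controller list (hypothetical entries, TEST-NET addresses).
# A single host is matched on one port; a prefix with "*" matches any port.
CONTROLLER_LIST = """\
# host-or-prefix  port  note
198.51.100.7      6667  IRC controller (hypothetical entry)
203.0.113.0/28    *     hosting block with several controllers (hypothetical)
"""

# Constructed firewall connection records (syslog-like), one per line.
FLOW_LOG = """\
Oct  7 01:11:02 fw1 conn: 10.0.5.23:1043 -> 198.51.100.7:6667 tcp
Oct  7 01:11:05 fw1 conn: 10.0.5.23:1044 -> 192.0.2.80:80 tcp
Oct  7 01:12:10 fw1 conn: 10.0.7.9:3120 -> 203.0.113.5:31337 tcp
Oct  7 01:12:11 fw1 conn: 10.0.7.9:3121 -> 198.51.100.7:80 tcp
Oct  7 01:13:00 fw1 conn: 172.16.4.2:2222 -> 198.51.100.7:6667 tcp
Oct  7 01:13:30 fw1 conn: 10.0.9.1:5000 -> 203.0.113.99:6667 tcp
Oct  7 01:14:00 fw1 dhcp: lease 10.0.9.1 renewed
"""

# Assumed: the address space you are responsible for.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

FLOW_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)"
)


def parse_controllers(text):
    """Return a list of (network, port_or_None, note) from the list format above."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, *note = line.split(maxsplit=2)
        net = ipaddress.ip_network(host, strict=False)  # "a.b.c.d" becomes a /32
        entries.append((net, None if port == "*" else int(port), note[0] if note else ""))
    return entries


def match_controller(dst, dport, controllers):
    """Return the first controller entry covering dst:dport, or None."""
    addr = ipaddress.ip_address(dst)
    for net, port, note in controllers:
        if addr in net and (port is None or port == dport):
            return (str(net), port, note)
    return None


def find_suspect_hosts(log_text, controllers, internal=INTERNAL):
    """Map each internal source IP to the controller contacts it made.

    Only connections whose source lies inside `internal` count; inbound or
    transit records with an outside source are ignored, as are lines that
    are not connection records at all.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if src not in internal:
            continue
        hit = match_controller(m["dst"], int(m["dport"]), controllers)
        if hit:
            hits[str(src)].append((m["dst"], int(m["dport"]), hit[2]))
    return dict(hits)


if __name__ == "__main__":
    suspects = find_suspect_hosts(FLOW_LOG, parse_controllers(CONTROLLER_LIST))
    for host, contacts in sorted(suspects.items()):
        for dst, dport, note in contacts:
            print(f"{host} -> {dst}:{dport}  ({note})")
```

Two of the six constructed connections are flagged: 10.0.5.23 talking to the listed IRC controller on its listed port, and 10.0.7.9 talking into the listed hosting prefix. The connection from 10.0.7.9 to the same controller host on port 80 is not flagged because the entry is port-specific, and the 172.16.4.2 record is skipped because it is not in the internal prefix. A wildcard-port prefix entry will also catch legitimate traffic to that block, which is the trust and maintenance problem Martin raises about any shared list: keep the note column, and review hits before mailing anyone.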
> ..., a la spamhaus. Bothaus anyone?
>
> The problem with that is the list rapidly updates and must be maintained with some level of frequency and there's a level of trust involved in it as well.
i consider www.cymru.com to be an excellent beginning toward that goalset.
> Going after the bots is lesser effort. The controllers are a priority.
wide scale BCP38 conformity is the only way any of this will ever happen.

--
Paul Vixie
participants (5)

- Dan Mahoney, System Admin
- Gadi Evron
- Hannigan, Martin
- Paul Vixie
- Randy Bush