compromised host list available

Folks,
I've developed a tool to pull together a bunch of information from DNSRBLs and mix it with a BGP feed, the result is that upon request I can generate a report of all the compromised hosts on your network as seen by various DNSRBLs.
reports are available daily in pdf, text, csv, and excel. they are all a bit chunky but should be helpful.
contact me off list, if you would like to get a daily report for your ASN. You will be required to prove you are associated with and responsible for the ASN you want a report for.
The reports are free so this isn't a commercial =) honestly I hope the stuff helps.
-rick
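The kind of join the announcement describes (DNSBL listings mapped onto BGP origin ASNs) can be sketched as follows. This is an added example, not Rick Wesson's tool or code from the thread; the prefixes, ASNs, DNSBL zone names and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation prefixes and reserved ASNs.
BGP_TABLE = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("198.51.100.128/25", 64502),  # more-specific route, different origin
]
DNSBL_HITS = [  # (listed address, zone that lists it), constructed
    ("192.0.2.10", "dnsbl-a.example"),
    ("192.0.2.10", "dnsbl-b.example"),
    ("198.51.100.200", "dnsbl-a.example"),
    ("203.0.113.5", "dnsbl-a.example"),  # no covering route in the table
]

def dnsbl_query_name(ip, zone):
    """Name a DNSBL client resolves for an IPv4 address: reversed octets + zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def origin_asn(ip, table=BGP_TABLE):
    """Longest-prefix match against (prefix, asn) routes; None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def listings_by_asn(hits=DNSBL_HITS, table=BGP_TABLE):
    """Group listings per origin ASN as {asn: {ip: [zones]}}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for ip, zone in hits:
        grouped[origin_asn(ip, table)][ip].add(zone)
    return {asn: {ip: sorted(zones) for ip, zones in hosts.items()}
            for asn, hosts in grouped.items()}

def render(asn, hosts):
    """Report text states only what is known: 'listed on', with the sources."""
    lines = [f"AS{asn}: addresses listed on DNSBLs (listing only, not verified)"]
    for ip, zones in sorted(hosts.items()):
        lines.append(f"  {ip} listed on {len(zones)} list(s): {', '.join(zones)}")
    return "\n".join(lines)

if __name__ == "__main__":
    for asn, hosts in listings_by_asn().items():
        if asn is not None:
            print(render(asn, hosts))
```

Keeping the source zones and a per-address list count in each row lets the recipient weigh a listing by who reported it before acting on it.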

On Wed, Jul 20, 2005 at 04:32:09PM -0700, Rick Wesson wrote:
Folks,
I've developed a tool to pull together a bunch of information from DNSRBLs and mix it with a BGP feed, the result is that upon request I can generate a report of all the compromised hosts on your network as seen by various DNSRBLs.
reports are available daily in pdf, text, csv, and excel. they are all a bit chunky but should be helpful.
contact me off list, if you would like to get a daily report for your ASN. You will be required to prove you are associated with and responsible for the ASN you want a report for.
The reports are free so this isn't a commercial =) honestly I hope the stuff helps.
-rick
Unless you have personally verified each entry, you would do well to add a disclaimer that DNSRBLs are not 100% reliable, eh?
-- Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.

On 7/21/05, Joseph S D Yao <jsdy@center.osis.gov> wrote:
On Wed, Jul 20, 2005 at 04:32:09PM -0700, Rick Wesson wrote:
Folks,
I've developed a tool to pull together a bunch of information from DNSRBLs and mix it with a BGP feed, the result is that upon request I can generate a report of all the compromised hosts on your network as seen by various DNSRBLs.
...
Unless you have personally verified each entry, you would do well to add a disclaimer that DNSRBLs are not 100% reliable, eh?
Well there is that, but that should be implicit in pretty much every report you get that $this or $that host is compromised. This is just a convenient offering to say "someone out there thinks one of your machines is holed. You might want to check that out."
I'm good friends with some fully-automated blackholing mechanisms, and even I'm not crazy enough to just blackhole my own machines on someone else's say-so.
CK
--
GDB has a 'break' feature; why doesn't it have 'fix' too?

On 21 Jul 2005, at 12:02, Joseph S D Yao wrote:
Unless you have personally verified each entry, you would do well to add a disclaimer that DNSRBLs are not 100% reliable, eh?
Unless I'm mistaken (and my first report hasn't arrived yet, so maybe I am) this is more of a "heads up! the following addresses within your network are listed on DNSBLs" than anything else.
I can't see why you'd add a disclaimer to a report like that.
Joe

On Thu, Jul 21, 2005 at 12:31:13PM -0400, Joe Abley wrote: ...
Unless I'm mistaken (and my first report hasn't arrived yet, so maybe I am) this is more of a "heads up! the following addresses within your network are listed on DNSBLs" than anything else.
I can't see why you'd add a disclaimer to a report like that. ...
The announcement didn't state the intended use - which, given the ingenuity of some, is most reasonable. But there are those who will believe whatever they read, as long as it's in a report, and especially if the report is automatically generated. Must be true, then, eh? A report, eh? And done by one of them infallible computer dinguses, eh?
;-) [in case anyone needed it]
-- Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.

On Jul 21, 2005, at 12:35 PM, Joseph S D Yao wrote:
On Thu, Jul 21, 2005 at 12:31:13PM -0400, Joe Abley wrote: ...
Unless I'm mistaken (and my first report hasn't arrived yet, so maybe I am) this is more of a "heads up! the following addresses within your network are listed on DNSBLs" than anything else.
I can't see why you'd add a disclaimer to a report like that. ...
The announcement didn't state the intended use - which, given the ingenuity of some, is most reasonable. But there are those who will believe whatever they read, as long as it's in a report, and especially if the report is automatically generated. Must be true, then, eh? A report, eh? And done by one of them infallible computer dinguses, eh?
I don't see why the reliability/reputation of a dnsbl changes the trueness of "this host is listed in this dnsbl". That is, I agree with Joe :)

On Thu, Jul 21, 2005 at 12:48:27PM -0400, John Payne wrote: ...
I don't see why the reliability/reputation of a dnsbl changes the trueness of "this host is listed in this dnsbl".
That is, of course, all that the report says [per the announcement]. But who knows how it might be interpreted, especially by PHBs? ;-]
That is, I agree with Joe :)
O K .
-- Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.

The announcement didn't state the intended use - which, given the ingenuity of some, is most reasonable. But there are those who will believe whatever they read, as long as it's in a report, and especially if the report is automatically generated. Must be true, then, eh? A report, eh? And done by one of them infallible computer dinguses, eh?
did you receive or read it on the net? if so, question it.
if you are a fool, you'll ignore any warnings.
just gimme the list please
randy

--- Joseph S D Yao <jsdy@center.osis.gov> wrote:
Unless you have personally verified each entry, you would do well to add a disclaimer that DNSRBLs are not 100% reliable, eh?
And what on the net is? :)
I'm all for people dealing with "badly managed" boxes at various levels. While some data may be stale/wrong, and DNSRBL isn't the "perfect" mechanism to distribute this information, it works "well enough".
The internet was built on the (well proven) theory that things are unreliable, and we should do things that we think will help get more uptime, upses, back up gen sets, HSRP, alt-paths, alt-routes, back up data centers, etc. All of which have at least one gotcha.
If you do not understand the limits of the tools that you are using, you might be a windows admin (if "fsck -y" describes how you deal with relationship issues you might be a unix admin :) , or you just can't be bothered.
More tools and information are a good thing, but how/where you choose to use a sawzall is up to you. http://www.milwaukeetool.com/us/en/news.nsf/vwFeaturedProducts/4CBA61C6E299F...
The packets that you allow across YOUR slice of the net are also up to you.
I believe that this tool is best used as an "outsiders view" into your space to see what is going on _inside your network_ , based on the behavior observed by others. (hey rick, can you do a tool like this to help us (well me) with social skills?)
If you're the kind of person who complies when someone says "go BLEEP yourself" perhaps the internet is not a place for you, And perhaps blindly following the info that any tool gives out is not the best thing for you or your network. Use your brain, not just the tool.
Missing the days of John Postel
http://www.usc.edu/webcast/events/postel/
http://www.isoc.org/postel/
-charles
http://www.catb.org/~esr/faqs/smart-questions.html

On Thu, Jul 21, 2005 at 10:10:27AM -0700, Charles Cala wrote: ...
More tools and information are a good thing, but how/where you chose to use a sawzall is up to you. http://www.milwaukeetool.com/us/en/news.nsf/vwFeaturedProducts/4CBA61C6E299F...
Yes, but I usually make sure that the safety attachments on my sawzall and other saws are well fastened on, and the saws fastened down in the correct compartment of my ladder truck. ;-) ...
If you're the kind of person who complies when some one says "go BLEEP yourself" perhaps the internet is not a place for you, And perhaps blindly following the info that any tool gives out is not the best thing for you or your network. Use your brain, not just the tool. ...
There's more than just knowledgeable folks out there, these days!
Missing the days of John Postel
Aren't we all.
-- Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
participants (7): Charles Cala, Chris Kuethe, Joe Abley, John Payne, Joseph S D Yao, Randy Bush, Rick Wesson