Re: IRC Bot list (cross posting)
[ Edited and resent, the first appears to have vanished in transit ]

I concede the point that operational tracking of botnets doesn't belong here, and I offer apologies to Martin, and the list in general, for not counting to ten before replying to his email. However, simply suppressing discussion of the topics isn't a good way to foster a cooperative working environment.

I'd like to thank those few folks who corrected me, today. I was wrong in what I felt was appropriate, and I shouldn't have gone off in the manner I did.

Moving to a more productive stance for this thread: How many people have subbed in the past month? The past year? There's stuff in the FAQ about what's directly relevant to this particular list, but there are a million related sub-topics with low level chatter that would overwhelm a single list, like this one. Is there a helpful resource that references these lists, to give subscribers a better grasp on topic specific lists that other nanog users deem productive, clue packed and useful?

- billn
On Wed, 2005-02-09 at 22:04 -0800, Bill Nash wrote:
> Moving to a more productive stance for this thread: How many people have subbed in the past month? The past year? There's stuff in the FAQ about what's directly relevant to this particular list, but there are a million related sub-topics with low level chatter that would overwhelm a single list, like this one. Is there a helpful resource that references these lists, to give subscribers a better grasp on topic specific lists that other nanog users deem productive, clue packed and useful?
I don't know how relevant this is to your question, but since it was part of the Subject here it goes: The botlist MUST have been interesting to a sizable number of NANOG'ers. At least 305 people (different IPs) downloaded the version that I posted here last night. -Jim P.
On Thu, 10 Feb 2005, Jim Popovitch wrote:
> I don't know how relevant this is to your question, but since it was part of the Subject here it goes: The botlist MUST have been interesting to a sizable number of NANOG'ers. At least 305 people (different IPs) downloaded the version that I posted here last night.
Yes, there are a number of good netadmins who want to make sure they don't have one of these bots on their network (and a number of bad guys who want to see the entire list), but if you consider the total number of networks in the world, 305 is not all that many and I doubt most of the bots on that list were killed because people found the list at nanog...

However since there was shown enough of the interest from people on nanog@ to help in killing bots and knowing about it, may I suggest that people who are doing the tracking set up the following:

1. Website where person can come and enter ip address block or domain and see number of bots on that network (but not actual ip addresses).
2. After that the person should be able to register (entering full name and contact data and company he/she works) and can then get access to see entire list of ip addresses for particular company (and possibly even do more and mark ips that have been taken care of).
3. Additionally there could be regular post on nanog@ (once/week or once/month depending how much nanog can tolerate) reminding of the website and with summary including total number of botnet ip addresses listed in the database, plus possibly list of 10 networks that have largest number of unhandled bots.

So, Gadi, are you taking notes?

--
William Leibzon
Elan Networks
william@elan.net
On Thu, Feb 10, 2005 at 12:09:48AM -0800, william(at)elan.net wrote:
> However since there was shown enough of the interest from people on nanog@ to help in killing bots and knowing about it, may I suggest that people who are doing the tracking set up the following:
For the DNSBLs that list things like proxies, most of them also offer to send notifications to AS or netblock contacts, so if you're interested in that then contact them too.
On Thu, 10 Feb 2005 00:09:48 PST, "william(at)elan.net" said:
> 2. After that the person should be able to register (entering full name and contact data and company he/she works) and can then get access to see entire list of ip addresses for particular company (and possibly even do more and mark ips that have been taken care of).
If you're listing IP's, it helps if you also attach a timestamp so those of us with large dialup and DHCP pools have a snowball's chance. (Make note - a "taken care of" page *also* needs the timestamp so we can check the right one off).
On 10 Feb 2005, at 10:03, Valdis.Kletnieks@vt.edu wrote:
> On Thu, 10 Feb 2005 00:09:48 PST, "william(at)elan.net" said:
>> 2. After that the person should be able to register (entering full name and contact data and company he/she works) and can then get access to see entire list of ip addresses for particular company (and possibly even do more and mark ips that have been taken care of).
> If you're listing IP's, it helps if you also attach a timestamp so those of us with large dialup and DHCP pools have a snowball's chance. (Make note - a "taken care of" page *also* needs the timestamp so we can check the right one off).
And, for those who are not used to troubleshooting incidents with people in distant timezones, specify the timezone somewhere (e.g. "all dates/times are UTC", "all dates/times are UTC-8"). People should also remember that just because it's February 10 in my timezone right now doesn't mean it's not February 11 elsewhere -- so, dates need timezones too, even if no time is specified. Joe
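The timestamp and timezone points raised in the last two messages, worked through as an added example that is not part of the original thread: a bot report for a DHCP pool address is mapped to a lease holder, and the same report without a timezone is shown to point at different subscribers depending on the offset the reader assumes. The lease table, subscriber names and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed DHCP lease history for one pool address (RFC 5737 documentation
# range). Hypothetical subscribers; lease boundaries are stored in UTC.
LEASES = [
    ("192.0.2.10", "cust-A", "2005-02-10T00:00:00+00:00", "2005-02-10T06:00:00+00:00"),
    ("192.0.2.10", "cust-B", "2005-02-10T06:00:00+00:00", "2005-02-10T14:00:00+00:00"),
    ("192.0.2.10", "cust-C", "2005-02-10T14:00:00+00:00", "2005-02-11T02:00:00+00:00"),
]


def holders_between(ip, start, end):
    """Subscribers whose lease on `ip` overlaps the aware interval [start, end)."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("timestamp has no timezone; cannot map it to a lease")
    return [sub for lease_ip, sub, ls, le in LEASES
            if lease_ip == ip
            and datetime.fromisoformat(ls) < end
            and datetime.fromisoformat(le) > start]


def holder_at(ip, when):
    """The single subscriber holding `ip` at the aware instant `when`, or None."""
    found = holders_between(ip, when, when + timedelta(microseconds=1))
    return found[0] if found else None


def candidates(ip, naive_ts, offsets_hours):
    """Who a report without a timezone could point at, per assumed UTC offset."""
    naive = datetime.fromisoformat(naive_ts)
    return {h: holder_at(ip, naive.replace(tzinfo=timezone(timedelta(hours=h))))
            for h in offsets_hours}


def holders_on_date(ip, day, offset_hours):
    """Subscribers a date-only report covers, given the reporter's UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    start = datetime.fromisoformat(day).replace(tzinfo=tz)
    return holders_between(ip, start, start + timedelta(days=1))


if __name__ == "__main__":
    print(holder_at("192.0.2.10", datetime.fromisoformat("2005-02-10T09:30:00-08:00")))
    print(candidates("192.0.2.10", "2005-02-10T09:30:00", [0, -8, 5]))
    print(holders_on_date("192.0.2.10", "2005-02-10", 0))
    print(holders_on_date("192.0.2.10", "2005-02-10", -8))
```

With the offset stated, the 09:30 report resolves to one subscriber; read as UTC, UTC-8 or UTC+5 it resolves to three different ones, and even a date-only report covers a different set of leases once the reporter's offset changes.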
participants (6)
- Andy Smith
- Bill Nash
- Jim Popovitch
- Joe Abley
- Valdis.Kletnieks@vt.edu
- william(at)elan.net