Re: Destructive botnet originating from California (was Japan)
How's the mitigation going? We can argue semantics at Dallas NANOG.

-----Original Message-----
From: Jon Lewis [mailto:jlewis@lewis.org]
Sent: Sun Dec 25 22:23:19 2005
To: Barrett G. Lyon
Cc: NANOG
Subject: Re: Destructive botnet originating from California (was Japan)

On Sun, 25 Dec 2005, Barrett G. Lyon wrote:
> I would have sent out a clean list sorted via AS and IP, except I have been working from vacation on GPRS via my 1 bar of service on my cell phone.
What's vacation? I gather Prolexic isn't a one man shop. Nobody else had a better internet connection and a few minutes to tidy up the data and make the post?
> If the right thing is to post this information to a more private list, then I would do so. However, I think it has been beneficial to get this information out to the public where they can actually do something about it. I've been
I didn't say nanog wasn't a good place to post the info...or that there aren't better places. Just that if you want people to take action based on the data, present it in a more reader-friendly and meaningful format. Also, mixing IPs and PTRs in such a report is not a great idea. I actually did scan through the message looking for any of my prefixes and $work's primary domain name. If there was a PTR for some customer of ours in their own domain, I didn't see it, but I also didn't look for it. Posting data by ASN/IP totally avoids that issue and makes looking for your ASN(s) trivial.
> getting emails from a lot of people thanking for the posts because they were able to identify a lot of messy traffic on their network and put an end to it. Posting information like this to a private list may not have accomplished much.
I don't see a problem with posting it to both or as many appropriate lists as you can find. Nanog is kind of geo-specific though. Other lists might have much broader representation from the entire internet.
> This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients. I'm not a lawyer but I would assume that tort liability law could apply and find someone liable for allowing their machine to DDoS people.
IANAL either, but if I steal your car and run someone over with it, are you liable? Should you be? Computers are "stolen" or at least commandeered on the internet at an alarming rate because those who do it know that odds are, they won't get caught. And if they are caught, odds are, nothing will happen. And there's apparently considerable profit in the sale of commandeered systems or services provided by them. I doubt you'll get anywhere trying to make an example of someone whose system was hacked or even just "used improperly". I really don't think this problem can be solved by scaring sysadmins or corporations. There will always be security holes.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
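Jon's point about presenting the data by ASN and IP rather than as a mix of IPs and PTRs, as an added example that is not part of the thread: a Python script that splits a mixed list into bare IPs and hostnames, maps each IP to an origin AS by longest-prefix match against a constructed prefix table (the prefixes, AS numbers and sample hosts are hypothetical; a real table would come from a routing table dump or whois), and emits one block per ASN so an operator can grep for their own AS number.

```python
import ipaddress
from collections import defaultdict
# Constructed prefix -> ASN table (hypothetical; a real one comes from a routing table dump).
PREFIX_TO_ASN = {
    "192.0.2.0/24": "AS64496",
    "198.51.100.0/24": "AS64497",
    "198.51.100.128/25": "AS64498",  # more specific than the /24 above
    "203.0.113.0/24": "AS64499",
}
def lookup_asn(ip):
    """Longest-prefix match against PREFIX_TO_ASN; None if no prefix covers ip."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, asn in PREFIX_TO_ASN.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def split_report(entries):
    """Separate bare IPs from PTR hostnames in a mixed list."""
    ips, ptrs = [], []
    for e in entries:
        try:
            ipaddress.ip_address(e)
            ips.append(e)
        except ValueError:
            ptrs.append(e)
    return ips, ptrs

def group_by_asn(ips):
    """{asn: IPs in address order}; IPs matching no prefix land under 'UNKNOWN'."""
    groups = defaultdict(set)
    for ip in ips:
        groups[lookup_asn(ip) or "UNKNOWN"].add(ip)
    return {asn: sorted(v, key=ipaddress.ip_address) for asn, v in sorted(groups.items())}

def format_report(entries):
    """One block per ASN so an operator can grep for their own AS number."""
    ips, ptrs = split_report(entries)
    lines = []
    for asn, addrs in group_by_asn(ips).items():
        lines.append(f"{asn} ({len(addrs)} hosts)")
        lines.extend(f"  {a}" for a in addrs)
    if ptrs:
        lines.append(f"# {len(ptrs)} PTR-only entries omitted; resolve them to IPs first")
    return "\n".join(lines)
# Constructed sample input mixing IPs and a PTR name, as in the original post.
SAMPLE = ["198.51.100.200", "192.0.2.9", "bot1.example.net", "198.51.100.5", "203.0.113.77", "192.0.2.3", "10.0.0.1"]
print(format_report(SAMPLE))
```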
participants (1): Hannigan, Martin