Here is a list of the compromised machines used in this new botnet we found in California. These are all web servers connected to good bandwidth and they are attacking us, so as a nice little holiday gift to me, please clean your network up if these are on your network. :)
Hi, NANOGers. Here is Barrett's list, including and sorted by ASN. Thanks, Rob. -- Rob Thomas Team Cymru http://www.cymru.com/ ASSERT(coffee != empty);
On Sun, 25 Dec 2005 13:33:44 -0600 (CST) Rob Thomas <robt@cymru.com> wrote:
Here is Barrett's list, including and sorted by ASN.
And even that won't be sufficient for many networks to take action. A lot of people provide lists of the IPs that spam/attack/etc them, but do not provide the actual time. Since many "consumer" networks are running DHCP, they will have no way to know which of their many customers using the claimed IP on the day in question was actually an attacker, and so they will almost certainly ignore such a report. To get action, lists of compromised (etc) systems NEED to include: Date/Time (preferably UTC), exact IP (as hostnames can have multiple A-records) and AS number. -- Richard
] To get action, lists of compromised (etc) systems NEED to include:
] Date/Time (preferably UTC), exact IP (as hostnames can have multiple
] A-records) and AS number.

Agreed! We presumed it in this case, as the attack was "on-going." I really should have included the immediate timestamp, now that I think about it. Doh!

-- Rob Thomas Team Cymru http://www.cymru.com/ ASSERT(coffee != empty);
Not to mention that many IP's may be set to one device, yet there are multiple things NAT'd behind it. Perhaps they're even non-related folks. Do we go after the ISP, the smaller ISP, the Starbucks WiFi hotspot (example), or the user with the compromised laptop that plugged in at whatever time that was???

Scott

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Richard Cox
Sent: Monday, December 26, 2005 12:24 PM
To: nanog@merit.edu
Subject: Re: Infected list

On Sun, 25 Dec 2005 13:33:44 -0600 (CST) Rob Thomas <robt@cymru.com> wrote:
Here is Barrett's list, including and sorted by ASN.
And even that won't be sufficient for many networks to take action. A lot of people provide lists of the IPs that spam/attack/etc them, but do not provide the actual time. Since many "consumer" networks are running DHCP, they will have no way to know which of their many customers using the claimed IP on the day in question was actually an attacker, and so they will almost certainly ignore such a report. To get action, lists of compromised (etc) systems NEED to include: Date/Time (preferably UTC), exact IP (as hostnames can have multiple A-records) and AS number. -- Richard
* Scott Morris:
Not to mention that many IP's may be set to one device, yet there are multiple things NAT'd behind it.
Are there any devices which perform non-static NAT and can forward significant DoS traffic? 8-) Perhaps if it's just a single flow, but this kind of DoS traffic would be rather unusual.
Irregardless of that, I always thought the whole point of a DDoS attack was quantity of hosts, not relying on quality of connection. I thought we were theorizing anyway. ;)

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Florian Weimer
Sent: Monday, December 26, 2005 2:47 PM
To: swm@emanon.com
Cc: Nanog@mandarin.com; nanog@merit.edu
Subject: Re: Infected list

* Scott Morris:
Not to mention that many IP's may be set to one device, yet there are multiple things NAT'd behind it.
Are there any devices which perform non-static NAT and can forward significant DoS traffic? 8-) Perhaps if it's just a single flow, but this kind of DoS traffic would be rather unusual.
* Barrett G. Lyon:
Here is a list of the compromised machines used in this new botnet we found in California. These are all web servers connected to good bandwidth and they are attacking us, so as a nice little holiday gift to me, please clean your network up if these are on your network. :)
It's usually better not to run DNS resolution on the IP addresses you have because DNS is so volatile[1]. Mapping host names to IP addresses is rather expensive, too, and the casual bot-hunter may not have the necessary tools. (And I doubt that many bot hunters work at web-hosting companies...)

Timestamps are usually required to pin-point an attack, but if the compromised hosts are mostly largish web servers, they should have static IP addresses and some kind of accounting where you can see that something went terribly wrong.

[1] I assume you have verified those host names using a forward lookup. Relying on PTR records alone is not a good idea.
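A sketch of a report builder that carries the fields asked for in this thread (time in UTC, exact IP, AS number) and keeps a host name only when a forward lookup confirms the PTR record. It is an added example, not code from any poster; the prefixes, AS numbers, DNS answers and log lines are constructed stand-ins for live lookups.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed data: RFC 5737 documentation prefixes, RFC 5398 documentation ASNs.
PREFIX_TO_ASN = {"192.0.2.0/24": 64496, "198.51.100.0/24": 64497,
                 "203.0.113.0/24": 64498}
# Constructed DNS answers standing in for live PTR and A lookups.
PTR = {"192.0.2.10": "web1.example.net", "198.51.100.7": "mail.example.org"}
FWD = {"web1.example.net": {"192.0.2.10"}, "mail.example.org": {"198.51.100.99"}}
# Constructed attack log: ISO 8601 timestamp with offset, then source IP.
LOG = """\
2005-12-25T11:02:17-08:00 192.0.2.10
2005-12-25T11:02:19-08:00 198.51.100.7
2005-12-25T20:15:03+01:00 192.0.2.10
2005-12-25T11:05:40-08:00 203.0.113.5
2005-12-25T11:07:00 203.0.113.5
not-a-log-line
"""

def asn_for(ip):
    """Longest-prefix match against the constructed table; None if unknown."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, asn in PREFIX_TO_ASN.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None

def confirmed_hostname(ip, ptr=PTR, fwd=FWD):
    """Return the PTR name only if its forward lookup contains the same IP."""
    name = ptr.get(ip)
    return name if name and ip in fwd.get(name, set()) else None

def parse_line(line):
    """Return (utc_datetime, ip), or None for malformed or zone-less lines."""
    parts = line.split()
    if len(parts) != 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        ip = str(ipaddress.ip_address(parts[1]))
    except ValueError:
        return None
    if ts.tzinfo is None:  # a local time without offset cannot be reported in UTC
        return None
    return ts.astimezone(timezone.utc), ip

def build_report(log_text):
    """Group sightings by ASN, then IP: first/last seen in UTC and hit count."""
    report = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        entry = report[asn_for(ip)].setdefault(
            ip, {"first": ts, "last": ts, "hits": 0,
                 "host": confirmed_hostname(ip)})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["hits"] += 1
    return dict(report)

def format_report(report):
    """One line per IP, sorted by ASN: ASN | IP | first UTC | last UTC | hits | host."""
    utc = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    for asn in sorted(report, key=lambda a: (a is None, a or 0)):
        label = f"AS{asn}" if asn is not None else "AS?"
        for ip, e in sorted(report[asn].items()):
            lines.append(f"{label} | {ip} | {utc(e['first'])} | {utc(e['last'])}"
                         f" | {e['hits']} | {e['host'] or '-'}")
    return lines

if __name__ == "__main__":
    print("\n".join(format_report(build_report(LOG))))
```

The second host appears with `-` in the name column because its PTR name resolves forward to a different address, and the zone-less log line is dropped rather than guessed at.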
participants (5)
- Barrett G. Lyon
- Florian Weimer
- Richard Cox
- Rob Thomas
- Scott Morris