Re: short Botnet list and Cashing in on DoS
someone who wished to remain publicly unnamed answered me by saying:
I got chastised a little while ago, too, for a single post, and told that it was my THIRD warning (having not received any at all before). Feh.
i can't think of anyone among all nanog posters since the beginning of time who has not deserved to be smacked around at least once by our erstwhile moderator for saying something on a dead thread or speaking offtopically. i'm up to two warnings, and i think it's a lifetime quota not subject to annual resets (in other words it's three, ever, not three in the last year). it's really improved my thought processes. if i weren't about to say something operationally relevant, i'd already have deleted this without sending it.

quality control for crowds is hard; for engineers, also hard; for crowds of engineers, i can't imagine a way it can be accomplished, yet here we all are.

so, i'd written:

2. Filter aggressively. Run a dark-net, and if one of your customers...
                              ^^^^^^^^
my nameless friend then asked me:
this sounds intriguing, but I'm not sure what it is. Is it sort of an internal honeypot NETWORK?
it goes by several names. network telescope, darknet, etc. i called it a darknet above only because rob thomas calls it that, and he'd recently given a talk at the dns-oarc members meeting on this precise topic. yes, it's like a honeypot in some ways (but robt probably winced just now, as he read me saying that.)

most of rob's talk is echoed by his web site <http://www.cymru.com/Darknet/index.html>, which is a good read.

my own "darknet"-like project is wired up to a database that can answer questions like "what are the worst 25 sources of undesirable smtp since the last time i reset the database?" today's answer is:

smtpk=> select * from top25_bysrc;
       src       | howmany |       earliest       |        latest
-----------------+---------+----------------------+----------------------
 61.73.48.141    |   47650 | 03-AUG-2004 08:44:23 | 09-AUG-2004 22:03:55
 61.73.49.56     |   39435 | 01-AUG-2004 18:53:03 | 02-AUG-2004 21:10:34
 61.73.48.63     |   26938 | 21-JUL-2004 11:52:11 | 21-JUL-2004 12:12:39
 210.244.26.120  |   17057 | 27-MAY-2004 04:42:33 | 27-MAY-2004 07:59:56
 211.74.62.25    |   12674 | 26-MAY-2004 14:43:47 | 26-MAY-2004 15:31:58
 61.73.20.220    |   12092 | 30-JUL-2004 13:43:55 | 31-JUL-2004 07:19:54
 220.116.198.64  |    9576 | 05-AUG-2004 15:49:08 | 07-AUG-2004 00:01:31
 61.73.49.21     |    9206 | 03-AUG-2004 19:57:01 | 04-AUG-2004 19:32:54
 210.68.127.235  |    8367 | 26-MAY-2004 15:32:27 | 26-MAY-2004 16:47:56
 222.101.168.37  |    8098 | 05-JUL-2004 03:55:37 | 31-JUL-2004 07:13:08
 211.218.2.20    |    6410 | 06-AUG-2004 18:25:05 | 06-AUG-2004 18:51:45
 222.117.215.23  |    5698 | 14-JUL-2004 03:56:23 | 18-JUL-2004 05:46:06
 61.73.96.158    |    5516 | 06-AUG-2004 20:10:57 | 06-AUG-2004 20:27:48
 220.116.197.49  |    5314 | 02-AUG-2004 15:10:37 | 02-AUG-2004 15:19:10
 222.101.168.33  |    5066 | 22-JUN-2004 02:00:29 | 16-JUL-2004 13:11:30
 211.218.3.167   |    4318 | 30-JUL-2004 12:36:05 | 30-JUL-2004 12:39:07
 220.116.196.199 |    4301 | 04-AUG-2004 12:53:26 | 04-AUG-2004 16:23:08
 222.117.216.15  |    4072 | 19-JUN-2004 14:16:52 | 22-JUN-2004 13:54:15
 61.38.47.221    |    3777 | 04-JUL-2004 14:52:32 | 04-JUL-2004 21:49:40
 211.218.5.224   |    3706 | 23-JUL-2004 12:22:55 | 23-JUL-2004 12:25:30
 222.117.215.192 |    3624 | 15-JUN-2004 09:55:21 | 15-JUN-2004 14:33:42
 222.117.216.112 |    3454 | 20-JUN-2004 19:24:13 | 21-JUN-2004 04:51:15
 222.117.215.186 |    3418 | 18-JUN-2004 00:53:58 | 18-JUN-2004 20:46:21
 211.218.2.125   |    3387 | 05-AUG-2004 09:28:24 | 05-AUG-2004 20:06:48
 218.8.231.25    |    2996 | 16-AUG-2003 03:13:05 | 16-AUG-2003 21:28:31
(25 rows)

caida's "network telescope" is also quite interesting. i see some 2001 work located at <http://www.caida.org/outreach/papers/2001/BackScatter/>. see also <http://www.nanog.org/mtg-0110/greene.html>.

running an smtp listener in "darkspace" and wiring it to dynamic dns has resulted in a private-only dynamic blackhole list that now stops more spam than any other single public list i subscribe to... and some days more than all of them combined. (so you see, the venture capitalists and politicians were right after all -- there's all kinds of useful information out there, and great advantages available to anyone who can aggregate it in paranormal ways. but i digress.)
participants (1)
-
Paul Vixie
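
Added example, not part of the original message and not the poster's code: a sketch of how hits recorded by an SMTP listener on dark address space could be aggregated into a view shaped like the top25_bysrc output above and turned into blackhole-list names. The hit table, the reversed-octet DNSBL naming, the zone bl.example.net and the threshold are assumptions; the sample hits are constructed and use documentation addresses.

```python
import sqlite3

# Constructed sample: (source IP, timestamp) of SMTP connections that reached
# a listener on unused ("dark") address space. RFC 5737 documentation addresses.
SAMPLE_HITS = [
    ("192.0.2.10", "2004-08-03 08:44:23"),
    ("192.0.2.10", "2004-08-09 22:03:55"),
    ("192.0.2.10", "2004-08-05 10:00:00"),
    ("198.51.100.7", "2004-08-01 18:53:03"),
    ("198.51.100.7", "2004-08-02 21:10:34"),
    ("203.0.113.99", "2004-07-21 11:52:11"),
]

def load(hits):
    """Store hits and define a view with the columns of the query above."""
    db = sqlite3.connect(":memory:")
    # Assumed schema: one row per connection seen in dark space.
    db.execute("CREATE TABLE hit (src TEXT NOT NULL, seen TEXT NOT NULL)")
    db.executemany("INSERT INTO hit VALUES (?, ?)", hits)
    db.execute("""
        CREATE VIEW top25_bysrc AS
        SELECT src, COUNT(*) AS howmany,
               MIN(seen) AS earliest, MAX(seen) AS latest
        FROM hit GROUP BY src
        ORDER BY howmany DESC, src LIMIT 25""")
    return db

def top_sources(db):
    """Worst sources first: (src, howmany, earliest, latest)."""
    return db.execute(
        "SELECT * FROM top25_bysrc ORDER BY howmany DESC, src").fetchall()

def blackhole_names(db, zone, min_hits):
    """DNSBL-style owner names (reversed octets, an assumed format) for
    sources with at least min_hits; a dynamic DNS update would publish each."""
    rows = db.execute(
        "SELECT src FROM top25_bysrc WHERE howmany >= ? "
        "ORDER BY howmany DESC, src", (min_hits,))
    return [".".join(reversed(src.split("."))) + "." + zone for (src,) in rows]

if __name__ == "__main__":
    db = load(SAMPLE_HITS)
    for row in top_sources(db):
        print(row)
    print(blackhole_names(db, "bl.example.net", 2))
```

Nothing legitimate should ever connect to dark space, so every row is unsolicited traffic; the threshold only keeps a single stray connection from listing a source.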