Tools for LARTing large nets of compromised boxen?
One of our customers is (has been) under concerted attempt at a DDoS attack against their web server off and on for a while. I've lists of IPs, lots of them, many hundreds. I'd like to know if anyone has a tool that will take and match these lists of IPs into abuse contacts and fire off a LART to the appropriate RP for the IP, but only one per full set, i.e. if RP-A has IP A.B.C.D and A.B.C.C he should get one mail clue-batting him for both IPs. Any help? TIA!

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler
--On April 20, 2006 12:51:35 AM -0600 Michael Loftis <mloftis@wgops.com> wrote:
Any help? TIA!
And before you go off on me YES these are the RESPONSIBLE boxen. There might be a CnC behind the drones but I'd have no way of obtaining that without cooperation. The actual attack is an old closed attack against phpBB so I've got web transactions on each of these bastards, not just an incoming UDP fart.
I received quite a few good responses; I've ended up using incident.pl and wormeter.pl from the list below (found at the same place). Thanks again everyone.

IASON was pointed out but seems incomplete: http://iason.site.voila.fr/ and http://sourceforge.net/projects/iason/

Another member pointed out that the Cymru WHOIS server has a bulk mode input to turn IP lists into source ASNs: http://www.cymru.com/ and whois://whois.cymru.com/

incident.pl from http://www.viraj.org/ along with wormeter.pl from the same place is what I ended up using. I had to write a pattern to match, and remove other patterns to prevent accidental matches, but this ended up doing what I wanted.

I got some other responses, some duplicates too. I've anonymized responses since I'm not sure if the off-list responders wish to be identified.
On Thu, 20 Apr 2006, Michael Loftis wrote:
One of our customers is (has been) under concerted attempt at a DDoS attack against their web server off and on for a while. I've lists of IPs, lots of them, many hundreds. I'd like to know if anyone has a tool that will take and match these lists of IPs into abuse contacts and fire off a LART to the appropriate RP for the IP, but only one per full set, IE if RP-A has IP A.B.C.D and A.B.C.C he should get one mail clue-batting him for both IPs.
It's not an actual tool for doing the whole job, but you could use "bulk mode" on whois.cymru.com to turn your list of IPs [and timestamps?] into a list of "AS | IP | Timestamp | AS Name". Send a help request to the whois.cymru.com whois server for instructions. Once you have that, you could pretty easily split it by AS#, grab email addresses from whois records for the AS#'s, and email each AS#'s data to their ASN POCs. You could also post a URL to the full output from your cymru whois here, and someone would likely forward the data to nsp-sec.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
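The workflow Jon describes (bulk-whois the IP list at whois.cymru.com, split the result by origin AS, send each ASN's POC one report covering all of its hosts) is small enough to script. The following is an added example written for this thread; it is not Jon's or Michael's code and is not incident.pl or wormeter.pl. It assumes you have already pasted your IP list (each IP optionally followed by a timestamp) into Cymru bulk mode and saved the pipe-separated reply; the reply lines embedded below are constructed sample data on documentation prefixes, the column layout (AS, IP, echoed passthrough text, AS name) is taken from Jon's description, and the ABUSE_CONTACTS table is a hypothetical placeholder for the ASN POC lookup you would do against the RIR whois records. "NA" in the AS column is what Cymru returns for space it cannot map to an origin AS, so those rows are set aside for manual handling rather than mailed to nobody.

```python
"""Group attacking IPs by origin ASN and draft one abuse report per ASN.

Added example for this thread, not the thread participants' own tooling.
Assumes a saved whois.cymru.com bulk-mode reply in the form
"AS | IP | <echoed text, e.g. timestamp> | AS Name".
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of a Cymru bulk-mode reply. The timestamp column is
# the text echoed back from each query line, so it is only present when
# you supplied one; "NA" means no origin AS could be found for the IP.
SAMPLE_CYMRU_OUTPUT = """\
Bulk mode; whois.cymru.com [2006-04-20 07:00:00 +0000]
AS      | IP               | Timestamp            | AS Name
64496   | 192.0.2.10       | 2006-04-19 22:11:05  | EXAMPLE-ONE-AS Example One Network, US
64496   | 192.0.2.77       | 2006-04-19 22:11:09  | EXAMPLE-ONE-AS Example One Network, US
64497   | 198.51.100.4     | 2006-04-19 22:12:44  | EXAMPLE-TWO-AS Example Two Ltd, GB
64496   | 192.0.2.10       | 2006-04-19 23:02:17  | EXAMPLE-ONE-AS Example One Network, US
NA      | 203.0.113.250    | 2006-04-19 23:05:01  | NA
"""

# Hypothetical ASN -> abuse-contact table (placeholder addresses). In real
# use this is filled from the RIR whois records for each AS number.
ABUSE_CONTACTS = {
    "64496": "abuse@example-one.invalid",
    "64497": "abuse@example-two.invalid",
}


@dataclass
class AsnReport:
    asn: str
    as_name: str
    # ip -> list of timestamps seen for that ip (empty if none were supplied)
    hits: dict = field(default_factory=lambda: defaultdict(list))


def parse_cymru_bulk(text):
    """Return (asn, ip, passthrough_columns, as_name) tuples from bulk output.

    First column is the AS, second the IP, last the AS name; anything in
    between is the text echoed back from the query (timestamps here).
    Banner lines (no '|') and the header row are skipped.
    """
    rows = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        cols = [c.strip() for c in line.split("|")]
        if cols[0] == "AS" or len(cols) < 3:
            continue
        rows.append((cols[0], cols[1], cols[2:-1], cols[-1]))
    return rows


def group_by_asn(rows):
    """One AsnReport per origin AS; IPs deduplicated, timestamps accumulated."""
    reports = {}
    for asn, ip, passthrough, as_name in rows:
        rep = reports.setdefault(asn, AsnReport(asn=asn, as_name=as_name))
        rep.hits[ip].extend(passthrough)
    return reports


def _ip_sort_key(s):
    addr = ipaddress.ip_address(s)
    return (addr.version, int(addr))


def draft_report(rep, target="<your customer's web server>"):
    """Render a single complaint covering every IP seen from this AS."""
    lines = [
        f"Subject: Abuse report: {len(rep.hits)} host(s) in AS{rep.asn} ({rep.as_name})",
        "",
        f"The following hosts in your network sent repeated attack requests to {target}:",
        "",
    ]
    for ip in sorted(rep.hits, key=_ip_sort_key):
        stamps = sorted(set(rep.hits[ip]))
        when = ", ".join(stamps) if stamps else "(timestamps not supplied)"
        lines.append(f"  {ip:<16} seen: {when}")
    lines += ["", "Web transaction logs for these hosts are available on request."]
    return "\n".join(lines)


def build_mailings(text, contacts=ABUSE_CONTACTS):
    """Return ({abuse_address: report_text}, [reports with no usable contact])."""
    mailings, unresolved = {}, []
    for asn, rep in group_by_asn(parse_cymru_bulk(text)).items():
        addr = contacts.get(asn)
        if asn == "NA" or addr is None:
            unresolved.append(rep)   # unrouted or no POC found: handle by hand
            continue
        mailings[addr] = draft_report(rep)
    return mailings, unresolved


if __name__ == "__main__":
    mails, todo = build_mailings(SAMPLE_CYMRU_OUTPUT)
    for addr, body in mails.items():
        print(f"To: {addr}\n{body}\n")
    for rep in todo:
        print(f"No contact for AS {rep.asn}: {sorted(rep.hits)} -> handle manually")
```

Because the grouping key is the origin AS rather than the individual IP, AS64496 gets exactly one draft listing both of its hosts with every timestamp each was seen, which is the "one mail per RP" behaviour Michael asked for; the unresolved list is where you would apply the manual whois work Jon mentions for anything Cymru could not map.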