Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
Hello Joe, If we can't power down the machine, due to evidence loss. We can't nullroute the IP, as stated, some malware will delete itself or alter itself when Net Access is lost. Now we can filter a single port, in the case of spam, phishing, etc? I'll look further into the JunOS. I'm not too familiar with the rules on the Juniper, so I'll take a look further, and see how to achieve this on a single IP rather then the network. Thank you for your time. Have a great day. --- Russell Mitchell InterCage, Inc. ----- Original Message ---- From: Joe Greco <jgreco@ns.sol.net> To: Russell Mitchell <russm2k8@yahoo.com> Cc: nanog@nanog.org Sent: Tuesday, September 23, 2008 8:20:18 PM Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST= Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha= ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som= e of the public media, such as google, DroneBL, as well as several Anti-Mal= ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire= ly GONE, we should not have any further issues.=0AIn the case that somethin= g=A0does arise, such as an exploited host, we're currently developing a gam= e plan for=A0response to=A0the issues.=0ATo make the best effort towards co= mbatting=A0abuse on our network, here's what I have planned so far for ANY = Type of abuse:=0AStep 1,=A0Suspend Power to the affected machine.=0AStep 2,= Call/Email the client whom the affected machine is leased to.=0AStep 3, Al= low the client=A0the option to=A0investigate the machine further (Nullroute= access via KVM)=0AStep=A04, Verify the=A0reported content, domain, user, o= r exploit=A0is patched/eliminated from the machine.=0AStep 5,=A0Remove the = Nullroute. Allow the machine to return to the network.=0A=A0=0AAny comments= ? =0A=A0=0AThis is=A0the result of a zero tolerance policy regarding abuse.= If it's clear that the server owner is the cause of the abusive material e= tc, the client will then be immediately cancelled. No questions.=A0=0A=0A= =0AIt seems that this approach will be the best supported by the anti-abuse= communities, so please let me know your input.=0A=0AThank you for your tim= e. Have a great day.=0A=A0---=0ARussell Mitchell=0A=0AInterCage, Inc.=0A=0A= =0A=0A----- Original Message ----=0AFrom: Paul Wall <pauldotwall@gmail.com>= =0ATo: Mark Foo <mark..foo.dog@gmail.com>=0ACc: nanog@nanog.org=0ASent: Tues= day, September 23, 2008 5:46:58 PM=0ASubject: Re: YAY! Re: Atrivo/Intercage= : NO Upstream depeer=0A=0AHold the rejoicing, Atrivo is back, this time on = UnitedLayer.=0A=0AI'd contact them, only they seem to change CTOs every mon= th or two,=0Adoes anybody know who's currently in charge?=0A=0AThank you, a= nd Drive Slow,=0APaul Wall=0A=0A=0A
Speaking of missing memos... mailing lists are not highly compatible with HTML or some clients that like to encode list mail. The above is what your mail looked like to some people. I would suggest a different Step 1. Instead of killing power, simply isolate the affected machine. This might be as simple as putting up a firewall rule or two, if it is simply sending outgoing SMTP spam, or for more complex issues, downing the port facing the machine in question. Killing the power may destroy useful forensic clues about what happened to the system, and may damage the system. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Hello Joe,
If we can't power down the machine, due to evidence loss. We can't nullroute the IP, as stated, some malware will delete itself or alter itself when Net Access is lost. Now we can filter a single port, in the case of spam, phishing, etc?
You can do whatever you need to, of course. The right thing to do is not always immediately apparent. Some time looking at the traffic on a mirror port (etc) can provide useful clues about how to proceed to an experienced professional. Unfortunately, my experience suggests that handling incidents on the "datacenter" side is a somewhat different skill set than handling the sorts of incidents that are commonly found on consumer Internet connections. The relative value of an infected machine approaches zero, while the value of a controlling system is fairly high, which implies that more effort may have been put into active defenses, which in turn implies other things. The "Geek Squad" or other "Nerds On Wheels" services are probably not going to be able to effectively clean off an impacted server, much less determine useful and clever ways to analyze what is going on, which is where it pays to have someone with contacts into the security community. Alas, I believe that all of this basic stuff should be immediately obvious and familiar to those in the hosting community, which leads me to other questions that are more along the lines of what others have been asking in this thread, and probably not relevant to NANOG. In the event that you are what you claim to be, rather than what many believe you to be based on past history and appearances, you would be well advised to make some contacts within the security community, and be prepared to acquire some expensive advice the next time you have an incident. You would need more help than you're going to be able to get on NANOG. And if you're what many people seem to think, well, tough. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
participants (2)
-
Joe Greco
-
Russell Mitchell