[191692] in North American Network Operators' Group


Re: IP addresses being attacked in Krebs DDoS?

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Sun Sep 25 18:00:41 2016

X-Original-To: nanog@nanog.org
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <201609252009.OAA17053@mail.lariat.net>
Date: Sun, 25 Sep 2016 17:50:38 -0400
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Sep 25, 2016, at 4:01 PM, Brett Glass <nanog@brettglass.com> wrote:

> As an ISP who is pro-active when it comes to security, I'd like to
> know what IP address(es) are being hit by the Krebs on Security DDoS
> attack. If we know, we can warn customers that they are harboring
> infected PCs and/or IoT devices. (And if all ISPs did this, it would be
> possible to curtail such attacks and plug the security holes that make
> them possible.)

[Pardon the slightly less than specific details below. Must be careful
about disclosing names or information which is not public yet.]

What Brett is asking seems reasonable, even useful. Unfortunately, it is
not as simple as posting a list of addresses on a website.

Many devices are compromised because of default user/pass settings.
Publishing a list of IP addresses which are so trivially compromised is
handing the miscreants a gift.

We have done things like this with open DNS resolvers and open NTP
servers. (THANK YOU JARED!!!) However, we had a hope of the
administrators fixing the problem, and they were at least somewhat
easier to find.

This list is different. Harder to find, harder to fix. Grandma is
unlikely to think about logging into her webcam and changing the admin
password - to say nothing of reading NANOG in the first place. Hell,
even if she did, how exactly do you remove malware from a SmartTV?

Obviously we do not consider Brett a bad actor. It is likely we can work
something out with ISPs like Brett and give them the addresses on their
network which need remediation. But this is not a five minute job. Plus
most of the people working on this do so in their spare time. So please
be patient as the lists are gathered, sorted, and offered in a
reasonable manner.

If you are a member of the various secops lists, more info will be
forthcoming. If not, I'm sure someone will make information
available in wider channels.

To be clear, I am not doing this work personally, so do not email me.
The people who are doing this work deserve a hearty and huge thanks from
the community. If you know one of them, buy them a drink or dinner, or
at least give them a hug. :) I know I will be doing so in Dallas if they
let me.

--
TTFN,
patrick


