[191697] in North American Network Operators' Group


Re: IP addresses being attacked in Krebs DDoS?

daemon@ATHENA.MIT.EDU (Brett Glass)
Sun Sep 25 18:37:49 2016

X-Original-To: nanog@nanog.org
Date: Sun, 25 Sep 2016 16:35:18 -0600
To: "Patrick W. Gilmore" <patrick@ianai.net>, NANOG list <nanog@nanog.org>
From: Brett Glass <nanog@brettglass.com>
In-Reply-To: <581FADF1-B321-44B4-B78F-87C28FD8817B@ianai.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

At 03:50 PM 9/25/2016, Patrick W. Gilmore wrote:

>What Brett is asking seems reasonable, even useful. Unfortunately, 
>it is not as simple as posting a list of addresses on a website.
>
>Many devices are compromised because of default user/pass 
>settings. Publishing a list of IP addresses which are so trivially 
>compromised is handing the miscreants a gift.

I think you may have misunderstood my request. I am not asking for 
the IP addresses of the bots, but the address or addresses which 
they are attacking. I can then scan outgoing packets for those 
destination addresses, and -- if I see them -- work my way back to 
the customers who are unknowingly harboring infected devices. Those 
devices could be PCs, Webcams, DVRs, even thermostats.... The 
customers may not know that they have changeable passwords or backdoors.

By doing this, we can not only enhance our users' security but 
forestall complaints. We have had more than one customer quit 
because an infected device on his or her network impacted the 
quality of video streaming or VoIP... and, of course, he blamed the 
ISP. Everyone ALWAYS blames the ISP. ;-)

--Brett Glass
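
The matching described in the message above (look for known attack-destination addresses in outbound traffic, then work back to the customer), as an added example that is not part of the original post or of any tool the thread names. The flow-record format, the customer table, the addresses (documentation ranges) and the packet threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed data: documentation address ranges, not real victims or customers.
TARGETS = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/28")]
CUSTOMERS = {  # hypothetical customer-to-prefix assignments
    "cust-0017": ipaddress.ip_network("192.0.2.0/29"),
    "cust-0042": ipaddress.ip_network("192.0.2.8/29"),
}
# Constructed flow export lines: src_ip,dst_ip,dst_port,packets,bytes
FLOWS = """\
192.0.2.3,203.0.113.10,80,1200,96000
192.0.2.3,198.51.100.7,443,900,72000
192.0.2.10,203.0.113.10,80,3,180
192.0.2.11,198.51.100.200,443,40,52000
10.9.9.9,203.0.113.10,80,5000,400000
bogus,203.0.113.10,80,1,60
"""

def owner_of(addr):
    """Map a source address to the customer whose prefix contains it."""
    for name, net in CUSTOMERS.items():
        if addr in net:
            return name
    return None

def find_sources(flow_text, min_packets=100):
    """Return {customer: {src_ip: packets}} for traffic sent toward TARGETS."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            packets = int(parts[3])
        except ValueError:
            continue  # malformed record
        if not any(dst in net for net in TARGETS):
            continue  # destination is not on the attacked-address list
        cust = owner_of(src)
        if cust is None:
            continue  # source outside customer space: cannot be traced to a subscriber
        totals[cust][str(src)] += packets
    # The threshold drops a customer who merely visited the site a few times.
    hits = {c: {ip: n for ip, n in ips.items() if n >= min_packets}
            for c, ips in totals.items()}
    return {c: ips for c, ips in hits.items() if ips}
```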

