[191700] in North American Network Operators' Group
Re: IP addresses being attacked in Krebs DDoS?
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Sun Sep 25 18:57:32 2016
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <201609252235.QAA17953@mail.lariat.net>
Date: Sun, 25 Sep 2016 18:57:29 -0400
To: NANOG list <nanog@nanog.org>
On Sep 25, 2016, at 6:35 PM, Brett Glass <nanog@brettglass.com> wrote:
> At 03:50 PM 9/25/2016, Patrick W. Gilmore wrote:
>> What Brett is asking seems reasonable, even useful. Unfortunately, it is not as simple as posting a list of addresses on a website.
>>
>> Many devices are compromised because of default user/pass settings. Publishing a list of IP addresses which are so trivially compromised is handing the miscreants a gift.
>
> I think you may have misunderstood my request. I am not asking for the IP addresses of the bots, but the address or addresses which they are attacking. I can then scan outgoing packets for those destination addresses, and -- if I see them -- work my way back to the customers who are unknowingly harboring infected devices. Those devices could be PCs, Webcams, DVRs, even thermostats.... The customers may not know that they have changeable passwords or backdoors.
>
> By doing this, we can not only enhance our users' security but forestall complaints. We have had more than one customer quit because an infected device on his or her network impacted the quality of video streaming or VoIP... and, of course, he blamed the ISP. Everyone ALWAYS blames the ISP. ;-)
I did read it the other way.
It’s his website, which you can read about on … his website, http://krebsonsecurity.com/. (And for everyone on this list, it should be trivial to figure out who helped him get the website back up.) Or his Twitter feed. Or lots of articles about it. Or lots of mailing lists. Or … etc.
--
TTFN,
patrick
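
The approach described in the quoted request (match outgoing traffic against the attacked destination addresses, then work back to the customer) can be sketched as below. This is an added example, not part of the original thread; the victim addresses, customer prefix table, flow records and packet threshold are constructed placeholders using documentation address ranges.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample data; every address is from a documentation range.
VICTIM_ADDRS = {"203.0.113.10", "2001:db8:ffff::10"}  # placeholder for the attacked address(es)

CUSTOMER_PREFIXES = {  # hypothetical assignment table: prefix -> customer id
    "198.51.100.0/28": "cust-1001",
    "198.51.100.16/28": "cust-1002",
    "2001:db8:a::/48": "cust-1003",
}

FLOWS_CSV = """\
ts,src,dst,dport,packets,bytes
2016-09-25T18:00:01,198.51.100.5,203.0.113.10,80,9200,5520000
2016-09-25T18:00:02,198.51.100.5,192.0.2.44,443,12,9000
2016-09-25T18:00:02,198.51.100.20,203.0.113.10,80,3,1800
2016-09-25T18:00:03,2001:db8:a:1::7,2001:db8:ffff::10,80,7100,4260000
2016-09-25T18:00:04,198.51.100.6,203.0.113.10,80,8800,5280000
"""

def customer_for(addr, table):
    """Longest-prefix match of a source address against the assignment table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, cust in table.items():
        net = ipaddress.ip_network(prefix)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, cust)
    return best[1] if best else "unassigned"

def suspects(flow_csv, victims, table, min_packets=1000):
    """Sum egress traffic to victim addresses per (customer, source); keep heavy senders."""
    targets = {ipaddress.ip_address(v) for v in victims}
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if ipaddress.ip_address(row["dst"]) in targets:
            key = (customer_for(row["src"], table), row["src"])
            totals[key][0] += int(row["packets"])
            totals[key][1] += int(row["bytes"])
    return {k: tuple(v) for k, v in totals.items() if v[0] >= min_packets}

if __name__ == "__main__":
    for (cust, src), (pkts, byts) in sorted(suspects(FLOWS_CSV, VICTIM_ADDRS, CUSTOMER_PREFIXES).items()):
        print(f"{cust}\t{src}\t{pkts} packets\t{byts} bytes")
```

The threshold keeps a customer who merely visited the site (the 3-packet flow from 198.51.100.20) out of the result, so only sources sending sustained volume to the attacked address are followed up.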