[61421] in North American Network Operators' Group


Re: Sobig.f surprise attack today

daemon@ATHENA.MIT.EDU (Mike Tancsa)
Thu Aug 28 16:10:27 2003

Date: Thu, 28 Aug 2003 16:12:11 -0400
To: Dan Hollis <goemon@anime.net>
From: Mike Tancsa <mike@sentex.net>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0308281254200.26272-100000@sasami.anime.net>
Errors-To: owner-nanog-outgoing@merit.edu


At 12:54 PM 28/08/2003 -0700, Dan Hollis wrote:
> > Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS
> > blacklist based on such connections to a honeypot.  Any system which made
> > the correct request could then have its address published via BGP or DNS
> > for ISPs and the like to do as they wish.
>
>an infected host dnsrbl doesn't sound like a bad idea...

I don't think this would work too well.  The users who are infected often
think something is wrong because their connection and computer are not
working quite right. So they disconnect / reconnect / reboot so they burn
through quite a few dynamic IP addresses along the way.

         ---Mike 

