[67264] in North American Network Operators' Group


Re: Monumentous task of making a list of all DDoS Zombies.

daemon@ATHENA.MIT.EDU (Rubens Kuhl Jr.)
Fri Feb 6 15:58:13 2004

Reply-To: "Rubens Kuhl Jr." <rubens@email.com>
From: "Rubens Kuhl Jr." <rubens@email.com>
To: "Drew Weaver" <drew.weaver@thenap.com>, <nanog@merit.edu>
Date: Fri, 6 Feb 2004 18:55:01 -0200
Errors-To: owner-nanog-outgoing@merit.edu



You probably want to make a list of vulnerable hosts that fall to exploits like this:
http://server-ip-here/scripts/../../winnt/system32/ping.exe

Most DDoS zombies will use spoofed IP packets to attack their victims, so filtering the source will not relieve your pain.


Rubens

  ----- Original Message -----
  From: Drew Weaver
  To: nanog@merit.edu
  Sent: Friday, February 06, 2004 7:15 PM
  Subject: Monumentous task of making a list of all DDoS Zombies.


  Is there a list maintained anywhere of all hosts that have been identified as a DDoS zombie? Or attack box? We got hit with an attack from more than 60 IPs last night and I'd like to add them to any list that anyone has started.



  Thanks,

  -Drew
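
A defensive counterpart to the request shape quoted in the message above, as an added example that is not part of the original post: Python that flags access-log requests whose path climbs above the document root, and that also covers percent-encoded forms (a generalization beyond the one URL in the post). The log format, sample lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Feb/2004:18:01:02 -0200] "GET /scripts/../../winnt/system32/ping.exe HTTP/1.0" 404 310
192.0.2.11 - - [06/Feb/2004:18:01:05 -0200] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [06/Feb/2004:18:02:11 -0200] "GET /scripts/..%2f..%2fwinnt/system32/ping.exe HTTP/1.0" 404 310
198.51.100.7 - - [06/Feb/2004:18:02:12 -0200] "GET /scripts/%252e%252e%252f%252e%252e%252fwinnt/x.exe HTTP/1.0" 404 310
203.0.113.5 - - [06/Feb/2004:18:03:00 -0200] "GET /docs/../index.html HTTP/1.0" 200 1043
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*"')

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators are seen."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_root(raw_path):
    """True if the decoded path ever steps above the web root."""
    path = decode_fully(raw_path.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def flag_traversal(log_text):
    """Return (client, requested path) for every request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if match and escapes_root(match.group(2)):
            hits.append((match.group(1), match.group(2)))
    return hits

if __name__ == "__main__":
    for client, path in flag_traversal(SAMPLE_LOG):
        print(client, path)
```

A `..` that stays inside the root, such as `/docs/../index.html`, is not flagged; only paths whose depth goes negative are.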


