[83405] in North American Network Operators' Group
Re: botnet reporting by AS - what about you?
daemon@ATHENA.MIT.EDU (Hannigan, Martin)
Sat Aug 13 00:08:00 2005
Date: Sat, 13 Aug 2005 00:06:43 -0400
From: "Hannigan, Martin" <hannigan@verisign.com>
To: "Christopher L. Morrow" <christopher.morrow@mci.com>
Cc: <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
I was on it and unsubscribed. They wouldn't disclose the collection or
validation process at that time. This made it useless for the most part
as it's hard to act on someone's word without some idea of how they are
getting their data and avoiding collateral damage.

I'm not saying there aren't valid zombies on it, but my criteria for a
list that identifies rogues includes trust. I have lists I felt were
more trustworthy than DA.

Things may have changed.

Martin
-----Original Message-----
From: Christopher L. Morrow [mailto:christopher.morrow@mci.com]
Sent: Fri Aug 12 23:56:53 2005
To: Fergie (Paul Ferguson)
Cc: nanog@merit.edu
Subject: Re: botnet reporting by AS - what about you?
On Sat, 13 Aug 2005, Fergie (Paul Ferguson) wrote:
> Chris,
>
> I can assure you that the Drone Army project is not run that
> way, and is quite useful, effective, etc.
>
> The folks behind the DA Project are certainly professionals...
> ...and the information is quite useable, parse-able, and genuine.
cool, among the 800k+ complaints we see a month (yes, 800k) there are
quite a few completely useless ones :( Anything sent in as a complaint has
to have complete and useful information, else it's hard/impossible to
action properly.

It'd help if the format it was sent in was also machine parseable :) With
800k+ complaints/month I'm not sure people want to spend time figuring
each one out, a script/machine should be doing as much as possible.
>
> - ferg
>
> -- "Christopher L. Morrow" <christopher.morrow@mci.com> wrote:
>
> perhaps we could back up and ask:
>
> 1) why are you not using the arin/ripe/apnic/japnic/krnic/lacnic poc's for
> these asn's? certainly some are not up to date, but there are a large
> number that are...
> 2) what is this for again?
> 3) are you planning on sending something to these poc's?
> 4) what are you planning on sending to them?
> 5) how often should they expect to see something, and from 'whom'?
> 6) looked at the INCH working group in IETF, thought about using some of
> these evolving standards for your alerts/messages/missives?
> 7) please don't send in bmp files of traceroutes (make the info you send
> in complete and usable... 'I saw a bot on ip 12' is not useable, as an
> fyi)
>
> -Chris
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg@netzero.net or fergdawg@sbcglobal.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
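
Added example, not part of the original thread and not any participant's or project's code: a sketch of the automated triage the quoted messages ask for, sorting incoming abuse reports into actionable and rejected with stated reasons. The `key=value` line format, the field names (`src_ip`, `timestamp`, `activity`) and the sample reports are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Assumed minimum field set for an actionable report (not from the thread).
REQUIRED = ("src_ip", "timestamp", "activity")

def parse_report(line):
    """Split one 'key=value key=value ...' report line into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep and value:
            fields[key.lower()] = value
    return fields

def validate(fields):
    """Return the reasons a report cannot be actioned (empty list = usable)."""
    problems = [f"missing {name}" for name in REQUIRED if name not in fields]
    if "src_ip" in fields:
        try:
            ipaddress.ip_address(fields["src_ip"])
        except ValueError:
            problems.append("src_ip is not a full IP address")
    if "timestamp" in fields:
        try:
            ts = datetime.fromisoformat(fields["timestamp"])
            # Without an offset the event cannot be matched to address-lease logs.
            if ts.tzinfo is None:
                problems.append("timestamp has no UTC offset")
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    return problems

def triage(lines):
    """Sort report lines into (actionable dicts, [(line, reasons)] rejects)."""
    actionable, rejected = [], []
    for line in lines:
        fields = parse_report(line)
        problems = validate(fields)
        if problems:
            rejected.append((line, problems))
        else:
            actionable.append(fields)
    return actionable, rejected

# Constructed sample reports (documentation address ranges).
SAMPLE = [
    "src_ip=192.0.2.45 timestamp=2005-08-12T23:56:53+00:00 activity=irc-c2 dst_port=6667",
    "src_ip=12 timestamp=2005-08-12T23:56:53+00:00 activity=bot",
    "src_ip=198.51.100.7 timestamp=2005-08-12T23:56:53 activity=bot",
    "I saw a bot on ip 12",
]
```
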