[87559] in North American Network Operators' Group
Re: Destructive botnet originating from California (was Japan)
daemon@ATHENA.MIT.EDU (Hannigan, Martin)
Sun Dec 25 22:48:16 2005
Date: Sun, 25 Dec 2005 22:47:28 -0500
From: "Hannigan, Martin" <hannigan@verisign.com>
To: "Jon Lewis" <jlewis@lewis.org>,
"Barrett G. Lyon" <blyon@prolexic.com>
Cc: "NANOG" <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
How's the mitigation going? We can argue semantics at Dallas NANOG.
-----Original Message-----
From: Jon Lewis [mailto:jlewis@lewis.org]
Sent: Sun Dec 25 22:23:19 2005
To: Barrett G. Lyon
Cc: NANOG
Subject: Re: Destructive botnet originating from California (was Japan)
On Sun, 25 Dec 2005, Barrett G. Lyon wrote:
> I would have sent out a clean list sorted via AS and IP, except I have been
> working from vacation on GPRS via my 1 bar of service on my cell phone.
What's vacation?
I gather Prolexic isn't a one man shop. Nobody else had a better internet connection and a few minutes to tidy up the data and make the post?
> If the right thing is to post this information to a more private list, then I
> would do so. However, I think it has been beneficial to get this information
> out to the public where they can actually do something about it. I've been

I didn't say nanog wasn't a good place to post the info...or that there aren't better places. Just that if you want people to take action based on the data, present it in a more reader-friendly and meaningful format. Also, mixing IPs and PTRs in such a report is not a great idea. I actually did scan through the message looking for any of my prefixes and $work's primary domain name. If there was a PTR for some customer of ours in their own domain, I didn't see it, but I also didn't look for it. Posting data by ASN/IP totally avoids that issue and makes looking for your ASN(s) trivial.

> getting emails from a lot of people thanking for the posts because they were
> able to identify a lot of messy traffic on their network and put an end to
> it. Posting information like this to a private list may not have
> accomplished much.

I don't see a problem with posting it to both or as many appropriate lists as you can find. Nanog is kind of geo-specific though. Other lists might have much broader representation from the entire internet.

> This should be another thread completely, but I am wondering about the
> liability of the individuals who have owned machines that are attacking
> me/my clients. I'm not a lawyer but I would assume that tort liability law
> could apply and find someone liable for allowing their machine to DDoS
> people.

IANAL either, but if I steal your car and run someone over with it, are you liable? Should you be? Computers are "stolen" or at least commandeered on the internet at an alarming rate because those who do it know that odds are, they won't get caught. And if they are caught, odds are, nothing will happen. And there's apparently considerable profit in the sale of commandeered systems or services provided by them. I doubt you'll get anywhere trying to make an example of someone whose system was hacked or even just "used improperly". I really don't think this problem can be solved by scaring sysadmins or corporations. There will always be security holes.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
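The report format Jon argues for above (sources grouped by origin ASN, PTR names kept out of the IP list), as an added example that is not part of the thread; the prefix-to-ASN table and the raw source list are constructed sample values using documentation ranges, not data from the post:

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-origin-ASN table (documentation ranges, not a real routing table).
PREFIX_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("192.0.2.128/25"): 64497,   # more specific than the /24 above
    ipaddress.ip_network("198.51.100.0/24"): 64498,
    ipaddress.ip_network("203.0.113.0/24"): 64499,
}

# Constructed raw report: one source per line, with a PTR name mixed in, which is
# exactly what the message says makes such a list hard to act on.
RAW_REPORT = """\
192.0.2.17
192.0.2.200
bot-5.example.net
198.51.100.9
192.0.2.201
203.0.113.77
"""

def parse_report(text):
    """Keep literal IP addresses; return hostnames separately so they are not silently lost."""
    ips, names = [], []
    for token in (line.strip() for line in text.splitlines()):
        if not token:
            continue
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:
            names.append(token)
    return ips, names

def origin_asn(addr, table=PREFIX_TABLE):
    """Longest-prefix match: the most specific covering prefix decides the ASN."""
    addr = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, asn) for net, asn in table.items() if addr in net]
    return max(matches)[1] if matches else None

def group_by_asn(ips, table=PREFIX_TABLE):
    """Map ASN -> sorted source IPs; the None key collects addresses with no covering prefix."""
    groups = defaultdict(list)
    for addr in ips:
        groups[origin_asn(addr, table)].append(addr)
    return {asn: sorted(v) for asn, v in groups.items()}

def render(groups):
    """One block per ASN, lowest ASN first, so an operator can simply grep for 'AS64497'."""
    lines = []
    for asn in sorted(groups, key=lambda a: (a is None, a or 0)):
        label = f"AS{asn}" if asn is not None else "no-origin"
        lines.append(f"{label}: {len(groups[asn])} source(s)")
        lines.extend(f"  {ip}" for ip in groups[asn])
    return "\n".join(lines)

if __name__ == "__main__":
    ips, names = parse_report(RAW_REPORT)
    print(render(group_by_asn(ips)))
    print("hostnames left out of the IP report:", names)
```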