[87560] in North American Network Operators' Group
Re: Destructive botnet originating from Japan
daemon@ATHENA.MIT.EDU (Hannigan, Martin)
Sun Dec 25 23:03:40 2005
Date: Sun, 25 Dec 2005 23:02:22 -0500
From: "Hannigan, Martin" <hannigan@verisign.com>
To: "Jon Lewis" <jlewis@lewis.org>, <blyon@prolexic.com>
Cc: "NANOG" <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
Prolexic qualifies. They do what MCI, ATT, Arbor, and others do regarding DDoS mitigation and, IMHO, should be a shoo-in. I was... subscribed and we are less valuable to the overall good so you decide (we do have presence there though). Verisign is not an SP. Critical infra is 'critical' (us) but the attacks come from you guys. Whoever can help. I vote for realism.

Marty
-----Original Message-----
From: Jon Lewis [mailto:jlewis@lewis.org]
Sent: Sun Dec 25 17:37:57 2005
To: blyon@prolexic.com
Cc: NANOG
Subject: Re: Destructive botnet originating from Japan
On Sun, 25 Dec 2005, Rubens Kuhl Jr. wrote:
> The first rule of nsp-sec is, you do not talk about nsp-sec
> The second rule of nsp-sec is, you DO NOT talk about nsp-sec
https://puck.nether.net/mailman/listinfo/nsp-security
There's nothing secret about the existence or purpose of the list.
I don't know enough about Barrett to guess as to whether or not he'd qualify.

Also, I was considering emailing Barrett privately, but since there seems to be so much misinformation going around, others will probably benefit from this. If you want to send out a list of IPs suspected of being bots, or really any other class of insecure/0wn3d systems, to make it easier for those who care to find their IPs in your list, run it through the Team Cymru whois server first.

http://www.cymru.com/BGP/whois.html

Then sort the list numerically by ASN. That way, people can scroll through it, or search by ASN, and quickly determine if there's any further action worth taking.

It's also a really good idea to include timestamps, ideally exact ones in GMT per IP. In this case (Unix bots) it's not as likely, but typical Windows bots frequently show up on end-user systems with dynamic IPs. Telling me one of my dial pool IPs was a bot "recently" is not as useful as telling me it was a bot 2005-12-25 02:30:45 GMT.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
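The list-preparation steps Jon Lewis describes (run the IPs through the Team Cymru whois server, sort numerically by ASN, attach an exact GMT timestamp to each IP), worked through as an added Python example that is not part of the original thread. The prefix table, ASNs and sightings below are constructed for the example; the ASN lookup is a local longest-prefix match standing in for the whois answers so the script runs offline, and build_bulk_query only composes the begin/verbose/end query text that the Team Cymru bulk interface accepts, without sending it.

```python
"""Prepare a bot/abuse IP list the way the post recommends: tag each IP
with its origin ASN, normalise the sighting time to GMT, and sort the
rows numerically by ASN so each operator can find its own addresses."""
import ipaddress
from datetime import datetime, timezone

# Constructed sample prefix table standing in for the answers the Team
# Cymru IP-to-ASN whois service would return. ASNs and AS names are
# invented for the example (documentation prefixes, private-use ASNs).
SAMPLE_PREFIX_TABLE = [
    ("192.0.2.0/24", 64500, "EXAMPLE-NET-A"),
    ("198.51.100.0/24", 64496, "EXAMPLE-NET-B"),
    ("198.51.100.128/25", 64511, "EXAMPLE-NET-C"),  # more specific wins
    ("203.0.113.0/24", 64498, "EXAMPLE-NET-D"),
]

# Constructed sightings: (ip, timestamp with UTC offset) as a detection
# system might log them before normalisation. The last one is RFC 1918
# space that no prefix covers.
SAMPLE_SIGHTINGS = [
    ("203.0.113.77", "2005-12-25 02:30:45 +0000"),
    ("198.51.100.200", "2005-12-24 21:30:45 -0500"),
    ("192.0.2.15", "2005-12-25 11:30:45 +0900"),
    ("198.51.100.10", "2005-12-25 02:31:00 +0000"),
    ("10.0.0.5", "2005-12-25 02:32:00 +0000"),
]


def build_bulk_query(ips):
    """Compose the text for the Team Cymru bulk whois interface
    (begin / verbose / one IP per line / end). Composed only; not sent."""
    return "begin\nverbose\n" + "\n".join(ips) + "\nend\n"


def lookup_asn(ip, table=SAMPLE_PREFIX_TABLE):
    """Longest-prefix match of ip against the local table. Returns
    (asn, as_name), or (None, 'NA') when no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn, name in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    return (best[1], best[2]) if best else (None, "NA")


def to_gmt(ts):
    """Parse 'YYYY-MM-DD HH:MM:SS +HHMM' and render the instant as exact
    GMT, which is what an operator with dynamic pools needs to match a
    sighting against their own assignment logs."""
    parsed = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S %z")
    return parsed.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S GMT")


def annotate(sightings, table=SAMPLE_PREFIX_TABLE):
    """Attach ASN and GMT time to each sighting and sort numerically by
    ASN (then by IP); entries with no covering prefix go last."""
    rows = []
    for ip, ts in sightings:
        asn, name = lookup_asn(ip, table)
        rows.append({"asn": asn, "as_name": name, "ip": ip, "seen_gmt": to_gmt(ts)})
    rows.sort(key=lambda r: (r["asn"] is None, r["asn"] or 0,
                             ipaddress.ip_address(r["ip"])))
    return rows


def format_report(rows):
    """Render the sorted rows in a column layout that is easy to scroll
    or grep by ASN."""
    lines = ["AS      | IP              | Seen (GMT)               | AS Name"]
    for r in rows:
        asn = "NA" if r["asn"] is None else str(r["asn"])
        lines.append(f"{asn:<7} | {r['ip']:<15} | {r['seen_gmt']:<24} | {r['as_name']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_bulk_query([ip for ip, _ in SAMPLE_SIGHTINGS]))
    print(format_report(annotate(SAMPLE_SIGHTINGS)))
```

Swapping lookup_asn for a real query against whois.cymru.com is the only change needed to use this on a live list; the sort and the GMT normalisation are what make the output useful to the operators who receive it.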