[87567] in North American Network Operators' Group


Re: Infected list

daemon@ATHENA.MIT.EDU (Richard Cox)
Mon Dec 26 12:24:01 2005

From: Richard Cox <Richard@mandarin.com>
To: nanog@merit.edu
Reply-To: Nanog@mandarin.com
In-Reply-To: <Pine.GSO.4.62.0512251332290.20127@qentba.nf23028.arg>
Date: Mon, 26 Dec 2005 17:23:36 +0000
Errors-To: owner-nanog@merit.edu


On Sun, 25 Dec 2005 13:33:44 -0600 (CST)
Rob Thomas <robt@cymru.com> wrote:

> Here is Barrett's list, including and sorted by ASN.

And even that won't be sufficient for many networks to take action.

A lot of people provide lists of the IPs that spam/attack/etc them,
but do not provide the actual time.  Since many "consumer" networks
are running DHCP, they will have no way to know which of their many
customers using the claimed IP on the day in question was actually
an attacker, and so they will almost certainly ignore such a report.

To get action, lists of compromised (etc) systems NEED to include:
Date/Time (preferably UTC), exact IP (as hostnames can have multiple
A-records) and AS number.

-- 
Richard
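
Added example, not part of the message above: a sketch of the lookup a DHCP-based network has to run on each report entry, showing why an entry without a time stays ambiguous and why the UTC offset changes the answer. The lease table, customer labels, the 192.0.2.10 address and AS 64500 are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed DHCP lease history (documentation address, made-up customers).
LEASES = [
    ("192.0.2.10", "2005-12-25T00:05:00+00:00", "2005-12-25T08:00:00+00:00", "cust-A"),
    ("192.0.2.10", "2005-12-25T08:10:00+00:00", "2005-12-25T16:30:00+00:00", "cust-B"),
    ("192.0.2.10", "2005-12-25T16:45:00+00:00", "2005-12-25T23:59:00+00:00", "cust-C"),
]
REQUIRED = ("time", "ip", "asn")  # the three fields the message asks for


def to_utc(stamp):
    """Parse an ISO 8601 timestamp and convert it to UTC; refuse naive values."""
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError("timestamp carries no UTC offset")
    return dt.astimezone(timezone.utc)


def missing_fields(entry):
    """Names of required fields that are absent or empty in a report entry."""
    return [f for f in REQUIRED if not entry.get(f)]


def candidates(entry):
    """Customers who held the reported IP; narrowed to one lease when a time is given."""
    ip = str(ipaddress.ip_address(entry["ip"]))  # ValueError for hostnames
    when = to_utc(entry["time"]) if entry.get("time") else None
    found = []
    for lease_ip, start, end, customer in LEASES:
        if lease_ip != ip:
            continue
        # With no time in the report, every lease holder remains a candidate.
        if when is None or to_utc(start) <= when <= to_utc(end):
            found.append(customer)
    return found


if __name__ == "__main__":
    full = {"ip": "192.0.2.10", "time": "2005-12-25T13:30:00-06:00", "asn": 64500}
    bare = {"ip": "192.0.2.10"}
    print(candidates(full), missing_fields(full))
    print(candidates(bare), missing_fields(bare))
```

The same clock reading taken as UTC instead of -06:00 lands in a different lease, which is the reason for stating the offset or reporting in UTC.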
