[87571] in North American Network Operators' Group


RE: Infected list

daemon@ATHENA.MIT.EDU (Scott Morris)
Mon Dec 26 14:16:01 2005

Reply-To: <swm@emanon.com>
From: "Scott Morris" <swm@emanon.com>
To: <Nanog@mandarin.com>, <nanog@merit.edu>
Date: Mon, 26 Dec 2005 14:14:32 -0500
In-Reply-To: <A.1Eqw4N-0006eg-Qa@ns8.spamhaus.org>
Errors-To: owner-nanog@merit.edu


Not to mention that many IPs may be set to one device, yet there are
multiple things NAT'd behind it.

Perhaps they're even non-related folks.  Do we go after the ISP, the smaller
ISP, the Starbucks WiFi hotspot (example), or the user with the compromised
laptop that plugged in at whatever time that was???

Scott 

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Richard Cox
Sent: Monday, December 26, 2005 12:24 PM
To: nanog@merit.edu
Subject: Re: Infected list


On Sun, 25 Dec 2005 13:33:44 -0600 (CST) Rob Thomas <robt@cymru.com> wrote:

> Here is Barrett's list, including and sorted by ASN.

And even that won't be sufficient for many networks to take action.

A lot of people provide lists of the IPs that spam/attack/etc them, but do
not provide the actual time.  Since many "consumer" networks are running
DHCP, they will have no way to know which of their many customers using the
claimed IP on the day in question was actually an attacker, and so they will
almost certainly ignore such a report.

To get action, lists of compromised (etc) systems NEED to include:
Date/Time (preferably UTC), exact IP (as hostnames can have multiple
A-records) and AS number.

--
Richard
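As an added illustration (not code from this thread), a small Python triage routine that applies the three requirements above to a report: entries without a timestamp carrying an explicit UTC offset, entries giving a hostname instead of an IP literal, and entries missing an AS number are set aside with a reason, and the remainder are normalised to UTC and grouped by ASN. The one-line report format and the sample entries are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed (constructed) report line format, one entry per line:
#   <ISO-8601 timestamp with numeric UTC offset> <IP literal> <ASN>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<asn>(?:AS)?\d+)$")

# Constructed sample report: two usable entries and three that cannot be acted on.
SAMPLE_REPORT = [
    "2005-12-25T13:33:44-06:00 192.0.2.10 AS64496",
    "2005-12-26T17:24:00+00:00 198.51.100.7 64497",
    "192.0.2.11 AS64496",  # no date/time at all
    "2005-12-25T13:33:44-06:00 mail.example.net AS64496",  # hostname, not an IP
    "2005-12-25T13:33:44 192.0.2.12 AS64496",  # time without a UTC offset
]

def parse_report_line(line):
    """Return (UTC timestamp, ip, asn), or raise ValueError saying why the
    entry cannot be matched to a customer on a DHCP/NAT network."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("missing date/time, IP or AS number")
    ts = datetime.fromisoformat(m.group("ts"))  # ValueError if malformed
    if ts.tzinfo is None:
        # Without an offset the time cannot be matched to a DHCP lease.
        raise ValueError("timestamp has no UTC offset")
    ts_utc = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    try:
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        # A hostname may carry several A records; only a literal is exact.
        raise ValueError("IP must be a literal address, not a hostname")
    asn_txt = m.group("asn")
    asn = int(asn_txt[2:] if asn_txt.upper().startswith("AS") else asn_txt)
    return ts_utc, ip, asn

def triage_report(lines):
    """Group actionable records by ASN (sorted) and collect (line, reason) rejects."""
    by_asn, rejected = defaultdict(list), []
    for line in lines:
        try:
            ts_utc, ip, asn = parse_report_line(line)
        except ValueError as e:
            rejected.append((line, str(e)))
            continue
        by_asn[asn].append((ts_utc, ip))
    return dict(sorted(by_asn.items())), rejected
```

The rejected list is what an operator would send back to the reporter; only the grouped records are worth forwarding to the AS contact.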

