[87572] in North American Network Operators' Group


Re: Infected list

daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Dec 26 14:46:15 2005

From: Florian Weimer <fw@deneb.enyo.de>
To: "Barrett G. Lyon" <blyon@prolexic.com>
Cc: NANOG <nanog@merit.edu>
Date: Mon, 26 Dec 2005 20:45:11 +0100
In-Reply-To: <5718B47A-9041-4F39-8EA2-CBCB94809EEE@prolexic.com> (Barrett
	G. Lyon's message of "Sun, 25 Dec 2005 11:19:22 -0800")
Errors-To: owner-nanog@merit.edu


* Barrett G. Lyon:

> Here is a list of the compromised machines used in this new botnet we
> found in California.  These are all web servers connected to good
> bandwidth and they are attacking us, so as a nice little holiday gift
> to me, please clean your network up if these are on your network.  :)

It's usually better not to run DNS resolution on the IP addresses you
have because DNS is so volatile[1].  Mapping host names to IP addresses
is rather expensive, too, and the casual bot-hunter may not have the
necessary tools.  (And I doubt that many bot hunters work at
web-hosting companies...)

Timestamps are usually required to pinpoint an attack, but if the
compromised hosts are mostly largish web servers, they should have
static IP addresses and some kind of accounting where you can see that
something went terribly wrong.

[1] I assume you have verified those host names using a forward
    lookup.  Relying on PTR records alone is not a good idea.
