[90047] in North American Network Operators' Group
Re: Tools for LARTing large nets of compromised boxen?
daemon@ATHENA.MIT.EDU (Jon Lewis)
Thu Apr 20 09:56:25 2006
Date: Thu, 20 Apr 2006 09:55:55 -0400 (EDT)
From: Jon Lewis <jlewis@lewis.org>
To: Michael Loftis <mloftis@wgops.com>
Cc: nanog@merit.edu
In-Reply-To: <83961CA75BDD7D76DCC88E2E@dhcp-2-206.wgops.com>
Errors-To: owner-nanog@merit.edu
On Thu, 20 Apr 2006, Michael Loftis wrote:
>
> One of our customers is (has been) under concerted attempt at a DDoS attack
> against their web server off and on for a while. I've lists of IPs, lots of
> them, many hundreds. I'd like to know if anyone has a tool that will take
> and match these lists of IPs into abuse contacts and fire off a LART to the
> appropriate RP for the IP, but only one per full set, IE if RP-A has IP
> A.B.C.D and A.B.C.C he should get one mail clue-batting him for both IPs.
It's not an actual tool for doing the whole job, but you could use "bulk
mode" on whois.cymru.com to turn your list of IPs [and timestamps?] into
a list of "AS | IP | Timestamp | AS Name". Send a help request to the
whois.cymru.com whois server for instructions.
Once you have that, you could pretty easily split it by AS#, grab email
addresses from whois records for the AS#'s, and email each AS#'s data to
their ASN POCs.
You could also post a URL to the full output from your cymru whois here,
and someone would likely forward the data to nsp-sec.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
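The workflow Jon sketches (bulk-resolve the source IPs to origin ASNs, split the list by ASN, then send each AS's contact a single report covering all of its hosts) as an added Python example. This is not code from the original thread. The attack log, the ASN-to-abuse-contact table and the bulk-mode reply text are all constructed here using RFC 5737 documentation addresses and RFC 5398 documentation ASNs; the exact wording of the server's banner line is an assumption, and the parser only relies on the "AS | IP | AS Name" column layout the post describes. The abuse-contact table is the part you would fill in from the RIR whois records for each ASN.

```python
"""Turn a DDoS source list into one abuse report per origin ASN using
whois.cymru.com bulk mode. Added example, not the original post's code."""
import socket
from collections import defaultdict
from ipaddress import ip_address

# Constructed attack log (ip, timestamp): RFC 5737 documentation ranges,
# plus one RFC 1918 address to show how an unrouted source is set aside.
ATTACK_LOG = [
    ("192.0.2.10", "2006-04-19T22:11:03Z"),
    ("192.0.2.77", "2006-04-19T22:11:05Z"),
    ("198.51.100.5", "2006-04-19T22:12:40Z"),
    ("203.0.113.9", "2006-04-19T22:12:41Z"),
    ("192.0.2.10", "2006-04-19T22:15:00Z"),   # repeat hit from the same host
    ("10.0.0.1", "2006-04-19T22:16:12Z"),     # spoofed/unrouted, comes back "NA"
]

# Constructed ASN -> abuse contact table (RFC 5398 documentation ASNs).
# In practice this comes from the RIR whois record of each ASN.
ABUSE_CONTACTS = {64496: "abuse@example.net", 64497: "abuse@example.org"}

# Constructed bulk-mode reply in the "AS | IP | AS Name" layout; the banner
# line is an assumption about the server's exact text and is skipped anyway.
SAMPLE_RESPONSE = """\
Bulk mode; whois.cymru.com [2006-04-20 13:55:00 +0000]
AS      | IP              | AS Name
64496   | 192.0.2.10      | EXAMPLE-NET-A, US
64496   | 192.0.2.77      | EXAMPLE-NET-A, US
64497   | 198.51.100.5    | EXAMPLE-NET-B, DE
64498   | 203.0.113.9     | EXAMPLE-NET-C, JP
NA      | 10.0.0.1        | NA
"""


def _ip_key(s):
    """Sort IPv4 before IPv6, then numerically, without mixing the two types."""
    addr = ip_address(s)
    return (addr.version, addr)


def build_cymru_query(ips):
    """Bulk-mode payload: 'begin', one unique IP per line, 'end'."""
    unique = sorted(set(ips), key=_ip_key)
    return "begin\n" + "\n".join(unique) + "\nend\n"


def fetch_cymru(payload, host="whois.cymru.com", port=43, timeout=30):
    """Live lookup over TCP/43; not called by the offline demo below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload.encode())
        chunks = []
        chunk = sock.recv(65536)
        while chunk:
            chunks.append(chunk)
            chunk = sock.recv(65536)
    return b"".join(chunks).decode(errors="replace")


def parse_cymru(text):
    """Map IP -> (asn, as_name). Unrouted IPs are reported as AS 'NA' and are
    returned with asn None so the caller can set them aside."""
    origin = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 or not (fields[0].isdigit() or fields[0] == "NA"):
            continue  # banner or column-header line
        asn = int(fields[0]) if fields[0].isdigit() else None
        origin[fields[1]] = (asn, fields[2])
    return origin


def group_by_asn(attack_log, origin):
    """asn -> {"name": as_name, "hits": {ip: [timestamps]}}; key None = unrouted."""
    groups = defaultdict(lambda: {"name": "", "hits": defaultdict(list)})
    for ip, ts in attack_log:
        asn, name = origin.get(ip, (None, "NA"))
        groups[asn]["name"] = name
        groups[asn]["hits"][ip].append(ts)
    return groups


def build_reports(groups, contacts, victim="www.victim.example"):
    """One (to, subject, body) per routed ASN, so each RP gets a single mail
    listing all of its hosts. ASNs with no known contact are returned
    separately for manual lookup rather than silently dropped."""
    reports, unresolved = [], []
    for asn in sorted(a for a in groups if a is not None):
        data = groups[asn]
        hosts = sorted(data["hits"].items(), key=lambda kv: _ip_key(kv[0]))
        lines = [f"{ip}  {', '.join(sorted(tss))}" for ip, tss in hosts]
        body = (f"Hosts in AS{asn} ({data['name']}) took part in a DDoS against "
                f"{victim}. Source IP and timestamps (UTC):\n" + "\n".join(lines) + "\n")
        subject = f"[abuse] DDoS sources in AS{asn}: {len(lines)} host(s)"
        if asn in contacts:
            reports.append((contacts[asn], subject, body))
        else:
            unresolved.append(asn)
    return reports, unresolved


if __name__ == "__main__":
    query = build_cymru_query(ip for ip, _ in ATTACK_LOG)
    # Live run: response = fetch_cymru(query); here the constructed reply is used.
    groups = group_by_asn(ATTACK_LOG, parse_cymru(SAMPLE_RESPONSE))
    reports, unresolved = build_reports(groups, ABUSE_CONTACTS)
    for to, subject, body in reports:
        print(f"To: {to}\nSubject: {subject}\n\n{body}")
    print("no contact on file for:", ", ".join(f"AS{a}" for a in unresolved))
    print("unrouted sources set aside:", sorted(groups[None]["hits"]) if None in groups else [])
```

Swapping `SAMPLE_RESPONSE` for `fetch_cymru(query)` runs the lookup for real; everything after that point is the same. Deduplicating IPs before the query keeps the bulk request small, while the per-IP timestamp lists in the report give the recipient enough to find the host in their own logs.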