IP addresses being attacked in Krebs DDoS?

As an ISP who is pro-active when it comes to security, I'd like to know what IP address(es) are being hit by the Krebs on Security DDoS attack. If we know, we can warn customers that they are harboring infected PCs and/or IoT devices. (And if all ISPs did this, it would be possible to curtail such attacks and plug the security holes that make them possible.)

--Brett Glass, LARIAT.NET

[Pardon the slightly less than specific details below. Must be careful about disclosing names or information which is not public yet.]

What Brett is asking seems reasonable, even useful. Unfortunately, it is not as simple as posting a list of addresses on a website.

Many devices are compromised because of default user/pass settings. Publishing a list of IP addresses which are so trivially compromised is handing the miscreants a gift.

We have done things like this with open DNS resolvers and open NTP servers. (THANK YOU JARED!!!) However, we had a hope of the administrators fixing the problem, and they were at least somewhat easier to find.

This list is different. Harder to find, harder to fix. Grandma is unlikely to think about logging into her webcam and changing the admin password - to say nothing of reading NANOG in the first place. Hell, even if she did, how exactly do you remove malware from a SmartTV?

Obviously we do not consider Brett a bad actor. It is likely we can work something out with ISPs like Brett and give them the addresses on their network which need remediation. But this is not a five minute job. Plus most of the people working on this do so in their spare time. So please be patient as the lists are gathered, sorted, and offered in a reasonable manner.

If you are a member of the various secops lists, more info will be forthcoming. If not, I’m sure someone will make information available in wider channels.

To be clear, I am not doing this work personally, so do not email me. The people who are doing this work deserve a hearty and huge thanks from the community. If you know one of them, buy them a drink or dinner, or at least give them a hug. :slight_smile: I know I will be doing so in Dallas if they let me.

I think you may have misunderstood my request. I am not asking for the IP addresses of the bots, but the address or addresses which they are attacking. I can then scan outgoing packets for those destination addresses, and -- if I see them -- work my way back to the customers who are unknowingly harboring infected devices. Those devices could be PCs, Webcams, DVRs, even thermostats.... The customers may not know that they have changeable passwords or backdoors.

By doing this, we can not only enhance our users' security but forestall complaints. We have had more than one customer quit because an infected device on his or her network impacted the quality of video streaming or VoIP... and, of course, he blamed the ISP. Everyone ALWAYS blames the ISP. :wink:

--Brett Glass (it's just the one IP, not DNS-balanced).
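The destination-based approach Brett describes, as an added example that is not part of the thread: outgoing flow records are matched on the attacked destination address and aggregated per source host and per customer prefix, so the ISP can see which customers to contact. The target address, the customer prefixes and the flow records are all constructed placeholders (the thread does not publish the real address); the packet threshold exists because a handful of packets to the target is just someone reading the site.

```python
import ipaddress
from collections import defaultdict

# Placeholder for the attacked address (TEST-NET-1); the real one is not on the page.
TARGET = ipaddress.ip_address("192.0.2.10")

# Hypothetical customer prefix assignments for this ISP (constructed).
CUSTOMERS = {
    "cust-a": ipaddress.ip_network("198.51.100.0/28"),
    "cust-b": ipaddress.ip_network("198.51.100.16/28"),
    "cust-c": ipaddress.ip_network("198.51.100.32/28"),
}

# Constructed NetFlow-style records: (src, dst, dst_port, packets)
FLOWS = [
    ("198.51.100.5", "192.0.2.10", 80, 12000),    # cust-a: heavy traffic to target
    ("198.51.100.5", "192.0.2.10", 443, 9000),
    ("198.51.100.20", "192.0.2.10", 80, 3),       # cust-b: a few packets, ordinary browsing
    ("198.51.100.40", "203.0.113.7", 443, 500),   # cust-c: unrelated traffic
    ("198.51.100.41", "192.0.2.10", 80, 7000),    # cust-c: a second infected device
]

def customer_for(ip):
    """Map a source address to the customer whose prefix contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in CUSTOMERS.items():
        if addr in net:
            return name
    return None

def flag_customers(flows, target, min_packets=1000):
    """Sum outgoing packets toward `target` per customer and per source host.

    Returns {customer: {src_ip: packets}} for customers whose total crosses
    `min_packets`; below that, the traffic is most likely legitimate visits."""
    per_customer = defaultdict(lambda: defaultdict(int))
    for src, dst, _port, packets in flows:
        if ipaddress.ip_address(dst) != target:
            continue
        cust = customer_for(src)
        if cust is not None:
            per_customer[cust][src] += packets
    return {c: dict(hosts) for c, hosts in per_customer.items()
            if sum(hosts.values()) >= min_packets}

if __name__ == "__main__":
    for cust, hosts in flag_customers(FLOWS, TARGET).items():
        print(f"notify {cust}: {hosts}")
```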

Thanks for your interest in cleaning up your infected customers! 10,000 ASNs to go....

I did read it the other way.

It’s his website, which you can read about on … his website, http://krebsonsecurity.com/. (And for everyone on this list, it should be trivial to figure out who helped him get the website back up.) Or his Twitter feed. Or lots of articles about it. Or lots of mailing lists. Or … etc.